Breaking Through At AppSecUSA 2016

By   Brian A. McHenry
, F5 | Nov 23, 2016 12:30 am PST

Recently, I attended AppSecUSA, which was held in Washington, DC from October 11th through the 14th. I last attended AppSecUSA in 2013 in New York City, and was fortunate enough to participate in Web Application Defenders’ training led by Ryan Barnett. Each year, the talks and training improve dramatically for OWASP’s biggest meeting here in the United States. With that in mind, it was quite a surprise to have my CFP submission accepted for a 15-minute lightning talk.

This article is less about AppSecUSA and more about my experience submitting to Calls for Papers at the myriad infosec cons that litter the calendar each year. But first, allow me to reiterate: AppSecUSA boasts one of the most diverse groups of attendees among all the conferences I’ve attended. The emphasis on the application layer means there are as many developers as there are folks with “security” somewhere in their job title. The hallway conversations tend to be of a distinct other tone and depth. Many seeking to learn from each other in developing and deploying more secure applications. The talks are more often focused on new ways of improving security process and procedure than they are focused on the latest exploit.

When I tweeted the acceptance of my talk to AppSecUSA 2016, there were quite a few who asked how I got accepted. Many other folks have written (and tweeted) extensively about how to get a talk accepted, but I’ve seen few catalog their own experience. My first submission was back in 2011, to the RSA conference, which puts the journey to a 15-minute slot at AppSecUSA this year at about 5 years.


    (Caption: Lego mini-figure of each AppSecUSA 2016 speaker provided by Sonatype.)

Step 1:

Find conferences you’re interested in, and submit your proposed talk on time. This step seems obvious, but I know too many people who gave up after being rejected or thought their idea would never get accepted. Your idea is a good one, it just needs some help and good luck.

Step 2:

Engage the community you want to accept your talk. In the case of AppSecUSA, attend local chapter meetings of OWASP. See what talks are being delivered at those meetings. For organizations like OWASP and ISSA, there are always projects that need help. Getting engaged is fuel for making your idea better and learning to shape it into something CFP reviewers see as a good fit for their audience.

Step 3:

Document your ideas publicly. Hiding all your deep thoughts on security away on your laptop doesn’t help anyone. Maybe your company has a blog or community site you can contribute to, or you can join me in having a personal blog that’s rarely updated. By first trialing some ideas on my own blog, I was able to work up the courage to write for F5’s community site. A few posts there opened the door to writing for Information Security Buzz.

Writing and sharing regularly builds a body of work that CFP reviewers can easily reference for some idea of the quality of your work. The CFP forms often don’t leave a lot of room for elaborate descriptions of your idea and content. Regular writing also helps to shape your ideas and further engages you with the community. It’s also OK to write something and later find out that you were wrong in some detail or other. People are kinder than you think.

Step 4:

Find someone who will listen to your talk. Even if that someone is your dog, cat, or goldfish. Your idea has now been growing for a while by attending chapter meetings, other infosec conferences, and regularly writing and publishing, but it helps to practice and improve your presentation skills. Toastmasters is one way to work on this and practice. You may find that the local chapter meetings of OWASP, ISSA, or other security professionals’ organization have opened the opportunity to give a short talk there.

Step 5 (optional):

Run your own conference. In January 2016, the first-ever Security BSides NYC happened. After a few years of starts and stops, I and several other intrepid souls finally got the first edition off the ground. Seeing what goes into a relatively small conference enhanced my confidence and empathy for conference organizers and CFP reviewers. It’s hard work getting quality submissions and picking the best of those submissions, not to mention all the other logistics involved. (And yes, the BSidesNYC 2017 is very much in the works.)

For me, the Death of WAF article published here turned into a talk idea for an OWASP NYC chapter meeting back in 2015. That talk was very fortunately recorded, and added to my referenceable body of work. Watching a recording of yourself is every bit as painful as it sounds, but it helps refine your delivery and content immensely. The 15-minute Lightning Talk accepted for AppSecUSA was entitled The Evolution of WAF, and was inspired by and refined from the prior article and talk.

Condensing and refining those ideas into a 15-minute talk was another challenge, but all the work leading up to that date left me more than prepared. I’m already working on some new ideas, and interested in where they take me and the first place those ideas will likely appear is in this space on Information Security Buzz.

See you on the road at one of the many conferences.

Recent Posts