Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Query for the masses.

If you could attend any one (and only one) security conference in a given year, which one would it be, and why?

I’ve been on a curtailed (okay, nonexistent) travel budget for a while, so I haven’t gotten to any of the major cons in several years.  I don’t want a tarted-up version of a large trade show floor; I want a smart, fun conference that will give me the biggest, widest bang for my security management buck.

Any recommendations from the studio audience?

Posted by shrdlu on Monday, July 02, 2007

Comments

Kees Leune Netherlands on 07/02  at  11:59 AM:

The FIRST conference (http://www.first.org). Although it has been varying in quality a lot, this year’s supposedly was back at a high level. There is also the GOVCERT.nl symposium (http://www.govcertsymposium.nl); good quality speakers and free to attend, but in the Netherlands. If you’re on a budget the plane fare and 3 nights in a hotel should be doable. This year’s conference is somewhere mid-October.

United States on 07/02  at  03:27 PM:

Well, one bargain is DefCon. The fact that you only need to give up one weekday to attend is a bonus. In the same vein, there are regional conferences such as Shmoocon, which I’ve heard good things about.

USENIX Security was fun, with a mix of current problems and potential future issues.  I haven’t been to one in a while, as I’ve been dealing with similar budget crunch issues…

LonerVamp United States on 07/02  at  07:49 PM:

Kinda depends on what you want to get out of it. You can go totally low-ball and choose DefCon, but you’re likely not going to see/learn anything useful to your job, necessarily. Fun, parties, meet geeks, and see lots of black. Blackhat would be awesome, but it is like the GIAC of conferences; I’d only go if my company would foot the bill.

I’d really pimp out Shmoocon as a nice in-between, and I’ve heard good stuff from CanSecWest as well. I consider those two like a nice solid bar (ages 21 and up) with DefCon the all-ages club.

shrdlu United States on 07/02  at  08:07 PM:

Does anyone know of a good con that has good presentations on secure application development that aren’t the usual rehash of the OWASP Top 10 or esoteric exploit demonstrations?

I’d consider Metricon, but I haven’t heard enough stories of between-session antics yet to know whether it’s anything more than papers. ;)

Saso Australia on 07/02  at  08:12 PM:

Another vote for FIRST conferences, especially if most of your work relates to incident response, or failed incident response processes. ;)

USENIX Security is always great to attend, especially for the various BoF sessions. Because the level of papers is generally quite high (you can read past submissions on the USENIX site) you won’t feel like you spent precious time and a non-existent budget on trivial stuff.

United States on 07/03  at  10:28 AM:

A couple of years ago I was feeling particularly stale and was told that we had no budget for training, so I sent myself to the Cybercrime Summit near Atlanta (http://www.cybercrimesummit.com/).

I found a cheap motel and drove 8 hours to get there but thoroughly enjoyed the conference. It was oriented toward law enforcement and computer forensics, and I found it fascinating. At only $250 for the conference, I thought that it was a bargain.
