QCon London 2020
My security interest was sparked over 25 years ago by a book called Masters of Deception: The Gang That Ruled Cyberspace. This introduced me to HOPE, Phreak, 2600 and DefCon and I discovered the technical magic of security.
During the course of my career, I’ve had the pleasure to attend a number of security-centric conferences. However, due to my passion for AppSec/DevOps/DevSecOps I wanted to expose myself to events which weren’t targeting the security community. I was attracted to QCon after watching a microservices talk published on their YouTube channel. I wanted more ….. I took a leap of faith (or a £1500 gamble) and in 2019 I purchased an early bird ticket to attend QCon London 2020.
The big day 2nd March 2020 arrived, allowing me to indulge myself for 3 days with talks from non-security technical specialists.
QCon: My impression of the logistics
Like most conferences the organisers kicked off by welcoming everybody and explained that each day there were 6 different themed tracks. They asked each track host (individuals who were accountable and responsible for finding speakers to present at the con) to come onto the stage and explain their theme and who the speakers were; effectively this was a last minute sales pitch to sway people to attend their talks. This was very novel to me and it did help confirm my decisions about what to attend.
The conference had a mobile app which allowed you to “star” the talk you wanted to attend for each time slot. The app also notified you if your chosen talk had a room change. This quickly replaced my out-of-date printed copy of the schedule.
Unlike my experience with other conferences, QCon scheduled a 25 minutes interval between talks. This allowed attendees to stretch their legs, grab some refreshments and navigate their way to their next talk. The conference was held at the Queen Elizabeth II Conference Centre in Westminster, London and covered 5 floors - so having 25 minutes was perfect. The breaks allowed me to digest the previous talk and to prepare myself for the next. This worked really well especially with the last talk scheduled for 17:25. I was amazed that I was not exhausted. Another plus for this well organised conference.
Vendors were spread over two floors - not much more to say about them :-) I saw a few familiar companies associated with the security industry.
Each day kicked off with a keynote speaker. They were delivered with finesse and each had their own style. For example: I love the design of @anhuan slides; @k_gamanji delivery was very calming. To be able to deliver in the way she did reflects her confidence level.
For the first day I focused on the microservices track. The track host was @NickyWrightson and the first talk was kicked off by @samnewman. I would say that Sam’s talk was the best for me, explaining the possible routes from monolithic to microservices with useful migration patterns. His delivery skills were very engaging, sprinkled with the right balance of humour as well as articulating the topic with ease. I guess the consultancy experience he has as well as writing books on the subject helps.
Another great talk was one delivered by Alexandra Noonan. I only found out that it was her first conference talk EVER when I spoke to her afterwards - clearly a natural. The curveball for her was she had an unannounced break - the fire alarm went off and the whole building had to evacuate. The conference organisers were great and allowed her to complete her presentation which took up some of the actual break time - not a real shame as her talk was very informative and well structured explaining their journey going from a monolithic to microservices and back to a monolithic architecture.
It is very hard not to have come across @patrickdebois if you are working and keeping track of what goes on in the DevOps world. I saw that Patrick had a talk lined up and so decided to hear him out PLUS I wanted to get acquainted with him as I was sharing a panel with him the following week at another (security) conference. I caught up with Patrick the next day and had a hallway chat for about an hour - I missed the Tesla Virtual Power Plant talk (don’t worry it was recorded).
Patrick was part of another track and the track host was Douglas Talbot. The brief discussion I had with Douglas was eye opening. He has a strong development background and was curious as to what DevSecOps was or how security can “easily” be factored into the delivery lifecycle. At one point we used the same term - static code analysis, but our meaning was very different. He had come at it from a code quality perspective, but I only knew of it as a testing method for security code analysis. This is a very good example which supports one of my concerns I have with the security industry - we tend to only hang around with our “own kind”. There is no point in discussing how to factor security into the SDLC with just security people. This was one of the reasons why I attended QCon - to educate myself. It’s not quite sleeping with the enemy - there are no enemies, just a lot of misunderstanding or not knowing “how it’s done” when working with others. There is no shame in admitting not knowing something.
On the third day, the conference had a security track. I did pay close attention to the track host @vixentael and the line up of talks - wanted to see if any inspiration came to me for “DevSecOps - London Gathering”. One of my good friends @SonyaMoisset executed another great talk - go check it out.
We were encouraged to explore more than one track and attend some of the Ask Me Anything (AMA) sessions. I did this for day 2 and 3. I was really spoilt for choice during the 3 days - 6 main tracks, AMA and 2 sponsor tracks each day. That’s like 6 different conferences per day!!!
My overall impression was that the speakers were experts, able to communicate their subjects with ease and confidence, and all supported by a slickly organised and smoothly run conference infrastructure. It opened my eyes to the speed with which development technologies are evolving and the huge breadth of technology choices that we in security are going to have to deal with.