It's that time of the year, and Goa is gearing up again to host the 2016 edition of the nullcon security conference at the Bogmalo Beach Resort, Vasco. This marks more than half a decade that nullcon has been trying to bridge the gap in technical capacity building and training, with its community-driven model. Taking place between 9th and 12th March, nullcon has successfully transformed itself into a highly technical and well-respected forum for independent security research in India.
See Also: 2016 State of Threat Intelligence Study
"With nullcon we tried to incubate a knowledge-driven, community-centric model, rather than the certification-driven ecosystem that has been thriving in India," says Aseem Jakhar, co-founder of the event. "The emphasis is on new and innovative research and training." (Also See: Inside nullcon Security Event)
nullcon has grown by leaps from its humble beginnings as a small local player to an international conference that continues to be taken seriously by security researchers in India and around the world.
Founded in 2010 by four security enthusiasts out for a cup of tea on a rainy day, as the story goes, nullcon has been doing a great job of bringing security researchers and practitioners together for a four day non-stop, bare metal security marathon, a la Blackhat and Defcon - but with a 'Desi', or Indian touch. (Also read: Hacking Goes Mainstream)
Trainings and CTF
nullcon this year looks to be bigger than ever with participation from across the globe through its call-for-papers selection for its conference segment, and industry relevant trainings and workshops. There are scheduled and informal software and hardware security workshops being conducted on the first two days preceding the conference itself. Interesting activities also include a capture-the-flag events for attendees at large, and one CTF exclusively for women, called "winja"; a continuation of an initiative started last year by the organizers to encourage more women in the technical security field.
nullcon is also known for its expert hands-on trainings on highly technical subjects, and cutting edge security tools and techniques - all in a whimsical, informal, resort environment. These are subjects for which there are few, if any courses available mainstream, least of all a platform with peer support that gives hands-on experience. A new trend I have noticed over the past few years is the interest and endorsements mainstream training outfits such as SANS, (ISC)2 and others have shown, further strengthening the credibility nullcon enjoys in the security community in India.
Sessions and Highlights
nullcon training has always been sought after, and some of the workshops this year address topics such as "Penetration Testing SmartGrid and SCADA", "Xtreme Android Exploitation Lab", "Understanding and Exploiting Cryptography & PKI Implementations", "Windows Kernel Exploitation", and "Reverse Engineering and Malware Analysis," to name a few. A quick look at the website shows that all the workshops were all sold out. I expect they will be a success this year as well.
The conference itself commences on 11th March and is spread over three tracks. There is a distinct track this year on the first day of the conference, similar to last year, focusing on CXOs. nullcon's increasing focus on the security executive segment is evident here. (Also See: Making a Move from CISO to Consultant)
Here are some of the sessions that catch my attention. Of note are the keynotes on both days of the conference. One by Jaya Baloo, who is CISO at KPN Telecom in the Netherlands, and the second by Roland Cloutier, CSO of ADP corporation in the US. The profiles for both seem suitably impressive, although they have some big shoes to fill; the keynote sessions last year by Katie Moussouris, or Paul Vixie, were a treat to attend!
The CXO track is also the least technical and the most policy oriented track, by the looks of it, and the sessions are all panel discussions, including one on a framework for industry and government cooperation, and another on the future of security. It should be interesting to see how the executive and business side of security ties in with the technical research on display at the conference. (Also see: Security: How to Get Management Buy-In)
Other sessions across tracks, that promise to be worthwhile include once on Automotive Hacking by Craig Smith of Open Garages, and a session by Gregory Pickett of Hellfire Security on Abusing SDN on day one. Day two sessions of my choice would be, post Cloutier's Keynote, Patrick Wardle's session on Practical OS X Malware Analysis, a session on hardware security audit by Julien Moinard, and interestingly, a session on attacking and defending healthcare and EMR solutions by Anirudh Duggal.
There are a whole bunch of other sessions that will likely appeal to others, a full list can be seen here. nullcon is usually kind enough to put up videos of sessions and other shorts from the event on their YouTube channel. If like me, you are unable to attend this year, or have missed a few, I suggest subscribing and checking it out later.
All in all, I expect to hear good things from the conference this year. nullcon has grown by leaps from its humble beginnings as a small local player to an international conference that continues to be taken seriously by security researchers in India and around the world. What is your take from nullcon? Please share your thoughts with me or tweet to @APACInfosec. A shout out to all the old nullcon stalwarts - hope you set some new records this year.