We need Product Security Community

Gaps in information security communities for product security engineers

Communities are a place to discuss, share, network, give and take mentorship, grow together, and find your next startup partner. I remember my first community visit to Nullcon Chennai when I was working at Zoho. I also gave a security talk on a developer-friendly SAST workflow at the API security community recently.

Some of the infosec communities acclaimed by the masses (the famous ones)

Communities are defined by their audiences and focus areas. For example, OWASP, NullCon and DefCon are for all types of audiences and cover all aspects of security, but most of the talks are attack-focused and few are on the defensive side. Another example is CloudSec, which is for all audiences but focuses on cloud security. The recent BSides 2023 and NullCon 2023 mostly covered the attacker's perspective: finding novel bugs, automated security testing and CTFs.

The above communities (apart from niche communities such as CloudSec) work on a franchising model where anyone can start a chapter in their local area. Franchising empowers local regions to grow the community, but there are gaps in those small franchised communities, with the exception of OWASP (internationally), BSides Ahmedabad and Nullcon Goa. Most of the small communities face issues such as:

  1. No clear vision in the leadership, making the community inactive

  2. Inability to sustain the community due to various factors

  3. Talks drying up

  4. Self goals 

  5. Little or no funding or perks (the things that motivate people to share); not backed by startups, companies or sponsors

Gift Economy Impacts on Community

Any economy works on trading: you have to give something to get something, be it in a community or in open source. There are many reasons why someone contributes to open source or gives talks in a community, but all rivers meet the ocean, and it comes down to only two things:

  1. Getting an opportunity to make more money: creating a startup, networking to get jobs, and getting good hikes in the promotion cycle.

  2. Getting status, and enjoying the same things money buys but by indirect means: free stays, aeroplane tickets, appreciation and praise. This can go beyond what getting money feels like.

The immediate outcome of the gift economy is not money; it gives you the opportunity to make some. In a gift economy you have to give more, and running on little funding while keeping the community active is a difficult task that takes real willpower.

Where could I find a Product Security Community?

I am not able to find any product security community. By product security community, I mean one that talks about and debates the security of SaaS/B2C products, and the issues faced by security engineers working in a corporate environment and how to solve them. These groups are not in the limelight; they run within peers, known sets of people and small communities. There is a real gap in the product security community, and it comes down to the following:

  1. Most of the famous communities are dominated by consultants and companies providing services; very few product security engineers get involved. This does not mean that product security engineers are not giving talks, it is just minimal. For example, if you look at the recent NullCon Goa and BSides Ahmedabad talks, 90% of them are about how I attacked something and gained $$, bug bounty experiences, and how you can become an attacker/hacker.

  2. No specific platform for product security engineers to showcase their work to their own audience

  3. The famous communities fall into one of the following: attack-related, bug-bounty-related, or niche. Niche communities such as CloudSec, ThreatModelCon and ZeroTrustConference concentrate on only one pillar/aspect of product security rather than the whole, and that coverage is scattered across communities and regions.

Why do I choose to write rather than give talks?

Giving a talk in a small community without any CFP selection is easy: you grab some data and put what you did on a slide. It takes just 1-2 days of work. But writing is difficult: it takes time to research, create a draft, polish it and put your points across clearly. A talk focuses on showcasing how you did it in less time; you don't have time to talk about the nuances, the small details, the why, or to make people think. It's a personal choice and the justification that I had. It is always great to present at national and international events vetted by expert CFP reviewers.

Meme Time

Good Blogs that I came across