Although security concerns don’t always make it to the top of a software developer’s to-do list, developing secure software is an important aspect of the job that you can never learn too much about. While developers usually receive support in that area from their companies and can look to online resources, sometimes it can help to be immersed in an environment of like-minded people — like at a conference.
Here are some of the best security conferences to check out in 2022, either in person or in your pajamas from home. They offer great ways to expand your knowledge about security, learn about cutting-edge technologies and make connections with others in the field.
10 Security Conferences for Developers
- Enigma
- WiCyS
- Kernelcon
- Cyber Security & Cloud Congress North America
- RSA Conference
- OWASP Global AppSec European Virtual Event
- Gartner Security & Risk Management Summit
- Black Hat USA
- DEF CON
- DevSecCon
Security Conferences for Developers
Enigma
Organizer: USENIX, a nonprofit that advances research in computing.
What to expect: Security researchers and others interested in security attend this annual conference to discuss current and emerging security topics and the impact they have on society. Topics covered at Enigma range from social aspects of security (like social engineering and online hate) to technical aspects (like security challenges for autonomous vehicles and machine learning). Each day is organized by hour-and-a-half chunks of talks or panels grouped under themes — this year, those include “hate and encryption” and “money talks.” The talks themselves are also intriguing, with titles like “Why has your toaster been through more security testing than the AI system routing your car?” and “When machine learning isn’t private.”
Speakers scheduled to present this year include Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency, and representatives from many top tech companies, including Google and Microsoft.
The details: February 1-3 in Santa Clara, California (with a virtual option).
WiCyS
Organizer: Women in Cybersecurity, an organization that helps advance women working in security.
What to expect: At the annual WiCyS conference, women cybersecurity professionals share challenges, learn about trends in cybersecurity and trade career development tips and resources. Events include research presentations, talks, workshops, community collaborations and usually a capture-the-flag competition, where people compete on intricate hacking challenges set up ahead of time.
WiCyS is also notable for being a welcoming environment for students. Half of last year’s participants were students, with most being in their last years of undergraduate or graduate programs.
Participants can choose between many different concurrent talks each day. The program for the 2022 conference has not been released yet, but topics from 2021 included research on AI-assisted malware analysis techniques, cyber risk metrics and talks about career development and inclusion in the field of security.
The details: March 17-19 in Cleveland, Ohio.
Kernelcon
Organizer: Kernelcon’s organizing committee.
What to expect: For those in the Midwest who don’t want to make the trek to the coasts, there is Kernelcon, a security conference named for both the lowest level of the computer operating system and Nebraska’s agricultural corn production. Activities at Kernelcon include keynote addresses, hour-long and 20-minute tech talks and a “kernel panic” party. Although the schedule has not yet been released, talks from previous years ranged from slightly technical to very technical and covered topics like security holes in two-factor authentication and improving security for industrial control systems.
Kernelcon also offers optional training sessions that cost extra to attend. The 2022 training sessions will teach skills like penetration testing and performing forensics on Linux machines.
The details: March 30 - April 2 in Omaha, Nebraska.
Cyber Security & Cloud Congress North America
Organizer: TechEx, an organization that manages tech expos and conferences.
What to expect: This annual event specializes in thought leadership around companies’ security concerns and caters mostly to an audience of chief information security officers and other heads of digital security. The conference focuses on a different topic each day, with the first day dedicated to enterprise security and the second day focused on digital transformation. The first day’s events are especially relevant to developers, covering topics like third-party risk management considerations when using vendor tools and how to implement a zero-trust approach to security. Topics also touch on security at the company level, like insider threats and how to protect products against ransomware attacks.
Second-day topics include discussions on the security aspects of multi-factor authentication and the role of a company’s chief product security officer. Speakers from last year included representatives from Dell, JP Morgan Chase and Synopsys.
The details: May 11-12 in Santa Clara, California.
RSA Conference
Organizer: RSA Conference’s advisory board.
What to expect: This four-day conference was founded in 1991. At first, it had a narrow focus on encryption — hence the name, which comes from the widely used RSA encryption algorithm that anchors much of digital communication. But these days, the conference covers broad topics in technology and security.
The RSA Conference offers events including seminars, talks and security research presentations, like research on new threats and techniques for combating cyberattacks. Seminar topics for 2022 include techniques for implementing DevSecOps workflows and ways to design with privacy in mind. The full agenda is still pending, but in 2021, talks included topics like career advice for cybersecurity professionals and best practices for securing direct-to-consumer operations. Speakers from previous conferences included companies like Microsoft, IBM Security and Palo Alto Networks.
For attendees who purchase the premium experience, there are also capture-the-flag exercises, training sessions that offer hands-on experience and lightning talks.
The details: June 6-9 in San Francisco, California (with a virtual option).
OWASP Global AppSec European Virtual Event
Organizer: Open Web Application Security Project, a nonprofit that educates developers on how to build secure websites.
What to expect: The first three days of this OWASP conference are dedicated to training sessions and the last two days consist mainly of tech talks. The optional training sessions cost an additional fee and last between one and three days. While training session topics are not yet available, sessions from 2021 included classes on new attack vectors for web applications and how to use the Python programming language to find security vulnerabilities. Tech talks from 2021 included presentations on attack surfaces of Azure cloud platforms and best practices for automating security testing.
This conference is fully virtual, but OWASP will hold another in-person conference on November 14-18 in San Francisco, California.
The details: June 6-10, virtual.
Gartner Security & Risk Management Summit
Organizer: Gartner, a technology consulting company.
What to expect: The Gartner Security & Risk Management Summit includes security keynote addresses and talks, with recommended tracks for different types of attendees so those interested in security management and leadership can have different experiences from software developers interested in security tech and architecture.
Although presentation topics for this year have not yet been released, sessions for the technical track from 2021 covered topics like techniques to mitigate the effects of ransomware attacks, trends in zero-trust access control and the risks associated with using open-source tooling. Speakers from last year’s summit included Jimmy Wales, the founder of Wikipedia, and representatives from Verizon and Children’s Mercy Hospital.
The details: June 7-9 in National Harbor, Maryland.
Black Hat USA
Organizer: Black Hat, a cybersecurity event series founded in 1997 by Jeff Moss, the security expert who also started DEF CON.
What to expect: Black Hat directly precedes DEF CON (also on this list) and is kind of the respectable sibling to DEF CON, which has more of a party atmosphere. The conference is focused on information security rather than on hacking. Security researchers give talks on new and emerging threats and vulnerabilities, and the conference also offers training sessions, usually two to four days long, that teach a wide array of security concepts and skills. Training topics in 2021 included threat modeling and penetration testing against APIs.
There are also specific portions of the conference dedicated to open-source researchers demonstrating security tools they’ve built. Speakers from previous years included representatives from Google, Cloudflare and the National Security Agency.
The details: August 6-11 in Las Vegas, Nevada (with a virtual option).
DEF CON
Organizer: Jeff Moss.
What to expect: DEF CON began in 1993 as an informal gathering among a group of engineers interested in security. That has morphed over the years into one of the largest hacker conventions in the world. The conference’s name, per the website, derives from “military lingo” referring to defense readiness condition levels and the old “DEF” letter mapping on telephones for the number 3 — common knowledge for hacker types who engaged in phone “phreaking” back in the day.
DEF CON notably pioneered capture-the-flag competitions at security conventions. There are many different types of events, including scavenger hunts, movies, lock-picking competitions and networking, in addition to talks and presentations. The convention covers a dizzying array of topics, including new hacking methods, application testing best practices and tools that simulate ransomware attacks.
The details: August 11-14 in Las Vegas, Nevada.
DevSecCon
Organizer: Snyk, a company that builds security tools for developers.
What to expect: DevSecCon, as the name implies, is a conference dedicated to DevSecOps, a relatively new way of integrating security with DevOps. DevSecCon hosts several events every year in different countries, but DevSecCon24 is the most accessible for everyone, with different programs offered over a period of 24 hours for virtual attendees in the Americas, Asia and Europe.
Last year, companies in the security space that gave talks included vendors like Checkmarx and Atlassian. Talks ranged from ways of implementing role-based access control on Linux to ways to build DevSecOps pipelines.
The details: TBD.