I must have been asked that question a dozen times during the show, and I had no good answer. It seems the attendees REALLY wanted to find the new hotness, but couldn't find anything compelling. It got me thinking about security in general, and that maybe our expectations are improperly set. I mean, aren't security products/solutions about making sure "nothing happens" (if we do our jobs well)? Of course that's boring. It's only when we demo live hacks and something does happen on screen that people begin to perk up.
Another thing that occurred to me was, "how can anyone make sense of all this stuff?!" There I was in a literal sea of hundreds of infosec companies, most of which I'd never heard of, doing my best to understand their value proposition while being peddled free software and toys by booth babes. There was tons of NAC, Identity Management, lots of webappsec, and gawd, anti-Malware/Spyware of every kind for every device. Whew! When speaking with a few vendors, they did their job well describing how they differentiate from their competitors: "We go faster, more in-depth, find more of the (un)known, and we focus on the data." It all sounded somewhat interesting, but in the back of my mind I was thinking, "why do I need this?"
There is a lesson to be learned here by those in the web application security field, myself included, because outsiders probably feel the same way about our field. Everything we talk about, including XSS, CSRF, SQL Injection, Technical, Logical, and the other confusing terms, is all cool, but have we really described why this stuff is important to eliminate? I mean, really really. This might be what Syvlan has been driving at in asking how to prove our worth or value in some type of quantifiable terms: answering the fundamental question, "why?"