RSA 2018 - Highlights & Thoughts


When the opportunity to attend RSA came up, I decided to take a chance to see how it compares to other security conferences I've attended in the past (like DEF CON, BlackHat and BSides). After attending the 5 days of the conference I can say that RSA definitely has a different 'feel' to it than the other conferences and depending on what you are trying to accomplish, it may or may not be a good value for the $$$ spent.

Venue and Registration

I have to hand it to the conference organizers, they made it trivially simple to both locate the venue (spread across 3 buildings: Moscone North, South and West) and get registered. There were people located on the corner of each block around the convention center locations wearing huge blue 'RSA Conference' flags who were friendly and able to answer just about any question you asked them about the conference.

The venue was spacious enough to fit the 50,000 registered participants at the conference this year. I only had to wait in line a couple of times and did not have any trouble attending sessions or hands-on labs (even when I neglected to register in advance). Everything was well laid-out and locations were clearly marked.

Sessions and Labs

My experience with the content was mixed. I'd say less than 50% of the sessions I attended presented valuable or highly valuable content. That did not come as a huge surprise, as when you try to find session space for 50,000 people you have to 'reach' a bit to find presentations to fill space. The hands-on labs had more value for me, though there were a fair number of technical difficulties.

Vendor Area

This is where the life of the party is: so many people hustling & bustling, playing vendor games and grilling prospects. In my first hour in the Vendor Expo areas I won a remote control car, $25 in Starbucks gift-cards and a customized baseball cap with "OH SSH IT" emblazoned on the front (courtesy of Venafi). It was loud.

Vendors gave presentations in a small box 'inside' the expo center (on both the north and south sides). These were warm areas, the volume was too high (to cut through the conference din) and the content was heavily branded/focused on what the vendors were selling. Something to keep in mind if you look at your conference guide and it shows a location of 'expo'.

(Subjective) Comparison to Black Hat, DEF CON and BSidesSLC

Overall, I'd rate the 'value' each conference provides in this order:

  1. BSidesSLC
    • The 2016 and 2017 years were easily the best conferences I've ever attended in terms of value per dollar.
  2. DEF CON
    • This is the conference I've attended most often (5 times over the last 5 years), and I keep going back for good reasons!
    • Not only is DEF CON reasonably priced, it attracts talented presenters and brings together a number of micro conferences all under the same roof (at least until it out-grows a single 'roof'!).
    • The value per dollar is immense. You'll meet awesome people, improve your skills and have some of the most stimulating and interesting conversations you'll ever have at a convention.
    • The vendor area is definitely 'hacker focused' and you can pick up some cool toys. I'm not sure how many of them are allowed on the plane, though, as I'm close enough to drive to Las Vegas (where the conference is held).
  3. Black Hat
    • Black Hat has a more 'professional' focus than either BSides or DEF CON events. The price is correspondingly higher. In fact, Black Hat has the highest cost of any security conference I've ever attended.
    • There are vendors everywhere, so if you are looking to spend a million dollars on 'enterprise' security gear or software, this is a good place to go to meet the vendors.
    • I LOVE the Arsenal at Black Hat. They bring together developers of open source security tools and let them give live demos right at the conference. I've learned more about some of my favorite tools this way than any other.
    • In recent years, my opinion is that the quality of the presentations has declined overall. Not sure how much of that is due to becoming more jaded as I get deeper into the subject matter and field.
    • This is my 'go to' professional security conference, assuming my employer has training $$$ left over for me to attend.
  4. RSA
    • Wow, I can't think of a more establishment-focused security convention. If you identify with the mission of big government security, huge multinationals or otherwise are 'into' security compliance to what could be an unhealthy degree, I think the RSA conference might be right up your alley.
    • The magic is truly gone at this conference, for the most part. While there are good technical presentations to be found, and I appreciate the availability of 'hands-on labs' that take multi-day trainings and compress them down to 2 hours, the overall feeling here is one of detachment and a lack of relevancy for people with the hacker mindset.
    • Vendors play a BIG part in the conference here, with there being FAR more vendors here than at Black Hat. This is a good place to try and blow a couple million dollars on security apparatus & software.
    • If you can get a free ticket, it would be worth popping in to get a sense of how the 'other half' live.