This year we decided to open up our Rapid7 Rapid Fire event to the infosec community as a whole, and the great questions and audience engagement at tonight's event prove what a great idea this was. All of us on the Rapid7 team are incredibly grateful to everyone who attended Rapid7 Rapid Fire tonight -- from our customers and UNITED attendees to the greater Boston infosec community.

This year we had a phenomenal panel of speakers:

  • Josh Corman @joshcorman (CTO, Sonatype)
  • David Kennedy @hackingdave (CEO & Founder, TrustedSec)
  • HD Moore @hdmoore (Chief Research Officer, Rapid7)
  • Chris Wysopal @weldpond (Co-Founder, CTO & CISO, Veracode)
  • Moderator: Paul F. Roberts @paulfroberts (The Security Ledger, Security of Things forum)

Watching a lively debate at #Rapid7social featuring @paulfroberts @WeldPond @hdmoore & @joshcorman - no one wins... pic.twitter.com/jphQDygMYk

— Nicholas J. Percoco (@c7five) June 16, 2015

For those who couldn't attend -- sorry we missed you! -- as we've covered before, this is a lively debate between some of the brightest minds in our industry, where a controversial opinion is debated with one expert arguing for and another against. That means someone is inevitably arguing for a position they (and their employer) fundamentally do not agree with. There's a lot of squirming in seats, but the stakes are high, as the audience votes on who argues the most convincing point and the loser has to drink. (And this year, the drink of choice was bourbon.) So as the debate goes on, things do get more... interesting.

To top it all off, the questions aren't exactly softballs. As you'll see below, our panelists had no-holds-barred topics to discuss contributed directly from our audience members:

  1. Should bug bounties replace security testing?
  2. Privacy is dead, agree or disagree? (And is that a good thing or a bad thing?)
  3. Should you trust a security vendor or partner just because you have a contract with them?
  4. Full disclosure (versus "responsible disclosure") - is it the voice of reason, or no?
  5. Do enterprise security teams spend too much money on things that don't work?
  6. Should the CISO report to the CEO? (And if not, who should they report to?)
  7. Are some companies just lazy about security because it's cheaper to pay the regulatory fines than to put proper security measures in place?
  8. Do we need more government & industry regulation to help make us safer and more secure?

You might think there's a clear answer for some of these questions, but keep in mind that someone in this debate has to argue the other side -- convincingly. To demonstrate this all in action, here's a clip of HD Moore & Josh Corman from the debate tonight on question number seven:

Our deepest thanks to our panelists and to our moderator for a fantastic hour of infosec debates -- and of course, a big thank you also to the great community and audience who asked these amazing questions!

Were you at Rapid7 Rapid Fire this year? What did you think? Your suggestions will help us shape this event next time, so I want to hear 'em!

~ @mvarmazis