CanSecWest

CanSecWest is an annual computer security conference held in Vancouver, British Columbia, showcasing research in information security, applied cryptography, vulnerability research, intrusion analysis, and exploit development. Founded in the early 2000s, it quickly gained prominence alongside Black Hat, DEF CON, and RSA Conference as a venue where academic researchers, industry practitioners, and government representatives present advanced technical work. The event is noted for its combination of peer-reviewed presentations, hands-on workshops, and a high-profile competitive component that drives vulnerability disclosure and defensive innovation.

History

CanSecWest was inaugurated in 2004 during a period of rapid expansion in the information security community that included events such as Black Hat USA 2004, the maturation of CERT Coordination Center, and the growth of the Open Web Application Security Project. Early editions attracted researchers associated with institutions like University of California, Berkeley, Carnegie Mellon University, and industry groups including Microsoft Research and Google Project Zero. Over successive years the conference featured work connected to projects from Mozilla Foundation, Apple Inc., and Adobe Systems while maintaining ties to regional organizations such as British Columbia Institute of Technology and University of British Columbia. CanSecWest evolved its program to balance academic rigor with practical exploit demonstrations, reflecting trends exemplified by conferences like Usenix Security Symposium and IEEE Symposium on Security and Privacy.

Conference Format and Activities

The conference program combines curated technical talks, multi-day workshops, and panel discussions similar to formats used at ACM SIGCOMM and USENIX. Sessions have been delivered by researchers from Microsoft, Google, Intel Corporation, AMD, and independent security firms including FireEye, Kaspersky Lab, and Trend Micro. Workshops frequently partner with organizations such as SANS Institute and OWASP to provide training on topics ranging from exploit mitigation research to reverse engineering techniques employed by teams at Symantec and McAfee. Panels have included participants from national agencies like Canadian Security Intelligence Service and regulatory bodies such as Communications Security Establishment. The conference venue and schedule are structured to facilitate networking among professionals from Cisco Systems, Amazon Web Services, IBM Research, and academic groups at Massachusetts Institute of Technology and Stanford University.

Notable Speakers and Presentations

Over its history CanSecWest has hosted speakers who also presented at leading venues like Black Hat Europe and DEF CON, including figures associated with Charlie Miller, Dmitry Sklyarov, HD Moore, and Joanna Rutkowska. Presentations have covered exploits and defenses relevant to vendors such as Microsoft Corporation, Apple Inc., Google LLC, Adobe Systems Incorporated, and Oracle Corporation. Work on kernel hardening and memory safety has been presented by researchers from University of Cambridge, ETH Zurich, and Tel Aviv University, while talks on web security referenced exploits targeting platforms from WordPress Foundation, Drupal Association, and MediaWiki. Notable demonstrations included techniques later discussed at IEEE S&P and ESORICS and projects involving teams from Facebook, Twitter, and LinkedIn Corporation.

Pwn2Own Competition

CanSecWest is the venue for the Pwn2Own competition, a high-profile exploit contest originally hosted by organizations such as Zero Day Initiative and coordinated with vendors including Microsoft and Google. Pwn2Own challenges competitors to exploit widely used software and devices from companies like Apple Inc., Google LLC, Microsoft Corporation, Tesla, Inc., and VMware, Inc. under controlled conditions. Successful exploits must demonstrate reliable code execution or privilege escalation on targets such as Microsoft Windows, Apple macOS, Google Chrome, Mozilla Firefox, and mobile platforms supported by Apple and Google. Rewards and disclosures are managed in collaboration with brokerage and vulnerability-purchasing entities including Trend Micro's Zero Day Initiative and corporate security teams at Intel Corporation and AMD. The competition has driven disclosures later adopted in advisories issued by organizations like CERT/CC and vendor-specific security response teams such as Microsoft Security Response Center and Google Project Zero.

Impact and Controversies

CanSecWest's open demonstration of zero-day exploits and aggressive vulnerability research has had a measurable impact on vendor patching cycles, affecting companies such as Microsoft, Apple, Google, Adobe Systems, and Oracle. The conference has influenced defensive innovations like address space layout randomization popularized in projects at OpenBSD, and hardware mitigations discussed in collaboration with Intel and AMD. At the same time, the visibility of exploit techniques has prompted debate similar to controversies at Black Hat and DEF CON regarding full disclosure versus coordinated vulnerability disclosure, involving stakeholders like CERT Coordination Center, Zero Day Initiative, and national security agencies including National Security Agency and Communications Security Establishment. Ethical discussions at the conference have engaged academics from Harvard University and University of Oxford as well as corporate legal counsels from Microsoft and Google concerning responsible disclosure policies, exploit weaponization, and the role of competitive incentives in security research.

Category:Computer security conferences