Event Schedule

Please see below for the schedule of events for SnowFROC 2020. This schedule will be updated as required to reflect the most accurate information on presentations, room locations and general event scheduling. It's meant to be concise and easy to consume; details on the presentations and speakers are here.

Presentations

There are 15 scheduled presentations on a wide range of cyber security topics, divided into two arbitrary "tracks". Most talks are scheduled for 55 minutes; however, some are 25 minutes in length. Each presenter has been given instructions to make their presentation available, with the idea that their presentation will be shared on this website after the event. Please come prepared to listen, learn and ask questions; have fun!

Workshops

There are 3 scheduled workshops: Secure Coding Tournament by Secure Code Warrior, AWS Security Hub and Offensive WMI. Here is what you can expect:


Secure Coding Tournament by Secure Code Warrior

Improve your secure coding skills by joining our live Secure Coding Tournament by Secure Code Warrior. The tournament allows you to compete against other participants in a series of vulnerable code challenges that ask you to identify a problem, locate insecure code, and fix a vulnerability.


Offensive WMI

WMI has recently been publicized for its offensive use cases. Attackers, and now red teams, are discovering how powerful WMI can be when used beyond its original intent. This workshop intends to showcase how you can leverage WMI on assessments to do nearly anything you would want to do in a post-exploitation scenario.
To participate effectively in this workshop, attendees will need to bring a laptop with a Windows VM on which they have admin rights.


AWS Security Hub

This is going to rock!

CTFs


Security Innovation (CMD+CTRL)

The CMD+CTRL Cyber Range suite features intentionally vulnerable applications and websites that tempt players to steal money, find out their boss’s salary, purchase costly items for free, and conduct other nefarious acts. Hundreds of vulnerabilities, common to most business applications, lie waiting to be exposed.


RangeForce

Our on-demand, gamified training modules develop role-based operational cybersecurity skills through real-life scenarios that deliver training down to the command line. A fully integrated cyber range allows security teams to experience the feel of defending against a real cyberattack.

Danny Rosseau


PRESENTATION TITLE:
Moving resources to cloud services such as Microsoft's Azure simplifies deployment and maintenance of infrastructure and, to some degree, can make security tasks more straightforward and understandable. This assumes the service's tools are used safely and correctly, but documentation for the correct way to use these services is often difficult to find and, even when found, difficult to parse or outdated. Cloud deployments may sometimes use configurations that get the job done but do not consider security implications. This leads to a lot of errors that are, on the surface, trivial, but can lead to less secure infrastructure and have potentially large-scale consequences.
The aim of this presentation is to point out some of these configuration errors and introduce methods to automatically discover and, in some cases, fix them. We will also introduce a tool that fills in a missing piece of Azure security: easy automation. We make use of Azure's REST APIs to gather security-relevant information and collect it all in one place, simplifying the interface and removing non-security-relevant noise. We also provide tooling and a testing framework for analyzing this data.

SPEAKER BIO:
Danny is a security consultant at Carve Systems working on a wide array of projects including cloud infrastructure assessments. Before working as a security consultant he worked as a backend developer and as a quantum computing researcher in Tokyo. He works nearby out of Eagle, and is taking some time off from the spring snowboarding to come here and give a talk.

Information

SnowFROC (Front Range OWASP Conference) is Denver's premier application security conference and is taking place Thursday March 5th, 2020 for one day only.
SnowFROC includes breakfast, lunch, presentations, vendor giveaways, a panel discussion and optional hands-on training and workshops.

The location of this event is The Cable Center on the University of Denver campus near I-25 and University.
 

Meet the Team

Every year the Denver OWASP Board of Directors works diligently to bring our application security community the very best. This 100% volunteer team is comprised of:

Frank Vianzon

Matt Shufeldt

Steve Kosten

Brad Gable

Aaron Cure

Serge Borso

Floor Plan & Layout

Review the floor plan to see where each Presentation/Workshop/CTF is taking place.

Mobile Information

We're also on the Hacker Track app.

The Denver OWASP Chapter is proud to present SnowFROC '20!

SnowFROC (Front Range OWASP Conference) is Denver Colorado's premier application security conference and is taking place Thursday March 5th, 2020 for one day only. The location of this event is The Cable Center on the University of Denver campus near I-25 and University.


This Call For Papers (CFP) is open to anyone who would like to submit a presentation. The final date to submit your presentation is Sunday January 19th, 2020. If your presentation is selected, you will be notified by Friday January 31st, 2020.

 

Presentation Guidelines
Please ensure your topic falls under the realm of information security (appsec, crypto, emerging trends, privacy, compliance, technology, etc.). The basic guidelines are as follows:

  • Presentations should be detailed and in-depth; please avoid cursory overviews
  • Presenters will ideally be well versed in public speaking
  • A mixture of lecture and demos or hands-on presentations is encouraged
  • Focus the topic, presentation and delivery on actionable information that attendees can leverage and put to use
  • Allow sufficient time for Q&A or otherwise plan for audience participation

Presentations are slotted for 25 or 55 minutes, which accounts for your presentation time and Q&A and ensures the next presenter has time to set up and start promptly. Please plan your talk accordingly.

HDMI adapters, necessary dongles and microphones will be provided for your use.

Sales pitches, presentations focusing on commercial tools or vendors, and the like will not be accepted. You will be expected to submit your slide deck (if applicable) prior to the event and use a standard OWASP template for presentations (which will be provided to you).

As we are aiming for 400+ attendees, expect an audience of 50+ for your presentation. Go here to view last year's presentations, and use the form below to submit your presentation.