Schedule

SnowFROC consists of a managerial track, a technical track, hands-on training and a panel discussion. This schedule will continue to be updated on a regular basis and will detail times and the room locations of each presentation.


Keynote By:

JOHN STRAND




Technical Presentations

Name: Dan Cornell
Presentation Title:
Threat Modeling for IoT Systems

Name: Tyler Bell & Matt Knox
Presentation Title:
Security and DevOps in IoT: Finding the right balance to protect consumer IoT products

Name: Zach Giezen
Presentation Title:
A whale of a tale. (embattling your apps with Docker)

Name: Joseph Gerber & Christian Price & Chris Wells
Presentation Title:
Building Patterns for secure microservices, an approach and pattern zero candidate

Name: Matthew Fanto
Presentation Title:
Realizing Software Security Maturity: The Growing Pains & Gains

Name: Cody Cornell
Presentation Title:
Automate or Die

Name: Troy Mitchell
Presentation Title:
Defend Your Infrastructure from Evil with Kippo/Cowrie Honeypot

Name: Matt Tesauro
Presentation Title:
Continuous Security: Using Automation to Expand AppSec's Reach

Name: Tony Ramirez
Presentation Title:
The Attacker’s POV - Hacking Mobile Apps in Your Enterprise to Reveal Real Vulns and Protect the Business

Name: Jim Manico
Presentation Title:
OWASP Proactive Controls



Managerial Presentations

Name: Caroline Wong
Presentation Title:
The Only Reason Security Really Matters for DevOps

Name: Kimberly Decker
Presentation Title:
Evolving Threats: The Convergence of Computer Hacking and Biohacking

Name: Robert Wood
Presentation Title:
Design Thinking for DevSecOps Culture Building

Name: Demetrios Lazarikos (Laz)
Presentation Title:
Building and Nurturing Your Modern Information Security Risk Programs

Name: Robert Wood & Caroline Wong
Presentation Title:
Hacking Office Politics for Cybersecurity Leaders

Name: Caroline Wong
Presentation Title:
Are Organizations Too Confident About Application Security?



Hands-on Training

If you are signed up for training, be sure to bring a laptop that can run a virtual machine and has Wi-Fi. More details to come...

Lab 0: WIFI Hacking

Lab 1: Crypto

Lab 2: The Equifax Breach

Dan Cornell


PRESENTATION TITLE:
Threat Modeling for IoT Systems

PRESENTATION ABSTRACT:
The Internet of Things (IoT) is an exciting and emerging area of technology allowing individuals and businesses to make radical changes to how they live their lives and conduct commerce. The challenge with this trend is that IoT devices are just computers with sensors running applications. Because IoT devices interact with our personal lives, the proliferation of these devices exposes an unprecedented amount of personal sensitive data to significant risk. In addition, IoT security is not only about the code running on the device. These IoT devices are connected to systems that include supporting web services as well as other client applications that allow for management and reporting.
A critical step to understanding the security of any system is building a threat model. This helps to enumerate the components of the system as well as the paths that data takes as it flows through the system. Combining this information with an understanding of trust boundaries helps provide system designers with critical information to mitigate systemic risks to the technology and architecture. This presentation looks at how Threat Modeling can be applied to IoT systems to help build more secure systems during the design process, as well as how to use Threat Modeling when testing the security of IoT systems.

SPEAKER BIO:
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.
Cornell is an active member of the development community and a sought-after speaker on topics of web application security, speaking at international conferences including TEDx, RSA Security Conference, OWASP AppSec USA and EU and Black Hat Arsenal.

Kimberly Decker


PRESENTATION TITLE:
Evolving Threats: The Convergence of Computer Hacking and Biohacking

PRESENTATION ABSTRACT:
When did the first hack take place? Likely billions of years ago, perhaps as a targeted attack by a virus to penetrate a vulnerable organism or within an environmentally challenged bacterium, modifying its own genome in an attempt to protect itself from a cellular breach by a determined invader. We can learn much about creative attacks and defenses from the ancient hackers! For the last century or so, scientists have been leveraging these ancient biological processes to better understand how cells work and to fight disease. Today, we are seeing a convergence between biohacking and the ubiquitous security challenges facing our computer systems and networks. Recently, scientists hacked into a software program by encoding their “malware” into DNA. We know that bio-warfare has been used by several nation states in recent history and that the threat continues to escalate. What will future generations be thinking when they hear the word “hacker?”

SPEAKER BIO:
Kimberly Decker has a Ph.D. in Molecular Biology, with experience hacking genes to produce mutant mouse models and conducting research related to diabetes and cancer. Prior to her career in the biomedical sciences, Kimberly worked in the software industry writing documentation for several development tools and managing the software life cycle as a product manager. She currently co-owns Blue Prairie, a company that markets Cloudstreet Portal, a SaaS document management system and BP Forms, a product that gives legacy business applications access to modern printing capabilities. Kimberly is currently enrolled as a student in the CORE Bootcamp program at SecureSet Academy in Denver.

Demetrios Lazarikos (Laz)


PRESENTATION TITLE:
Building and Nurturing Your Modern Information Security Risk Programs

PRESENTATION ABSTRACT:
In this presentation, three-time CISO, Demetrios Lazarikos (Laz), will explore topics that are top of mind for Fortune 1000 Executives, Board of Directors, and practitioners that have direct involvement in building and assessing modern Information Security strategies and programs. Additionally, Laz will provide real world examples and best practices to effectively create, support and evaluate the lifecycle of Cyber Security programs - a pragmatic session that is not to be missed.

SPEAKER BIO:
Demetrios Lazarikos (Laz), a recognized visionary for building Information Security, fraud, and big data analytics solutions, is the Founder and IT Security Strategist for Blue Lava Consulting.
Laz has more than 30 years' experience in building and supporting some of the largest InfoSec programs for Financial Services, Retail, Hospitality, and Transportation verticals. He is a three-time former CISO and some of his past roles include: CISO at vArmour, CISO at Sears, CISO at Silver Tail Systems (acquired by RSA/EMC), VP of Strategic Initiatives at ReddShell Corporation (acquired by TrustWave), and a former PCI QSA. Laz is an Adjunct Professor at Pepperdine University's Graziadio School of Business and Management, holds a Master’s in Computer Information Security from the University of Denver, an MBA from Pepperdine University, and has earned several security and compliance certifications.

Caroline Wong


PRESENTATION TITLE:
The Only Reason Security Really Matters for DevOps

PRESENTATION ABSTRACT:
This talk begins by exploring the answer to the question, why does DevOps matter? Businesses do what they need to do to survive and succeed. If their customers need agility, then they will evolve to accommodate that.
Next, key differences between the pre-DevOps world and the post-DevOps world are discussed. Before, it was about on-premise, protecting the perimeter, and enforcing gates in the SDLC. Now, supply chain is king. Applications and APIs matter more and more. And everything is mobile.
A detailed look at 10 companies "killing it at DevOps" reveals that for agile companies, security is a strategic business driver. It prevents unplanned work and re-work, and security requirements are explicitly specified during the sales process as part of vendor security assessments.
Additional drivers also include avoiding bad press and compliance reasons - both of which, if you look under the covers, are ultimately about getting more sales. This presentation analyzes the actual language in Bill Gates' Trustworthy Computing memo to see that in fact even Microsoft's "noble" initiative was "all about the money."
That being said, what's a security professional to do? BSIMM has 113 controls, ISO27017 has 121, and CCM has 133. It's enough to make a person's brain explode.
This session concludes with expert recommendations on how to think about security for DevOps in a way that aligns with a modified version of the NIST Cybersecurity Framework. The 5 points (Identify, Prevent, Detect, Respond, and Recover) are simplified down to just 3 (Identify, Prevent, and React) and the end of the session covers detailed recommendations on how to incorporate practical security concepts into a DevOps environment using this uncomplicated framework.

SPEAKER BIO:
Caroline Wong is the Vice President of Security Strategy at Cobalt (www.cobalt.io).
Caroline’s close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager, and day-to-day leadership roles at eBay and Zynga. She is a well-known thought leader on the topic of security metrics and has been featured at industry conferences including RSA (USA and Europe), OWASP AppSec, and BSides.
Caroline was featured as an Influencer in the 2017 Women in IT Security issue of SC Magazine and has been named one of the Top Women in Cloud by CloudNOW. She received a 2010 Women of Influence Award in the One to Watch category and authored the popular textbook Security Metrics: A Beginner’s Guide, published by McGraw-Hill in 2011. Caroline graduated from U.C. Berkeley with a B.S. in Electrical Engineering and Computer Sciences and holds a certificate in Finance and Accounting from Stanford University Graduate School of Business.

Caroline Wong & Robert Wood


PRESENTATION TITLE:
Hacking Office Politics for Cybersecurity Leaders

PRESENTATION ABSTRACT:
Who cares about office politics? At the end of the day, isn't it all about doing what's best for the business by protecting its assets? Or implementing the best technical idea? Sadly, no.
Technically savvy cybersecurity professionals often find themselves performing well in individual contributor roles and then getting promoted to management and executive positions. The rules of engagement, however, change as one moves up the corporate ladder. How does a cybersecurity leader communicate to non-cybersecurity experts the value of a program and all the expense that goes along with implementing information security activities? What's the best way to ensure that optimal decisions for the business are made when push comes to shove?

SPEAKER BIO:
Robert Wood is the Chief Security Officer at SourceClear, responsible for the strategic vision and technical direction of SourceClear's security program and security research team. Throughout Robert's career he has worked with, advised, and led many security programs and initiatives including the trust and security program at Nuna Health and the red team practice at Cigital. Robert has always placed an enormous emphasis on adversarial thinking and strategic planning in his work and applies it everywhere he can.

Caroline Wong is the Vice President of Security Strategy at Cobalt (www.cobalt.io).
Caroline’s close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager, and day-to-day leadership roles at eBay and Zynga. She is a well-known thought leader on the topic of security metrics and has been featured at industry conferences including RSA (USA and Europe), OWASP AppSec, and BSides.
Caroline was featured as an Influencer in the 2017 Women in IT Security issue of SC Magazine and has been named one of the Top Women in Cloud by CloudNOW. She received a 2010 Women of Influence Award in the One to Watch category and authored the popular textbook Security Metrics: A Beginner’s Guide, published by McGraw-Hill in 2011. Caroline graduated from U.C. Berkeley with a B.S. in Electrical Engineering and Computer Sciences and holds a certificate in Finance and Accounting from Stanford University Graduate School of Business.

Tyler Bell & Matt Knox


PRESENTATION TITLE:
Security and DevOps in IoT: Finding the right balance to protect consumer IoT products

PRESENTATION ABSTRACT:
Many standard DevOps practices have the unexpected benefit of solving common IT security problems. As the world continues to move toward connecting critical infrastructure, everyday appliances, and even the simplest toys to the cloud, the integration of security and DevOps is becoming increasingly important. Our talk aims to explore the intersection of DevOps and security in the IoT world from the perspective of internal DevOps and security teams.
It is all too common that IoT companies wait until their first product release, or even multiple product releases, before they begin thinking about security, much less a fully developed security program. Decentralized product management leads to fragmented architecture, differing toolsets, numerous frameworks, and duplication of effort, leading to wasted time and dollars. SecDevOps professionals have begun identifying these common problems and working on ways to address them in existing companies -- or, even better, those that are just getting started on the architecture of their product.
DevOps practices already begin to remediate these common issues, and in combination with best security practices begin to define a secure IoT product and IoT end user experience. In this talk, we will discuss real-life scenarios where SecDevOps improved the IoT development lifecycle and remediated many common vulnerabilities that plague this space today.

SPEAKER BIO:
Tyler Bell is Director of Application Security at AppliedTrust (a Flexential company) and spends much of his time developing penetration testing methodology, leading assessments, security architecting, and managing clients. Tyler graduated from Oklahoma State University and moved to Colorado in 2012. He likes watching rock and metal concerts at local, small venues and new talent night at ComedyWorks at Larimer Square.

Matt has been working in various roles in the tech industry since graduating from Northern Michigan University in 2011. He currently lives in Denver, CO and is focused on DevOps and security best practices for Sphero’s many IoT devices. In Denver, Matt is very active in the tech community and has helped organize the Denver DevOpsDays conference since its inaugural event in 2015.

Zach Giezen


PRESENTATION TITLE:
A whale of a tale. (embattling your apps with Docker)

PRESENTATION ABSTRACT:
What: Growing and adopting new technologies is a good thing. However, when there are so many configuration options, loopholes, misleading information and gotchas, it can be difficult to use them effectively.

Why: Despite the age of process isolation technology, many application security folks don’t understand or may not know about the intricacies or configuration options that can be used with modern implementations. This talk is focused on bringing that into the light through discussion and demonstration.

How: Using a series of demonstrations, consisting of both network and file exploitations, we will walk through recent process isolation technologies, like Docker, and how they can be correctly configured to bolster known vulnerable applications.

Results: Not every web application vulnerability can be remediated immediately. It takes time to develop the correct fix. Using options outlined herein, we may be able to mitigate vulnerabilities; defanging them while affording developers the time necessary to create the permanent solution.

Conclusion: Using many of the configuration options covered in this presentation, not only can new process isolation technologies help to scale web apps, they can help protect them as well.

SPEAKER BIO:
Armed motorcycle wielding NRA member.
Husband of homeschooling supermom, father to 4 exceedingly intelligent offspring.
Choosing to spend my days mentoring the future veteran battlers of cyber evildoers.

Joseph Gerber & Christian Price & Chris Wells


PRESENTATION TITLE:
Building Patterns for secure microservices, an approach and pattern zero candidate

PRESENTATION ABSTRACT:
So, you’ve committed to a micro-services journey? Well done! But what does that mean from a security point of view? Whether you are decomposing a monolith or building in a green field there are a plethora of design decisions to be made, many of which have security implications. But is there a well vetted catalog of well-known patterns and relevant security implications to draw from?
In civil engineering, one can look up a pattern for a truss that is known to hold a given amount of weight, and has worked for centuries. In electrical engineering, one can look up a pattern for a circuit that actually works. In software engineering, is there a way to build appsec design patterns so that software will have consistent, repeatable levels of security?
The promises of a micro-services architecture are many, and include: shorter time-to-value to deliver new features (faster innovation), simpler ops/maintenance/testing, greater resilience to failure, etc. But the reality is that many initial forays into microservices simply reproduce complicated webs of interdependence and implicit trusts. The result is complex systems that are likely to fail in interesting ways when under stress.
To gain the benefits of microservices and deliver on the vision of simplicity, reliability, security and speed, we need a catalog of generic design patterns for microservices and microservice interactions. Drawing from a combination of software design patterns, cloud security good practices, and industry thought leadership (Jericho Forum, Zero-Trust, BeyondCorp, etc.) we will present an initial set of patterns designed to start the conversation and inspire collaboration and contribution.
Join us as we discuss how to create a software design pattern stack, test it, and redesign it to evolve a repeatable, usable framework for software security. We will walk through version zero of our cloud-based, micro service architecture as a straw-man example of this concept of evolving software security as a discipline of engineering and science, rather than as guess-work to be created under deadline pressure. The (old) pattern is dead, long live the (new) pattern!

SPEAKER BIO:
Christian Price has over a decade of experience in various information security domains and is passionate about transforming how security teams contribute value and unlock innovation. He is currently a cloud security architect, has led 2-pizza teams to develop security services for a cloud security service catalog and enjoys the disruptive nature of clouds because they force us to challenge convention and to innovate.

Chris Wells has deployed security solutions for major healthcare, online retail, telecommunication, and financial industries. He is an accomplished application security architect with over 15 years of application security experience. Chris holds multiple security certifications including Certified Information Systems Security Professional (CISSP), and holds a Bachelor's degree from the University of Minnesota.

Joe Gerber has over a decade of app sec experience, and came up through the ranks as a software engineer, software designer and architect. He is passionate about creating software design patterns that can improve how software works.

Robert Wood


PRESENTATION TITLE:
Design Thinking for DevSecOps Culture Building

PRESENTATION ABSTRACT:
As security professionals we’re all curious, we wonder how certain technologies work, how they break, and what we can do to manipulate this digital world around us. Our curiosity often stops when it comes to culture change, to understanding people, teams, and the many challenges they are going through relative to our own. As we charge full steam into the age of DevSecOps, we owe it to ourselves to put that natural curiosity to work through design thinking; to build cultures that work for each of us. Design thinking is intended to bridge the gap between differing opinions and objectives across development, operations, and security to find outcomes that are desired, technically feasible, and economically viable in each unique team and company situation. Stop trying to fit square pegs into round holes, start designing your way towards successful outcomes.

SPEAKER BIO:
Robert Wood is a security technologist, strategic advisor, and speaker. He is currently the Chief Security Officer at SourceClear, where he is responsible for the strategic vision and technical direction of SourceClear's security, privacy, and compliance program and the security research team. Throughout Robert's career he has worked with, advised, and led many security programs and initiatives including the trust and security program at Nuna Health and the red team practice at Cigital. Robert has always placed an enormous emphasis on adversarial thinking and strategic planning in his work and applies it everywhere he can. Twitter handle: @cybercareerhack

Matthew Fanto


PRESENTATION TITLE:
Realizing Software Security Maturity: The Growing Pains & Gains

PRESENTATION ABSTRACT:
Software security maturity is often diluted down to the OWASP Top 10, leaving organizations with a simplistic & ineffective view of risks represented by their real-world attack surface. Where do these organizations then go, to realize a strategy that considers the complexity of their production stacks, including frameworks, platforms, languages, & libraries? This talk will focus on leveraging a software assurance maturity model to benchmark coverage & consistency of application security across the software development lifecycle.
If your organization has been considering formalizing your application security program, or just don’t know where to start, come to this talk to find out the pitfalls and opportunities of using a maturity model to guide a successful and ever-maturing application security program. Learn from Duo Security’s Application Security team about the benefits, challenges, and outcomes of what it takes to enable engineering & product teams to excel at their jobs, while providing

SPEAKER BIO:
Matthew Fanto is a Senior Application Security Engineer at Duo Security. Matt specializes in software development and architecture design with a focus towards security and cryptography. He has previously worked as a cryptographer for the National Institute of Standards and Technology (NIST), and as a cryptographer and security researcher in automotive security for Ford, Panasonic, and Bosch.

Cody Cornell


PRESENTATION TITLE:
Automate or Die

PRESENTATION ABSTRACT:
Cyber security operations and incident response teams are drowning in attack and alert volumes. This talk will explain how to better execute a multi-pronged approach to cyber security by leveraging security automation and orchestration to optimize your SOC.

Attack volumes, a lack of available skilled resources, and the need to deploy an ever-increasing number of specialized cyber security platforms are creating a tidal wave of activities that are exceeding security operations teams' capacities. Without automation of high volume, low complexity tasks, security teams will never have the available bandwidth to focus on more valuable security efforts. When properly implemented, security automation and orchestration platforms can extend the capabilities of existing SOC personnel and reduce operating costs, while delivering faster and more consistent incident response and better security. These platforms can also track key performance indicators to better understand and optimize security processes on an ongoing basis. This presentation will not be vendor or solution focused, but will focus on use cases, typical implementations, and the low hanging fruit that organizations can focus on even without technology investments.

SPEAKER BIO:
Cody Cornell is the Founder and CEO of Swimlane, a leading provider of Security Automation and Orchestration solutions. He has over 15 years of experience in information technology and security, including roles with the U.S. Defense Information Systems Agency (DISA), the Department of Homeland Security (DHS), American Express and IBM Global Business Services. Mr. Cornell has presented at forums such as the Secret Service Electronic Crimes Task Force, the DHS Security Subcommittee on Privacy, and as a guest on NPR. He is a strong advocate for the open exchange of security information and deep technology integration, to maximize the value that organizations receive from their investments in security operations technology and personnel.

Troy Mitchell


PRESENTATION TITLE:
Defend Your Infrastructure from Evil with Kippo/Cowrie Honeypot

PRESENTATION ABSTRACT:
Defending your Infrastructure from Evil can be easier than you think. The use of Kippo/Cowrie honeypots and honeytokens is a great way to gather real time threat intel.

This talk will guide you through the installation, configuration, maintenance, and most importantly, the customization of Kippo/Cowrie honeypots.

Statistics generated from your honeypot database, using Kippo-Graph, will generate targeted, up to the second data that will help you protect your infrastructure. This data includes Geolocation information, usernames and passwords and downloaded files used during an attack. You can even watch the actual attack as it happened, keystroke by keystroke, using Kippo-Graph’s session replay.

Live Demos to include:

1) Hacking our newly created Kippo/Cowrie Honeypot, using several well-known tools and scripts with Kali Linux.

2) Tracking our newly created Honeytokens via Email and Geolocation. Honeytokens will help you sweeten the pot when it comes to luring your attacker so you can gain a better understanding of your attacker’s Tactics, Techniques and Procedures (TTPs) within Cyber Threat Intelligence.

3) Honeypot Data Analysis, using the captured data from our Live Demos.

When you are done with my presentation, you will be able to take back to your company an actionable step-by-step guide that will help you successfully defend your infrastructure from Evil!

SPEAKER BIO:
Troy Mitchell is a Senior Cyber Security Engineer at Jacobs Engineering (formerly CH2M). His main focus includes Incident Response, Forensics, Threat Intelligence, Malware Analysis and Cyber Deception. Troy has written custom applications to automate and orchestrate security systems globally, using many languages, including Microsoft .NET, PowerShell, and Python. He has served in many roles in the Information Technology and Security industries for over 25 years.

Troy has held various technical positions in the private and government sectors, including the Department of Defense (DoD) and the FAA. Troy holds many professional certifications, including Certified Ethical Hacker (CEH), VMware VCP, and MCSE: Security. He frequently uses his knowledge and experience to mentor others in the field of Information Technology. Troy is a member of several professional organizations, including OWASP and ISSA. Troy currently lives with his family in Aurora, Colorado.

Matt Tesauro


PRESENTATION TITLE:
Continuous Security: Using Automation to Expand AppSec's Reach

PRESENTATION ABSTRACT:
Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This talk provides an overview of key application security automation principles and provides real-world experiences of creating AppSec Pipelines augmented with automation in multiple enterprises. Getting started can feel overwhelming, but this talk provides coverage of the fundamental building blocks of adding automation to an AppSec program, including API integration, webhooks, Docker, ChatOps and a vulnerability repository to manage all the issues discovered. The talk uses a fictitious company to demonstrate how it transformed its ability to assess the security of the applications in its inventory. Beyond this ‘case study’, multiple potential architectures for AppSec automation will be covered with the goal of inspiring the audience to adopt one of these for their program. By taking an example and customizing it to fit their situation, attendees will have a roadmap to start their security automation journey.

SPEAKER BIO:
Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Prior, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is a broadly experienced information security professional of 15 years specializing in application and cloud security. He has also presented and provided trainings at various international industry events including DHS Software Assurance Workshop, OpenStack Summit, SANS AppSec Summit, AppSec US, EU and LATAM. His work has included security consulting, penetration testing, threat modeling, code reviews, training and teaching at the University of Texas and Texas A&M University. He is a former board member of the OWASP Foundation and project lead for OWASP AppSec Pipeline & WTE projects. WTE is a collection of application security testing tools and the AppSec Pipeline project brings lessons from DevOps and Agile into Application Security. He holds two degrees from Texas A&M University and several security and Linux certifications.

Tony Ramirez


PRESENTATION TITLE:
The Attacker’s POV - Hacking Mobile Apps in Your Enterprise to Reveal Real Vulns and Protect the Business

PRESENTATION ABSTRACT:
In this eye-opening session, Tony Ramirez will uncover and expose how attackers identify and exploit mobile app security vulnerabilities in commercial and custom mobile apps to compromise your enterprise. Through a series of live scenarios using open source and other tools from the attacker POV, Brian will crack and exploit vulnerabilities in mobile apps to steal sensitive data and gain access to systems… and then share best practices on how to protect yourself and your enterprise. Don’t miss this startling presentation!

SPEAKER BIO:
As a senior mobile security analyst at NowSecure, Tony Ramirez enhances test coverage for penetration testing of iOS and Android mobile apps. His expertise in mobile wows customers as he troubleshoots their obstacles in performing mobile app security assessments. He has spoken at numerous OWASP events and enjoys sharing his extensive knowledge of mobile security solutions. Tony holds a master’s degree in cyber forensics and security from Illinois Institute of Technology.

Caroline Wong


PRESENTATION TITLE:
Are Organizations Too Confident About Application Security?

PRESENTATION ABSTRACT:
Security is an increasingly important priority for many organizations; however, it's still a trade-off. Resources can be invested in more security controls, or they can be invested in developing new products and features.

A concept that comes into play when deciding how to appropriately prioritize security controls is that of risk tolerance. It's not quite as easy as asking product and engineering leaders to rate their risk tolerance on a scale of 1-10.

This session will discuss a few approaches to leading a productive discussion about risk tolerance in order to justify security spend and investment for an organization.

SPEAKER BIO:
Caroline Wong is the Vice President of Security Strategy at Cobalt (www.cobalt.io).
Caroline’s close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager, and day-to-day leadership roles at eBay and Zynga. She is a well-known thought leader on the topic of security metrics and has been featured at industry conferences including RSA (USA and Europe), OWASP AppSec, and BSides.
Caroline was featured as an Influencer in the 2017 Women in IT Security issue of SC Magazine and has been named one of the Top Women in Cloud by CloudNOW. She received a 2010 Women of Influence Award in the One to Watch category and authored the popular textbook Security Metrics: A Beginner’s Guide, published by McGraw-Hill in 2011. Caroline graduated from U.C. Berkeley with a B.S. in Electrical Engineering and Computer Sciences and holds a certificate in Finance and Accounting from Stanford University Graduate School of Business.

Jim Manico


PRESENTATION TITLE:
OWASP Proactive Controls

PRESENTATION ABSTRACT:
Software developers are the foundation of any application. But building secure software requires a security mindset. Unfortunately, obtaining such a mindset requires a lot of learning from a developer.

The OWASP Top 10 Proactive Controls aims to lower this learning curve. It covers ten security controls that are crucial in virtually every application. This session gives an overview of 10 common security problems and how to address them. We will go over numerous security anti-patterns and their secure counterparts. Throughout the session, you will get a good overview of common security issues. In the end, you will walk away with a set of practical guidelines to build more secure software.

This session is intended for anyone building, designing or securing applications.

SPEAKER BIO:
Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also the founder of Brakeman Security, Inc. and is an investor/advisor for Signal Sciences. Jim is also a frequent speaker on secure software practices, is a member of the JavaOne rockstar speaker community and is the author of "Iron-Clad Java: Building Secure Web Applications" from McGraw-Hill and Oracle Press. Jim also volunteers for the OWASP Foundation, where he helps build application security standards and other documentation. For more information, see http://www.linkedin.com/in/jmanico

Thank You Sponsors!

For sponsorship opportunities please contact Kathy (kathy DOT thaxton@owasp.org).

Volunteer

For volunteer opportunities please contact Kathy (kathy DOT thaxton@owasp.org)

Information

SnowFROC 2018 will be held March 8, 2018 at the Cable Center Denver. SnowFROC is Denver’s premier Application Security Conference of the year. We will host over 450 developers, business owners, and security professionals for a day of presentations, training and bonding.

John Strand, Owner of Black Hills Information Security, will give the keynote address. This will be followed by a 2-track collection of informational sessions and a parallel hands-on training track, all presented by world-class speakers. A panel discussion with industry leaders in the security field will wrap up the day. The location of this event is The Cable Center on the University of Denver campus near I-25 and University.

The Denver OWASP Board of Directors & Organizers is proud to present SnowFROC'18!

SnowFROC (Front Range OWASP Conference) is Denver's premier application security conference and is taking place Thursday March 8th, 2018 for one day only. The location of this event is The Cable Center on the University of Denver campus near I-25 and University.


This Call For Papers (CFP) is open to anyone that would like to submit a presentation. The final date to submit your presentation is Wednesday January 31, 2018 - if your presentation is selected you will be notified by Sunday February 4th.


Presentation Guidelines
Please ensure your topic falls under the realm of information security (appsec, crypto, emerging trends, privacy, compliance, technology, etc.). The basic guidelines are as follows:

  • Presentations should be detailed and in-depth; please avoid cursory overviews
  • Presenters will ideally be well versed in public speaking
  • A mixture of lecture and demos or hands-on presentations is encouraged
  • Focus the topic, presentation and delivery on actionable information that attendees can leverage and put to use
  • Allow 7-15 minutes for Q&A or otherwise plan for audience participation

Sales pitches, presentations focusing on commercial tools or vendors and the like will not be reviewed for acceptance. You will be expected to submit your slide-deck (if applicable) prior to the event and use a standard OWASP template for presentations.

Expect an audience of 50+ for your presentation. Reach out to Kathy (kathy DOT thaxton@owasp.org) with any questions or to see past submissions, and use the form below to submit your presentation.