2019 Presentations

Career Paths in ITSec - Tradeoffs, Options[ 1MB ]

Using Security Champions to Build a DevSecOps Culture Within Your Organization [ 2MB ]

Automatically find and fix security misconfigurations in Azure deployments [ 64MB ]

HAM Radio 4 Hackers [ 2MB ]

Injecting Security Controls in Software Applications [ 3MB ]

How to Frida Good [ 43MB ]

Shift Left: Cloud Security in a CI/CD World [ 1MB ]

Serverless Security: A How-to Guide [ 64MB ]

AppSec In A World Of Digital Transformation [ 1MB ]

Enumerating Enterprise Attack Surface [ 4MB ]

2018 Presentations

John Strand's Keynote

Realizing Software Security Maturity

Security and DevOps in IoT_ Finding the right balance to protect consumer IoT products


Defend Your Infrastructure from Evil with Kippo_Cowrie Honeypot

A whale of a tale

Pattern Zero

Continuous Security Using Automation to Expand AppSec's Reach

Threat Modeling For IoT Systems


Are Organizations Too Confident about Application Security

Why does Security matter for DevOps

OWASP Top Ten Proactive Controls

Schedule & Training

SnowFROC consists of presentations by industry experts, hands on training (workshops), the CMD+CTRL Cyber Range, Range Force and a panel discussion.

The CFP closed on January 19th with speaker/presentation selection to occur by January 31st - so please check back in early February for solidified schedule details.

A general outline of the events of the day are below and will be updated as time draws nearer:

Keynote By:


8AM - 9:00AM: Registration and Breakfast [Great Hall]

9AM - 9:50AM: Keynote [Great Hall]

10AM - 12PM: Workshops, Presentations, CTF

12PM - 1PM: Lunch and Vendor giveaway #1

1PM - 4PM: Workshops, Presentations, CTF continue

3:30PM - 5PM: Happy Hour

4PM - 5:30: Panel Discussion, Vendor giveaway #2, Closing

SDR Workshop Additional Information:

  • SDR vs regular radio
  • Carrier and modulation
  • DB
  • Antennas
  • Types of sdrs - pricing, range, transmit & receive

Goal 1: Installation of sdr & Installation of rtl dongle
Goal 2: Simple use of sdr for broadcast FM & Transmit broadcast FM
Goal 3: Reception of ham radio with NFM & Broadcast on call frequency
Goal 4: Installation of PDW & Installation of Virtual audio cable/Decode paging
Goal 5: Installation of DSD and plugin & Reception of DSD and decoding audio
Goal 6: rtl1090 adsb
Goal 7: Satellite weather
Goal 8: Installation of GNURadio for windows
Goal 9: Signal source, throttle block, wx fft & Add slider variable
Goal 10: Show SDR angel transmit FM radio & FM radio receive in GNURadio

Devin Noel & Eric Watkins

HAM Radio 4 Hackers

Introduction into the basics of Radio Frequency (RF). Why it's important to get licensed, better understand RF and be able to legally transmit. We'll address how ham radio relevant to hackers in the modern Software Defined Radio era. We'll have a live DEMO with audience participation, please bring your RTL-SDR and an OTG dongle so you can try out decoding an RF signal using your mobile device.

Eric Watkins: KR0VER- Is a security architect who is interested hacking all things RF. Devin Noel: N7HKR - Is a security engineer who enjoys hacking and doing other cool things with technology.

Jim Manico

The Last XSS Defense Talk

Why are we still talking about Cross Site Scripting in 2019? Because it's painfully difficult to defend against XSS even to this day. This talk is a fundamental update to the 2011 AppSec USA talk "The Past Present and Future of XSS Defense". We'll address new defensive strategies such as modern JavaScript framework defense in Angular, React and other frameworks. We'll also look at how CSP deployment has changed in the past 7 years illustrating the progressive use of content security which supports CSP v1, v2 and v3 concurrently. We will then look at advances in HTML sanitization on both the client and server and focus on sanitizers and defensive libraries that have stood the test of time in terms of maintenance and security. We'll also look at interesting design topics such as how HTML injection is still critical even in the face of rigorous XSS defense and how HTTPOnly cookies are largely ineffective. This talk should help developers and security professionals alike build a focused and modern strategy to defend against XSS in modern applications.

Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is an investor/advisor for Signal Sciences and BitDiscovery. Jim is a frequent speaker on secure software practices, is a member of the JavaOne rockstar speaker and Java Champion community and is the author of "Iron-Clad Java: Building Secure Web Applications" from McGraw-Hill and Oracle Press. Jim also volunteers for the OWASP foundation where he helps build application security standards and other documentation.

Kevin Cody

How to Frida Good

There are currently between seven and eleventy billion mobile applications in Apple and Google app stores. Users have on average 150 mobile applications on their devices and screen time varies from 5-10hrs per day. Needless to say, we are entrenched in mobile applications and at the mercy of the security of the devices and applications. Over the years there have been many tools released for instrumenting and debugging mobile applications for security purposes, such as Snoop-it, Drozer, cycript, lldb, etc. Frida was released in late 2013, but really started taking a stronghold in mobile application security testing when the other tools became less useful or unmaintained. But how can we best use Frida, what is too deep, and what other tools can we use to improve our mobile testing methods? Join David and Kevin as they walk you through examining functionality of both iOS and Android apps to learn how they work, and dynamically instrument the applications as they are used. You should walk away with a better idea of how powerful Frida is, and how miserable mobile application security is if an attacker has physical access to a device.

Kevin Cody has been in the security space since 2011 where he's lead extensive client engagements across grey/white-box web application assessments, architecture threat models, and security architecture reviews. Although his particular expertise is geared toward hacking Web and Mobile applications, he is also experienced in the entire gamut from mainframes to embedded systems. Kevin is adamant on helping build-up developers through security, which can be seen in his involvement within OWASP or while speaking at events like CodeMash or BSides. Kevin is dedicated to enthusiastic and dynamic learning as a means of striving to achieve business priorities, service levels, and mitigating risk.

James Wickett

A How-to Guide

No more servers (that you manage) means way less security problems, right? Not so fast. Risk is neither created or destroyed in serverless architectures, it is merely transferred.
This talk covers the four areas of growth for security in the world of serverless. In each of the four areas we will take a look at practices and tooling needed for security to adapt. We will also cover lambhack, an open source, vulnerable lambda-based serverless stack with demos including arbitrary code execution in AWS Lambda.

James spends a lot of time at the intersection of the DevOps and Security communities. He works as Head of Research at Signal Sciences and is a supporter of the Rugged Software and DevSecOps movements. Seeing the gap in software testing, James founded an open source project, Gauntlt, to serve as a Rugged Testing Framework. He is the author of several security and DevOps courses onLinkedIn Learning, including: DevOps Foundations, Infrastructure as Code, DevSecOps: Automated Security Testing, Continuous Delivery (CI/CD), and Site Reliability Engineering.
He got his start in technology when he founded a startup as a student at the University of Oklahoma and has since worked in environments ranging from large, web-scale enterprises to small, rapid-growth startups. He is a dynamic speaker on topics in DevOps, AppSec, InfoSec, cloud security, automated security testing, DevSecOps and serverless.
James is the creator and founder of the Lonestar Application Security Conference which is the largest annual security conference in Austin, TX. He also runs DevOps Days Austin and previously served on the global DevOps Days board. He also bears several security certifications including CISSP and GWAPT.
In his spare time he is trying to learn how to make a perfect BBQ brisket.

Matthew Barker

Shift Left: Cloud Security in a CI/CD World

Today, developers have numerous tools to choose from and methods to consider when building applications and websites. Where 15 years ago working in the cloud was a new trend, today entire companies’ services are born in the cloud. Where virtual machines once reigned, containers are gradually taking their place. How does DevOps adapt to these changes, while still securing their environments, from inception to rollout? One way is to ‘shift left’ and embed security best practices into the CI/CD process from the start.
This new approach moves software testing earlier in its lifecycle — or moves left on the project timeline — to prevent defects early in the software delivery process. Sonya Koptyev, Director of Evangelism at Twistlock, will begin this session by giving attendees an in-depth look at what it means to shift left, and will explain the following five steps to ensuring a successful and secure transition to begin testing software earlier in its lifecycle.
Vet configurations: Developers shouldn’t need to make configuration changes. All images, including those used in development and testing stages, should be equal to the images rolled out in production.
Test early and often: Bringing this motto to the shift left approach will help developers measure their success not by how quickly they can get their project into development, but by how many bugs they resolve before rollout.
Give insights into production: Team leads in DevOps should consider building dashboards or visualization tools so developers can gain real-time feedback into the security practices they’re building. This will help security and developer teams join forces to own the security needs in every stage of development.
Rethink automation: Don’t think of automation as a roadblock to production — think of it as a testing gauntlet where the code has to prove itself.
Be proactive: With all the tools today that can detect vulnerabilities and risks, it’s easier than ever to identify and resolve security gaps to prevent being impacted by cyber attacks. Find the right tools, and proactively use them in every stage of the development process.

Matthew an experienced Solutions Architect and Sales Engineer, with extensive experience in open source software, rapid application development, and cloud native security. Currently, Matthew works at Twistlock where he provides insightful, technical guidance to companies desiring to produce secure applications of high quality and with minimal license risk. Prior to Twistlock, Matthew worked at Sonatype and Klocwork.

Matthew Butler

Threat Hunting

Often overlooked in software security strategies is Threat Modeling. And yet we constantly model threats in our everyday lives:
Crossing a busy street, we look for cars to see if they're going to stop or keep going.
Walking down an unfamiliar city street after dark, we ask ourselves if the group coming towards us is gang bangers or just kids out having fun.
A women on a blind date is constantly analyzing her date's words and actions to see if he's a good guy or a bad guy.

Threat Modeling is the foundation of everything else we do when securing our software and hardware systems. It tells us where our attack surfaces are, what possible attack vectors there are, where we aren't verifying who we're communicating with, where we're holding data and more importantly where we holding data we don't use. Threat modeling forces us to analyze our designs and focuses our thinking to that of an attacker.
In this talk, we'll begin by looking at Intrusion Kill Chains, a simple but effective way to describe the process that attackers use to penetrate systems. We'll look at one of the most famous and successful attacks in cyber history through the lens of a kill chain.

Using this knowledge we'll then do a hands-on Threat Modeling exercise against an everyday system using the STRIDE approach (and discuss others as we go). We'll look at:
how Spoofing can be used to gain unauthorized access to data within our system,
how Tampering is used to affect system behavior and how to protect against it,
how Repudiation is used to ensure that all systems behavior is verified,
how Information leaks give an attacker vital information on how to attack our systems,
how to defend against Denial of service attacks, and
how privilege Escalation attacks give attackers access to more than just our systems.
We'll also discuss how we have come to live in a Zero Trust world and how that affects systems design. We'll see how Threat modeling allow us to: expose attack surfaces, uncover architectural flaws early, identify attack vectors, balance risks and usability, and document mitigation strategies.

Matthew Butler has spent the last three decades as a systems architect and software engineer developing systems for network security, law enforcement and the military. He primarily works in signals intelligence using C, C++ and Modern C++ to build systems running on hardware platforms ranging from embedded micro-controllers to FPGAs to large-scale airborne platforms. Much of his experience has come in either building systems that defend against attackers or building highly sensitive systems that are targets. He is actively involved in the C++ community and is on various planning committees for C++Now and CppCon as well as being a speaker at both. Over the past thirty years, he has learned the harsh lessons on how we often design hardware and software systems that fail, not because they don't scale, but because they aren't designed to be secure.

Danny Rosseau

Moving resources to cloud services such as Microsoft's Azure simplifies deployment and maintenance of infrastructure and, to some degree, can make security tasks more straightforward and understandable. This is assuming the service's tools are used safely and correctly, but documentation for the correct way to use these services is often difficult to find and, even when found, difficult to parse or outdated. Cloud deployments may sometimes use configurations that work to get the job done but do not consider security implications. This leads to a lot of errors that are, on the surface, trivial, but can lead to less secure infrastructure and have potentially large scale consequences.
The aim of this presentation is to point out some of these configuration errors and introduce methods to automatically discover and, in some cases, fix these errors. We will also introduce a tool that fills in a missing piece of Azure security: easy automation. We make use of Azure's REST APIs to gather security relevant information and collect it all in one place, simplifying the interface and removing non security relevant noise. We also provide tooling and a testing framework for analyzing this data.

Danny is a security consultant at Carve Systems working on a wide array projects including cloud infrastructure assessments. Before working as a security consultant he worked as a backend developer and as quantum computing researcher in Tokyo. He works nearby out of Eagle, and is taking some time off of the Spring snowboarding to come here and give a talk.

Katy Anton

Injecting Security Controls in Software Applications

Cyber attacks are a real and growing threat to businesses and an increasing number of attacks take place at application layer. The best defence is to develop applications where security is incorporated as part of the software development life cycle.
How can developers write more secure applications? What are the security techniques they can use while writing the software that will help them produce more secure applications ?
These are hard questions as evidenced by the numerous insecure applications we still have today. Starting from real-world examples, we will discuss the security controls that developers are familiar with, offer actionable advice when to use them in the software development life cycle and how to verify for them.
Recommended to all builders and security professionals interested to incorporate security controls as part of software development cycle and building more secure applications.

Katy Anton is a security professional with a background in software development. An international public speaker, she enjoys speaking about software security and how to secure software applications.
In her previous roles she led software development teams and implemented security best practices in software development life cycle. As part of her work she got involved in OWASP Top Ten Proactive Controls project where she joined as project leader.
In her current role as Application Security Consultant, Katy works with security teams and software developers around the world and helps them secure their software.

Dan Cornell

Enumerating Enterprise Attack Surface

Many organizations have only a passing understanding of the scope of their application portfolios and how these assets are exposed to the Internet and other potentially dangerous networks. This puts them in a risky situation where they have attack surface that is unknown and unmanaged, often resulting in serious vulnerabilities being exposed indefinitely. This presentation looks at several tools and methods that can be used to enumerate enterprise application assets – including web applications, mobile applications, and web services. The discussion covers several open source application asset identification tools and compares their effectiveness. Finally, a framework for ongoing application asset discovery and enumeration is presented so that security managers can embark on a structured program to characterize their risk exposure due to their enterprise attack surface.

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.
Cornell is an active member of the development community and a sought-after speaker on topics of web application security, speaking at international conferences including RSA Security Conference, OWASP AppSec USA and EU, TEDx, and Black Hat Arsenal. He holds three patents for technologies in the information security space.

Erez Yalon

(De)Serial Killers – A Practical Guide to Deserialization Attacks at Large

Set during the Great Marshaling of Pickles Apocalypse; in the year 2015, the internet at large was made aware of a little-known kind of attack: Deserialization of Untrusted Data. Jenkins, JBoss, Oracle WebLogic, IBM WebSphere, Apache Struts and many more were destroyed by Remote Code Executions via complicated deserialization attacks. Gadget Chains smashed through WAFs and rooted systems. By the year 2017, OWASP declared deserialization attacks critical enough for its own OWASP Top 10 category. SQL Injection? Passé. XSS? Weak. Code Injection? Improbable. Deserialization of Untrusted Data? HELL. YES. Join this session to: + Learn what (de)serialization is. + Discover how deserialization can be exploited (including 0-days). + Find out how unsafe deserialization can be mitigated by builders and defenders. + Receive a full breakdown of the issues we’re currently facing, including demos.

Erez is the API Security Project Leader at OWASP and the Head of Security Research at Checkmarx, a global leader in application security. In this role he leads the company’s security research efforts, overseeing and managing teams of top-notch professionals - researchers, analysts, pen-testers, secure developers and bounty hunters. Erez's efforts to educate and raise security awareness brought him to speak in several events and major global conferences, among them: OWASP AppSec US, OWASP AppSec EU, OWASP AppSec IL, DEF CON, BSides Las-Vegas, and more.

Erik Huffman

Human Hacking | The Psychology Behind Cybersecurity

As society becomes more technology-oriented we are facing new challenges. We have ignored the psychology behind cyber security.This talk covers the science of the human mind in a cyber environment. In a cyber war limbic system in a person does not operate in a "fight or flight" manner. This requires people to be able to reason and think through a cyber war. This talk incorporates the vernal theory of crime and the Big Five Model of cyber victims.
In an environment where 73% of hackers say traditional perimeter security firewalls and antivirus are irrelevant or obsolete and 74% IT professionals of respondents named clicking a link or opening an attachment in an email as the top ways threats enter the organization, we need to address this knowledge gap across all technologies. IOT, standard computing devices, and the environment have given cyber criminals a clear advantage.

Dr. Erik Huffman is the founder and CEO of Handshake Leadership, an organizational leadership development and cybersecurity education consulting firm. He is also the 2018 Pikes Peak region's young entrepreneur of the year, 2018 Colorado Springs Mayor's Young Leader in education, and a Colorado Springs Business Journal 2018 Rising Star. Currently he is a Google certified educator and Microsoft certified educator. He is Security+, Project+, HIT, Cloud+, Mobility+, Server+, and CySA+ certified. His passion is in building better organizations and helping further the body of knowledge of leadership and education.

Milton Smith

Security Career Survival Guide

It’s vitally important but nobody’s motivated to do it. There’s virtually no consequences if it’s not done. Everyone thinks you have already have it. What are we talking about, dental hygiene? No, strong software security. So why is it that we fall short of our goals? Is it that we’re fresh out of good ideas for improvement? It’s hard to change the world around us but it’s easy to improve ourselves. Learn how you can improve yourself and your security program to achieve your goals. There’s no CISSP playbook for leading the worlds most impactful security programs and few have the experience. Join Milton Smith as he discusses some of the lessons learned leading product security for the Java Platform Group at Oracle and how you can improve your own program.

Milton Smith (California, USA) is the CEO and founder of AppSec Alchemy. Previously, Milton was top security leader in the Java Platform Group building Java as well as Product Security Director for NetSuite. Other employers include companies like Yahoo and SuccessFactors. Outside the company, Milton is the project leader for both the OWASP DeepViolet TLS/SSL scanning API and OWASP Security Logging Projects. Milton is a regular presenter at international security and engineering conference events like Black Hat, OWASP AppSec, JavaOne, and Devoxx. Milton resides in the United States in the greater San Francisco California area. For more information visit, appsecalchemy.com or follow Milton on Twitter(@spoofzu).

Andy Lewis

Career Paths in ITSec - Tradeoffs, Options

Why are you in this business & where do you expect it to take you? What are the career options? What are the tradeoffs? This is a quick 1-man preso followed by inputs from an ad-hoc panel of folks from different background followed by Q&A. Seems like a lot of folks are in "ITSec" but uncertain as to what career paths are available, what's required, and the tradeoffs.

Andy Lewis is a Solutions Architect for Trend Micro. He has run ITSec operations in Fortune 250 companies and is the founder of a Cloud Security Alliance Chapter and two OWASP Chapters.

John B. Dickson

AppSec in a World of Digital Transformation

The mandate for digital transformation is forcing companies to innovate faster in order to provide more value to customers and bring products and services to the market more quickly. Technological innovations such as the cloud, microservice architectures, and CI/CD pipelines are being adopted to support the increased pace of development and more easily address scaling requirements. This upheaval presents both risks and opportunities for application security leaders. The successful leaders view this transition as a clean-slate opportunity to “get security right” and will restructure their teams and technologies to deeply-embed application security throughout the new tech stack. This session will cover emerging strategies that appsec leaders are using to ensure they keep up with this massive industry change.

John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group Principal, he helps executives and Chief Security Officers (CSO’s) of Fortune 500 companies and government organizations launch and expand their critical application security initiatives. His leadership has been instrumental in Denim Group being honored by Inc. Magazine as one of the fastest growing companies in the industry for five years in a row.

Brendan Sheairs

Using Security Champions to Build a DevSecOps Culture Within Your Organization

The security industry has made great strides developing tools and technology to integrate software security into the application development life cycle. However, it’s important not to ignore the people and process aspects of DevSecOps. Building security into application teams’ culture is necessary for DevSecOps to be successful.

Brendan Sheairs is a managing consultant and serves as a subject matter expert for Security Champion-related projects at Synopsys. He works closely with organizations to design, build, and implement their software security initiatives in markets such as healthcare, finance, and telecommunications. In addition, he works with various teams of principal consultants, senior consultants, and consultants to manage and oversee the delivery of Synopsys services to clients in the Mid-Atlantic region. Brendan has led several projects with a number of Fortune 50 companies to implement and mature their Security Champions initiatives. He has been a CSSLP since 2013.


For volunteer opportunities please contact Kathy (kathy DOT thaxton@owasp.org)


SnowFROC (Front Range OWASP Conference) is Denver's premier application security conference and is taking place Thursday March 5th, 2020 for one day only.
SnowFROC includes breakfast, lunch, presentations, vendor giveaways, a panel discussion and optional hands on training and workshops.

The location of this event is The Cable Center on the University of Denver campus near I-25 and University.

Meet the Team

Every year the Denver OWASP Board of Directors works diligently to bring our application security community the very best. This 100% volunteer team is comprised of:

Frank Vianzon

Matt Shufeldt

Steve Kosten

Brad Gable

Aaron Cure

Serge Borso

The Denver OWASP Chapter is proud to present SnowFROC '20!

SnowFROC (Front Range OWASP Conference) is Denver Colorado's premier application security conference and is taking place Thursday March 5th, 2020 for one day only. The location of this event is The Cable Center on the University of Denver campus near I-25 and University.

This Call For Papers (CFP) is open to anyone that would like to submit a presentation. The final date to submit your presentation is Sunday January 19th, 2020 - if your presentation is selected you will be notified by Friday January 31st, 2020.


Presentation Guidelines
Please ensure your topic falls under the realm of information security: (appsec, crypto, emerging trends, privacy, compliance, technology, etc.). The basic guidelines are as follow:

  • Presentations should be detailed and in-depth; please avoid cursory overviews
  • Presenters will ideally be well versed in public speaking
  • A mixture of lecture and demos or hands-on presentations are encouraged
  • Focus the topic, presentation and delivery on actionable information that attendees can leverage and put to use
  • Allow sufficient time for Q&A or otherwise plan for audience participation

Presentations are slotted for 25 or 55 minutes which accounts for your presentation time, Q&A and to ensure the next presenter has time to setup and start promptly. Please plan your talk accordingly.

HDMI adapters, necessary dongles and microphones will be provided for your use.

Sales pitches, presentations focusing on commercial tools or vendors and the like will not be accepted. You will be expected to submit your slide-deck (if applicable) prior to the event and use a standard OWASP template for presentations (which will be provided to you).

As we are aiming for 400+ attendees, expect an audience of 50+ for your presentation, go here to view last year's presentations and use the form below to submit your presentation.