Schedule & Training
SnowFROC consists of a managerial track, a technical track, hands on training, the CMD+CTRL Cyber Range and a panel discussion. This schedule details times and room locations for each presentation as does the content below. At the bottom of this page are details of the training sessions and the Cyber Range.
8AM - 9AM: Registration and Breakfast [Great Hall]
9AM - 9:50AM: Keynote - Troy Hunt [Great Hall]
10AM - 11AM: The Last XSS Defense Talk [Malone Theater]
10AM - 11AM: HAM Radio 4 Hackers [Bresnan Boardroom]
10AM - 11AM: Human Hacking | The Psychology Behind Cybersecurity [Great Hall]
10AM - Noon: WMI Showcase (TRAINING) [Library]
11AM - Noon: Security Career Survival Guide [Malone Theater]
11AM - Noon: How to Frida Good [Bresnan Boardroom]
11AM - Noon: Serverless Security: A How-to Guide [Great Hall]
Noon - 1PM: Catered Lunch & Vendor Give-Away #1 [Great Hall]
1PM - 2PM: Shift Left: Cloud Security in a CI/CD World [Malone Theater]
1PM - 2PM: Threat Hunting [Great Hall]
1PM - 2PM: Career Paths in ITSec - Tradeoffs, Option [Bresnan Boardroom]
1PM - 2PM: XSS (TRAINING) [Library]
2PM - 3PM: Automatically find and fix security misconfigurations in Azure deployments [Malone Theater]
2PM - 3PM: Injecting Security Controls in Software Applications [Bresnan Boardroom]
2PM - 3PM: AppSec in a World of Digital Transformation [Great Hall]
2PM - 4PM: Software Defined Radio (TRAINING) [Library]
3PM - 4PM: (De) Serial Killers – A Practical Guide to Deserialization Attacks at Large [Malone Theater]
3PM - 4PM: Using Security Champions to Build a DevSecOps Culture Within Your Organization [Great Hall]
3PM - 4PM: Enumerating Enterprise Attack Surface [Bresnan Boardroom]
3:30 Happy Hour Begins [Great Hall]
4-5:30 Vendor Give-Away #2 Followed by Panel Discussion [Great Hall]
If you are signed up for training, be sure to bring a laptop with (with 8+ Gigabytes of RAM) the capability to run a virtual machine (VirtualBox/VMware) and SPECIFICALLY FOR THE SDR WORKSHOP: Attendees will also need an SDR device such as This. Training takes place in the Library.
Lab 0: WMI Workshop
WMI has recently been publicized for its offensive use cases. Attackers, and now red teams, are discovering how powerful WMI can be when used beyond its original intent. Even with the recent surge in WMI use, not everyone knows how to interact with it. This workshop intends to showcase how you can leverage WMI on assessments to do nearly anything you would want to do in a post-exploitation scenario. Want to read files, perform a directory listing, detect active user accounts, run commands (and receive their output), download/upload files, and do all of the above (plus more) remotely?
The goal for this workshop will be to enable students to walk away with an understanding of how WMI, a service installed and enabled by default since Windows 2000, is utilized by attackers, demystify interacting with the service locally and remotely, and give students the ability to leverage WMI in the same manner as attackers.
Bio: Christopher Truncer (@ChrisTruncer) is a co-founder and red team lead with FortyNorth Security. He is a co-founder and current developer of the Veil-Framework, a project aimed to bridge the gap between advanced red team and penetration testing tools, WMImplant, EyeWitness, and other open-source software. Chris began developing tools that are not only designed for the offensive community, but can enhance the defensive community’s ability to defend their network as well.
Lab 1: XSS
Lab 2: Software Defined Radio (SDR) Workshop
Software defined radio is a fascinating way to explore radio spectrum. In this workshop we will go through some of the basics of RF and of using an SDR device to explore the radio spectrum. Several different software packages will be used, and we will begin exploring GNURadio. *Attendees should bring a laptop running windows with at least a dual core processor and 8GB of RAM. Attendees will also need an SDR device such as this* More Information
CMD+CTRL Cyber Range
Security Innovation's CMD+CTRL Cyber Range will be running throughout the day: Unique in the industry, CMD+CTRL is an immersive learning environment where SnowFROC attendees can exploit their way through hundreds of vulnerabilities that lurk in business applications today – and learn quickly that attack and defense are about thinking on your feet. This is free to all attendees!
SDR Workshop Additional Information:
- SDR vs regular radio
- Carrier and modulation
- Types of sdrs - pricing, range, transmit & receive
Goal 1: Installation of sdr & Installation of rtl dongle
Goal 2: Simple use of sdr for broadcast FM & Transmit broadcast FM
Goal 3: Reception of ham radio with NFM & Broadcast on call frequency
Goal 4: Installation of PDW & Installation of Virtual audio cable/Decode paging
Goal 5: Installation of DSD and plugin & Reception of DSD and decoding audio
Goal 6: rtl1090 adsb
Goal 7: Satellite weather
Goal 8: Installation of GNURadio for windows
Goal 9: Signal source, throttle block, wx fft & Add slider variable
Goal 10: Show SDR angel transmit FM radio & FM radio receive in GNURadio
Devin Noel & Eric Watkins
HAM Radio 4 Hackers
Introduction into the basics of Radio Frequency (RF). Why it's important to get licensed, better understand RF and be able to legally transmit. We'll address how ham radio relevant to hackers in the modern Software Defined Radio era. We'll have a live DEMO with audience participation, please bring your RTL-SDR and an OTG dongle so you can try out decoding an RF signal using your mobile device.
Eric Watkins: KR0VER- Is a security architect who is interested hacking all things RF. Devin Noel: N7HKR - Is a security engineer who enjoys hacking and doing other cool things with technology.
The Last XSS Defense Talk
Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is an investor/advisor for Signal Sciences and BitDiscovery. Jim is a frequent speaker on secure software practices, is a member of the JavaOne rockstar speaker and Java Champion community and is the author of "Iron-Clad Java: Building Secure Web Applications" from McGraw-Hill and Oracle Press. Jim also volunteers for the OWASP foundation where he helps build application security standards and other documentation.
How to Frida Good
There are currently between seven and eleventy billion mobile applications in Apple and Google app stores. Users have on average 150 mobile applications on their devices and screen time varies from 5-10hrs per day. Needless to say, we are entrenched in mobile applications and at the mercy of the security of the devices and applications. Over the years there have been many tools released for instrumenting and debugging mobile applications for security purposes, such as Snoop-it, Drozer, cycript, lldb, etc. Frida was released in late 2013, but really started taking a stronghold in mobile application security testing when the other tools became less useful or unmaintained. But how can we best use Frida, what is too deep, and what other tools can we use to improve our mobile testing methods? Join David and Kevin as they walk you through examining functionality of both iOS and Android apps to learn how they work, and dynamically instrument the applications as they are used. You should walk away with a better idea of how powerful Frida is, and how miserable mobile application security is if an attacker has physical access to a device.
Kevin Cody has been in the security space since 2011 where he's lead extensive client engagements across grey/white-box web application assessments, architecture threat models, and security architecture reviews. Although his particular expertise is geared toward hacking Web and Mobile applications, he is also experienced in the entire gamut from mainframes to embedded systems. Kevin is adamant on helping build-up developers through security, which can be seen in his involvement within OWASP or while speaking at events like CodeMash or BSides. Kevin is dedicated to enthusiastic and dynamic learning as a means of striving to achieve business priorities, service levels, and mitigating risk.
A How-to Guide
No more servers (that you manage) means way less security problems, right? Not so fast. Risk is neither created or destroyed in serverless architectures, it is merely transferred.
This talk covers the four areas of growth for security in the world of serverless. In each of the four areas we will take a look at practices and tooling needed for security to adapt. We will also cover lambhack, an open source, vulnerable lambda-based serverless stack with demos including arbitrary code execution in AWS Lambda.
James spends a lot of time at the intersection of the DevOps and Security communities. He works as Head of Research at Signal Sciences and is a supporter of the Rugged Software and DevSecOps movements. Seeing the gap in software testing, James founded an open source project, Gauntlt, to serve as a Rugged Testing Framework. He is the author of several security and DevOps courses onLinkedIn Learning, including: DevOps Foundations, Infrastructure as Code, DevSecOps: Automated Security Testing, Continuous Delivery (CI/CD), and Site Reliability Engineering.
He got his start in technology when he founded a startup as a student at the University of Oklahoma and has since worked in environments ranging from large, web-scale enterprises to small, rapid-growth startups. He is a dynamic speaker on topics in DevOps, AppSec, InfoSec, cloud security, automated security testing, DevSecOps and serverless.
James is the creator and founder of the Lonestar Application Security Conference which is the largest annual security conference in Austin, TX. He also runs DevOps Days Austin and previously served on the global DevOps Days board. He also bears several security certifications including CISSP and GWAPT.
In his spare time he is trying to learn how to make a perfect BBQ brisket.
Shift Left: Cloud Security in a CI/CD World
Today, developers have numerous tools to choose from and methods to consider when building applications and websites. Where 15 years ago working in the cloud was a new trend, today entire companies’ services are born in the cloud. Where virtual machines once reigned, containers are gradually taking their place. How does DevOps adapt to these changes, while still securing their environments, from inception to rollout? One way is to ‘shift left’ and embed security best practices into the CI/CD process from the start.
This new approach moves software testing earlier in its lifecycle — or moves left on the project timeline — to prevent defects early in the software delivery process. Sonya Koptyev, Director of Evangelism at Twistlock, will begin this session by giving attendees an in-depth look at what it means to shift left, and will explain the following five steps to ensuring a successful and secure transition to begin testing software earlier in its lifecycle.
Vet configurations: Developers shouldn’t need to make configuration changes. All images, including those used in development and testing stages, should be equal to the images rolled out in production.
Test early and often: Bringing this motto to the shift left approach will help developers measure their success not by how quickly they can get their project into development, but by how many bugs they resolve before rollout.
Give insights into production: Team leads in DevOps should consider building dashboards or visualization tools so developers can gain real-time feedback into the security practices they’re building. This will help security and developer teams join forces to own the security needs in every stage of development.
Rethink automation: Don’t think of automation as a roadblock to production — think of it as a testing gauntlet where the code has to prove itself.
Be proactive: With all the tools today that can detect vulnerabilities and risks, it’s easier than ever to identify and resolve security gaps to prevent being impacted by cyber attacks. Find the right tools, and proactively use them in every stage of the development process.
Sonya Koptyev is the Director of Evangelism at Twistlock. She has been driving community efforts across various development technologies since the early days of SharePoint and .NET. Sonya worked on building the Office developer community and the Microsoft AI developer community and bringing the latest in bleeding edge technologies into the hands of developers. As part of Twistlock, Sonya is looking to bring the world of secure cloud native development into the hands of every developer, ensuring that they can make the most of the best cloud native technologies in a secure way.
Often overlooked in software security strategies is Threat Modeling. And yet we constantly model threats in our everyday lives:
Crossing a busy street, we look for cars to see if they're going to stop or keep going.
Walking down an unfamiliar city street after dark, we ask ourselves if the group coming towards us is gang bangers or just kids out having fun.
A women on a blind date is constantly analyzing her date's words and actions to see if he's a good guy or a bad guy.
Threat Modeling is the foundation of everything else we do when securing our software and hardware systems. It tells us where our attack surfaces are, what possible attack vectors there are, where we aren't verifying who we're communicating with, where we're holding data and more importantly where we holding data we don't use. Threat modeling forces us to analyze our designs and focuses our thinking to that of an attacker.
In this talk, we'll begin by looking at Intrusion Kill Chains, a simple but effective way to describe the process that attackers use to penetrate systems. We'll look at one of the most famous and successful attacks in cyber history through the lens of a kill chain.
Using this knowledge we'll then do a hands-on Threat Modeling exercise against an everyday system using the STRIDE approach (and discuss others as we go). We'll look at:
how Spoofing can be used to gain unauthorized access to data within our system,
how Tampering is used to affect system behavior and how to protect against it,
how Repudiation is used to ensure that all systems behavior is verified,
how Information leaks give an attacker vital information on how to attack our systems,
how to defend against Denial of service attacks, and
how privilege Escalation attacks give attackers access to more than just our systems.
We'll also discuss how we have come to live in a Zero Trust world and how that affects systems design. We'll see how Threat modeling allow us to: expose attack surfaces, uncover architectural flaws early, identify attack vectors, balance risks and usability, and document mitigation strategies.
Matthew Butler has spent the last three decades as a systems architect and software engineer developing systems for network security, law enforcement and the military. He primarily works in signals intelligence using C, C++ and Modern C++ to build systems running on hardware platforms ranging from embedded micro-controllers to FPGAs to large-scale airborne platforms. Much of his experience has come in either building systems that defend against attackers or building highly sensitive systems that are targets. He is actively involved in the C++ community and is on various planning committees for C++Now and CppCon as well as being a speaker at both. Over the past thirty years, he has learned the harsh lessons on how we often design hardware and software systems that fail, not because they don't scale, but because they aren't designed to be secure.
Moving resources to cloud services such as Microsoft's Azure simplifies deployment and maintenance of infrastructure and, to some degree, can make security tasks more straightforward and understandable. This is assuming the service's tools are used safely and correctly, but documentation for the correct way to use these services is often difficult to find and, even when found, difficult to parse or outdated. Cloud deployments may sometimes use configurations that work to get the job done but do not consider security implications. This leads to a lot of errors that are, on the surface, trivial, but can lead to less secure infrastructure and have potentially large scale consequences.
The aim of this presentation is to point out some of these configuration errors and introduce methods to automatically discover and, in some cases, fix these errors. We will also introduce a tool that fills in a missing piece of Azure security: easy automation. We make use of Azure's REST APIs to gather security relevant information and collect it all in one place, simplifying the interface and removing non security relevant noise. We also provide tooling and a testing framework for analyzing this data.
Danny is a security consultant at Carve Systems working on a wide array projects including cloud infrastructure assessments. Before working as a security consultant he worked as a backend developer and as quantum computing researcher in Tokyo. He works nearby out of Eagle, and is taking some time off of the Spring snowboarding to come here and give a talk.
Injecting Security Controls in Software Applications
Cyber attacks are a real and growing threat to businesses and an increasing number of attacks take place at application layer. The best defence is to develop applications where security is incorporated as part of the software development life cycle.
How can developers write more secure applications? What are the security techniques they can use while writing the software that will help them produce more secure applications ?
These are hard questions as evidenced by the numerous insecure applications we still have today. Starting from real-world examples, we will discuss the security controls that developers are familiar with, offer actionable advice when to use them in the software development life cycle and how to verify for them.
Recommended to all builders and security professionals interested to incorporate security controls as part of software development cycle and building more secure applications.
Katy Anton is a security professional with a background in software development. An international public speaker, she enjoys speaking about software security and how to secure software applications.
In her previous roles she led software development teams and implemented security best practices in software development life cycle. As part of her work she got involved in OWASP Top Ten Proactive Controls project where she joined as project leader.
In her current role as Application Security Consultant, Katy works with security teams and software developers around the world and helps them secure their software.
Enumerating Enterprise Attack Surface
Many organizations have only a passing understanding of the scope of their application portfolios and how these assets are exposed to the Internet and other potentially dangerous networks. This puts them in a risky situation where they have attack surface that is unknown and unmanaged, often resulting in serious vulnerabilities being exposed indefinitely. This presentation looks at several tools and methods that can be used to enumerate enterprise application assets – including web applications, mobile applications, and web services. The discussion covers several open source application asset identification tools and compares their effectiveness. Finally, a framework for ongoing application asset discovery and enumeration is presented so that security managers can embark on a structured program to characterize their risk exposure due to their enterprise attack surface.
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.
Cornell is an active member of the development community and a sought-after speaker on topics of web application security, speaking at international conferences including RSA Security Conference, OWASP AppSec USA and EU, TEDx, and Black Hat Arsenal. He holds three patents for technologies in the information security space.
(De)Serial Killers – A Practical Guide to Deserialization Attacks at Large
Set during the Great Marshaling of Pickles Apocalypse; in the year 2015, the internet at large was made aware of a little-known kind of attack: Deserialization of Untrusted Data. Jenkins, JBoss, Oracle WebLogic, IBM WebSphere, Apache Struts and many more were destroyed by Remote Code Executions via complicated deserialization attacks. Gadget Chains smashed through WAFs and rooted systems. By the year 2017, OWASP declared deserialization attacks critical enough for its own OWASP Top 10 category. SQL Injection? Passé. XSS? Weak. Code Injection? Improbable. Deserialization of Untrusted Data? HELL. YES. Join this session to: + Learn what (de)serialization is. + Discover how deserialization can be exploited (including 0-days). + Find out how unsafe deserialization can be mitigated by builders and defenders. + Receive a full breakdown of the issues we’re currently facing, including demos.
Erez is the API Security Project Leader at OWASP and the Head of Security Research at Checkmarx, a global leader in application security. In this role he leads the company’s security research efforts, overseeing and managing teams of top-notch professionals - researchers, analysts, pen-testers, secure developers and bounty hunters. Erez's efforts to educate and raise security awareness brought him to speak in several events and major global conferences, among them: OWASP AppSec US, OWASP AppSec EU, OWASP AppSec IL, DEF CON, BSides Las-Vegas, and more.
Human Hacking | The Psychology Behind Cybersecurity
As society becomes more technology-oriented we are facing new challenges. We have ignored the psychology behind cyber security.This talk covers the science of the human mind in a cyber environment. In a cyber war limbic system in a person does not operate in a "fight or flight" manner. This requires people to be able to reason and think through a cyber war. This talk incorporates the vernal theory of crime and the Big Five Model of cyber victims.
In an environment where 73% of hackers say traditional perimeter security firewalls and antivirus are irrelevant or obsolete and 74% IT professionals of respondents named clicking a link or opening an attachment in an email as the top ways threats enter the organization, we need to address this knowledge gap across all technologies. IOT, standard computing devices, and the environment have given cyber criminals a clear advantage.
Dr. Erik Huffman is the founder and CEO of Handshake Leadership, an organizational leadership development and cybersecurity education consulting firm. He is also the 2018 Pikes Peak region's young entrepreneur of the year, 2018 Colorado Springs Mayor's Young Leader in education, and a Colorado Springs Business Journal 2018 Rising Star. Currently he is a Google certified educator and Microsoft certified educator. He is Security+, Project+, HIT, Cloud+, Mobility+, Server+, and CySA+ certified. His passion is in building better organizations and helping further the body of knowledge of leadership and education.
Security Career Survival Guide
It’s vitally important but nobody’s motivated to do it. There’s virtually no consequences if it’s not done. Everyone thinks you have already have it. What are we talking about, dental hygiene? No, strong software security. So why is it that we fall short of our goals? Is it that we’re fresh out of good ideas for improvement? It’s hard to change the world around us but it’s easy to improve ourselves. Learn how you can improve yourself and your security program to achieve your goals. There’s no CISSP playbook for leading the worlds most impactful security programs and few have the experience. Join Milton Smith as he discusses some of the lessons learned leading product security for the Java Platform Group at Oracle and how you can improve your own program.
Milton Smith (California, USA) is the CEO and founder of AppSec Alchemy. Previously, Milton was top security leader in the Java Platform Group building Java as well as Product Security Director for NetSuite. Other employers include companies like Yahoo and SuccessFactors. Outside the company, Milton is the project leader for both the OWASP DeepViolet TLS/SSL scanning API and OWASP Security Logging Projects. Milton is a regular presenter at international security and engineering conference events like Black Hat, OWASP AppSec, JavaOne, and Devoxx. Milton resides in the United States in the greater San Francisco California area. For more information visit, appsecalchemy.com or follow Milton on Twitter(@spoofzu).
Career Paths in ITSec - Tradeoffs, Options
Why are you in this business & where do you expect it to take you? What are the career options? What are the tradeoffs? This is a quick 1-man preso followed by inputs from an ad-hoc panel of folks from different background followed by Q&A. Seems like a lot of folks are in "ITSec" but uncertain as to what career paths are available, what's required, and the tradeoffs.
Andy Lewis is a Solutions Architect for Trend Micro. He has run ITSec operations in Fortune 250 companies and is the founder of a Cloud Security Alliance Chapter and two OWASP Chapters.
John B. Dickson
AppSec in a World of Digital Transformation
The mandate for digital transformation is forcing companies to innovate faster in order to provide more value to customers and bring products and services to the market more quickly. Technological innovations such as the cloud, microservice architectures, and CI/CD pipelines are being adopted to support the increased pace of development and more easily address scaling requirements. This upheaval presents both risks and opportunities for application security leaders. The successful leaders view this transition as a clean-slate opportunity to “get security right” and will restructure their teams and technologies to deeply-embed application security throughout the new tech stack. This session will cover emerging strategies that appsec leaders are using to ensure they keep up with this massive industry change.
John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group Principal, he helps executives and Chief Security Officers (CSO’s) of Fortune 500 companies and government organizations launch and expand their critical application security initiatives. His leadership has been instrumental in Denim Group being honored by Inc. Magazine as one of the fastest growing companies in the industry for five years in a row.
Using Security Champions to Build a DevSecOps Culture Within Your Organization
The security industry has made great strides developing tools and technology to integrate software security into the application development life cycle. However, it’s important not to ignore the people and process aspects of DevSecOps. Building security into application teams’ culture is necessary for DevSecOps to be successful.
Brendan Sheairs is a managing consultant and serves as a subject matter expert for Security Champion-related projects at Synopsys. He works closely with organizations to design, build, and implement their software security initiatives in markets such as healthcare, finance, and telecommunications. In addition, he works with various teams of principal consultants, senior consultants, and consultants to manage and oversee the delivery of Synopsys services to clients in the Mid-Atlantic region. Brendan has led several projects with a number of Fortune 50 companies to implement and mature their Security Champions initiatives. He has been a CSSLP since 2013.
Thank You 2019 Sponsors!
For volunteer opportunities please contact Kathy (kathy DOT email@example.com)
SnowFROC (Front Range OWASP Conference) is Denver's premier application security conference and is taking place Thursday March 14th, 2019 for one day only.
This year's keynote speaker, all the way from Australia, is TROY HUNT!
In addition to Troy, SnowFROC includes breakfast, lunch, 15 presentations, vendor giveaways, a panel discussion and optional hands on training, as well as Security Innovation's CMD+CTRL Cyber Range which will be running throughout the day.
The location of this event is The Cable Center on the University of Denver campus near I-25 and University.
The Denver OWASP Board of Directors & Organizers is proud to present SnowFROC'19!
SnowFROC (Front Range OWASP Conference) is Denver's premier application security conference and is taking place Thursday March 14th, 2019 for one day only. The location of this event is The Cable Center on the University of Denver campus near I-25 and University.
The Call For Papers (CFP) is closed. The final date to have submitted your presentation was Sunday January 13th 2019. Thank you to everyone that submmitted a talk!
Please ensure your topic falls under the realm of information security: (appsec, crypto, emerging trends, privacy, compliance, technology, etc). The basic guidelines are as follow:
- Presentations should be detailed and in-depth; please avoid cursory overviews
- Presenters will ideally be well versed in public speaking
- A mixture of lecture and demos or hands-on presentations are encouraged
- Focus the topic, presentation and delivery on actionable information that attendees can leverage and put to use
- Allow sufficient time for Q&A or otherwise plan for audience participation
Presentations are slotted for 30 or 60 minutes which accounts for your presentation time, Q&A and to ensure the next presenter has time to setup and start promtly. Please plan your talk accordingly.
HDMI adapters, necessary dongles and microphones will be provided for your use.
Sales pitches, presentations focusing on commercial tools or vendors and the like will not be accepted. You will be expected to submit your slide-deck (if applicable) prior to the event and use a standard OWASP template for presentations.
Expect an audience of 50+ for your presentation, go here to view last years presentations and use the form below to submit your presentation.