AppSec USA
Your life is in the cloud.

Contact Us
About Us
Women in AppSec

September 21
U Challenge
OSS Showcase


September 22-23, 2011: Software security and software development professionals presented their ideas - read their bios

Slides & Video

Keynote and Talk Listing

Conference Program

Talks at a Glance PDF

Pricing and Registration


Speaker Biographies

Slides & Video

The following information was current as of OWASP AppSec USA 2011.


Ryan Barnett
Presented: OWASP CRS and AppSensor Project

Ryan C. Barnett is a senior security researcher on Trustwave's SpiderLabs Team. He is a SANS Institute certified instructor and a member of both the Top 20 Vulnerabilities and CWE/SANS Top 25 Most Dangerous Programming Errors teams. In addition to working with SANS, he is also a WASC Member where he leads the Web Hacking Incidents Database (WHID) and Distributed Open Proxy Honeypots Projects and is also the OWASP ModSecurity Core Rule Set (CRS) project leader. Mr. Barnett has also authored a Web security book for Addison/Wesley Publishing entitled Preventing Web Attacks with Apache.


Beef (Chris Schmidt)Beef (Chris Schmidt)
Presented: ESAPI 2.0 - Defense Against the Dark Arts
Web: http://yet-another-dev.blogspot.com
Twitter: @carne

Chris is currently the Project Leader for the OWASP ESAPI Projects and also serves on the OWASP Global Projects Committee. He has been involved with OWASP for 4 years and has spoken at many OWASP events about the benefits of the Enterprise Security API as well as participated in Leadership discussions amongst the organization.

During the day, Chris is an Application Security Engineer and Senior Software Engineer for Aspect Security where he has been since fall 2010. Prior to joining the team at Aspect Security he spent 5 years as 'Black Ops Beef' for ServiceMagic Inc with the official title of Software Engineer.

In addition to his professional career he is also a musician with several ongoing projects and enjoys cold beer and long walks in the park.


Simon BennettsSimon Bennetts
Presented: Introducing the OWASP Zed Attack Proxy
Web: http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Twitter: @psiinon

Simon Bennetts started the OWASP Zed Attack Proxy project, and leads the international group of volunteers who develop it.

He is also one of the founders of the OWASP Manchester chapter and the OWASP Data Exchange Format project.

In his day job he works for Sage UK Ltd as a Team Leader for both a development and a security team.

His day to day work includes designing and building web applications, performing security assessments and delivering security training.


John BenninghoffJohn Benninghoff
Presented: Behavioral Security Modeling: Eliminating Vulnerabilities by Building Predictable Systems
Web: http://www.transvasive.com
Twitter: @transvasive

John Benninghoff started his information security career when he was asked to build and deploy a Network IDS using free software (SHADOW and OpenBSD UNIX) after returning from a SANS conference in 1998. John has worked as a network security engineer, security architect, and manager, and now provides consulting services through his company, Transvasive Security.

The work John has done for clients since becoming a consultant includes managing a $1 million PCI compliance project, which finished successfully, on time and under budget, writing security policies, and creating a standardized process for reviewing application security.

John holds the Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) Certifications, and received the CISM Worldwide Excellence Award for earning the top score on the December 2005 CISM Exam. He has experience working with Windows, UNIX, Mainframe (RACF), and Cisco IOS platforms.


Tom BrennanTom Brennan
Presented: Stealing Intellectual Property in 5 Easy Steps
Board Member: September 22 Lunchtime OWASP Foundation Board Discussion
Twitter: @brennantom

Tom Brennan is Director of Strategic Services at Trustwave SpiderLabs where he works with clients to build and optimize information security assurance programs.

Tom is widely recognized in the industry from an attacker's perspective for his ability to apply tactical and technical knowledge strategically. He has donated countless hours to the information security community, including the OWASP Foundation where he currently volunteers his time as an International Board of Directors, Project and Chapter leader.


Shankar Babu ChebroluShankar Babu Chebrolu, PhD, CISSP
Presented: Top Ten Risks with Cloud that will keep you Awake at Night

Shankar Chebrolu is a Senior IT Architect at Cisco Systems currently focusing on IT strategy for business model enablement, cloud broker and web application security architectures, and global data center application migration program by working closely with supply/value chain partners, cloud providers, solution vendors, and functional IT teams. Shankar holds a PhD degree in Information Technology from Capella University and holds a Master's Degree in Computer Science & Engineering from Indian Institute of Technology (IIT), Mumbai, India. His research interests include information security management, cloud computing, IT effectiveness and strategic alignment with business. Shankar has been an active speaker at various professional conferences including Siebel Customer World, Oracle Open World, CA World, Oracle Applications User Group, and NC State University's InfoSeCon presenting in his areas of expertise: Cloud Computing, Web application security architecture, management of security processes and integrating security models within IT enterprises. One of his white papers on web application security is published in a book: Readings & Cases in Information Security: Law & Ethics, Cengage Learning, June 2010. Shankar is a recipient of Cisco Security Champion award for being a security advocate and for his efforts on developer centric web application vulnerability assessment process in collaboration with IBM.


Nadya BartolNadya Bartol
Presented: Why do developers make these dangerous software errors?

Ms. Bartol has over 17 years of information technology (IT) and information assurance (IA) experience. She led numerous strategic groundbreaking cyber security engagements for Federal government clients addressing cyber security measurement, continuous monitoring, and cyber supply chain risk management. Ms. Bartol co-authored several NIST special publications and interagency reports, including 800-55 Revision 1, Performance Measurement Guide for Information Security and NIST Interagency Report 7622, Piloting Supply Chain Risk Management Practices for Federal Information Systems. She serves as Co-chair of DoD/DHS/NIST SwA Measurement Working Group and in that capacity served as a principal author of Practical Measurement Guidance for Software Assurance and Information Security. Nadya led the development of Information Assurance Technology Analysis Center (IATAC) State of the Art Report, Measuring Cyber Security and Information Assurance. She regularly speaks at leading industry conferences on both cyber security measurement and cyber supply chain. Nadya serves as United States delegate to an ISO committee dedicated to the development of cyber security standards where she is US technical expert working on the ISO/IEC 27000 series standards, Information Security Management System and a US Head of Delegation (HOD) for Working Group 1. She is a Project Editor for ISO/IEC 27036 – Information technology – IT security techniques – Information Security for Supplier Relationships. She is a frequent speaker and panel facilitator at numerous premier industry events including RSA, Carnegie Mellon University Software Engineering Institute (CMU SEI) workshops, and other conferences.


Kris BrittonKris Britton
Presented: Sticking to the Facts: Scientific Study of Static Analysis Tools

Kris Britton is the Director for the NSA Center for Assured Software. He has been involved in the Information Assurance discipline for the U.S. DoD for the last 20 years working in areas of operating system security, database security, international security criteria, security engineering and most recently software assurance. As the Director of the NSA Center for Assured Software he leads a government team of analysts to promote software assurance principles and practice to DoD and National Security clients.


Brian ChessBrian Chess, Ph.D. and Founder/Chief Scientist, Fortify Software, an HP Company
Presented: Gray, the New Black: Gray-Box Web Penetration Testing

Brian Chess is a founder and Chief Scientist at Fortify Software, an HP Company.  Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.


Bill ChuDr. Bill Chu
Presented: Secure Programming Support in IDE

Bill Chu is Professor of Software and Information Systems at the University of North Carolina at Charlotte. He has over 25 years of research and education experiences in Computer Science and Information Technology. His current research interests include secure software engineering, cognitive psychology, and IT education. He has published in areas of software assurance, information technology education, enterprise integration, access control, and artificial intelligence. He received his Ph.D. and M.S. in Computer Science and B.S. in Electrical Engineering all from the University of Maryland at College Park.


Michael CoatesMichael Coates
Presented: Security Evolution - Bug Bounty Programs for Web Applications, Pure AppSec, No Fillers or Preservatives - OWASP Cheat Sheet Series
Incoming Board Member: September 22 Lunchtime OWASP Foundation Board Discussion
Web: http://michael-coates.blogspot.com
Twitter: @_mwc

Michael Coates is a Senior Manager at Mozilla and leads the Infrastructure Security team which is responsible for web application, network and OS security throughout Mozilla. Michael holds a M.S. in Computer, Information and Network Security from DePaul University and a B.S in Computer Science from the University of Illinois.

Michael Coates has extensive experience in application and network security, security code review and penetration assessments. He has conducted hundreds of security assessments for financial, enterprise and cellular customers worldwide. Michael has been an active leader in OWASP since 2008. He is the creator and leader of the AppSensor project, a project to create attack aware applications that leverage real time detection and response capabilities, and is a recognized contributor to the 2010 OWASP Top 10. He is a frequent speaker at security conferences including numerous OWASP conferences in the US and Europe, the Chicago Thotcon conference, and has provided application security training for BlackHat and for many enterprises.


Justin CollinsJustin Collins
Presented: Brakeman and Jenkins: The Duo Detect Defects in Ruby on Rails Code
Web: http://www.presidentbeef.com
Twitter: @presidentbeef

Justin is a security engineer at AT&T Interactive and a perpetual graduate student (Ph.D. candidate) at UCLA. A Ruby and security enthusiast, Justin holds a MS in CS from UCLA.


Dan CornellDan Cornell
Presented: The Self Healing Cloud: Protecting Applications and Infrastructure with Automated Virtual Patching
Web: http://www.denimgroup.com
Twitter: @danielcornell

Dan Cornell has over twelve years of experience architecting and developing web-based software systems. As Denim Group’s Chief Technology Officer, he leads the company's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.

Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway, OWASP EU AppSec in Dublin and OWASP EU Summit in Portugal.


Dinis CruzDinis Cruz
Panelist: Speeding Up Security Testing Panel
Web: http://diniscruz.blogspot.com/
Twitter: @DinisCruz

Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.

For the past couple years Dinis has focused on the field of Static Source Code Analysis and Dynamic Website Assessments (aka penetration testing), and is the main developer of the OWASP O2 Platform which is an Open Source project that is focused on 'Automating Security Consultants Knowledge/Workflows' and 'Allowing non-security experts to access and consume Security Knowledge'. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between: the multiple WebAppSec tools, the Security consultants and the final users (from management to developers).


Mark CurpheyMark Curphey
Presented: September 22 Morning Keynote: Community - The Killer App
Web: http://www.curphey.com
Twitter: @curphey

As OWASP celebrates ten years, OWASP AppSec USA 2011's September 22 keynote, OWASP founder Mark Curphey, makes his return and will run with the theme of Community - The Killer App, much in the spirit of recent SXSW keynote Christopher Poole.

Mark joins OWASP AppSec USA 2011's other morning keynote, world class speaker and author Ira Winkler, author of Spies Among Us, and lunch keynote and secure protocol expert Moxie Marlinspike.

Mark Curphey graduated from Royal Holloway, University of London with a Masters degree in Information Security in the mid-nineties (as a mature student). Royal Holloway is recently famous as the cryptography school where the cryptographer Sophie Neveu was educated in the bestselling novel The Da Vinci Code.

After spending several years working at investment banks in the City of London working on a variety of technical projects including PKI design, Windows NT security, policy development and single sign-on systems, he moved to Atlanta to run a consulting team performing security assessments at Internet Security Systems (now a division of IBM).

In late 2000 Mark Curphey took a job at Charles Schwab to create and manage the global software security program where he was responsible for ensuring the security of all business applications protecting over a Trillion dollars of customer investments. During this period Mark started OWASP (http://www.owasp.org), the Open Web Application Security Project. In 2003 he then joined a small startup called Foundstone to take the experience learnt at Schwab to other Fortune 1000 companies. Foundstone was sold to McAfee in October 2004 and Mark Curphey joined the McAfee executive team reporting directly to the President.

Mark Curphey was awarded the Microsoft MVP for Visual Developer Security in 2005 for his community work in advancing the discipline of software security. In November 2006 he left Foundstone, moved back to Europe and took a year out to think seriously about the design of an information security management platform. A year later he joined Microsoft as a product Unit Manager building static analysis tools and protection libraries for web applications.

Mark Curphey currently runs the MSDN Subscriptions engineering team at Microsoft and is working on a side project with friends developing better social networking software for online communities using Ruby on Rails.

Mark Curphey now lives in Seattle with his wife and three children and in recent times has discovered distance running (bare foot) with aspirations for ultra-marathon trail running in the future.


Javier Marcos de PradoJavier Marcos de Prado
Presented: Pwning intranets with HTML5
Twitter: @javutin

Javier Marcos de Prado works in IBM as security researcher, performing whitebox and blackbox security assessments and his background goes from developer to sysadmin having done functional and reliability testing as well. He holds a MSc in Computer Engineering and a MSc in Security and Forensic Computing. Javier is a regular speaker at security trainings, technical sessions and colleges about how to exploit web application vulnerabilities, to show real risks and analyse real attacks. He also is an active member of OWASP, having participated in the local chapters of Dublin and Limerick and presented in the OWASP European conference 2011.


Sebastien DeleersnyderSebastien Deleersnyder
Due to a scheduling conflict, OWASP Foundation Board Member Sebastien Deleersnyder is unable to make the September 22 Lunchtime OWASP Foundation Board Discussion.

Web: https://www.owasp.org/index.php/User:Sdeleersnyder
Twitter: @SebaDele

I am OWASP board member since 2007.
I am active within OWASP since 2005 and have contributed year on year to OWASP chapters, conferences, projects and the OWASP mission of fighting the causes of software insecurity. I am based in Belgium and run the SAIT Zenitel ICT security team.
I have started the successful Belgium Chapter in 2005 and have helped starting other chapters in Europe.
I co-organized the European AppSec Conferences in OWASP AppSec Europe 2008 - Belgium and OWASP AppSec Europe 2009 - Poland.
Together with the Netherlands and Luxembourg we organize the yearly OWASP BeNeLux Days, BeNeLux OWASP Day 2009, BeNeLux OWASP Day 2010 and BeNeLux OWASP Day 2011.
I am an active member of the Global Chapter Committee.
I have started the OWASP Education Project.


Ganesh DevarajanGanesh Devarajan
Presented: Keeping up with the Web-Application Security
Web: http://www.godaddy.com

Ganesh Devarajan is the Sr. Security Architect within Go Daddy's Security Research Team. His focuses are web application security, Malware Analysis, Reputation Service and Cloud security.

Ganesh has a wide variety of experience in his field. Prior to joining Go Daddy in 2010, he worked as a security researcher for the TippingPoint DVLabs and The CASE Research Center in Syracuse, NY. He has publications in a variety of fields, ranging from Supervisory Control and Data Acquisition (SCADA) Securities, Role Based Access Control (RBAC), Wireless Securities and Runtime Software Application patches. His talks have been presented at various venues, including RSA, Department of Defense (DoD) Cybercrime conference, Computer Security Convention DEFCON, LayerOne, Reboot, National Petrochemicals & Refiners Association (NPRA), SMi, Hawaii International Conference on Social Sciences (HICSS), International Information Security Conference (IFIP/SEC) and Hacker Halted. Ganesh received a Masters Degree in Computer Engineering from Syracuse University.


John B. DicksonJohn Dickson, CISSP
Presented: Software Security: Is OK Good Enough?
Web: http://www.denimgroup.com
Twitter: @johnbdickson

John B. Dickson, CISSP, has over 15 years in the information security field including hands-on experience with intrusion detection systems, telephony security, and application security in the commercial and government sectors. In his current position as a Principal at Denim Group, he helps Chief Security Officers of Fortune 500 clients and Federal organizations launch successful software initiatives. John regularly speaks on the topic of application security at venues such as the RSA Security Conference and the Computer Security Institute’s (CSI) conferences.


Richard EnbodyRichard J Enbody
Presented: The Good Hacker - Dismantling Web Malware

Dr. Richard Enbody is an Associate Professor in the Department of Computer Science and Engineering, Michigan State University. He joined the faculty in 1987 after earning his Ph.D. in Computer Science from the University of Minnesota. Richard’s research interests are in computer security, computer architecture, web-based distance education, and parallel processing. He has two patents pending on hardware buffer-overflow protection, which will prevent most computer worms and viruses. He recently co-authored a CS1 Python book, The Practice of Computing using Python.


Chris EngChris Eng
Panelist: Speeding Up Security Testing Panel
Web: http://about.me/chriseng
Twitter: @chriseng

Chris Eng is Vice President of Research at Veracode, where he helps define and implement the security analysis capabilities of Veracode's service offerings. He is a regular speaker at information security conferences including Black Hat, OWASP, and RSA, and has presented on a diverse set of application security topics ranging from attacking cryptography to building an SDLC. Chris's professional experience includes stints at Symantec, @stake, and the US Department of Defense, where he specialized in software security assessments, penetration testing, and vulnerability research.


Arian Evans
Presented: Six Key Metrics: A look at the future of appsec
Web: http://www.whitehatsec.com
Twitter: @arianevans

Arian Evans is the VP of Operations and R&D at WhiteHat Security. In this role, Arian leads a team of application security engineers integral to delivering the WhiteHat Sentinel SaaS-based website vulnerability management service, currently assessing over 4,000 production websites around the globe, primarily in e-commerce, financial services and healthcare verticals, and including many Fortune 500 companies. Arian's team also verifies all vulnerabilities identified by WhiteHat Sentinel, a unique feature of the service.

Arian has worked at the forefront of Web application security for more than 12 years. His global projects include work with the Center for Internet Security, NIST, the FBI, the Secret Service, and many large commercial organizations in analyzing Web application security and providing hacking incident-response. Arian also researches and discloses new attack techniques and vulnerabilities in Web application software including commercial platforms like Cisco and Nokia.

Previously, Arian led the Application Security Practice at FishNet Security, working with Fortune 500 clients and delivering software security services globally.

Arian is a frequent speaker at industry conferences including Black Hat, Hacker Halted, OWASP, RSA, and WASC events, and was also a contributing author for "Hacking Exposed: Web Applications."


Sean FaySean Fay
Panelist: Speeding Up Security Testing Panel

Sean Fay is Chief Architect for Fortify at Hewlett-Packard, where he has nearly a decade of experience building automated solutions to find security problems in software of all shapes and sizes.


Tom FischerTom Fischer
Presented: Lessons Learned Building Secure ASP.NET Applications

Tom's software development assignments includes designing and delivering several large websites over past ten years. He coauthored two books, &Professional Design Patterns in VB .NET& and &.NET Security&. His speaking engagements for the Twin Cities .NET User Group and Minnesota Developer Conferences (MDC) have covered a broad range of topics over years, such as, &Beginning Functional Programming with F#& and &Understanding and enhancing WS-SecureConversation&. Tom currently works as an application architect for a financial services company.


Juan Galiana LaraJuan Galiana Lara
Presented: Pwning intranets with HTML5
Twitter: @jgaliana

Juan Galiana Lara works as a Software Security Engineer for IBM and specializes in web application and network penetration testing. He has discovered vulnerabilities in software like ModSecurity, Joomla, Horde, Wordpress, and in top websites like Facebook that led him to obtain a large number of CVEs. Juan holds a MSc in Computer Engineering, CEH and CHFI certifications and is a regular speaker at local and international conferences in the security field including OWASP AppSec Iberia and OWASP Europe.


Garrett HeldGarrett Held
Presented: Hacking (and Defending) iPhone applications
Web: http://www.trustwave.com

Garrett Held is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has been involved in the Information Technology industry for more than 15 years, with over 10 years specializing in Information Security. Prior to Trustwave he worked as a Security Consultant for Deloitte & Touche, where he worked with Fortune 500 corporations and government organizations.


Charles HendersonCharles Henderson
Presented: Global Security Report
Web: http://www.trustwave.com

Charles Henderson is Director of Application Security Services of SpiderLabs at Trustwave.

Henderson began his career in computer security in 1993, specializing in penetration testing as well as security and vulnerability research. As Director of Application Security Services at SpiderLabs, he leads the team responsible for Application Penetration Testing, Code Review, Secure Development Training, and other elite application security consulting services. Prior to joining SpiderLabs, Henderson ran his own boutique application security testing firm. Henderson’s firm provided offensive security services to a wide variety of clients in the United States and Europe. Henderson speaks frequently at major industry events and conferences, including BlackHat, DEF CON, AppSec US, AppSec EU, SOURCE, and the International Association of Financial Crime Investigators convention.


Jerry HoffJerry Hoff
Panelist: Speeding Up Security Testing Panel

Jerry Hoff is vice president of the Static Code Analysis division at WhiteHat Security. In this role, he oversees the development of WhiteHat's cloud-based static application security testing (SAST) service. Prior to WhiteHat, Mr. Hoff was co-founder and managing partner of Infrared Security, a leading application security professional services firm. Mr. Hoff is an experienced application security consultant with years of professional development and training delivery. He is also the lead of the OWASP AppSec Tutorial Series.


Eoin KearyEoin Keary
Board Member: September 22 Lunchtime OWASP Foundation Board Discussion
Web: http://www.bccriskadvisory.com
Twitter: @eoinkeary

OWASP Global Board Member.
Director & CTO of BCC Risk Advisory.
Eoin has been with OWASP since 2004.
During this time he has been involved in the following projects:

  • OWASP Code Review Guide (lead)
  • OWASP Testing Guide v2.0 (lead)
  • OWASP Ireland Chapter Lead
  • OWASP AppSec Europe 2011 Chair

Eoin lives in Ireland and works across Europe for BCC Risk Advisory. He has dedicated much of his professional career to solving software insecurity issues and believes in buidling security in.

Eoin has 2 children (Eoghan & Lewis) and a lovely wife Louise.
In his part time he likes filling out forms and weighing things.


Ajoy Kumar
Panelist: Application Security Advisory Board SDLC Panel

Ajoy Kumar is the Head of Application Security at UBS. He has extensive experience in designing, implementing, and managing enterprise Software Security Programs from the ground up. He is a strong believer in implementing application security by process re-engineering and implementing the technology controls over the development lifecycle. He believes application security education is essential for the necessary transformation of the enterprise. Ajoy has an MS in Security Management and EE and a BS in Computer Science.


Adrian LaneAdrian Lane
Presented: CloudSec 12-Step
Web: http://securosis.com
Twitter: @AdrianLane

Adrian is a CTO and Analyst at Securosis, bringing over 24 years of industry experience to the research team, much of it at the executive level. Adrian specializes in database security, data security, and software development. With experience at Ingres, Oracle, and Unisys, he has extensive experience in the vendor community, but brings a pragmatic perspective to selecting and deploying technologies having worked on "the other side" as CIO in the finance vertical. Prior to joining Securosis, Adrian served as the CTO/VP at companies such as IPLocks, Touchpoint, CPMi and Transactor/Brodia. He has been invited to present at dozens of security conferences, and regularly contributes to Dark Reading, Information Security Magazine and other security publications. Adrian is a Computer Science graduate of the University of California at Berkeley with post-graduate work in operating systems at Stanford University.


Zach LanierZach Lanier
Presented: OWASP Mobile Top 10 Risks

Zach Lanier is a Principal Consultant with the Intrepidus Group, specializing in network, mobile, and web application penetration testing. Prior to joining Intrepidus, Zach served as Senior Network Security Analyst at Harvard Business School, and Security Assessment Practice Manager at Rapid7. Zach likes Android, vegan food, and cats (but not as food).


Glenn LeifheitGlenn Leifheit
Moderating: Application Security Advisory Board SDLC Panel
Web: http://www.glennleifheit.com
Twitter: @gleifhe

Glenn Leifheit, CISSP, CSSLP is a Senior Security Architect at FICO. He has worked in developing, managing, architecting and securing large scale applications for over 15 years. His day is spent rolling out an Enterprise secure software development lifecycle and managing PCI requirements as well as secure software reviews. Glenn is active in the technology community as the Co-Chair of (ISC)² Application Security Advisory Board, President of TechMasters Twin Cities, as an active member of IASA (International Association of Software Architects) and OWASP (Open Web Application Security Project) as well as a regional speaker evangelizing secure software.


Jason LiJason Li
Presented: OWASP Projects Portal Launch! (5-10 Minutes)
Web: https://www.owasp.org/index.php/GPC
Twitter: @OWASPguy

Jason is a Principal Consultant for Aspect Security and serves as the volunteer chair of the OWASP Global Projects Committee (GPC). The GPC is dedicated to fostering an active OWASP developer community, facilitating contributions from OWASP community members, and encouraging adoption of OWASP Projects by the global community at large.


Rafal LosRafal Los
Panelist: Making it in Information Security and Application Security
Web: http://hp.com/go/white-rabbit
Twitter: @Wh1t3Rabbit

Rafal Los is the Software Security Evangelist for the Software & Solutions business at Hewlett-Packard. Rafal combines knowledge of industry, customer, and technology solutions - bridging the gaps between security technologies and business needs. Rafal focuses on how organizations can demonstrate the business value of software security by implementing practical solutions and measuring risk reduction as part of HP's Application Security team. He has spent over 11 years in various facets of information security and data protection, from technical research to building programs at companies ranging from startups to Fortune 50 enterprises. Rafal is a regular speaker at public and private information security and quality conferences (including OWASP, SecTor, DEF CON, Black Hat, SANS and others). Additionally, Los contributes to regularly to organizations such as the Open Web Application Security Project (OWASP) and others promoting education, openness and standards.

Prior to joining HP, Los led the web application security program and served as a security lead at a Global Fortune 100. Los also worked with various sub-businesses, leading security engineering, architecture and building the web application security program. Los has a long history of strategic success with organizations large and small, providing critical strategic leadership on products, services, and strategy. Rafal received his B.S. in Computer Information Systems from Concordia University, River Forest, Illinois.


Jim ManicoJim Manico
Presented: Ghosts of XSS Past, Present and Future
Twitter: @manicode

Jim Manico has been an active member of OWASP since 2008.

Jim is the founder, producer and host of the OWASP Podcast Series. As of July 2011 there are 86 shows that have entailed Jim working over 500 hours. Jim is grateful to the many guests who have made the show a success.

Jim is also the project manager of the ESAPI Project, and one of the largest contributors for the ESAPI-Java project and facilitator of communication between the many volunteers of this project.

Jim is also the chair of the OWASP Connections Committee where he manages the OWASP Blog, twitter feed and press communications for OWASP. He feels that these activities are directly inline with the OWASP core mission of spreading awareness.

Jim is also spearheading several ESAPI-like projects that provide modular single-use controls for ease of use. He has only begun these efforts, but has started to manage the OWASP Encoder, the OWASP validator and the OWASP HTML Sanitizer project with a variety of very talented developers.

He has also been a significant contributor and manager of the OWASP Cheatsheet Series. He has worked on the XSS, DOM XSS, SQL Injection, Cryptographic Storage, Forgot Password and other topics in this series.


Jack ManninoJack Mannino
Presented: OWASP Mobile Top 10 Risks
Web: http://www.nvisiumsecurity.com/
Twitter: @jack_mannino

Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington, DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the co-leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter.


Moxie MarlinspikeMoxie Marlinspike
Presented: September 23 Lunch Keynote
Web: http://www.thoughtcrime.org
Twitter: @moxie__

Moxie Marlinspike is the CTO of Whisper Systems and a fellow at the Institute for Disruptive Studies. He is the author of sslsniff, sslstrip, runs a cloud-based WPA cracking service, manages the GoogleSharing targeted anonymity service, and is the author of the sailing film Hold Fast.


Scott MatsumotoScott Matsumoto
Presented: Threat Modeling in the Cloud: What You Don’t Know Will Hurt You!
Web: http://www.cigital.com/about/team/thoughtleaders/scott-matsumoto.php
Twitter: @cigital

Scott Matsumoto is a Principal Consultant at Cigital bringing over 20 years of commercial software product development experience to the company. At Cigital, Scott is responsible for the security architecture practice within the company. He consults for many of Cigital's clients on security architecture topics such as Cloud Computing Security, SOA Security, fine-grained entitlements systems and SOA Governance. His prior experience encompasses development of component-based middleware, performance management systems, graphical UIs, language compilers, database management systems and operating system kernels.

Scott is a founding member of the Cloud Security Alliance (CSA) and is actively involved in its Trusted Computing Initiative.


Mike McCormickMike McCormick
Panelist: Making it in Information Security and Application Security

Mike McCormick is Vice President, Information Security Architecture, and lead security architect of a large national bank.

Mike is also active in security and standards organizations - for example, serving as US biometrics expert to ISO. He holds pending patents in biometrics and fraud detection.

Mike contributed to Steve Bellovin's 2008 "Insider Attack" book. He has published articles in various publications, most recently ISSA Journal. Mike also speaks regularly at security conferences.

Mike is an (ISC)² CISSP. He's also active in his local ISSA chapter.

One of Mike's passions is encouraging young people to consider careers in information security. Mike was a co-founder of the Minnesota Cybersecurity Career Consortium (MnC3).


Jon McCoyJon McCoy (DigitalBodyGuard)
Presented: Hacking .NET (C#) Applications: The Black Arts
Web: http://www.digitalbodyguard.com

Jon McCoy is a .NET Software Engineer that focuses on security and forensics. He has worked on a number of Open Source projects ranging from hacking tools to software for paralyzed people. With a deep knowledge of programming under the .NET Framework he has released new attacks on live applications and the .NET Framework itself. He provides consulting to protect .NET applications.


Darren Meyer
Panelist: Speeding Up Security Testing Panel
Twitter: @dm914

Darren is a Senior Technical Architect working in application security at a large company in the Minneapolis area. He has over a decade of software development experience that informs his desire to support and educate developers in application security practice.


Adam MeyersAdam Meyers
Presented: Mobile Applications Software Assurance
Web: http://www.sra.com
Twitter: @Cyber_Adam_SRA

Adam Meyers is the Director of Cyber Security Intelligence with the National Products and Offerings Division of SRA International. Mr. Meyers serves as a senior subject matter expert for cyber threat and cyber security matters for a variety of SRA projects and provides both technical expertise at the tactical level and strategic guidance on overall security program objectives, security and risk management. His areas of expertise include Information Security Assurance, Application Assessment, Secure Application Development and Secure Network Architecture Design and Implementation. He specializes in security assessments and secure software lifecycle.


Alessandro MorettiAlessandro Moretti
Panelist: Application Security Advisory Board SDLC Panel

Alessandro leads a global risk analysis, risk management and IT forensic team. A British and Swiss national, he has extensive international consulting experience working with Fortune 500 financial services, nuclear and petrochemical companies, including Baker Hughes, as interim CISO on some assignments, establishing new security risk management and security testing functions.


Michelle MossMichelle Moss
Presented: Why do developers make these dangerous software errors?

Michele Moss is Lead Associate at Booz Allen Hamilton. She leads the development, integration, and benchmarking of security engineering and software assurance processes within Booz Allen's Organizational Standard Processes. Michele assists government organizations with tailoring industry best practices and capability maturity models (CMMI, Assurance for CMMI, RMM, and SSE-CMM) to mature their systems/software development, operational, information assurance, project management, and support practices. Michele led the development and Booz Allen pilot of the Assurance Process Reference Model for CMMI. She provides expert support on ICT Supply Chain Risk Management and Software Assurance to DoD Trusted Mission Systems and Networks and is an active contributor to the evolution of International Cyber Security standards through the US Technical Advisory Group for ISO/IEC JTC1/SC7. She Co-Chairs the DHS Software Assurance Working Group on Processes & Practices and has spoken at multiple industry events on software assurance implementation, benchmarking and measurement. Michele holds a CISSP and CSSLP.


Andy MurrenAndy Murren
Presented: SwA and the Cloud - Counting the Risks

Andy Murren is a Manager with Security & Privacy Services Group of Deloitte & Touche LLP. He has over 16 years of experience in the field of Information Technology, Information Systems Security and he is a Certified Information Systems Security Professional (CISSP). He has extensive experience in the realm of Information Security and risk management; his areas of specialization include Information Security Assurance, Application Assessment, Secure Application Development and Secure Network Architecture Design and Implementation. He specializes in security assessments and secure software lifecycle.


Wendy NatherWendy Nather
Moderating: Speeding Up Security Testing Panel
Web: http://www.the451group.com
Twitter: @451Wendy

Wendy Nather is the Research Director within The 451 Group's Enterprise Security Practice, providing analysis on the current state of security from the perspective of a veteran CISO. Wendy's areas of coverage are on application security and security services.
Wendy joined The 451 Group after five years building and managing all aspects of the IT security program at the Texas Education Agency, which serves 4.6 million Texas students. In that position, she directed multimillion-dollar initiatives for a statewide external user base of over 50,000. She also provided security guidance for the datacenter consolidation of 27 Texas state agencies.

Wendy previously worked in various roles in the investment banking division of Swiss Bank Corp (now UBS), including helping to build Europe's then-largest private trading floor. Based in Chicago, Zurich and London, she also served as the first IT Security Director for the EMEA region, managing the security aspects of various mergers, IT operations outsourcing and the division's first Internet presence.

Wendy is based in Austin, Texas.


Gerrit PadghamGerrit Padgham
Presented: When Zombies Attack - a Tracking Love Story
Twitter: @weasel0x00

Gerrit is a Senior Security Consultant at Electric Alchemy with over 11 years of experience securing everything from small businesses to ISPs and global Fortune 500s including systems in Antarctica. Gerrit's primary responsibilities currently include network and application penetration testing, and incident response.

Gerrit currently helps to organize the Denver, CO OWASP chapter. Industry designations include the Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH) certifications.


Mike ParkMike Park
Presented: Android Security, or This is not the Kind of "Open" I Meant...
Web: https://www.trustwave.com/application-security.php

Mike Park is a Security Consultant at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has over 12 years experience building and securing software for a variety of companies. Mike is a CISSP and specializes in application security assessment, penetration testing, reverse engineering and secure development life cycle. Mike is an active member of the Ottawa ISSA.


Srini PenchikalaSrini Penchikala
Presented: Messaging Security using GlassFish 3.1 and Open Message Queue
Web: http://srinip2007.blogspot.com

Srini currently works as Security Architect at a major financial services organization in Austin, Texas. He has over 17 years of experience in software product development, security and risk program management areas. Srini's main areas of interest are Agile Enterprise and Security Architecture, Agile Risk Management. He has presented at conferences like JavaOne, SEI Architecture Technology Conference (SATURN), IT Architect Conference (ITARC), No Fluff Just Stuff, and Project World Conference. He has also published several articles on Security Architecture and Agile Security Methodologies on websites like InfoQ.com, ServerSide.com, ONJava, DevX Java, java.net and JavaWorld. Srini publishes a blog on Java, JEE, and other topics at http://srinip2007.blogspot.com/.


Gunnar Peterson
Presented: Mobile Web Services
Web: http://1raindrop.typepad.com
Twitter: @oneraindrop

Gunnar Peterson is a Managing Principal at Arctec Group. He is focused on distributed-systems security for large mission-critical financial, financial exchanges, healthcare, manufacturer, and insurance systems, as well as emerging start ups. Gunnar is an internationally recognized software security expert, frequently published, an Associate Editor for IEEE Security & Privacy Journal on Building Security In, a contributor to the SEI and DHS Build Security In portal on software security, a Visiting Scientist at Carnegie Mellon Software Engineering Institute, and an in-demand speaker at security conferences.


Todd RedfootTodd Redfoot, Chief Information Security Officer
Presented: Keeping up with the Web-Application Security
Web: http://www.godaddy.com

Todd is responsible for overseeing Go Daddy's award winning Security Team. His specific focus is maintaining a safe hosting platform for customer websites and insuring a high level of information security within the company.

Since joining Go Daddy in 2003 as a Senior Developer, Todd has led several Development and Security teams, including Email Systems, Marketing Infrastructure and Internal Information Technology. Todd is well versed in Network, Application and Database security and is trained in several programming and software scripting languages as well. He has a Bachelor of Science in Computer Information Systems from Arizona State University.
When not keeping customer websites safe and secure, Todd enjoys frequent trips to Mexico with his wife and kids.


Andrés RianchoAndrés Riancho
Presented: Web Application Security Payloads
Web: http://www.rapid7.com
Twitter: @w3af

Andrés Riancho is Director of Web Security at Rapid7, where he leads the efforts of automating the detection of Web application vulnerabilities. Currently based in Buenos Aires, he manages Rapid7's Web Application Security Center of Excellence. In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS and contributed with SAP research performed at his former employer.

His main focus has always been the Web Application Security field, in which he developed w3af a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants. Andrés has spoken and hold trainings at many security conferences around the globe, like BlackHat (Spain), SecTor (Canada), FRHACK (France), OWASP (Poland), CONFidence (Poland), OWASP World C0n (USA), CanSecWest (Canada), T2 (Finland) and Ekoparty (Buenos Aires).

Andrés's entrepreneurship lead him to establish his own company, Bonsai Information Security, with the objective of providing it's customers with high quality services in the Penetration Testing arena.


Charles SchmidtCharles Schmidt
Presented: You’re Not Done (Yet) – Turning Securable Apps into Secure Installations using SCAP

Charles Schmidt is a Lead Information Security Engineer at the MITRE Corporation. He has supported security guidance development efforts for more than 11 years covering a wide range of technologies. He has directly supported the CVE, CCE, OVAL, and OCIL security automation standards and is currently the moderator of the XCCDF benchmark standard. He also led the development teams for a number of supporting applications. Charles holds a Bachelors degree in both Mathematics and Computer Science from Carleton College and a Masters degree in Computer Science from the University of Utah.


Shreeraj ShahShreeraj Shah
Presented: Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Web: http://shreeraj.blogspot.com
Twitter: @shreeraj

Shreeraj Shah, B.E., MSCS, MBA, is a founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He is also the author of popular books like Hacking Web Services (Thomson 2006) and Web Hacking: Attacks and Defense (Addison-Wesley 2003). In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Black Hat, OSCON, Bellua, Syscan, ISACA, and more. His articles have been regularly published on SecurityFocus, InformIT, DevX, O’Reilly, and HNS. His work has been quoted on BBC, Dark Reading, and Bank Technology as expert analysis.


Ryan W SmithRyan W Smith, Praetorian
Presented: STAAF: An Efficient Distributed Framework for Performing Large-Scale Android Application Analysis
Web: http://www.praetorian.com
Twitter: @ryanwsmith13

At Praetorian, Ryan's current focus is on the development of technology and systems in support of computer network defense, attack, and exploitation. Prior to joining Praetorian, Ryan Smith was an Associate Staff member of the Information Systems Technology Group at MIT Lincoln Laboratory. His previous work at Lincoln Labs was in the code analysis group, in which he focused on the development of a prototype tool to automate the malware analysis process using information flow and virtual machine introspection. Prior to Lincoln Laboratory, Mr. Smith worked at 21st Century Technologies and Applied Research Labs in Austin, TX, and PricewaterhouseCoopers in Dallas, TX. Previous work has included graph-based network attack correlation, steganography, netflow traffic analysis, vulnerability and risk analysis, and identity management.

Ryan is currently the Chair of the OWASP Dallas Chapter and recently founded the Texas Honeynet Chapter (RoT-1). Ryan was an active member of the Honeynet Project from 2002 - 2008, in which he participated in the testing and development of various honeynet technologies, and was invited to give several talks on the usefulness of honeynets for strengthening network security as well as research. While at the University of Texas, Ryan was the head of the local information security group on campus, and the organizer of the local cyber "capture the flag" exercise. As a result of this position, he was invited to a NFS funded workshop to determine the efficacy of a National Collegiate Cyber Defense Exercise, and subsequently assisted in the organization of the inaugural Collegiate Cyber Defense Competition, which now hosts over 50 Universities in 8 regional qualifiers and a finalist round in San Antonio. While at the University of Texas, Ryan also led a team of graduate students to design and implement a prototype of an automated polymorphic shellcode analyzer to extract the system calls and parameters of arbitrarily obfuscated Windows shellcode.

Industry designations include the Certified Information Systems Security Professional (CISSP). Ryan received a B.S in Electrical Engineering from The University of Texas in Austin, where he focused on information assurance and network communications. Ryan received a M.S. in Security informatics from Johns Hopkins, where he focused on network and systems security as well as privacy and technical public policy.


Alex SmolenAlex Smolen
Presented: Application Security and User Experience
Web: http://alexsmolen.com
Twitter: @alsmola

Alex Smolen designs systems that are usable, secure, and respect users' privacy expectations. This year, he received his masters degree from the UC Berkeley School of Information and joined Twitter as a Security Engineer. Alex spent last summer as an intern in the User Experience team at VMware. Previously, Alex was a security consultant at Foundstone, where he built Hacme Casino and was a Microsoft Developer Security MVP.

Alex has been involved with OWASP for several years - he spoke at the 2005 conference, contributed the web services lessons to WebGoat, and released the first two versions of the .NET ESAPI and .NET Swingset.


Ashkan SoltaniAshkan Soltani
Presented: When Zombies Attack - a Tracking Love Story
Twitter: @ashk4n

Ashkan Soltani is an independent researcher and consultant specializing in consumer privacy and security on the Internet. He has more than 15 years of experience as a technology consultant and has published three major reports on the extent and means of online tracking: "KnowPrivacy: The Current State of Web Privacy, Data Collection, and Information Sharing", "Flash Cookies and Privacy", and "Flash Cookies and Privacy II". His work highlights the prevalence and practice of tracking online, including the use of specific technologies designed to circumvent consumer privacy choices online. He has served as a staff technologist in the Division of Privacy and Identity Protection at the Federal Trade Commission and also worked as the primary technical consultant on the Wall Street Journal's What They Know series investigating Internet privacy and online tracking.

Finally, he recently testified as an independent expert in front of the Senate Commerce Committee hearing on "The State of Online Consumer Privacy" and the Senate Judiciary Committee hearing on "Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy"


Aditya K SoodAditya K Sood
Presented: The Good Hacker - Dismantling Web Malware
Web: http://secniche.blogspot.com

Aditya K Sood is a security researcher and PhD candidate at Michigan State University. He has already worked in the security domain for Armorize, COSEINC and KPMG. He is also a founder of SecNiche Security Labs, an independent security research arena for cutting edge computer security research. At SecNiche, he also acts as an independent researcher and security practitioner for providing services including software security and malware analysis. He has been an active speaker at industry conferences and already spoken at RSA, HackInTheBox, ToorCon, HackerHalted, Source, TRISC, AAVAR, EuSecwest, XCON, Troopers, OWASP AppSec USA, FOSS, CERT-IN, etc. He has written content for HITB Ezine, Hakin9, ISSA, ISACA, CrossTalk, Usenix Login, and Elsevier Journals such as NESE and CFS. He is also a co author for debugged magazine.


Kevin StadmeyerKevin Stadmeyer
Presented: Hacking (and Defending) iPhone applications
Web: http://www.trustwave.com

Kevin is a Senior Security Consultant in the Application Security Group in Trustwave’s SpiderLabs. He has worked in the information security field for over 8 years. His main focus has been on application security assessments and he has worked in this capacity for a number of companies with the primary the emphasis being on the banking and pharmaceutical industries. His work included testing web applications as well as designing information security programs for these clients. In this capacity he has tested 500+ distinct applications for a variety of business sectors, these tests including code review as well as black box application testing. Kevin has spoken at a variety of security-oriented conferences across the globe, including Black Hat, FROC, and You Sh0t The Sherriff.


John StevenjOHN Steven
Panelist: Speeding Up Security Testing Panel
Web: http://feeds.feedburner.com/M1splacedOnTheWeb
Twitter: @m1splacedsoul

John Steven is the Senior Director, Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John’s expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John’s keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.


Anthony J. Stieber
Presented: How NOT to Implement Cryptography for the OWASP Top 10

Anthony J. Stieber has worked in academia, banks, retail, and insurance; designed enterprise security architectures, installed military and commercial firewalls; engineered medical diagnostic systems; reverse-engineered Internet stores; encrypted terabyte data warehouses; provided expertise for court cases; spoken at international cryptography conferences; become an apprentice locksmith; and had his writing published.


Ryan StinsonRyan Stinson
Presented: Improve your SDLC with CAPEC and CWE

Ryan Stinson is the chief of Cyber Assessment Services at Knowledge Consulting Group. The KCG Cyber Assessment Services group provides penetration testing, code reviews, secure architecture assessments, web application security testing, and vulnerability research. Mr. Stinson holds a Bachelor of Science in Computer Science, as well as certifications as a Certified Information Systems Security Professional (CISSP), GIAC Certified Incident Handler and GIAC Certified Penetration Tester.


Richard StruseRichard Struse
Presented: Software Assurance Automation throughout the Lifecycle

Richard Struse is the Deputy Director for Software Assurance in the Department of Homeland Security's National Cyber Security Division where he oversees efforts relating to the automation of Software Assurance. Prior to joining DHS, Mr. Struse was Vice President of Research and Development at VOXEM, Inc., where he was responsible for the architecture, design and development of a high-performance, extremely high-reliability communications software platform that is in use in telecommunications systems around the world. He began his technical career at Bell Laboratories where his work focused on tools to automate software development and the UNIX operating system.


Patrick TatroPatrick Tatro
Presented: Principles of Patrolling: Applying Ranger School to Information Security
Twitter: @warri0r26

Patrick is an Information Security Specialist with LarsonAllen. He has three years of experience in the Information Technology field. He brings with him a wide variety of technical expertise that covers Microsoft Windows, Active Directory, and networking systems.

Prior to entering the Information Technology field, Patrick served as a First Lieutenant in the Army National Guard. He deployed as an Infantry Platoon Leader for 22 months in support of Operation Iraqi Freedom. While in Iraq, Patrick planned and led combat patrols and was awarded the Bronze Star, Purple Heart, Combat Infantry Badge, and two Army Accommodation medals. Patrick is also Airborne, Ranger, and Pathfinder qualified.

Patrick has an Associates of Applied Science degree in Computer Network Systems from ITT Technical Institute and is currently pursuing a Bachelors of Science in Information Systems Security. He has a CompTIA Security+ Certification and is currently pursuing his SSCP certification.


Matt TesauroMatt Tesauro
Presented: Testing from the Cloud: Is the Sky Falling?
Board Member: September 22 Lunchtime OWASP Foundation Board Discussion
Web: http://www.praetorian.com
Twitter: @matt_tesauro

Matt has been involved in the Information Technology industry for more than 10 years. Prior to joining Praetorian, Matt was a Security Consultant at Trustwave's Spider Labs. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training a various industry events including DHS Software Assurance Workshop, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil.

Matt is currently on the board of the OWASP Foundation and highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP WTE (Web Testing Environment) which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications.

Industry designations include the Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University.


Richard TychanskyRichard Tychansky
Panelist: Application Security Advisory Board SDLC Panel

Mr. Tychansky has over 15 years of experience in designing and testing software security controls for automated information systems – systems that use artificial intelligence (AI) to make decisions and process information automatically. He consults with higher education and government to ensure that systems are developed following standard software engineering processes.


Christophe Veltsos
Panelist: Making it in Information Security and Application Security
Web: http://www.drinfosec.com
Twitter: @DrInfoSec

Dr. Christophe Veltsos, aka Dr. InfoSec™, teaches Information Security and Information Warfare courses at Minnesota State University, Mankato. He has helped many students enter the field of infosec but looks forward to the day when one of his former students becomes a CISO. Both faculty and practitioner, Chris holds the CISSP, CISA, and CIPP certifications.


Kevin Wall
Presented: ESAPI 2.0 - Defense Against the Dark Arts

Kevin Wall currently works at CenturyLink (formerly Qwest) as a Staff Security Engineer under Risk Management / Information Security. During the 11 years prior to this, he worked as the tech lead on the Application Security team in Qwest's IT division.

Prior to that, Kevin spent 3+ years as an independent contractor consulting on C++ and Java development, and 17 years at (then) AT&T (now Alcatel-Lucent) Bell Labs where he was started his career as a Senior Technical Assistant and finished out his term there as a Distinguished Member of Technical Staff.

Kevin is currently working on the OWASPI ESAPI for Java project where he spends most of my time is spent on ESAPI's crypto system and writing long-winded emails that no one ever reads.

After years of swearing that he would never program in C++ again, lo and behold, Kevin finds himself working working on the new ESAPI for C++ project.

His career claim to fame is that his has survived over 20 years of C and C++ without fatally stabbing himself with pointers.


Mike WareMike Ware
Presented: Simplifying Threat Modeling
Web: http://www.mikeware.us/

Mike Ware is a Senior Software Security consultant at Cigital. At Cigital, Mike has led static analysis rollouts at some of the world's largest financial firms in addition to delivering architectural risk analysis and threat modeling engagements. Mike is also a contributer to BSIMM.

Prior to Cigital, Mike worked as a web application developer. Mike approaches software security with an engineer's mindset.


Colin WatsonColin Watson
Presented: OWASP Codes of Conduct
Web: http://www.clerkendweller.com/
Twitter: @clerkendweller

Colin Watson is an experienced application security consultant, working mainly in the area of building security and privacy into the software development life cycle.


Dave WichersDave Wichers
Board Member: September 22 Lunchtime OWASP Foundation Board Discussion

Dave Wichers is the Chief Operating Officer (COO) of Aspect Security (www.aspectsecurity.com), a company that specializes in application security services. Mr. Wichers brings over seventeen years of experience in the information security field. Prior to Aspect, he ran the Application Security Services Group at a large data center company, Exodus Communications.

His current work involves helping customers, from small e-commerce sites to Fortune 500 corporations and the U.S. Government, secure their applications by providing application security design, architecture, and SDLC support services: including code review, application penetration testing, security policy development, security consulting services, and developer training.

Dave holds a BSE in Computer Systems Engineering from Arizona State University and a Masters degree in Computer Science from the University of California at Davis. Dave is a CISSP and a CISM, is currently the OWASP Conferences Chair (www.owasp.org), and is a coauthor of the OWASP Top Ten.


Jeff WilliamsJeff Williams
Presented: AppSec Inception - Exploiting Software Culture
Panelist: Making it in Information Security and Application Security
Board Member: September 22 Lunchtime OWASP Foundation Board Discussion
Web: http://www.aspectsecurity.com
Twitter: @planetlevel

Jeff has spent the last 15 years helping companies improve their application security. He started and led many of the most popular OWASP projects, including the T10, chapters, ESAPI, and cheatsheets. He served as the OWASP Chair during the tremendous growth from 2004-2011. Jeff is also the CEO of Aspect Security, provider of industry leading training, eLearning, code review, pentesting, and consulting. You can contact Jeff anytime about application security.


Chuck WillisChuck Willis
Presented: Sticking to the Facts: Scientific Study of Static Analysis Tools
Web: http://www.mandiant.com
Twitter: @chuckatsf

Chuck Willis is a Technical Director with MANDIANT, a full spectrum information security company in Alexandria, Virginia. At MANDIANT, Mr. Willis concentrates in several areas including application security, where he assesses the security of sensitive software applications through external testing and static analysis. He also studies static analysis tools and techniques and strives to identify better ways to evaluate and secure software. Mr. Willis is the leader of the OWASP Broken Web Applications project, which distributes a virtual machine with known vulnerable web applications for testing and training.


Ira WinklerIra Winkler
Presented: September 23 Morning Keynote
Web: http://www.irawinkler.com

As OWASP celebrates ten years, OWASP AppSec USA 2011's September 23 keynote, famous real world spy author Ira Winkler, will bring a dose of reality about today's threats.

Ira joins OWASP AppSec USA 2011's September 22 keynote, OWASP founder Mark Curphey, and lunch keynote and secure protocol expert Moxie Marlinspike.

Ira Winkler, CISSP, is Chief Security Strategist at TechnoDyne. He is considered one of the world’s most influential security professionals, and has been named a "Modern Day James Bond" by the media. He earned this title by performing espionage simulations, physically and technically "breaking into" some of the largest companies in the world, investigating crimes against them, and telling them how to cost effectively protect their information and computer infrastructure. He continues to perform these espionage simulations, as well as assist organizations in developing cost effective security programs. Ira also won the Hall of Fame award from the Information Systems Security Association, as well as several other prestigious industry awards.

Ira is also author of the riveting, entertaining, and educational books, Spies Among Us and Zen and the Art of Information Security. He is also a columnist for ComputerWorld and writes for several other industry publications.

Mr. Winkler began his career at the National Security Agency, where he served as an Intelligence and Computer Systems Analyst. He moved onto support other US and overseas government military and intelligence agencies. After leaving government service, he went on to serve as President of the Internet Security Advisors Group, Chief Security Strategist at HP Consulting, and Director of Technology of the National Computer Security Association (now ICSA Labs). He was also on the Graduate and Undergraduate faculties of the Johns Hopkins University and the University of Maryland.

Mr. Winkler has also written the book Corporate Espionage, which has been described as the bible of the Information Security field, and the bestselling Through the Eyes of the Enemy. Both books address the threats that companies face protecting their information. He has also written hundreds of professional and trade articles. He has been featured and frequently appears on TV on every continent. He has also been featured in magazines and newspapers including Forbes, USA Today, Wall Street Journal, San Francisco Chronicle, Washington Post, Planet Internet, and Business 2.0.


Chris WysopalChris Wysopal
Presented: Application Security Debt and Application Interest Rates
Web: http://www.veracode.com
Twitter: @WeldPond

Chris Wysopal, Veracode’s CTO and Co-Founder, is responsible for the company’s software security analysis capabilities. In 2008 he was named one of InfoWorld's Top 25 CTOs and one of the 100 most influential people in IT by eWeek. One of the original vulnerability researchers and a member of L0pht Heavy Industries, he has testified on Capitol Hill in the US on the subjects of government computer security and how vulnerabilities are discovered in software. He is the author of "The Art of Software Security Testing" published by Addison-Wesley.


Jing XieJing Xie
Presented: Secure Programming Support in IDE

Jing Xie is pursuing her Ph.D. in Department of Software and Information Systems at The University of North Carolina at Charlotte. Her current research focuses on developing interactive tool support for software developers to write more secure code that has less common vulnerabilities. She also has a general interest of exploring the security aspect of all kinds of software.


Tin ZawTin Zaw
Presented: Brakeman and Jenkins: The Duo Detect Defects in Ruby on Rails Code
Twitter: @tzaw

Tin Zaw is a security architect at AT&T Interactive and the president of the Los Angeles chapter of OWASP. A veteran software developer, Tin holds CISSP and CSSLP certifications and MS in CS from University of Southern California.


Mike ZusmanMike Zusman
Presented: OWASP Mobile Top 10 Risks
Twitter: @schmoilito

Michael Zusman is an independent consultant. Prior to working independently, Mr. Zusman has held the position of Director at the Intrepidus Group, where he joined as a senior security consultant in 2008. Prior to his work at Intrepidus Group, he held the position of Escalation Engineer at Whale Communications (a Microsoft subsidiary), Security Program Manager at Automatic Data Processing, and lead architect and developer at a number of smaller firms. In addition to his corporate experience, Mr. Zusman is an independent security researcher, and has responsibly disclosed a number of critical vulnerabilities to commercial software vendors including Apple and SonicWall. He has spoken at a number of top industry events including CanSecWest, Black Hat, regional OWASP events, and has also taught portions of the penetration testing class at NYU/Polytechnic University. Mr. Zusman has previously obtained the CISSP certification, but only because it meant that he would get a pay raise. He is an active member of the OWASP foundation.


Talks Icon


Sponsors Icon


Training Icon


Capture the Flag Icon


Promotional Consideration Provided By

Corporate Donors

Trustwave   Security Innovation

IBM   NetSPI   Veracode

Qualys   Fortify, an HP Company

Cigital   Accuvant   Core Security

Radware   Imperva   WhiteHat Security

Barracuda Networks   Rapid7   Aspect Security

Fishnet Security   Intrepidus Group   NT OBJECTives

Additional Sponsors

Media Partners
TECHdotMN   The 451 Group

(ISC)2   InfoSecurity