AppSec USA 2014

=ABOUT=

AppSec USA is a world-class software security conference for developers, auditors, risk managers, technologists, and entrepreneurs gathering with the world’s top practitioners to share the latest research and practices, in the high-energy atmosphere of Downtown Denver.

WHY YOU SHOULD ATTEND?

 * Insightful keynote addresses delivered by leading industry visionaries and thought leaders from critical infrastructure
 * Over 50 sessions across 5 tracks (developer, tester, operations, workshops, and legal) with world-renowned subject matter experts
 * An all-new Legal Track to address industry regulations, privacy laws, liability, and more
 * A hands-on Workshop Track providing instruction on essential security tools and skills
 * Thousands of attendees exclusively focused on software security
 * Extensive Capture the Flag competition developed exclusively for AppSec USA 2014
 * Home-brewed beer competition open to all attendees
 * Convenience of Downtown Denver

WHO SHOULD ATTEND?

Developers, Security Auditors, Risk Managers, Executive Management, Government, Press, Law Enforcement, Entrepreneurs

If you have any questions, please email the conference committee: [mailto:appsecusa2014@owasp.org appsecusa2014@owasp.org]

=MEET THE TEAM=

AppSec USA would not be possible without the hard work of the following volunteers and staff:

General Conference Chair:

Mark Major
 * Wiki: https://www.owasp.org/index.php/User:Mark_Major
 * Email: mark dot major at owasp dot org

Speaker and Trainer Selection Chair:

Steve Kosten
 * Wiki: https://www.owasp.org/index.php/User:Steve_Kosten
 * Email: steve dot kosten at owasp dot org

Conference Volunteers:

 * Chris Campbell
 * Rob Jepson
 * Sunil Kollipara
 * Brad Carvalho
 * Ann Marie Ronan

OWASP Staff

 * Sarah Baso (@OWASPgirl), LinkedIn: http://www.linkedin.com/pub/sarah-baso/2a/69/53a
 * Kelly Santalucia (@KellySantalucia), LinkedIn: www.linkedin.com/pub/kelly-santalucia/30/59b/2b3/
 * Samantha Groves (@SamanthaOWASP), LinkedIn: http://www.linkedin.com/in/samanthagroves
 * Kate Hartmann (@kate_hartmann), LinkedIn: www.linkedin.com/pub/kate-hartmann/8/968/786/
 * Laura Grau, LinkedIn: www.linkedin.com/pub/laura-grau/27/639/461
 * Alison Shrader, LinkedIn: www.linkedin.com/pub/alison-shrader/5/328/91b
 * Matt Tesauro (@matt_tesauro), LinkedIn: www.linkedin.com/in/matttesauro

=CALL FOR PRESENTATIONS=

The call for presentations (CFP) is currently open. Submit your talks here.

Dates and deadlines

 * April 27th, 2014: Submission deadline
 * May 30th, 2014: Notification of acceptance
 * August 4th, 2014: Final materials due for review
 * September 18th – 19th, 2014: Conference proceedings

Topics of interest

Conference sessions will be divided into four primary tracks and two smaller supporting tracks. Consistent with OWASP, each track will relate in part to web application security. The primary tracks are:

 * Builders: Targeting developers, testers, and managers involved in the secure software development lifecycle.
 * Breakers: Focusing on matters relevant to penetration testers, researchers, and other security professionals.
 * Defenders: Emphasizing operations issues affecting infrastructure security teams, administrators, support, etc.
 * Policy and Legal: Addressing privacy, compliance, and legal issues affecting development and security communities.

The secondary tracks are:

 * OWASP-specific: Status, recruiting, and awareness for OWASP projects; board panels; leadership workshops; etc.
 * Hands-On Skills Lab: Introductory workshops designed to familiarize attendees with critical tools (e.g., “nmap 101”).

We invite all practitioners of application security and those who work or interact with all facets of application security to submit presentations including, but not limited to, the following subject areas:

 * Secure development: secure coding, static analysis, application threat modelling, web frameworks security, countermeasures, SDLC, DevOps, etc.
 * Mobile security: Development and/or testing of devices and the mobile web
 * Cloud security: Offensive and defensive considerations for cloud-based web applications
 * Infrastructure security: Database security, VoIP, hardware, identity management
 * Penetration testing: Methodologies, tools, exploit development, evasion techniques, OSINT, etc.
 * Emerging web technologies and associated security considerations
 * Incident response: Threat detection, triage, malware analysis, forensics, rootkit detection
 * OWASP tools and projects in practice
 * Policy and legal: Legislation, privacy, regulations and compliance, C-level considerations, etc.
 * Cool hacks and other fun stuff: cryptography, social engineering, etc.

Submission Format

Only submissions entered into http://cfp.appsecusa.org will be considered. Please have the following information handy.

 * Presentation title
 * Contact information (speaking name, organizational affiliation, email)
 * Abstract, including the following information:
 ** Presentation overview
 ** Format (lecture, group panel, live demo, audience participation, etc.)
 ** Objectives and outcomes
 * Speaker background, including the following information:
 ** Previous conference speaking experience
 ** Links to videos of past speaking engagements
 * Anything else we should know about you or your presentation

Judging Criteria

All content assessments will be performed blind. Content reviewers will have no knowledge of the presenter’s identity. All uploaded materials must be sanitized of author names and affiliations, email addresses, and other personally-identifiable information.

Strength of presentation

 * Vendor neutrality
 * Topicality (fresh research, innovative solutions, relevance to current events, etc.)
 * Depth of content (deeply technical talks are preferred to high-level talks)
 * Relevance to conference tracks
 * Relevance to industry trends
 * Relevance to OWASP or OWASP projects
 * Presentation length (45-50 minute talks are preferred)

A second evaluation will occur based on speaker experience. The final presentation score will be a composite of the two evaluations. The following criteria will be used during evaluation.

Strength of speaker

 * Clarity of submission
 * Demonstrated speaking ability (previous experience, videos of prior speaking engagements, etc.)

Bonus points

 * Integration of live demonstrations into the presentation
 * Free and open distribution of source code, exploits, tools, and other materials relevant to the talk

Terms

All speakers must provide written agreement to the OWASP Speaker Agreement after notification of acceptance.

=CALL FOR TRAININGS=

The call for training (CFT) is currently open. Submit your talks here.

Dates and deadlines

 * April 13th, 2014: Submission deadline
 * May 5th, 2014: Notification of acceptance
 * August 5th, 2014: Final materials due for review
 * September 16th – 17th, 2014: Conference training

Topics of interest

Training related to web application security will be prioritized. These include, but are not limited to:

 * Secure development: secure coding, static analysis, application threat modelling, web frameworks security, countermeasures, SDLC, DevOps, etc.
 * Mobile security: Development and/or testing of devices and the mobile web
 * Cloud security: Offensive and defensive considerations for cloud-based web applications
 * Infrastructure security: Database security, VoIP, hardware, identity management
 * Penetration testing: Methodologies, tools, exploit development, evasion techniques, OSINT, etc.
 * Emerging web technologies and associated security considerations
 * Incident response: Threat detection, triage, malware analysis, forensics, rootkit detection
 * OWASP tools and projects in practice
 * Privacy: Legislation, compliance, etc.

Submission Format

Only submissions entered into http://cft.appsecusa.org will be considered. Please have the following information handy.

 * Course title
 * Course instructor(s) and contact information
 * Abstract, including the following information:
 ** Course overview
 ** Target audience (roles, experience, ideal number of participants)
 ** Objectives and outcomes (what results should trainees expect?)
 * Trainer biography (include past training engagements)
 * Additional comments:
 ** Assumptions
 ** Constraints
 ** Anything else we should know about you or this course

Terms

OWASP Foundation obligations:

 * Course marketing via mailing lists and official conference channels
 * Registration services
 * Training room with sufficient seating (e.g. tables/chairs) for registered attendees
 * Single projector and screen
 * Chalkboards, whiteboards, easels, or other fixtures (on request)
 * One (1) full conference pass
 * One (1) conference pass 50% discount code (not stackable with other offers)
 * One (1) seat in training class at no additional cost
 * Timely payment of instructor fees
 * Feedback from course attendees
 * Status updates on the current number of students enrolled (on request)

Instructor obligations:

 * Course materials for students, including syllabus or other hand-outs
 * Distribution and collection of course evaluation forms
 * Travel and accommodations for instructor(s)
 * Marketing of the training course through normal instructor methods
 * Laptop or other presentation device
 * Completed W-9 form (for US-based trainers)
 * Two (2) seats in training class at no additional cost

Revenue split

Courses are priced as follows:

 * One-day course: $800
 * Two-day course: $1,600

Earnings will be split 60/40 (OWASP/Trainer) for each training class. Instructors have the option to donate proceeds to the OWASP Foundation and/or an OWASP project of their choice, or to receive travel expenses as sole compensation for training and donate the remaining revenue.

=KEYNOTE SPEAKERS=

Lorenzo Cavallaro

Lorenzo Cavallaro has recently joined the Information Security Group at Royal Holloway, University of London as a Lecturer (Assistant Professor) of Information Security. His research interests focus on systems security, and malware analysis and detection. Lorenzo is Principal Investigator on “MobSec: Malware and Security in the Mobile Age”, Principal Investigator on “Mining the Network Behavior of Bots”, co-Investigator on “Cyber Security Cartographies (CySeCa)”, Academic Partner of the EPSRC-funded “Network in Internet and Mobile Malicious Software (NIMBUS)”, Associate Member of the EU FP7 NoE SysSec and member of the SysSec RedBook Task Force, and Partner of the EU FP7 CSA CyberROAD, aimed at the development of a cybercrime and cyber-terrorism research roadmap. He is author and co-author of several papers, has published in well-known venues, and has served as PC member and reviewer of various conferences and journals.

Dr. Steven J. Murdoch

Dr. Steven J. Murdoch is a Royal Society University Research Fellow in the Security Group of the University of Cambridge Computer Laboratory, working on developing metrics for security and privacy. His research interests include covert channels, banking security, anonymous communications, and censorship resistance. Following his PhD studies on anonymous communications, he worked with the OpenNet Initiative, investigating Internet censorship. He then worked for the Tor Project, on improving the security and usability of the Tor anonymity system. Currently he is supported by the Royal Society on developing methods to understand complex system security. He is also working on analyzing the security of banking systems, especially Chip & PIN/EMV, and is Chief Security Architect of Cronto, an online authentication technology provider and part of the Vasco group.

Wendy Seltzer

Wendy Seltzer is Policy Counsel to the World Wide Web Consortium (W3C), where she leads the Technology & Society Domain’s focus on privacy, security, and social web standards. As a visiting Fellow with Yale Law School’s Information Society Project, she researches openness in intellectual property, innovation, privacy, and free expression online. As a Fellow with Harvard’s Berkman Center for Internet & Society, Wendy founded and leads the Chilling Effects Clearinghouse, helping Internet users to understand their rights in response to cease-and-desist threats. She serves on the Board of Directors of The Tor Project, promoting privacy and anonymity research, education, and technology, and of the World Wide Web Foundation, devoted to achieving a world in which all people can use the Web to communicate, collaborate and innovate freely. She seeks to improve technology policy in support of user-driven innovation and communication. Wendy has been a Fellow with Princeton University’s Center for Information Technology Policy and the University of Colorado’s Silicon Flatirons Center for Law, Technology, and Entrepreneurship in Boulder. She has taught Intellectual Property, Internet Law, Antitrust, Copyright, and Information Privacy at American University Washington College of Law, Northeastern Law School, and Brooklyn Law School and was a Visiting Fellow with the Oxford Internet Institute, teaching a joint course with the Said Business School, Media Strategies for a Networked World. Previously, she was a staff attorney with online civil liberties group Electronic Frontier Foundation, specializing in intellectual property and First Amendment issues, and a litigator with Kramer Levin Naftalis & Frankel.

Jacob West

Jacob West is chief technology officer for Enterprise Security Products (ESP) at HP. In his role, West influences the security roadmap for the ESP portfolio and leads HP Security Research (HPSR), which drives innovation with research publications, threat briefings, and actionable security intelligence delivered through HP security products.

Prior to this role, West served as chief technology officer for Fortify products and leader of Software Security Research within HP ESP. West has spent more than a decade developing, delivering, and monetizing innovative security solutions, beginning with static analysis research at the University of California, Berkeley and as an early security researcher at Fortify prior to its acquisition by HP.

A world-recognized expert on software security, West co-authored the book, “Secure Programming with Static Analysis” with colleague and Fortify founder, Brian Chess, in 2007. Today, the book remains the only comprehensive guide to how developers can use static analysis to avoid the most prevalent and dangerous vulnerabilities in code.

West is co-author of the Building Security in Maturity Model and a frequent speaker at customer and industry events, including RSA Conference, Black Hat, Defcon and OWASP. A graduate of the University of California, Berkeley, West holds dual-degrees in Computer Science and French and resides in San Francisco, California.

OWASP Board Member
Tobias Gondrom is a global board member of OWASP (Open Web Application Security Project) and CEO at Thames Stanley, a boutique Global CISO and Information Security & Risk Management Advisory based in Hong Kong, the United Kingdom and Germany. He has over 15 years of experience leading global teams in information security, software development, application security, cryptography, electronic signatures and global standardization organizations, working for independent software vendors and large global corporations in the financial, technology and government sectors. He holds the most senior business degree from London Business School, the Sloan Masters in Leadership and Strategy. Over the years, he has trained and advised dozens of CISOs and senior information security leaders around the world on the management and organisation of security teams and programs. He has chaired IETF (www.ietf.org) working groups since 2003, is a member of the IETF security directorate, has chaired the web security WG at the IETF since 2010, and has been a member of the IETF Administrative Oversight Committee (IAOC) since 2014. He has held a number of project and chapter leadership roles for OWASP since 2007. Currently, he is serving as global board member of OWASP, leading the OWASP CISO Report and Survey project, and is a contributor to the OWASP CISO Guide. Tobias Gondrom is also serving as a member of the NIS Platform of the European Commission, advising the European Union on Cyber Security and Risk Management. He serves on the board of the CSA Hong Kong and Macau chapter and is an ISC2 CSSLP and CISSP Instructor. Tobias has authored the Internet security standards RFC 4998, RFC 6283 and RFC 7034, co-authored the OWASP CISO Guide and the book “Secure Electronic Archiving”, and is a frequent presenter at conferences and author of articles on security (e.g. AppSec, IETF, etc.).

E-mail: tobias.gondrom@owasp.org

LinkedIn Tobias Gondrom

=VENUE=

Anglia Ruskin University is a British university, one of the largest in the East of England, United Kingdom, with a total student population of around 31,500. Its campuses are located in Cambridge, Chelmsford and Peterborough, England, UK. It is one of the largest universities in the East of England, and one of the largest providers of face-to-face part-time training in the country. It has its Royal Charter, being fully accredited by the British Accreditation Council.

Anglia Ruskin University is ranked as the 949th best higher educational institution globally by 4icu.org, and the 2486th best university in the world according to Webometrics.info. The primary purpose of this ranking is to promote Internet publication, including formal and informal communication, by supporting Open Access initiatives, electronic access to scientific publications and other academic material, thus increasing the visibility of universities.

The Cambridge campus (in green on the map: East Road, Cambridge CB1 1PT) is in the heart of the city and has recently reached a milestone in its history with the opening of the new £35-million redevelopment. The regenerated campus opened in September 2011 and provides a wealth of new facilities which will benefit our Anglia Ruskin community. We offer all the advice and support you'll need for your studies, career aspirations and personal issues. Halls of residence for first year students are on-site, as well as facilities for leisure activities and societies.

We've secured the use of the Bradmore Street entrance (just off East Road and round the corner from the main entrance), which is the main entrance for the Lord Ashcroft International Business School where the main conference activities are taking place.

Travelling to Anglia Ruskin University Cambridge Campus

This information is for guidance purposes and may be subject to change. Please note that trains do not run overnight, so if you are arriving in the evening please check train times in advance: www.trainline.com

If you would like to book a taxi from an airport it will be cheaper if you book in advance using one of these firms:
 * A1 Cabco +44 1223 313131
 * Panther Taxis +44 1223 715715

Arriving at London Stansted Airport
 * Taxi: A pre-booked taxi from London Stansted Airport to Cambridge will cost approximately £45-£55 each way.
 * Coach: National Express operates a coach service from Stansted Airport to Cambridge (£8). Coaches leave regularly from the bays at the front of the terminal building. You will need to check the screens for the correct bay. The journey should take approximately 50 minutes. The coach station in Cambridge is a very short walk to the campus.
 * Train: Follow the signs to the main line station and buy a single ticket to Cambridge (£12). Trains go direct to Cambridge from Stansted Airport. The journey should take between 33-51 minutes. The train station in Cambridge is a 15-20 minute walk to the campus.

Arriving at London Heathrow Airport
 * Taxi: A pre-booked taxi from London Heathrow to Cambridge will cost approximately £95-£115 each way.
 * Coach: National Express operates a coach service from Heathrow Airport to Cambridge (£20 single) every hour from the Central Bus Station (Terminals 1, 2 & 3). Coaches leave around every half an hour from Terminals 4 & 5 and then travel on to the Central Bus Station. You can buy a ticket from the driver (credit cards not accepted). The journey should take approximately 2 hours 45 mins. You can pre-book this by visiting www.nationalexpress.com
 * Underground and Train: Follow signs for the Heathrow Express and buy a ticket to Cambridge. From Heathrow, you take the Heathrow Express into central London to Paddington Station. Follow signs and take the underground to King’s Cross (Circle line). Follow signs to the main line station, where you catch a train to Cambridge. The journey should take approximately 2 hours 15 minutes in total. Costs are approximately £44. Alternatively you could choose to take the Underground (Piccadilly Line – Eastbound) all the way from Heathrow to Kings Cross station. The journey should take around 2 hours in total. Depending on the time of day you will be travelling it will cost around £27.

Arriving at London Gatwick Airport
 * Taxi: A pre-booked taxi from London Gatwick to Cambridge will cost approximately £120-130 each way.
 * Coach: Follow the signs to the coach station. National Express operates a coach service from Gatwick Airport to Cambridge (£15 - £40 single) via Heathrow airport. The journey should take approximately 4 hours.
 * Underground and Train: Follow the signs for the main line station and buy a single ticket to Cambridge. Take the main line train direct to St Pancras. Follow the signs to Kings Cross mainline station (a short walk) and take a mainline train to Cambridge. The journey should take approximately 2 hours 15 minutes. Depending on the time of day it will cost around £30.80.

Arriving at London Luton Airport
 * Taxi: A pre-booked taxi from London Luton to Cambridge will cost approximately £55-£70 each way.
 * Coach: National Express operates a coach service from London Luton Airport direct to Cambridge (£15.90). Coaches leave every 2 hours. The journey should take approximately 1 hour 40 minutes.
 * Train: Take the shuttle bus service connecting the airport with Luton Airport Parkway station. Buy a single ticket to Cambridge (£38) and then take the First Capital Connect train to London St Pancras. Follow the signs to the main line station at Kings Cross (a short walk) and from there, take a train to Cambridge. The journey should take approximately 2 hours 20 minutes in total.

Arriving at London City Airport
 * Taxi: A pre-booked taxi from London City to Cambridge will cost approximately £80-£95 each way.
 * Underground and Train: Follow the signs for the DLR (Docklands Light Railway). Buy a single ticket to Cambridge (£25.20). Take the train to Bank Underground station and take the Northern Line (Northbound, Platform 4) to King’s Cross St. Pancras Underground Station. Follow the signs to the mainline station and from there, take a train to Cambridge. The entire journey should take approximately 1 hour 45 minutes.

Arriving at Cambridge International Airport
 * Taxi: A pre-booked taxi from Cambridge Airport to Cambridge will cost approximately £10-15 each way.
 * Shuttle Bus: The airport Lynx Shuttle Bus service operates 20 minutes after every arrival. It costs £5.50 each way. For more information visit http://www.airportlynx.co.uk/shuttle/shuttlebus.html
 * Coach/Bus: Cambridge city centre is only three miles from the airport and a Park & Ride bus provides direct travel into Cambridge. The bus stop is located just a few minutes’ walk from the terminal on Newmarket Road. Additionally there is a frequent Stagecoach bus (number 10) that operates from the same location.

Arriving at London St Pancras

If you come into the country by rail (via the Euro tunnel through France) then you will arrive at London St Pancras station. Follow the signs for the Underground and buy a ticket to Chelmsford. Take the Metropolitan line eastbound to Liverpool Street. Follow the signs to the main line station, buy a ticket to Chelmsford and then take a train to Chelmsford. The entire journey should take approximately 1 hour 10 minutes.

On arrival in Cambridge

Coaches from the airports arrive at Parkside, directly opposite the Police Station. The University is very close, only about 0.25km on foot from Parkside: simply turn left at the traffic lights into East Rd and the campus is a short way along on the right. It should take you less than 2-3 minutes to walk to the campus even with a suitcase. Cambridge main line railway station is about 1.5km from the campus, to the south of the city centre. It will take around 20 minutes to walk to the campus from the railway station. You are advised to get a taxi from the station to the campus.

Anglia Ruskin University
East Road/Broad Street Entrance
Cambridge CB1 1PT
United Kingdom

Useful maps: http://www.anglia.ac.uk/ruskin/en/home/your_university/anglia_ruskin_campuses/cambridge_campus/find_cambridge.html#maps

Useful Websites:
 * Anglia Ruskin University local area, Cambridge and campus maps can be accessed from this page:
 * Transport for London: http://www.tfl.gov.uk/assets/downloads/standard-tube-map.pdf
 * http://www.visitcambridge.org/
 * http://www.anglia.ac.uk/ruskin/en/home/your_university/anglia_ruskin_campuses/cambridge_campus/about_cambridge.html

=REGISTRATION=

Registration for this event is now open. CLICK HERE to get your ticket.

= ACCOMMODATIONS =

Hotel options
We have confirmed rooms at the below accommodation options for the benefit of Conference delegates. You are encouraged to secure your accommodation via the REGISTRATION FORM to ensure that you receive the negotiated competitive rates.

Rate of 60 GBP per night (20% taxes included). Subject to availability.

Travelodge Cambridge Newmarket Road Hotel
180-190 Newmarket Road, Cambridge, UK

Cambridge Newmarket Road Hotel is the ideal base for those looking to explore the quaint, historic university town. The hotel has good transport links, just a short taxi ride from Cambridge Railway Station and Cambridge Airport. If you’re looking for accommodation close to Cambridge University, the hotel is just a ten minute drive away. This is a new hotel with our fresh new look and features Travelodge’s new room design complete with Dreamer Bed so you can be sure of a great night’s sleep.

Travelodge Cambridge Central Hotel
Cambridge Leisure Park, Clifton Way, Cambridge, UK

Located just 1.1 miles from the city center and 2.9 miles from Cambridge Airport, the Cambridge Central Hotel is the ideal place to stay in this historic city. If you’re looking for hotels near Cambridge University, it is only 1.7 miles away. The area boasts a number of celebrated museums and art galleries, as well as a wide range of intricate architecture and majestic college buildings, all of which are within walking distance.

= SPONSORS =

We are looking for sponsors for the Global AppSec Europe 2014
This is a truly unique opportunity to increase your brand recognition as a company dedicated to the highest standards of professional technology & security not only in Europe but also internationally throughout the world while supporting the continued activities conducted by OWASP both in the UK and abroad.

Sponsorship benefits for organizations specializing in IT & Security:
 * Opportunity to use the latest technological trends for professional training / development
 * Strengthen your company strategy by learning the latest trends in web software security
 * Improve your business development strategy with leading information from the security industry
 * Get networking and headhunting opportunities with world-class specialists and professionals
 * Get the chance to interact with high-need discerning users to improve product development
 * Increase your image as a professional company through this unique branding opportunity

Sponsorship benefits for organizations utilizing the internet in their business:
 * Opportunity to increase the international brand awareness and conduct business networking
 * Strengthen your company strategy by learning the latest trends in web software security
 * Improve your service development by understanding the latest trends in security issues & risks
 * Contribute to information society as a company by developing safe and secure services
 * Get the chance to interact with high-need discerning users to improve product development
 * Opportunity to brand your company as one that focuses on the highest standards in technology

If you are interested in sponsoring Global AppSec Europe 2014, please contact Kelly Santalucia: [mailto:kelly.santalucia@owasp.org kelly.santalucia@owasp.org]

To find out more about the different sponsorship opportunities please check: Sponsorship Opportunities