AppSec USA 2014

Jump to: navigation, search


AppSec USA is a world-class software security conference for developers, auditors, risk managers, technologists, and entrepreneurs gathering with the world’s top practitioners to share the latest research and practices, in the high energy atmosphere of Downtown Denver.

Why should you attend?
Insightful keynote addresses delivered by leading industry visionaries from thought leaders of critical infrastructure. Over 50 sessions across 5 tracks (developer, tester, operations, workshops, and legal) with world-renowned subject matter experts An all-new Legal Track to address industry regulations, privacy laws, liability, and more A hands-all Workshop Track providing instruction on essential security tools and skills Thousands of attendees exclusively focused on Software Security Extensive Capture the Flag competition developed exclusively for AppSec USA 2014 Home-brewed beer competition open to all attendees Convenience of Downtown Denver

Who should attend?
Developers, Security Auditors, Risk Managers, Executive Management, Government, Press, Law Enforcement, Entrepreneurs

If you have any questions, please email the conference

There are two ways to register based on whether you are an OWASP member. Not sure if you are a member? Refer to the Member Directory.

Learn more about the benefits of individual and corporate membership here.

Member Registration OWASP members may register here. Note: inactive members may need to renew membership.

Public Registration Everyone else may register here.

Terms and Conditions AppSec USA 2014 follows standard OWASP Conference Policies, including anti-harassment, privacy, code of ethics, and cancellation.

The call for presentations (CFP) is close. Dates and deadlines

  • April 27th, 2014: Submission deadline
  • June 13th, 2014: Notification of acceptance
  • August 4th, 2014: Final materials due for review
  • September 18th – 19th, 2014: Conference proceedings

Topics of interest
Conference sessions will be divided into four primary tracks and two smaller supporting tracks. Consistent with OWASP, each track will relate in part to web application security.

The primary tracks are:

  • Builders: Targeting developers, testers, and managers involved in the secure software development lifecycle.
  • Breakers: Focusing on matters relevant to penetration testers, researchers, and other security professionals.
  • Defenders: Emphasizing operations issues affecting infrastructure security teams, administrators, support, etc.
  • Policy and Legal: Addressing privacy, compliance, and legal issues affecting development and security communities.

The secondary tracks are:

  • OWASP-specific: Status, recruiting, and awareness for OWASP projects; board panels; leadership workshops; etc.
  • Hands-On Skills Lab: Introductory workshops designed to familiarize attendees with critical tools (e.g., “nmap 101″).

We invite all practitioners of application security and those who work or interact with all facets of application security to submit presentations including, but not limited to the following subject areas:

  • Secure development: secure coding, static analysis, application threat modelling, web frameworks security, countermeasures, SDLC, DevOps, etc.
  • Mobile security: Development and/or testing devices and the mobile web
  • Cloud security: Offensive and defensive considerations for cloud-based web applications
  • Infrastructure security: Database security, VoIP, hardware, identity management
  • Penetration testing: Methodologies, tools, exploit development, evasion techniques, OSINT, etc.
  • Emerging web technologies and associated security considerations
  • Incident response: Threat detection, triage, malware analysis, forensics, rootkit detection
  • OWASP tools and projects in practice
  • Policy and legal: Legislation, privacy, regulations and compliance, C-level considerations, etc.
  • Cool hacks and other fun stuff: cryptography, social engineering, etc.

Submission Format
Only submissions entered into will be considered. Please have the following information handy.

  • Presentation title
  • Contact information (speaking name, organizational affiliation, email)
  • Abstract, including the following information:

- Presentation overview
- Format (lecture, group panel, live demo, audience participation, etc.)
- Objectives and outcomes

  • Speaker background, including the following information:

- Previous conference speaking experience - Links to videos of past speaking engagements

  • Anything else we should know about you or your presentation

Judging Criteria
All content assessments will be performed blind. Content reviewers will have no knowledge of the presenter’s identity. All uploaded materials must be sanitized of author names and affiliations, email addresses, and other personally-identifiable information.

  • Strength of presentation
  • Vendor neutrality
  • Topicality (fresh research, innovative solutions, relevance to current events, etc.)
  • Depth of content (deeply technical talks are preferred to high-level talks)
  • Relevance to conference tracks
  • Relevance to industry trends
  • Relevance to OWASP or OWASP projects
  • Presentation length (45-50 minute talks are preferred)

A second evaluation will occur based on speaker experience. The final presentation score will be a composite of the two evaluations. The following criteria will be used during evaluation.

  • Strength of speaker
  • Clarity of submission: Demonstrated speaking ability (previous experience, videos of prior speaking engagements, etc.)
  • Bonus points:

- Integration of live demonstrations into the presentation
- Free and open distribution of source code, exploits, tools, and other materials relevant to the talk

All speakers must provide written agreement to the OWASP Speaker Agreement after notification of acceptance.

AppSec USA is pleased to offer the following training courses. Register today!

  • Advanced Web Penetration Testing (2 day)

Presented by Secure Ideas Learn more…

  • Cryptography for the Modern Developer (1 day)

Presented by Blindspot Security LLC Learn more…

  • Malware Analysis Crash Course (2 days)

Presented by Mandiant, a FireEye Company Learn more…

  • Managing Web & Application Security – OWASP for Senior Management (1 day)

Presented by Tobias Gondrom Learn more…

  • OWASP Top 10 – Explotation and Effective Safeguards

Presented by Albero Solutions Learn more…

  • Ruby on Rails – Auditing & Exploiting the Popular Web Framework (2 days)

Presented by Recurity Labs Learn more…

  • Securing Mobile Devices and Applications

Presented by Aspect Security Learn more…

Bruce Schneier is an internationally renowned security technologist, called a “security guru” by The Economist. He is the author of 12 books — including Liars and Outliers: Enabling the Trust Society Needs to Thrive — as well as hundreds of articles, essays, and academic papers. His influential newsletter “Crypto-Gram” and his blog “Schneier on Security” are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation’s Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Chief Technology Officer at Co3 Systems, Inc.

Gary McGraw shares his insights on Software Security. Dr. McGraw is CTO of Cigital, Inc., a software security consulting firm for some of the world’s best-known companies. An author of multiple best-selling books, many know of him through his contributions to publications, journals and his monthly security podcast. Gary knows where computer security started and provides valuable insight to where it is going. His advice is sought by company directors, federal government, academia and technologists alike. Gary is firmly rooted in country living. Growing up in the woods of Tennessee, he lives near the Appalachian trail in Virginia.

Steve Crusenberry joined Rackspace in August 2013 as Vice President of Public Cloud Engineering and Operations, but his relationship with the company started much earlier. In 2008, a startup that Steve co-founded, RElistive, chose Rackspace as its hosting partner. The team was wowed by Fanatical Support®, and RElistive remains a Rackspace customer today. Steve heads up the Rackspace product organization. He leads teams that define, design, and launch all of the products and services that comprise the Rackspace Hybrid Cloud portfolio.

Steve is fiercely committed to serving customers, and has two decades of leadership experience in product, engineering, and infrastructure operations. He has held executive positions at several well-known Internet and media companies including Yahoo, OpSource, Inktomi, and Netscape.

Denver Marriott City Center

1701 California St.
Denver, CO 80202-3402
Phone: 1-303-297-1300 / 1-800-228-9290


Denver Marriott City Center is centrally located in the heart of Downtown Denver within walking distance of many of the city’s best attractions, to include entertainment, cultural venues and shopping and dining. With views of the Rocky Mountains and easy access to all that Colorado has to offer, your stay at the Denver Marriott City Center is sure to make you fall in love with our fine city!
This hotel does not provide shuttle service.

Travel & Transportation

  • Valet parking, fee: $32 USD daily
  • Off-site parking fee: $15 USD hourly, $32 USD Daily
  • Amtrak-DEN: 1 mile
  • Denver International Airport – DIA

Hotel direction: 26 mile(s) SW Driving directions: Take Interstate 70 West to Interstate 25 and follow Interstate 25 South to the 20th Street exit in downtown Denver. Turn left onto 20th Street and continue to Arapahoe Street. Turn right and proceed to 19th Street. Turn left and travel four blocks to Califronia Street. Turn right and the hotel entrance is the first right after 18th Street.

Alternate transportation:

  • SuperShuttle; fee: 23 USD (one way) ;on request
  • Bus service, fee: 11 USD (one way)
  • Estimated taxi fare: 65 USD (one way)

City Attractions and Activities

  • Coors Field
  • Sports Authority Field at Mile High
  • Denver Convention Center
  • Denver Performing Arts Center
  • Buell Theatre
  • 16th Street Pedestrian Mall
  • Larimer Square
  • LoDo District
  • Denver Mint
  • Cherry Creek Mall
  • Molly Brown House
  • Denver Zoo
  • Denver Museum of Natural History

Want to sponsor this event? Click here to Access the Sponsorship Prospectus

Open Web Application Security Project (OWASP) is an open-source, not-for-profit application security organization made up of corporations, educational organizations, and individuals from around the world. Providing free, vendor-neutral, practical, cost-effective application security guidance, the organization is the de-facto standards body for web application security used by developers and organizations globally.

Join 1,500+ attendees. Executives from the Fortune 500, thought leaders, security architects and developers, gather to share cutting-edge ideas, initiatives and technology advancements.

  • Two days of training and two day conference
  • Keynote addresses by world renowned Industry experts
  • Exhibit area offering solutions to your application security challenges

Global Reach: OWASP supports 30,000+ individual participants, more than 65 organizational and 60 academic supporters via 200 local chapters in 75+ countries across 6 continents.

  • Important to all Industries: Access to key representatives and decision-makers from major Financial Services, Insurance, e-Commerce, Retail, Pharmaceutical, and Government sectors
  • World renowned speakers
  • Conference is exclusively focused on Application Security to provide solutions to your problems
  • Downtown Denver – With views of the Mountains – what more could you ask for?
  • Discounts for OWASP Corporate Supporters

AppSec USA would not be possible without the hard work of the following volunteers and staff:

General Conference Chair:
Mark Major
Email:: mark dot major at owasp dot org

Speaker and Trainer Selection Chair:
Steve Kosten
Email: steve dot kosten at owasp dot org

Conference Volunteers:
Chris Campbell
Rob Jepson
Sunil Kollipara
Brad Carvalho
Ann Marie Ronan

Sarah Baso @OWASPgirl
Kelly Santalucia @KellySantalucia
Kate Hartmann @kate_hartmann
Laura Grau
Alison Shrader
Matt Tesauro @matt_tesauro

Discount Codes

Opt-In Notice: OWASP events would not be possible without the help of our sponsors who are also provided the opportunity to offset the cost for attendees as well. Per OWASP agreement with event sponsors, your registration information is provided to the sponsor associated with the code used. If you do not wish to share your registration information with the associated sponsor, please do not use the code.


OWASP events are open to the public, and OWASP does not restrict attendees (including OWASP staff, volunteers, sponsors, and media) from taking photos or videos at our events. By attending out events, you acknowledge that you are in a public space and that attendees (including OWASP staff, volunteers, sponsors, and media) may capture your image in photos and videos. Nevertheless, OWASP encourages event attendees to exercise common sense and good judgment, and respect the wishes of other attendees who do not wish to be photographed at the Events.

OWASP reserves the right to use images taken at the conference with your photograph and/or likeness in future marketing materials.

Anti Harassment Policy

OWASP is dedicated to providing a harassment-free conference experience for everyone , regardless of gender, sexual orientation, disability, physical appearance, body size, race, or religion. We do not tolerate harassment of conference participants in any form.

Conference participants violating these rules may be sanctioned or expelled from the conference without a refund at the discretion of the conference organizers. Harassment includes offensive verbal comments related to gender, sexual orientation, disability, physical appearance, body size, race, religion and actions such as deliberate intimidation, stalking, following, harassing photography or recording, sustained disruption of talks or other events, inappropriate physical contact, and unwelcome sexual attention.

Participants asked to stop any harassing behavior are expected to comply immediately.

Exhibitors in the expo hall, sponsor or vendor booths, or similar activities are also subject to the anti-harassment policy. In particular, exhibitors should not use sexualized images, activities, or other material. Booth staff (including volunteers) should not use sexualized clothing/uniforms/costumes, or otherwise create a sexualized environment.

If a participant engages in harassing behavior, the conference organizers may take appropriate action, including warning the offender or expulsion from the conference with no refund.

If you are being harassed, notice that someone else is being harassed, or have any other concerns, please contact a member of conference staff immediately.

Conference staff will be available to help participants contact hotel/venue security or local law enforcement, provide escorts, or otherwise assist those experiencing harassment to feel safe for the duration of the conference. We value your attendance.

Privacy Policy

OWASP is committed to ensuring that your privacy is protected. OWASP will not sell or otherwise distribute your personal information to third parties (including but not limited to: sponsors and partner organizations) unless we have your permission or are required by law. OWASP Supporters are advised that no conference attendee lists will be provided to them before, during, or after the event.

During the course of conference registration and related communication, OWASP may collect the following information:

  • name and job title
  • contact information including email address
  • demographic information such as postcode, preferences and interests

We collect this information to communicate with you about this event and related OWASP matters. Additionally, we hope to better understand the interests and needs of our community.

OWASP Code of Ethics

All participants in OWASP events must adhere to the OWASP Code of Ethics.

Breaches of the Code of Ethics may result in the Foundation taking disciplinary action.

  • Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles;
  • Promote the implementation of and promote compliance with standards, procedures, controls for application security;
  • Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities;
  • Discharge professional responsibilities with diligence and honesty;
  • To communicate openly and honestly;
  • Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the Association;
  • To maintain and affirm our objectivity and independence;
  • To reject inappropriate pressure from industry or others;
  • Not intentionally injure or impugn the professional reputation of practice of colleagues, clients, or employers;
  • Treat everyone with respect and dignity; and
  • To avoid relationships that impair — or may appear to impair — OWASP's objectivity and independence.

Cancellation Policy

Cancellations, Refunds, and Substitutions All ticket sales are final and our general policy is no refunds.

Registration and Badges

All persons attending must have a badge visible at all times. Spouses, friends, peers, etc. are not granted access any conference areas or events without a badge. If you wish for anyone to accompany you to any of the conference events including meals, reception, breaks or sessions, you must register them and pay the appropriate fees. Lost, misplaced, stolen, forgotten badges will incur a replacement fee equal to the current, on-site rate of your pass type. If your badge was complimentary, the fee will be the current, on-site rate.

If you have any further questions or concerns regarding the above policies, please contact us at








  Whitehat.490x81.png       HP Blue RGB 150 MD.png     SponsorshipAvailable.490x245.png  




  AspectSecurity.320x76.png     Astech.320x160.png     Accuvant.320x48.png    

Checkmarx.320x32.png     Cigital.320x105.png     NetSpi logo.png    

Qualys.320x93.png     ShapeSecurity.320x46.png     Sonatype.320x80.png    

Tenable T.png       SponsorshipAvailable.490x245.png   -  



    Acunetix.235x35.png     Coalfire Labs Logo Resized.png     Codelogo.png     Coverity Logo.png    

Imperva.235x32.png     Trustwave logo RGB -Resized (1).jpg     link‎:    




  Versprite.300x121.png     Coalfire Labs Logo Resized.png     SponsorshipAvailable.490x245.png    




AppliedTrust.300x150.png     SponsorshipAvailable.490x245.png    




NCCDC.320x128.png     Ismg.320x160.jpg     Council-on-CyberSecurity.320x87.png     ISSA Marketing Partner Logo.jpg     ISC2MainLogoGreen.jpg    

    EC-Council.2.320x180.png         MetzgerAlbee.320x57.png