Difference between revisions of "2010 BASC Speakers"

From OWASP
 
(17 intermediate revisions by 3 users not shown)
Earlier revision of the page. The latest revision, below, renamed the header to "Speakers/Panelists", dropped the talk titles and abstracts, moved each affiliation from the section heading into the body, marked the panelists, and added Zach Lanier, Justin Peavey, Adriel Desautels and Brian Weekes. Only the material that differs from the latest revision is shown here; the other bios are the same in both.

{{2010_BASC:Header_Template | Speakers}}

__FORCETOC__

We would like to thank our speakers for donating their time and effort to help make this conference successful and free.

=== Ming Chow (Tufts University, CS Department) ===
'''HTML5 Security'''<br/>
The power of HTML5 lets developers create web applications, not just structured content, but its new features have increased the attack surface. This presentation will demo and discuss new attack opportunities, particularly on client machines, including abusing the offline application cache and SQL injection via file-based client-side databases.

=== Andrew Gronosky (Raytheon/BBN Technologies) ===
'''A Crumple Zone for Service-Oriented Architectures'''<br/>
We present a new architectural construct analogous to the crumple zone in an automobile. It consists of a layer of intelligent service proxies that work together to provide both signature-based and non-signature-based defenses. We present our initial design for Java RMI-based services and compare it with web application firewalls.

=== Joshua "Jabra" Abraham, Will Vandevanter (Rapid7) ===
'''Hacking SAP BusinessObjects'''<br/>
BusinessObjects is a very widely deployed business intelligence tool. In this presentation we will present the entire lifecycle of attacking a BusinessObjects server using vulnerabilities that we have found during our research.

=== Christien Rioux (SOURCE Conference) ===
'''The Exploit Arms Race'''<br/>
As defenses have become more sophisticated, so have the attacks required to circumvent them. Learn about the roots of defensive techniques such as stack cookies/StackGuard/run-time stack checking, DEP and ASLR, and of attacks such as trampolining and return-oriented programming, along with the evolution of fuzzing techniques and of static and dynamic analysis for attacking and defending software.

=== Paul Schofield (Imperva) ===
'''Business Logic Attacks – BATs and BLBs'''<br/>
Business logic attacks are a set of legal application transactions that are used to carry out a malicious operation that is not part of normal business practices. This presentation will provide a quick introduction to business logic attacks, their unique characteristics and the motivation behind their uptick. Concluding this session we will discuss using multiple advanced techniques to battle these attacks, rather than relying exclusively on application code.

=== Rob Cheyne (CEO, Safelight Security Advisors) ===
Rob was one of a select few at security consulting company @stake who regularly led and conducted full-blown enterprise-level architecture assessments for Fortune 500 companies. Drawing from his experience with dozens of real-world architecture assessments over the past 12 years, and his 20 years as a software developer, architect, and consultant, Rob teaches students to challenge assumptions that frequently lead to long-term security and reliability problems.<br/>
'''OWASP Basics 1 and 2'''<br/>
Rob presents a number of scenarios that walk participants through the basics of SQL injection, XSS and CSRF, along with a few other tricks he has up his sleeve. Participants will come away with a foundation for further security learning. Those already knowledgeable on application security issues will learn some new techniques for presenting and teaching this information in a clear, concise and effective manner.

=== John Carmichael (Safelight Security Advisors) ===
'''Coffee Shop Warfare: Protecting Yourself in Dark Territory'''<br/>
A lighthearted look at the real threats that people face in personal computing, specifically when connected to unknown networks at coffee shops and airports. John will cover many of these threats and discuss tools and best practices everyone can engage in to ensure they protect their machine and information from these risks.

=== Dan Crowley (Core Security) ===
'''URL Enlargement'''<br/>
URL shorteners are ubiquitous in today's Internet culture. This talk will aim to demonstrate them. Come see what's behind the short URLs: personal documents, parasitic storage, authentication credentials, attacks and more!

=== Kenneth Smith ===
'''Web Applications and Data Tokenization'''<br/>
Tokenization has become increasingly popular as a method to protect sensitive data and reduce the scope of security requirements such as PCI DSS. Many solutions now integrate directly with web applications, tokenizing data before it ever reaches internal corporate systems. As developers, you may be tasked with integrating tokenization into your applications. If done correctly, this can be a big win for your organization. This talk will cover the types of tokenization solutions, seeing through the marketing hype and vendor claims, and how to avoid some common mistakes that could greatly reduce tokenization's effectiveness.

=== Shakeel Tufail (Fortify) ===
Shakeel Tufail is a Managing Consultant at Fortify, an HP company, where his responsibilities include refining customer security requirements, managing Fortify product deployments and delivering security services. (The rest of the bio is as in the latest revision.)<br/>
'''Open SAMM (Security Assurance Maturity Model)'''<br/>
SAMM is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, and estimate personnel and other costs.
  
 
{{2010 BASC:Section Template | Conference Organizers}}
 

Latest revision as of 16:24, 19 November 2010

Platinum Sponsors (listed alphabetically): CORE Security, Rapid7, SafeLight Security, Security Innovation, SOURCE


We kindly thank our sponsors for their support. Please help us keep future BASCs free by viewing and visiting all of our sponsors.


Speakers/Panelists

We would like to thank our speakers for donating their time and effort to help make this conference successful.

Josh Corman

The 451 Group
Panelist
Joshua Corman is the Research Director of the 451 Group's enterprise security practice. Corman has more than a decade of experience with security and networking software, most recently serving as Principal Security Strategist for IBM Internet Security Systems. Corman's research cuts across sectors to the core challenges of the industry, and drives evolutionary strategies toward emerging technologies and shifting economics. Corman is a candid and highly sought-after speaker and has spoken at leading industry events such as RSA, Interop, ISACA, and SANS. His efforts to educate and challenge the industry recently led NetworkWorld magazine to recognize him as one of its top innovators of IT for 2009. Corman also serves on the Faculty for IANS and is a staunch advocate for CISOs everywhere. In 2010, Corman also co-founded RuggedSoftware.org, a value-based initiative to raise awareness and usher in an era of secure digital infrastructure.

Ming Chow

Tufts University, CS Department
Ming Chow is a scholar of science and technology and a Lecturer at the Tufts University Department of Computer Science. His areas of interest are computer security, game development, web application security, and Computer Science in Education. Ming co-edited a special issue of IEEE Security & Privacy on securing online games with Gary McGraw of Cigital, Inc., published in May 2009. Ming is a frequent guest speaker and has spoken at numerous organizations, including the New England Association of Insurance Fraud Investigators (NEAIFI), the New England Chapter of the High Technology Crime Investigation Association (HTCIA-NE), the Greater Boston Chapter of the Association of Certified Fraud Examiners (ACFE), John Hancock, and the Massachusetts Office of the Attorney General (AGO). Finally, Ming is a SANS GIAC Certified Incident Handler (GCIH).

Andrew Gronosky

Raytheon/BBN Technologies
Mr. Andrew Gronosky is a staff engineer at Raytheon BBN Technologies. He has experience developing software for a variety of applications including data analysis and visualization, digital signal processing, and parallel and distributed systems. He holds a Master of Science degree in mathematics from Rensselaer Polytechnic Institute and is a member of the IEEE and the ACM.

Joshua "Jabra" Abraham, Will Vandevanter

Rapid7
Joshua "Jabra" Abraham joined Rapid7 in 2006 as a Security Consultant. Josh has extensive IT Security and Auditing experience and worked as an enterprise risk assessment analyst for Hasbro Corporation. Josh specializes in penetration testing, web application security assessments, wireless security assessments, and custom code development. He has spoken at BlackHat, DefCon, ShmooCon, The SANS Pentest Summit, Infosec World, CSI, OWASP Conferences, LinuxWorld, Comdex and BLUG. In his spare time, he contributes code to open source security projects such as the BackTrack LiveCD, BeEF, Nikto, Fierce, and PBNJ. He is frequently quoted in the media regarding Microsoft Patch Tuesday and web application security by ComputerWorld, DarkReading and SC Magazine.

Mr. Vandevanter joined Rapid7 in 2008. Will has IT Security experience with a focus in web application security and secure software engineering. Will specializes in penetration testing, web application security assessments, and secure code development. In the past Will has also worked on a few different Open Source security projects, including porting SELinux to OpenMoko and other Linux-based mobile platforms. Will holds a Bachelor's degree in Mathematics and Computer Science from McGill University and a Master's degree in Computer Science from James Madison University.

Christien Rioux

SOURCE Conference/Veracode
Christien Rioux is co-founder and chief scientist of Veracode, the world's only binary-analysis powered online application risk management service. Prior to Veracode, he was a founder at security consulting firm @stake, a member of the hacker think-tank L0pht Heavy Industries, and a graduate of the Massachusetts Institute of Technology. Today, he focuses on algorithms to automate the difficult task of reverse-engineering and analyzing binaries for security vulnerabilities.

Paul Schofield

Imperva
With broad business and technical experience ranging from mergers and acquisitions to incident response and investigations, Paul Schofield is a frequent and energetic public speaker. With over fourteen years of experience in Information Security and Risk Management, his diverse background brings insightful perspectives to security and risk management discussions. Paul is currently a Senior Security Engineer with Imperva, an award-winning application security company.

Rob Cheyne

Safelight Security Advisors
Expert Panel Moderator
Rob is the CEO of Safelight Security, a leading provider of both instructor-led and computer-based security training. He is a Boston-based information security expert who has taught information security training classes to over ten thousand students, including developers, architects, and managers for industry-leading organizations. He has 20 years of experience in the information technology field and has been working in information security since 1998. Over the years, he has played the role of software developer, systems integrator, security consultant and trainer. Rob was a co-founder of @stake, a highly regarded pioneer in information security consulting. In this role, he led and conducted secure architecture and design reviews, secure code reviews, application penetration tests, security assessments, and training for numerous Fortune 500 companies. Rob worked on @stake's SmartRisk Analyzer team, building software that automatically scans applications for vulnerabilities, and he was the author of LC4, a version of the award-winning L0phtCrack password auditing tool. @stake was acquired by Symantec Corporation in October 2004. Rob regularly speaks at security conferences, and frequently presents to the Boston OWASP chapter on a variety of security topics. His specialties are application security architecture and information security training.

John Carmichael

Safelight Security Advisors
John Carmichael applies his software security expertise to the creation and delivery of world class security training for some of the world’s largest organizations. At Safelight Security Advisors, he is an integral part of the product team creating best of breed computer-based training courses. Prior to joining Safelight Security Advisors, John was a security trainer and consultant at both Security Innovation and Cigital. His software security experience is rooted in a background of software development with deep expertise in a myriad of languages and environments. He has developed enterprise class software for large organizations such as Massachusetts Executive Office of Health and Human Services and Computer Science Corporation. John earned his B.S. degree in Computer Science and Business Administration from the University of Vermont and an M.S. degree in Computer Information System Security from Boston University.

Dan Crowley

Core Security
Dan Crowley is an independent security researcher and lecturer also working for Core Security Technologies. Dan runs a security education group called CSEC, which is in the process of becoming a hackerspace. In his free time, he can frequently be found playing with Web-based technologies and locks.

Kenneth Smith

Ken Smith, CISSP, CISA, GCIH is an Enterprise Information Security Architect with 15 years of experience in the information security space. He currently leads efforts related to IT risk management, compliance, and privacy for a private $1B e-Commerce, Catalog, and Retail organization. As a consultant, and former QSA, Ken has an extensive background in PCI DSS and has helped many organizations in the area of strategic planning, assessment, remediation plan development, and security program design.
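Ken Smith's talk, "Web Applications and Data Tokenization" (listed in the earlier revision above), covers tokenizing card data before it reaches internal systems and the common mistakes that undermine it. The Python below is an added illustration, not code from the talk, from OWASP or from any vendor, of the two ends of that spectrum: a vault that issues random, Luhn-invalid tokens keeping only the last four digits, beside the weak "token" produced by hashing the PAN without a key, which anyone who also knows the BIN and last four (both routinely printed on receipts and written to logs) can reverse by enumerating the middle digits. The sample PAN is the standard Visa test number, the 16-digit layout and the `payment-processor` role name are assumptions of the example, and the in-memory dict stands in for an encrypted vault store.

```python
import hashlib
import secrets
import string
from typing import Dict, Optional

# Constructed sample: the standard Luhn-valid Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_checksum(digits: str) -> int:
    """Luhn sum of a digit string, reduced mod 10; a PAN is valid when it is 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_checksum(pan) == 0


class TokenVault:
    """Vault-style tokenization: random tokens, with the token<->PAN table held
    only here. The vault is the one component that stays in PCI scope; the web
    application and everything downstream of it handle tokens only.
    (Plain dicts for the example; a real vault encrypts the PAN side.)"""

    def __init__(self) -> None:
        self._by_pan: Dict[str, str] = {}
        self._by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._by_pan:        # same card -> same token, so downstream
            return self._by_pan[pan]   # systems can still correlate transactions
        while True:
            # Keep the last four digits (receipts, customer service) and draw the
            # rest from a CSPRNG; reject any draw that passes Luhn so a token can
            # never be mistaken for, or leak as, a real card number.
            head = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = head + pan[-4:]
            if not luhn_valid(token) and token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the payment-processing component may reverse a token
        (the role name is an assumption of this example)."""
        if caller_role != "payment-processor":
            raise PermissionError(f"detokenization not permitted for {caller_role}")
        return self._by_token[token]


def hash_token(pan: str) -> str:
    """The common mistake: a deterministic, unkeyed hash presented as a 'token'.
    It looks opaque, but the PAN space is tiny and most of it is already known."""
    return hashlib.sha256(pan.encode()).hexdigest()[:16]


def recover_pan_from_hash_token(token: str, bin6: str, last4: str) -> Optional[str]:
    """Reverse an unkeyed hash token given the BIN and last four. Of the six
    unknown middle digits five are free and the sixth is pinned by the Luhn
    check, so only 10**5 candidates have to be hashed."""
    for n in range(10 ** 5):
        middle5 = f"{n:05d}"
        partial = bin6 + middle5 + "0" + last4
        # The pinned digit sits at reversed index 4 (even), so it is not doubled
        # and contributes itself: choose it to zero the checksum.
        pinned = (-luhn_checksum(partial)) % 10
        candidate = bin6 + middle5 + str(pinned) + last4
        if hash_token(candidate) == token:
            return candidate
    return None
```

The point of the comparison: a random token carries no information about the PAN, so a breach of the web tier or the analytics warehouse yields nothing without the vault, whereas an unkeyed hash is reversed in well under a second once the attacker has the BIN and last four. If a deterministic token is required, it has to be keyed (an HMAC or format-preserving encryption with a key that lives only in the vault), and detokenization has to be an authorised operation, not a lookup any caller can perform.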

Zach Lanier

Intrepidus Group
Zach Lanier is a Senior Security Consultant with the Intrepidus Group, a firm specializing in security assessment services. Zach's areas of focus are network and application penetration testing, intrusion analysis, and general hackery, with frequent dabbling in security and privacy research.

Shakeel Tufail

Fortify
Panelist
Shakeel Tufail is a Federal Practice Manager at Fortify, an HP company, where his responsibilities include refining customer security requirements, managing Fortify product deployments and delivering security services. Mr. Tufail brings over 18 years of experience to the IT industry in the areas of network engineering, software development, quality assurance, risk management, and security. Recently, he led over 30 enterprise security assessments for DoD and Fortune Top 50 commercial organizations that directly led to improvement of their risk profile. Prior to joining Fortify, Mr. Tufail held positions such as Deputy Program Manager for the Pentagon Force Protection Agency, Managing Partner for Insyte, General Manager of CompUSA, and Lead Release Engineer for AOL Time-Warner's AOL Instant Messenger development team and HOST Servers QA group. An active software assurance community member, Mr. Tufail contributes to standards-defining efforts including the Common Weakness Enumeration (CWE), the Common Attack Pattern Enumeration and Classification (CAPEC) and other elements of the Software Assurance Programs of the Department of Homeland Security, NSA, and the Department of Defense. He has accumulated over 25 industry standard certifications and is a member of OWASP, ISACA, ISSA, and IEEE. In his spare time, Shakeel enjoys travel, photography, and technical training at local schools. Recently, he hiked the Himalayas to Mt. Everest Base Camp.

Justin Peavey

Omgeo, LLC
Panelist
Justin S. Peavey is the Chief Information Security Officer for Omgeo LLC, the market leader in allocation, confirmation/affirmation, settlement notification, enrichment, operational analytics and counterparty risk management services between trade counterparties. Prior to joining Omgeo, Justin was a VP at State Street performing security architecture and enterprise security program development with a specialization in application security. Justin has been working in the information security field for over 15 years, primarily for the finance and defense industries, and has worked with such companies as Lockheed Martin, Pratt & Whitney, Fidelity Investments, John Hancock, IBM Scientific Research Center, and RSA Security. Justin’s background is in security program development, security architecture, software development, and service delivery management.

Adriel Desautels

NetRagard, LLC
Panelist
Adriel T. Desautels is the President and CTO of Netragard, LLC. Among other things, Adriel specializes in the delivery of advanced, high-threat anti-hacking services and covert network penetration methodologies. Prior to founding Netragard, Adriel founded the internationally recognized SNOsoft Research Team, which quickly became the think tank for Secure Network Operations, Inc. Today SNOsoft is owned and operated by Netragard LLC. Adriel also has extensive experience and expertise in the design and deployment of sophisticated Intrusion Detection and Intrusion Prevention (IDS/IPS) systems. In early 2002 Adriel designed an IDS/IPS technology with powerful event correlation capabilities, capable of accurately identifying real events buried in a high volume of noise. That technology was later acquired by a private third party. As a result of his expertise, Adriel has acted as an expert witness in U.S. Federal Court. Today Adriel’s responsibilities at Netragard include, but are not limited to, the design and management of all of Netragard’s professional services. Adriel’s secondary responsibility is to run and maintain Netragard’s Exploit Acquisition Program (EAP). EAP is designed to acquire bleeding-edge, high-value research and intelligence from the hacking community.

Brian Weekes

GMO
Panelist
Brian Weekes is an Infrastructure Team Lead at GMO managing the Linux Engineering group, and has over 14 years of experience in Information Technology. He played a major role in developing the foundation for the market data plant and trading platforms used for quantitative trading and research. Prior to joining GMO, Brian worked at Wyeth as a Senior Systems Architect to build a new infrastructure and migrate scientific discovery research to high performance computing environments on the Linux platform.

Conference Organizers



We kindly thank our sponsors for their support.
Please help us keep future BASCs free by viewing and visiting all of our sponsors.

Gold Sponsors
Auric Systems International
Fortify
Palo Alto Networks
WhiteHat Security

You can find out more about this conference at the BASC homepage: http://www.owasp.org/index.php/2010_BASC_Homepage.
Conference Organizer: Jim Weiler