Revision as of 17:36, 15 February 2011
Lucas Adamski heads up the product security team at Mozilla, works on security architecture and features, and generally tries to make the Internet a happier and safer place. Previously, Lucas was a Security Architect at Adobe focused on Flash Player and AIR. He also worked at @stake and developed security managed services software at Breakwater Security.
Anurag Agarwal, the founder of MyAppSecurity, has a proven record in providing customers with solutions related to security risk management. Anurag is a former Director of Education Services at WhiteHat Security and has over 15 years of experience designing, developing, managing and securing web applications with companies like Citigroup, Cisco, HSBC Bank, and GE Medical Systems, to name a few. He is an active contributor to the web application security field and has written several articles on secure design and coding for online magazines. A frequent speaker on web application security at various conferences, Anurag is actively involved with organizations such as the WASC (Web Application Security Consortium) and OWASP (Open Web Application Security Project). He started the project on Web Application Security Scanner Evaluation Criteria and is currently a project leader for the OWASP Developer's Guide and the OWASP Common Vulnerability List.
Born in Badalona (Spain), Vicente is the OWASP Spain Chapter Leader, co-founder of Internet Security Auditors and a member of the Technical Advisory Board of the RedSeguridad magazine. He is an application security enthusiast, a regular speaker at industry conferences and has published several articles and vulnerabilities in specialized media.
I am a senior lecturer and currently academic coordinator of the Informatics Faculty at the Catholic University of Rio Grande do Sul (PUCRS). I have a Ph.D. in Computer Science from Universidade Nova de Lisboa (2006) and my primary research interest is in Natural Language Processing, working on the following topics: text mining, machine learning, syntactic and semantic analysis of natural language.
Born in Jakarta, Indonesia, in 1982, Zaki holds a master's degree from Bandung Institute of Technology, Indonesia, majoring in Electrical Engineering. He currently works at indocisc, a small consultancy focused on information security, as a Junior Security Analyst. On professional certification, he passed the CISA exam, which he took in June 2010. He has led the OWASP Indonesia Chapter since December 2008. The first translation project completed by the OWASP Indonesia Chapter team was the OWASP Top 10 2010. He very much enjoys working in the information security industry. In his leisure time, Zaki loves reading, writing, listening to music and, for some time now, taking photos. He also enjoys sports, especially running and swimming. He can be contacted at za at owasp dot org.
Lorna is a consultant at a large financial institution and resides in Minneapolis, Minnesota, USA. She is Vice President of the Minneapolis OWASP Chapter, a member of the Global Industry Committee, Editor of the OWASP Newsletter, and a member of the Summit Planning Committee.
Application Development Management, Application Security Consultation (GWAPT Certified)
Alremh company at ICT Incubator
Product Manager at Innovative Solutions
OWASP Involvement: Syria Chapter Leader
• Presenter for Internet Security at ITDigest
• Senior Developer at King Faisal Specialist Hospital
• Senior Developer at KFSHRC
• Damascus University
Portal Development with J2EE technology
IBM Websphere portal server, application server (with clustering)
SMS, MMS and Mobile Banking projects
Application Security (SANS GIAC standards, OWASP standards, (ISC)2 CSSLP standards)
J2EE, Websphere clustering, Weblogic, JBoss, Struts, JSF
SMS, MMS, Mobile Banking
Rajeev currently works as an Architect at Oracle (Sun Microsystems) and lives in the San Francisco Bay Area, California, USA.
• Founder & VP Engineering at Intellifabric Inc
• Director of Technology at Infospace Inc
• Architect, Portal Server at SUN Microsystems
• University of California, Santa Cruz
• IIT Delhi
• Delhi Public School - R. K. Puram
Information Security Consultant, CISSP, CISM, CISA, ISO27001/LA
Partner at Willway, S.A.; Lisbon Area, Portugal
Senior Security Consultant at Glintt
Security Advisor at Archeocelis, Lda
Security & Systems Engineer at Nokia Siemens Networks
Royal Holloway, University of London
(ISC)², ISACA - Information Systems Audit and Control Association
Information Security Management
Security Architecture Design & Implementation
Auditing and Regulatory Compliance
With honors in Engineering (Computer Science and Mechanical Engineering), complemented by an MBA (Finance), he has been working in the information security space for the last 10+ years in the fields of application security, state assessment, data and network security, security governance and compliance. Part of the McAfee family for the last 5+ years, he provides technical expertise and support in performing architecture and application risk assessments for internally developed applications and third-party solutions, reviewing applications for security vulnerabilities, performing penetration tests and enforcing secure QA and coding practices. Key achievements include providing technical support to the Department of Defence to set up a Common Criteria lab in India for the first time, and establishing a Vulnerability Assessment Center in line with SSE-CMM guidelines. As a member of McAfee's Secure Core Team, he delivers organisation-wide training and conducts secure code reviews. He has played a key role in application security at various CMM companies such as Microsoft (v-id) and Mahindra BT, among others.
Barbato, L. Gustavo C.
Gustavo holds a Ph.D. (application security) and an M.Sc. (intrusion detection) in Information System Security as well as a Bachelor's degree in Computer Science. He has worked in security projects for the Brazilian Government for many years, involving software programming, network and systems administration, computer and network security, application and network penetration testing, software security assessments, code review, malware analysis, intrusion detection, forensic analysis and other activities. During that time, he has also worked as a security professor at undergraduate and postgraduate level, teaching network and information security. He started out as a software developer and system administrator, but the last years have been dedicated to security consulting in the areas above. He is currently the Technical Application Security Lead at Dell and Secure Programming Professor at UNISINOS University. As volunteer work, he is the Porto Alegre (Brazil) OWASP Chapter Founder/Leader and a member of the OWASP Global Chapter Committee.
Ryan Barnett is a Senior Security Researcher at Trustwave. He is a member of Trustwave's SpiderLabs, the advanced security team focused on penetration testing, incident response, and application security, where he focuses on web application defensive research and serves as the ModSecurity web application firewall project lead. In addition to his work at Trustwave, Ryan is also a SANS Institute certified instructor and a member of both the Top 20 Vulnerabilities and CWE/SANS Top 25 Most Dangerous Programming Errors teams. He is also a Web Application Security Consortium (WASC) member, where he leads the Web Hacking Incidents Database (WHID) and Distributed Web Honeypots projects, as well as the OWASP ModSecurity Core Rule Set (CRS) project leader. Mr. Barnett has also authored a web security book for Addison-Wesley entitled Preventing Web Attacks with Apache and is a frequent speaker at industry conferences such as Black Hat and OWASP.
Sarah is a licensed attorney living in Minneapolis, Minnesota, USA. She currently works as a teacher for at risk youth (grades 5-8) at an after school and summer kids program, in addition to volunteering at an ESL school that provides English, computer, math, and citizenship classes to immigrants and refugees. Most recently, Sarah has been involved with OWASP, providing logistical support, travel planning and wiki foo for the Global Summit and serving as the secretary for the Global Industry Committee.
Marco is a 26 year old from Portugal with a Network and Communications Engineer degree. He has worked for 2 years in Carrier Sales Support / Customer Premises Equipment (CPE) Broadband Access (xDSL, FTTH), and is currently taking a MSc in Information Security.
Mattias Bergling works as a Senior Security Consultant at 2Secure in Stockholm, Sweden. Mattias has been working with IT security for 12 years and has been focusing on security testing for the last 8 years. Mattias is the co-leader for the Swedish OWASP chapter and was on the Organizing Committee for AppSec EU 2010.
Mr. Bernik is the Chief Information Security Officer for Fifth Third Bank, responsible for protecting Fifth Third Bank and its clients’ information systems from risks. He is also responsible for defining and implementing Enterprise-wide information security strategies for the Bank.
Mr. Bernik has more than 16 years of experience as a risk professional. He has developed risk management practices, procedures and standards for several Fortune 100 companies including several global banking organizations.
Prior to his role at Fifth Third Bank, Mr. Bernik served in roles including Director of Operational Risk at the Royal Bank of Scotland and Chief Information Security Officer of ABN AMRO, and its subsidiary, LaSalle Bank.
Mr. Bernik received his bachelor’s degree from the University of Mary Washington in Fredericksburg, Virginia, and completed graduate work in business administration at the City University of New York.
Mr. Bernik currently serves as an advisor to the Federal Reserve on matters of information security and is on the steering committee of the Financial Services Information Sharing and Analysis Center (FS-ISAC).
Project Manager and Business Developer of consulting activities for network and application security analyses concerning Ethical Hacking, Secure Software Development Lifecycle, Security Processes, Risk Analyses and Business Impact Analyses. Since 2009 he has also been responsible for the Internship Program of Business-e.
Edward Bonver is a principal software engineer on the product security team under the Office of the CTO at Symantec Corporation. In this capacity, Edward is responsible for working with software developers and quality assurance (QA) professionals across Symantec to continuously enhance the company’s software security practices through the adoption of methodologies, procedures and tools for secure coding and security testing. Within Symantec, Edward teaches secure coding and security testing classes for Symantec engineers, and also leads the company’s QA Security Task Force, which he founded. Prior to joining Symantec, Edward held software engineering and QA roles at Digital Equipment Corporation, Nbase and Zuma Networks. Edward is a Certified Information Systems Security Professional (CISSP) and a Certified Secure Software Lifecycle Professional (CSSLP). He holds a master’s degree in computer science from California State University, Northridge, and a bachelor’s degree in computer science from Rochester Institute of Technology. Edward is a Ph.D. student at NOVA Southeastern University.
Rex is a Senior Manager in Grant Thornton’s Public Sector practice and leads their Cybersecurity Solution group. He has over ten years of experience providing application development, risk management and information security services to government agencies, private industry, and financial institutions.
Since joining Grant Thornton, Rex has led various information security and risk management engagements including FISMA, IV&V, SOX, and OMB A-123 engagements as well as identity management and system certification and accreditation efforts. During his tenure at previous employers, Rex designed and developed complex distributed web-based applications. As a member of a managed security services team performing research and development, he co-architected and implemented a scalable information detection and prevention information aggregation solution for use in a real-time 24/7 information security monitoring system, correlating and reporting on thousands of devices. He has presented on the topic of information security and assessment methodologies to various institutions and is currently a global committee member for the Open Web Application Security Project (OWASP).
Brennan started with technology in 1986 when 8-bit and CP/M were cool <grin>. After a career-ending injury with the United States Marine Corps during the Gulf War I era, he has dedicated his life to information security. He was elected to and served with the FBI InfraGard program 2002-2004 and then founded the OWASP New Jersey Chapter, which today includes NYC Metro. In 2007 Brennan was appointed by his application security peers to the OWASP Global Board of Directors. Tom was the managing partner of Proactive Risk, which routinely assessed the technology, people and processes used in finance, e-commerce, oil/gas, power generation/transmission, water, and global enterprise networks, before joining Trustwave SpiderLabs in 2011. He is a father of 4 great kids and a frequent and entertaining speaker at information security conferences and bars around the world ;)
LXstudios Inc., Owner/Director
Deb has provided branding, corporate identity and collateral design solutions to institutional and retail clients for over twenty years. On a Fine Arts Scholarship, she obtained a bachelor of Fine Arts in Graphic Design with a Minor in Professional Writing from Carnegie Mellon University in Pittsburgh, PA. She began her career as a Senior Designer in the Creative Services department at Thomson Financial in Boston, MA. After Thomson, Deb became a partner at Patric Ward Design in Boston, managing accounts such as Janus Institutional, Reebok, Standard & Poor’s, and Thomson Financial. In 1999, Deb opened LXstudios, providing branding, corporate identity, print collateral, advertising, web and event support to financial services, medical, technology, management consulting, mortgage/banking and retail clients.
Mark Bristow works as an Industrial Control Systems (ICS/SCADA) Security consultant with Securicon LLC for a US Government client. Before getting involved with ICS, Mark was heavily involved in web application vulnerability research, penetration testing and building application security programs as a consultant with SRA International. Mark is an active member of the Open Web Application Security Project (OWASP) as Global Conferences Committee Chair, AppSec DC Organizer, and Co-Chair of the OWASP DC chapter.
Daniel is a web security enthusiast with broad knowledge of web application development and web security. He has been working in the banking and financial industry for the last few years. He is doing his Master's Degree in Artificial Intelligence at Warsaw University of Technology and is currently working on his final master's thesis, entitled "Web Application Penetration Tests". Right now he is based in London, UK and works for a worldwide financial company. His interests cover all aspects of web security, web development and public speaking. In his free time he enjoys practicing Krav Maga, listening to music and following web security news.
Founder and CEO, Compass Security AG (since 1999)
Founder of Swiss Cyber Storm Security Conference (since 2007)
Founder of Hacking-Lab community site / Alias E1 (since 2006)
Founder and board member of Cyber Tycoons foundation (since 2010)
Board member, Information Security Society Switzerland ISSS (since 2010)
Member, /ch/open foundation
After completing his degree in Electrical Engineering at the Technical College of Rapperswil, focusing on computer science, control technology, electronics, energy engineering, and motion technology, Ivan Buetler worked for 2 years in St. Gallen at AGI Service, a company which provides services for banks. He provided plans for high-availability Unix and NT server systems including, among other things, a platform for stock market and foreign exchange dealers based on Reuters, Bloomberg and FIMS (Telekurs). Afterwards, while working for 3r security engineering ag/Entrust Technologies, Ivan supported security consultants in technical matters and analysed clients' technical problems, local networks and computer systems throughout Europe. This security work included penetration tests, security reviews, the development of secure architectures, Internet and intranet security, as well as security solutions for e-commerce. In particular, he was involved in the cross-certification of the Canadian Entrust PKI with Europe. During these activities he completed post-graduate studies at the Management School of St. Gallen/Zurich in Business Management.
Calderon, Juan Carlos
Juan currently works as Application Security Research Leader/Sr. Auditor at Softtek and lives in the Aguascalientes area, Mexico. Prior to this he was a Project Leader at Softtek, as well as a Sr. Application Security Auditor and Sr. Web Developer at Softtek. Juan also worked as a Web Application Security Specialist and Web Developer at GE DDEMESIS and as the IT Manager at Gabatti. Juan received his education from the Instituto Tecnológico y de Estudios Superiores de Monterrey and the Instituto Tecnológico de Zacatecas. Juan specializes in: Application Security, Security Source Code Review, Vulnerability Assessments, security trends analysis, Penetration Testing, Secure SDLC, App
Founder and Principal Consultant, Electric Alchemy
DC has been immersed in technology since elementary school. Early experiences with Microsoft Flight Simulator on a 4.77MHz 8086 IBM got him interested in computers as well as aviation. Campbell went on to become a well-respected figure in the information security community as well as an FAA certificated pilot.
DC joined Andersen Consulting after graduating from University and his aptitude for hacking quickly led him to the forefront of the Firm's then nascent information security practice. At Andersen, Campbell worked as a security architect for a series of high profile projects while simultaneously providing penetration testing expertise on short engagements all over the world.
Since founding EA, Campbell has embraced application security and mobile security and continues to be involved in the community. DC leads the Denver chapter of the Open Web Application Security Project and organizes the successful annual FROC application security conferences.
Director of IT, OWASP.
Brad Causey is an active member of the security and forensics community worldwide. Brad tends to focus his time on Web Application security as it applies to global and enterprise arenas. He is currently employed at a major international financial institution as a security analyst. Brad is the President of the OWASP Alabama chapter, a member of the OWASP Global Projects Committee and a contributor to the OWASP Live CD. He is also the President of the International Information Systems Forensics Association chapter in Alabama. Brad is an avid author and writer with hundreds of publications and several books. Brad currently holds certifications in the following arenas: MCSA, MCDBA, MCSE, MCT, MCP, GBLC, GGSC100, C|EH, CIFI, CCNA, IT Project Management+, Security+, A+, Network+, CISSP, CGSP.
Matthew Chalmers has been doing information security and related work his entire professional career, since earning his bachelor's degree from MST. Matt has worked for large organizations in the defense, financial and manufacturing industries including the US Navy, the National Security Agency, JPMorgan Chase and, presently, Rockwell Automation. Matt currently performs risk, threat, control and vulnerability assessments; regulatory & policy/standard compliance audits; process improvement audits; and general & application control audits. Matt holds the CISA, GSNA, GCFA, CEH and CHS certifications and is ITIL v3 Foundation certified. Matt has been involved with OWASP since about 2002 and can be reached at matthew dot chalmers at owasp dot org.
Pravir Chandra is Director of Strategic Services at Fortify where he leads software security assurance programs for Fortune 500 clients in a variety of verticals. He is responsible for standing up the most comprehensive and measurably effective programs in existence today. Creator and leader of the Open Software Assurance Maturity Model (OpenSAMM) project, Pravir also works extensively with OWASP and on other open projects to promote effective application security practices. As a thought leader in the security field for over 10 years, Pravir has written many articles, whitepapers, and books and is routinely invited to speak at businesses and conferences world-wide.
Steven Cheng is currently the product manager for CodeSecure at Armorize Technologies, Inc. He has been with the company for more than five years, from the early development phase to his current product management role. His job primarily involves requirement gathering and specification design. Recently his focus has also shifted to the development process in order to have better control of the release schedule.
In the past year Steven has led the CodeSecure team through a major product transformation: a change in distribution method from appliance to pure software, and a complete UI redesign. The beta version is now available for download and the final release is scheduled for 4 March.
Justin is a Director and Co-Founder of Gotham Digital Science, based in London. Justin has extensive international risk management, security and secure development consulting and testing experience in the United Kingdom, United States and New Zealand. He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress), co-author of "Network Security Tools" (O'Reilly), and a contributor to "Network Security Assessment, 2nd Edition" (O’Reilly), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. Currently Chapter leader of the OWASP London chapter, and a member of the OWASP Connections Committee, he has a Bachelors degree in Computer Science from the University of Canterbury in New Zealand. He’s also a CISSP, CISM, CISA, CEH, and still has his MCSE if you have a Windows NT 4.0/Exchange 5.5 network.
Michael Coates has extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers worldwide. Michael holds a master's degree in Computer Security from DePaul University and a bachelor's degree in Computer Science from the University of Illinois.
Michael is the creator and leader of the AppSensor project and a contributor to the 2010 OWASP Top 10. He is a frequent speaker at OWASP security conferences in the US and Europe and has also spoken at the Chicago Thotcon conference and provided security training at BlackHat.
As the web security lead at Mozilla, Michael protects web applications used by millions of users each day.
Paulo began working for OWASP in July 2007, taking over the Spring of Code closing process. In the beginning of 2008 he became a part-time OWASP employee in the role of Project Manager. After completing his IELTS course, his status changed again when, in July 2008, he moved into a full-time position. He reports directly to the OWASP Board and has worked closely with the OWASP Global Projects Committee since it was established in November 2008.
A few of his varied OWASP contributions are as follows:
• OWASP Spring of Code 2007,
• OWASP Summer of Code 2008,
• OWASP EU Summit 2008,
• OWASP Assessment Criteria 1.0 & 2.0,
• OWASP 'Project About' Templates,
• OWASP Projects Dashboard,
• OWASP Project Reviewers Database,
• OWASP Training.
Paulo Coimbra has a M.S. in Management (Technical University of Lisbon), a Post-Graduation in Political Science (University of Lisbon), and a B.S. in Management and Social Development (Portuguese Catholic University).
He has worked in management since 1992. He has performed different roles, from Economist (IAPMEI/Portuguese Ministry of Economy) to Teacher of Finances, Accountancy and M&A (Polytechnic Institutes of Setúbal and Santarém), to Marketing Director and Teacher of Project Finance, Corporate Communication and Political Science (Piaget Institute).
Dan Cornell has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies. Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.
Information Security Engineer at PayPal
I have extensive experience in information security, information technology and web application development. I bring integrity and accountability to all of my projects. Beyond my technical skills, I also have experience managing people and resources, budgeting, metrics, legal issues, strategic planning, and public speaking.
Information Security: access controls, disaster recovery, network security, web application security, HIPAA, PCI, application lifecycle, penetration testing, auditing, security research and more.
Information Technology: server administration, hardware/software installation/configuration, help desk/technical support, product evaluation, and more.
Web Application Development: entire development cycle, from design to implementation to quality assurance to deployment.
Specialties: Contributor to HTML5 (http://www.whatwg.org/specs/web-apps/current-work/multipage/acknowledgements.html#acknowledgements)
Contributor to WASC Threat Classification v2 (http://projects.webappsec.org/Threat-Classification-Authors)
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.
For the past couple of years Dinis has focused on the field of Static Source Code Analysis and Dynamic Website Assessments (aka penetration testing), and is the main developer of the OWASP O2 Platform, an Open Source project focused on 'Automating Security Consultants' Knowledge/Workflows' and 'Allowing non-security experts to access and consume Security Knowledge'. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the security consultants and the final users (from management to developers). Past industry experience includes: running a small Software/Consultancy business, acting as CTO for a Portuguese University, being part of a Security Assessment team (Pentesting and Source Code Assessment) for a global bank (ABN AMRO), taking the role of Director of Advanced Technologies at Ounce Labs (acquired by IBM) performing Web Application security assessments on a large number of languages/technologies/frameworks, and being a very active participant and enabler at OWASP.
Sarah Cruz is an award-winning graphic designer working in London for Lewis Moberly www.lewismoberly.com. She is responsible for the design of such global icons as Glenmorangie whisky, Johnnie Walker Director's Blend, Sport England, and the new Gatwick Airport identity. She designed the OWASP Summit '08 and the OWASP Summit 2011 identity. In 2008 she founded the charity Abundance London www.abundancelondon.com, which works with school groups to harvest surplus local fruit from city gardens and parks and supplies it to local restaurants. English by birth, she grew up in the US. Sarah went to Choate and has a BA (Hons) from Carnegie Mellon University. She can speak a bit of Portuguese. Sarah has two daughters, 7 and 5, with husband Dinis Cruz.
I am interested in all forms of application/network security. I mainly enjoy trying to think of unique ways of breaking applications from a business logic standpoint.
I have published the following papers:
• Blind Buffer Overflows in ISAPI extensions: http://www.securityfocus.com/infocus/1819 - This article was released on the main page of the leading security news and information site, Security Focus, in January 2005.
• The Benefits of Combining Automated and Manual Penetration Testing (Japanese only): https://www4.symantec.com/Vrt/offer?_requestid=22090&a_id=42747 - This white paper was written to aid our sales team in educating our customers as to the benefits of combining manual testing with automated tools. I felt that the Japanese market relied too heavily on tool-based analysis, so the paper was written to show what automated tools cannot find.
Specialties: application assessments, network assessments, some reverse engineering
De Win, Bart
Bart is a security enthusiast with an extensive academic background. He is a master in Computer Science. Afterwards, he has spent over a decade researching and improving techniques for the analysis and development of secure software, among others in the context of his Ph.D. He authored more than 60 articles published in international journals or conferences. He is specialized in methodological and constructive software security techniques, with a specific focus on application security. Because of his background, he has an in-depth knowledge of the state-of-the-art in the area. Bart currently works as a security consultant in the domain of application security. He works on a daily basis on application assessments and on helping customers improving their software security practices. Bart is one of the OWASP chapter leaders of the Belgian OWASP chapter. He co-organizes the OWASP BeNeLux events.
Sebastien Deleersnyder (Seba), Managing Technical Consultant SAIT Zenitel. Starting up the ICT Security business line for SAIT Zenitel BeNeLux-France (www.saitzenitel.com). I started the Belgian OWASP Chapter in 2005, have started the OWASP Education project and participate in the global chapters committee and the Board of the OWASP Foundation. I co-organize the yearly security & hacker BruCON conference and trainings in Brussels (www.brucon.org). As security project leader and information security officer for multiple customers I have built up extensive experience in Information Security related disciplines, both at strategic and tactical level. I specialise in (Web) Application Security, combining both my broad development and information security experience.
Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with the University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In the past years he released several advisories, including ones that were not publicly disclosed but patched, and several open source tools. He has also contributed to the OWASP Testing Guide and is the Research & Development Director of the OWASP Italian Chapter.
Fred is an application security researcher and the founder of Attack Logic, a U.S. based AppSec consultancy. He spent 3 years as a private researcher on campus at UNL’s Technology Park in the field of InfoSec and for the past 11 years has provided executive level IT services to public and private organizations. Application Security has been his exclusive focus for the past seven, with a general focus on information warfare and the uses of counter intelligence for purposes of corporate defense. He is a regular guest lecturer and speaker at universities, conferences, and professional organizations. Mr. Donovan is an alumnus of the University of Missouri -- Columbia (Mizzou) and the American Military University (AMU).
Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GCIA, GPEN is the principal security consultant and president of Durkee Consulting, Inc. since 1996. Ralph founded the OWASP Rochester, NY chapter in 2004 and currently serves as a member of the OWASP Global Conferences Committee. Ralph also serves as president of the Rochester ISSA Chapter and chairs the annual Rochester Security Summit. He performs a variety of security audits, software security assessments and software development consultations for clients in the Rochester, NY area. His expertise in penetration testing, incident handling, secure software development and secure Internet and web applications is based on over 30 years of both hands-on and technical training experience. He has developed and taught a wide variety of professional security seminars including custom web application security training, and SANS SEC401 & SEC504 - Hacker Techniques and Incident Handling and CISSP bootcamp courses since 2004. Ralph regularly leads development of a wide variety of security standards such as application security, database encryption and security consulting for compliance with the Payment Card Industry Data Security Standard.
I am co-founder and Director at SecuRing, a company specializing in security testing services, based in Krakow, Poland. During the last 8 years at SecuRing, I have managed many projects in the domain of security testing for leading financial companies and public organizations. Considering OWASP,
I am especially interested in:
• Security testing management.
• OWASP Testing Guide, etc.
• Risk assessment vs. (web) applications.
• Security development lifecycle (OpenSAMM).
• Penetration testing & code review.
• Frameworks security.
OWASP Poland board member. ISMS Lead Auditor / BS7799 certified.
Sao Paulo, Brazil
CBCP - Certified Business Continuity Professional
SANS GIAC GHTQ
• Application Security
• Penetration Test
• BCMS (Business Continuity Management System)
• DRP (Disaster Recovery Plan)
• ISMS (Information Security Management System)
• DMS (Data Management System)
• Risk Analysis & Mitigation
• Pre-Sales & Customer Interface
• Risk-Critical Solution Design & Deployment
• Public Speaking & Writing Talents
Chris Eng is Senior Director of Research at Veracode, where he helps define and implement the security analysis capabilities of Veracode’s service offerings. He has over 12 years of experience in information security, including senior technical positions at Symantec and @stake, where he specialized in software security assessments, penetration testing, reverse engineering, and vulnerability research while also leading the development of @stake’s WebProxy product. During this time, he advised numerous Fortune 100 companies on software security and served as a global leader for Symantec’s Attack and Penetration Center of Excellence. He began his career with the US Department of Defense working on a variety of offensive-minded infosec projects.
Chris speaks regularly at top information security conferences including BlackHat, OWASP, and RSA, discussing topics such as cryptographic attacks, application security metrics, secure coding, and the SDLC. He also serves on the advisory board for the SOURCE Boston and SOURCE Barcelona security conferences. Along with experts from more than 30 US and international cyber security organizations, he helped develop the CWE/SANS Top 25 Most Dangerous Programming Errors.
Arian Evans is the VP of Operations at WhiteHat Security. In this role, Arian leads a team of application security engineers integral to delivering the WhiteHat Sentinel SaaS-based website vulnerability management service, currently assessing over 3000 production websites around the globe, primarily in e-commerce, financial services and healthcare verticals, and including many Fortune 500 companies. Arian's team also verifies all vulnerabilities identified by WhiteHat Sentinel, a unique feature of the service.
Arian has worked at the forefront of Web application security for more than 10 years. His global projects include work with the Center for Internet Security, NIST, the FBI, the Secret Service, and many large commercial organizations in analyzing Web application security and providing hacking incident response. Arian also researches and discloses new attack techniques and vulnerabilities in Web application software, including commercial platforms like Cisco and Nokia.
Previously, Arian led the Application Security Practice at FishNet Security, working with Fortune 500 clients and delivering software security services globally.
Arian is a frequent speaker at industry conferences including Black Hat, Hacker Halted, OWASP, RSA, and WASC events, and was also a contributing author for "Hacking Exposed: Web Applications."
Student at the Chair for Network and Data Security, Ruhr University Bochum, Germany.
Research interests include:
- Web Service Security
- Web Service Attacks
Fazli Azran, Mohd
Mohd Fazli Azran is an OSS evangelist and has been an active OSS user since 1996. He has joined many OSS communities and spread the word about OSS to the public. He worked as a System Administrator for almost 10 years and believes in the OSS spirit "Sharing is Caring". He has now moved into Open Source Security to raise public awareness of what OSS security can do for the community. He is currently a Fedora Ambassador and openSUSE Ambassador. He was also a CyberSafe Ambassador for Security Awareness by CyberSecurity Malaysia, and Secretariat for the Open Source Developer Club Malaysia (OSDCMY), which organized the Malaysia Open Source Conference (MOSC). He is now active as OWASP Malaysia Chapter Leader.
Giorgio Fedon is the COO and a cofounder of Minded Security, where he is responsible for running the daily operations of the company and managing Professional Services. Prior to founding Minded Security, Giorgio was employed as a senior security consultant and penetration tester at Emaze Networks S.p.a., where he delivered code auditing, forensic and log analysis, malware analysis and complex penetration testing services to some of the most important companies in Italy, such as banks and public agencies. He has spoken at many national and international events, mainly about web security and malware obfuscation techniques. He was also employed at IBM System & Technology Group in Dublin (Ireland).
Felipe Ferraz is a PhD candidate and holds a Master's degree and a postgraduate qualification in Software Engineering, with emphasis on software engineering, system architectures and information security. He has worked with computer systems for the last 8 years and has experience designing and developing both web and mobile applications, especially with J2ME and Android technologies. He has been teaching Software Security Engineering at CESAR.EDU and FBV.
Ferreira, Lucas C.
Lucas has been a security professional for more than 15 years. He began working on network security and then security management. As he has several developers in the family, he got interested in secure development techniques. In 2008, he answered a Call for Trainings to be delivered at the first OWASP Summit and got the opportunity to go to Portugal and to get to know OWASP and its leaders. In 2009 he managed to put together the first AppSec Conference in South America and did it again in 2010. He is now more involved in OWASP than ever, having a seat at the Global Conferences Committee, leading the OWASP local chapter in Brasilia, DF, Brazil and leading the newborn OWASP Portuguese Project.
Product Manager on the Google Chrome team. Responsible for ensuring
the APIs we add to Google Chrome and to web standards provide a
coherent development platform that meets the needs of Google's
application developers and web developers at large. Experience
managing large globally distributed products, currently managing a
group split between N. America, Europe, and Asia.
Engineer with the U.S. Government, working on large highly available
database applications, with security clearance.
Specialties: Product management, web standards, contract negotiations, security, phishing, malware
"I spent many years on the development side of the fence working on both thick client and web-based applications. That was mainly in the financial sector in Ireland and Switzerland. In the early noughties somebody asked me if I had heard of this thing called "SQL Injection". That was when I began the transition from poacher to gamekeeper, working on the security end of things. I continue to do a good deal of development.
My first contact with OWASP was the AppSec Europe conference at Royal Holloway outside of London in 2005. Since then I have mainly been a consumer of OWASP resources, apart from giving a few talks at various chapter meetings. My goal with OWASP is to help development teams build "enough" security into their projects and to raise general awareness about OWASP and application security. That is why I believe that outreach and education type initiatives must be key aspects in the future direction of OWASP."
Justin Fitzhugh is the VP of Engineering Operations for the Mozilla
Corporation. He's responsible for all Mozilla’s production and
corporate infrastructure, including serving the Firefox product to
more than 150 million users. In addition to Firefox distribution, his
team designs, implements and supports the infrastructure for one of
the largest open source organizations in the world. Prior to Mozilla,
Justin managed Macromedia’s global datacenter environment. He spends his spare time as an avid pilot, snowboarder and father in the Bay Area.
I started working on security stuff at the age of 18, disassembling viruses
and helping to develop AV technologies. After that I worked as a developer
for companies related to the financial industry, where I helped to develop
credit card related applications, home banking and stuff like that.
Then I moved to the administration phase of my life, where I worked as a
security network administrator for the main TMT company of my country.
At the same time I did security research and development for companies in
the United Kingdom and Brazil.
Now I work as a security consultant at Deloitte Uruguay.
A.F. has over 10 years of experience in the field of software development
and risk management with private organizations. A member of the OWASP
Switzerland board, he leads the Geneva chapter and contributes to
several reference software security projects such as the "CWE Top 25
most dangerous programming errors."
Antonio currently works at L7 Sécurité, a Swiss security & risk
consultancy company he founded in 2010. His work strongly emphasizes
helping organizations better understand Internet threats and manage
Fort, Julio Cesar
As you can see, my name is Julio Cesar Fort, 24, yet another guy living in Recife, Pernambuco, a very beautiful state located in the northeast of Brazil. Currently I am an undergraduate student of Computer Engineering at CIn/UFPE (Pernambuco Federal University) and a former undergraduate student in Mechanical Engineering at the same university. I also have a parallel activity as self-proclaimed (haha) editor-in-chief of The Bug! Magazine, the only active hacking-related e-zine in Brazil nowadays. By the second half of 2005 and early 2006 I was a scholarship holder of CNPq and acted as an intern at C.E.S.A.R. learning secure coding techniques in C. I confess I had a great time there, but I could have learned much more. After my time in C.E.S.A.R. was over, I worked, also as an intern, in the coadmin team at Tempest Technologies, a very nice market-leading company in the Brazilian information security industry. Tempest was nice because it doesn't sell fear and lies like other companies that make this industry so filthy. I asked to leave the company because I had no time to study and my grades were dropping like hell. By the way, Recife is also a Brazilian technological pole. Cases like Porto Digital and C.E.S.A.R. are the living proof of it. Because of these initiatives we now have major companies based in Recife such as Motorola, Intel, Samsung, LG Electronics, the Nokia research institute and even Microsoft.
Holds a degree in Computing Engineering and an MSc in Computer Networks. Extensive knowledge and professional experience in R&D projects and software development, both at academic and industrial levels. Taught at the Faculty of Engineering of the University of Porto, and also gave training in computer security. Currently teaches Networks and Computer Security at the Engineering School of the Polytechnic Institute of Porto. He is also a member of INESC Porto L.A., a National R&D Laboratory, where he is working towards his PhD.
Tilman Frosch works as a researcher for the Horst Görtz Institute for IT-Security at Ruhr University Bochum, Germany. He is interested in everything that leverages the browser to compromise the system. In his spare time he stares at passive-DNS data and Ruby code. In the time left he creates noises from various instruments or spends said time outdoors.
I have a five-year degree in Information Systems and Computer Engineering (IST - Technical University of Lisbon), am an Oracle OCP (Oracle Certified Professional), and have about 7 years of experience as an Oracle DBA and about 14 years of IT experience. Besides this, through my professional career, I have been in several roles such as Trainer, Systems Administrator, Project Manager, and Programmer.
Helen Gao has worked in the field of information security since 1991. She has worked as an application developer, manager as well as a software architect. Her employment history includes a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is a senior architect at TIBCO Software Inc. Her job duties include designing and developing complex event processing software. Protecting information security in such systems is challenging because of their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage the life cycle of projects. Helen has taught math, physics and computer science in colleges in both the United States and China. Helen graduated from Sun Yat-sen University in China. She continued her studies of physics and computer science after she came to the United States. Helen has master's degrees in both physics and computer science. Helen founded the Long Island OWASP chapter in 2006. Besides volunteering for OWASP, she serves as the president of the Sun Yat-sen University Alumni Association. Helen helped found the Long Island Chinese School.
Information security professional with global experience in diverse environments. I hold an MSc in Information Technology - Information Security from Carnegie Mellon University. I’m currently the Security Practice Leader of Professional Services & Innovation for Logica Iberia.
Vishal Garg is the Founder and Principal Security Consultant for AppSecure Labs Limited, a UK based company offering application security and penetration testing services. He specialises in conducting network and application security reviews, design reviews, and vulnerability research and analysis for web-based applications, cloud-based systems and COTS applications. In his 12-year career, he has offered software development and expert security advice to several recognised Fortune 500 and FTSE 100 companies including international financial institutions, retailers and multinationals. He has a master's degree in Information Security from Royal Holloway, University of London, is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Auditor (CISA), and is currently the project leader for the OWASP Development Guide.
Gomes, Leandro Resende
Leandro Resende Gomes lives in Brasília, capital of Brazil. He works at SERPRO, the Brazilian Federal Data Processing Service, an organization that creates and maintains huge computer systems for critical public companies. Leandro works in a security development group responsible for addressing corporate security aspects during the SDLC. This group was created in 2006, and they discovered OWASP that same year. The group's main contribution to OWASP was the translation of ASVS and the QuickRef Guide. The work of this group includes the dissemination of technical orientation, source code analysis and pen testing coordination, and the definition of security components/frameworks to be adopted.
The last events Leandro participated in were the BlackHat 2009 conference in Las Vegas, OWASP AppSec 2009 and ICCyber 2010, Brazil. He wrote an article about "Securing web applications with fuzzing tests" for a SERPRO internal conference.
Tobias Gondrom is Managing Director of an IT Security & Risk Management Advisory based in the United Kingdom and Germany. He has twelve years of experience in software development, application security, cryptography, electronic signatures and global standardisation organisations working for independent software vendors and large global corporations in the financial, technology and government sector, in America, EMEA and APAC. As the Global Head of the Security Team at Open Text (2005-2007) and from 2000-2004 as the lead of the Security Task Force at IXOS Software AG, he was responsible for security, risk and incident management and introduced and implemented a secure SDLC used globally by development departments in the US, Canada, UK, Germany, and India.
Since 2003 he has been the chair of the IETF working group "LTANS" in the security area and a member of the IETF security directorate; since 2010 he has chaired the web security WG at the IETF, and he is a former chapter lead of the German OWASP chapter from 2007 to 2008. Tobias is the author of the international standard RFC 4998 (Evidence Record Syntax) and co-author of and contributor to a number of internet standards and papers on security and electronic signatures, as well as the co-author of the book "Secure Electronic Archiving" (ISBN 3-87081-427-6), and a frequent presenter at conferences and author of articles (e.g. ISSE, Moderner Staat, IETF, VOI-booklet "Electronic Signature", iX).
Security Engineer at Facebook. Development. Security. Security Development.
Recently focusing on building static and dynamic analysis tools and getting them used within an organization.
Communications and Cable & Wireless in varying roles from Sr. Security Architect and eventually product managing many of the managed security services product lines. He also worked at eBay as a Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-DHTML malware and anti-virus strategies. Later he worked as a director of product management for Realtor.com. Robert sits on the advisory board for the Intrepidus Group, previously sat on the technical advisory board of ClickForensics and currently contributes to the security strategy of several startup companies.
Mr. Hansen wrote Detecting Malice, authors content on O'Reilly, and co-authored "XSS Exploits" by Syngress publishing. He sits on the NIST.gov Software Assurance Metrics and Tool Evaluation group focusing on web application security scanners and the Web Application Security Scanners Evaluation Criteria (WASC-WASSEC) group. He also has briefed the DoD at the Pentagon and speaks at SourceBoston, Secure360, GFIRST/US-CERT, CSI, Toorcon, APWG, ISSA, TRISC, World OWASP/WASC conferences, SANS, Microsoft's Bluehat, Blackhat, DefCon, SecTor, BSides, Networld+Interop, and has been the keynote speaker at the New York Cyber Security Conference, NITES, OWASP Appsec Asia and OWASP Appsec Brazil. Mr. Hansen is a member of Infragard, West Austin Rotary, WASC, IACSP, APWG, contributed to the OWASP 2.0 guide and is on the OWASP Connections Committee.
Operations Director at OWASP
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and the security implications of the ES5 specification draft. Mario initiated the HTML5 security cheat sheet and maintains the PHPIDS filter rules. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-', a book on how an attacker would bypass different types of security controls including IDS/IPS.
Jeff Hodges is a practicing Security Engineer and Protocol Architect, working at PayPal in the areas of web security, identity, and distributed infrastructure. His interests lie in the areas of web security as well as the nature of "online identity" and its realization via composition of authentication, security, directory, and other technologies.
He participates in various IETF working groups including those whose topics involve HTTP, TLS/SSL, and those that touch upon security/identity. He also participates in various other Internet-based fora, e.g. Internet Identity Workshop (IIW), OASIS (SSTC/SAML committee), Kantara, Identity Commons, etc.
In the recent past, he contributed to the Liberty Alliance effort as an editor and co-author of several of the Liberty ID-WSF and ID-FF protocol specifications. Earlier, he served as co-chair of the OASIS Security Services Technical Committee (SSTC/SAML), shepherding and contributing to the development of SAMLv1.0, as well as subsequently contributing to v1.1 and v2.0.
His prior work has included contributions to the design of the LDAPv3 directory access protocol (in the areas of authentication and security), as well as contributing to the design and deployment of Stanford University's SUNet ID and Registry/Directory infrastructure. He's held architecture, engineering, and management positions at NeuStar, Sun Microsystems, Oblix, Stanford University, and Xerox.
Jerry Hoff is a Senior Application Security Engineer at Aspect Security. Jerry
has led and performed numerous application security code reviews for clients
across multiple industries. Jerry also provides training services for clients,
and has over 10 years teaching and development experience. Jerry is also
involved in the Open Web Application Security Project (OWASP) and was the lead developer of the AntiSamy.net project. He has a master's degree in
Computer Science from Washington University in St. Louis.
"some" Security ..
It's difficult to describe my knowledge in the security world without being subjective, hence replace "some" with whatever you feel happy with. The official title on the v-card will be senior security and network consultant, which means something too.
I've been doing software development since the early '80s, have been into networking all the time, and have focused on web application security since the start of this millennium. Meanwhile I've seen a lot of WAFs and web application security scanners arrive, have evaluated, configured and used them, and have seen them disappear again. Founded sic[!]sec GmbH in 2010.
• Participating in the German Chapter, German Chapter Board Member
• Project leader, maintainer, developer of OWASP EnDe Project
• Reviewer on some other OWASP projects (SoC 2008)
• CAL9000 (added some en-/decoding and request/response functionality; 2006)
• OWASP papers:
o Best Practices: WAF
o Best Practice: Projektierung der Sicherheitsprüfung von Webanwendungen
Public Papers / Work
• HTTP State Management Mechanism (Cookie) current httpstate working group (contributor 2009/2010)
• Best Practice: Projektierung der Sicherheitsprüfung von Webanwendungen (author 2009)
• Web Application Security Threat Classification v2 (contributor 2008/2009/2010)
• Best Practices: Einsatz von Web Application Firewalls (co-author, 2008)
• Sicherheit von Webanwendungen: BSI-Maßnahmenkatalog und Best Practices (author, 2005/2006)
• Web Application Firewall Evaluation Criteria (contributor, 2005)
• Web Application Security Threat Classification v1 (contributor and German translation, 2004/2005)
As Director of Engineering and then Special Projects at the Mozilla Foundation and Corporation since 2003, Chris Hofmann has spearheaded the research and development work of thousands of open source contributors around the world. A Netscape employee before joining Mozilla, Chris contributed to every Netscape and Mozilla browser release since 1996.
As the first employee at the Mozilla Foundation in August 2003, Chris led a small but devoted team of the original ten engineers that established the Mozilla Foundation as an independent and self-sustaining organization.
In 2004, Chris managed and executed the first worldwide release of Mozilla Firefox 1.0. Firefox 1.0 helped to fulfill the Mozilla Foundation’s goal of supporting open Web standards and provide innovation and choice for Internet client software and set Firefox on a path to remarkable market share growth over the last several years.
Chris now helps to build and strengthen Mozilla communities around the world. These contributors and communities are involved with localization of Firefox into over 70 languages, extend Firefox with Addons, and provide support to Firefox users. He engages with security researchers to help improve browser security and manages Mozilla's Security Bug Bounty Program. He is also interested in engaging, helping, and promoting the work done in companies and large institutions to deploy Firefox and Mozilla technology.
Dr Giles Hogben is programme manager for secure services at the European Network and Information Security Agency in Greece. He has led numerous studies on Network and Information security, including on topics such as Smartphone security, Cloud computing, Social Network security and European Identity card privacy. Before joining ENISA, he was a researcher at the Joint Research Centre in Ispra, Italy and led work on private credentials. He has a PhD in Computer Science from Gdansk University of Technology in Poland and graduated from Oxford University, UK in 1994 in Physics and Philosophy.
Principal Architect at SuccessFactors
Jimenez, Juan Jose Rider
CEO at WUL4, Spain
• Financial industry: designer of computer solutions (ecommerce, PCI-DSS, etc)
• Healthcare system architect: ChipCard (https://www.chipcard-salud.es/)
• SOA-related technologies expert
• Web Services expert
• High-performance required application architect
• J2EE related-technologies expert
• IBM Websphere expert
• Payment methods and protocols, ecommerce, Internet, 3D-Secure, 3DSET, SPA/UCAF, etc
• JSF, RichFaces, Ajax
• Team Leadership.
• Business Development.
Specialties: E-Invoice expert(facturae, etc), PCI-DSS, Security for Web Applications, Web Services, e-commerce, SOA, J2EE,...
Work for a financial institution in their code review group.
Have been working on application security issues for over 8 years
(focused on security code review for last 3+ years). Published
articles related to enterprise application integration, scalability,
and security. Been recently focused on XSS remediation and DOM based
XSS. Also interested in Unicode exploits and filter bypassing using
character set mismatches. Recently contributed the candidate chapter
for Output Encoding for the Web App Security Guide 3.0. Looking to
contribute more to XSS, AJAX security, Unicode content on the OWASP site.
Eoin is a senior manager with Ernst & Young Risk Advisory Services, responsible for Attack and Penetration services for EMEIA. He is a member of the Global Board of OWASP, the founder of the Irish chapter of OWASP and also editor/lead of the published OWASP Code Review (2007/2008) and Testing (V2.0) Guides 2007. He specializes in global large scale penetration testing services. He is also a coordinator for OWASP EU 2011 (to be held in June 2011) and previously organized OWASP Ireland 2009 & 2010.
Martin Knobloch is an independent Security Consultant at http://www.pervasec.nl. In his previous employment at Sogeti Netherlands B.V., Martin founded and led the Information security task-force PaSS (Proactive Security Strategy) addressing organization, infrastructure and software. Martin is a member of the OWASP Netherlands Chapter Board and Chair of the Global Education Committee. He is leading and contributing to various OWASP Projects and is a member of the OWASP Summit organization team.
Vlatko Kosturjak is a security consultant delivering his services in the Europe, Middle East and Africa (EMEA) region. He holds multiple certs like PCI QSA, CISSP, CISA, C|EH, LPIC-3...
He likes to contribute to open source (security) software and you can find his code in snort, OpenVAS, Nmap, Metasploit and w3af. He is OWASP Croatia chapter leader and OWASP favicon project leader.
Sherif Koussa is an application security independent consultant. Founder and Leader of OWASP Ottawa since 2006. Founder and principal consultant for Software Secured; an application security boutique shop.
Marinus Kuivenhoven works as a Senior Security Specialist at Sogeti Nederland BV. He has experience in developing for and administration of multi-tier systems.
He is one of the founders and an active member of the Sogeti taskforce PaSS (Proactive Security Strategy), which focuses on implementations of the secure development lifecycle.
Marinus developed and teaches several courses in application security for colleagues, educational institutes and customers.
He is actively involved in OWASP. In the past years he has written articles for magazines like Computable and We Love IT. He has spoken at several international events including OWASP, ROOTs, Open Source Developer Conference and Engineering World.
Nishi Kumar, Systems Architect, FIS. Nishi is an Architect with 20 years of broad industry experience. She is part of the OWASP Global Education Committee and project lead for the OWASP CBT (Computer based training) project. She is a committed contributor to OWASP. She has spearheaded the Secure Code Initiative program in the FIS Electronic Payments division. As part of that program, she has delivered OWASP based training to management and development teams in various groups in FIS. She has been involved with PA-DSS certification of several applications in FIS. Since joining FIS in 2004 she has worked as an architect and team lead for several financial payment and fraud applications. She has hands-on accomplishments in design, development and deployment of complex software systems on a variety of platforms. Prior to joining FIS, Nishi Kumar worked for Pavilion, HNC, Fair Isaac, Trajecta, Nationwide Insurance and Data Junction as Senior Software Engineer, Architect and in Project Management roles.
• Application security professional with experience in leading code review, penetration testing, and regulatory compliance assessments.
• Proficient software developer including time spent as technical lead for Java and Java EE applications.
• Broad training background including development of courses about software development and application security, as well as delivery in live, virtual and eLearning formats.
• Heavy involvement in the Open Web Application Security Project (OWASP) Foundation including:
- Co-Chair of the OWASP Global Projects and Tools Committee
- Frequent speaker at OWASP Conferences
- Project Lead for the OWASP JSP Testing Tool
- Core Contributor to the OWASP AntiSamy Project
David Lindsay is a Senior Security Consultant with Cigital. His primary areas of interest include web application vulnerabilities, cryptography and web standards. His primary area of disinterest is
Jeremy Long is an Information Security Engineer for a large financial institution. He has been involved in drafting secure coding policies, delivering secure development training, and performing security code reviews. He has a MS in Information Security from James Madison University and currently holds the CISSP and GSSP-J certifications.
Nuno has an MSc in Information Technology - Information Security from Carnegie Mellon University and currently works for SAPO, where he leads the Security Team. Besides his passion for Security and Web Security, he loves hiking and traveling.
Pavol gained his MSc in Computer Science at the Czech Technical University in Prague, Czech Republic, with a master's thesis focused on ultra-secure systems. He holds many prestigious security certifications including CISSP and CEH. He is the Slovak OWASP chapter leader and co-founder of the first Slovak hackerspace, Progressbar, and of the Society for Open Technologies (SOIT), where he is primarily responsible for IT security.
Pavol presents regularly at security conferences worldwide (in the Netherlands, Luxembourg, Berlin, Warsaw, Krakow and Prague). In the past he demonstrated vulnerabilities in public transport SMS tickets in all major cities in Europe and, together with his colleague Norbert Szetei, practically demonstrated vulnerabilities in Mifare Classic RFID cards. He has 14 years of experience in IT security, penetration testing and comprehensive OWASP security audits, including social engineering and digital forensic analysis.
He is one of the co-authors of the OWASP Testing Guide v3, has a deep knowledge of the OSSTMM and ISO 17799/27001, and has many years of experience in seeking out vulnerabilities.
At this time he is focused on web application obfuscation and GSM security.
Chris Lyon is the Director of Infrastructure Security at Mozilla.
Jim Manico is the producer and host of the OWASP Podcast Series. He is also the project manager of the OWASP ESAPI project, a contributor to the OWASP Cheat-sheet Series, the chair of the OWASP Connections committee, and a member of the OWASP mobile project.
Jim is currently an independent Application Security Architect and Educator. He has 15 years of experience developing Java-based, data-driven web applications for organizations such as FoxMedia (MySpace), GE, CitiBank, Sun Microsystems and Aspect Security. For more information, please see http://www.manico.net. Jim has also provided Application Security Developer Education services for Fortune 10, government and NGO institutions.
CTO, Hacktics; Chairman, OWASP Israel
Ofer Maor has over fifteen years of experience in Information Technology and Security. Mr. Maor is a pioneer in the Application Security field: he has been involved in leading research initiatives, has published numerous papers, appears regularly at leading conferences and is considered a leading authority by his peers. He also currently serves as the Chairman of OWASP Israel. Before founding Hacktics, Mr. Maor led Imperva's Application Defense Center, a research group focused on application security services and education. In this capacity, he advanced research activities and was responsible for all the application security services conducted by the company. He was previously a Senior Security Consultant at eDvice, an application security consulting firm, and served for three years as an Information Security Officer in the Israeli Defense Forces.
I have a degree in Economics and extensive experience in finance, trading and derivatives.
Later I combined this experience with ICT matters, and now, after having worked for some years for Getronics both in Italy and in worldwide groups, I lead the consulting team of about 25 people at Business-e.
My main activities are in Governance, Audit and Ethical Hacking, with a group of 10 testers.
My main certificates are CISA, ISO 27001 Lead Auditor, ITIL v3, CRISC and COBIT.
Many years of experience in a variety of challenging Senior Information Security, Risk Management, Business Continuity Planning and Consultancy roles. I have been working at Tata Consultancy Services as the Information Security Manager since 2007. I'm in charge of the Information Security Area, implementing ISO 27001, Internal Audit, Security Incident Management, Architecture & Design Review, Penetration Testing and Software Security for the Latin American region, and in charge of the Advisory of Security Services department. I'm a CISSP. I have executed BCP and Information Security projects in Chicago, US, and in Dubai, UAE. I have previous experience working at PricewaterhouseCoopers as a Senior BCP Consultant. I have developed business continuity plans for many of our clients.
Christian Martorella has been working in the field of information security for the last 10 years, starting his career at the Argentina IRS as a security consultant; he is now Practice Leader in Threat and Vulnerability - EMEA at Verizon Business. He is a co-founder and active member of the Edge-Security team, which releases security tools and research. He has been a speaker at What The Hack!, NoConName, FIST Conferences, OWASP Summit 2008, OWASP Spain IV & VI, Source Conference Barcelona and Hack.LU. Christian has contributed open source assessment tools such as OWASP WebSlayer and Metagoofil. He likes everything related to Information Gathering and Penetration Testing. Christian currently holds the President position on the FIST Conferences board, and in the past taught Ethical Hacking on the IT Security Master at La Salle University.
Neil Matatall is a Consultant for FishNet Security as part of the Application Security team. After starting off as a developer, Neil was asked to investigate application security and he hasn't looked back since. In OWASP, Neil has been a conference organizer (AppSec US 2010 and AppSec Academia '09), chapter leader (Orange County), project committer (ESAPI), and global conference committee member.
Internet threat generalist with a research background. Currently managing the Security Incident Response team at Facebook, handling all high severity security incidents.
Specialties - Phishing, Botnets, Spam, Social Networks, Social Media, Security Team Building, Security Community Engagement, Security Strategy, Security Investigations, Security Management, Web Application Security, Startup Security
I'm the CTO at DRI, a Portuguese company focused on open source environments. I have over 10 years of experience working with Linux and open source technologies like PHP and MySQL. I've been involved in a large number of projects, both web and non-web applications, from small ones to clusters of more than 100 computers, as developer, system administrator and software architect.
I've worked in the security area for a few years, mostly in network security doing traffic analysis and network reverse engineering. I'm a member of the Portuguese Honeynet Project and I'm currently working for SAPO, which is the most visited site in Portugal, in the Web Security team.
Matteo has undergraduate degrees in Computer Science Engineering from the University of Bologna (Italy).
He has been the OWASP-Italy Founder and Chair since January 2005 (http://www.owasp.org/index.php/Italy), has led the new OWASP Testing Guide since 2006 (http://www.owasp.org/index.php/OWASP_Testing_Project), and is starting the OWASP Common Vulnerability List with Anurag Agarwal and Eoin Keary (http://www.owasp.org/index.php/OWASP_Common_Vulnerability_List). He is a contributor to OWASP SAMM (http://www.opensamm.org). He holds the CISSP and CISA certifications. Matteo is the CEO and a co-founder of Minded Security, an Application Security Consulting Company, with more than 10 years specializing in information security, and has collaborated for several years on the OWASP project. Matteo is invited as a speaker at many events all around the world, talking about Web Application Security.
Tom "c0redump" Neaves M.Sc, B.Sc (Hons) is a Principal Security Consultant at Verizon Business (formerly NetSec) where he is part of the Threat and Vulnerability Consulting EMEA Practice. Tom is also studying for a Ph.D in Information Security on a part-time basis back at Royal Holloway, University of London. Anything that speaks HTTP or gets transmitted over the air has his full attention!
In October 2010 I assumed the position of OWASP Training Manager and will be responsible for managing the OWASP 'Chapter-lead' Training activities and operationalising the concept of 'OWASP Academies'. Throughout this process, I will be managed by Dinis Cruz and report directly to the OWASP Board. I was, up to the end of July 2010, Head of Customer Relationship Management (CRM) for Europe, Middle East and Africa at the Mergermarket Group (part of the Financial Times Group), having joined the company in July 2007 as a CRM Executive. I have a graduate degree in Statistics and Management of Information and a post-graduate degree in the same area. Before joining Mergermarket, I worked for two years at Dealogic on the Mergers & Acquisitions and Loan Markets products.
Prior to moving to London in 2004, I worked at several universities in Portugal, where I first, for roughly half a dozen years, taught Maths and Statistics and thereafter, for an academic year, worked on the conceptualization, development and production of materials to support academic and scientific events and on the creation of methodologies to repackage content and support academic and scientific activity.
Dr Konstantinos Papapanagiotou has more than 7 years of experience in the field of Information Security both as a corporate consultant and as a researcher. Currently, he is Information Security Risk Management Services Manager of Syntax IT Inc and leader of the OWASP Greek Chapter. He holds a BSc from the Department of Informatics and Telecommunications, University of Athens, an MSc with distinction in Information Security from Royal Holloway, University of London and a PhD in Information and Network Security from the Department of Informatics and Telecommunications, University of Athens. He is the author of more than 10 scientific publications. He is a member of the ACM, IEEE and also a founding member of the Institute of Information Security Professionals (IISP). His current research interests are in the areas of application security, trust and security in pervasive and ubiquitous computing and steganography.
Paolo was born in 1976 in Milan, Italy. Since he was 5, he has been disassembling toys trying to understand their internals... it was very rare that he was able to put the pieces back in their place. So his infancy was full of broken toys... but at least he discovered what's inside a little car that moves by itself. Let's call this Paolo's life phase: 'Breaking the law'
When he discovered computers, Paolo also learnt to repair the software he broke. He started patching buffer overflows, format string bugs and other crappy C programs. It was 1996; he discovered Linux, networking and kernel land. It was the time when Pink Floyd were on loop in Paolo's walkman. Let's call this Paolo's life phase: 'So your instruction pointer is full of 0x41?'
Nowadays Paolo's interest in reviewing and fixing broken code has turned him into an application security specialist. He wrote software for an Italian web agency, and he has a side project as an Independent Software Vendor at armoredcode.com. He is involved in OWASP as Project Leader of OWASP Orizon (a code review engine) and the OWASP ESAPI for Ruby port. He is also on the OWASP Italian chapter board. It's the time when Pearl Jam and old school metal fill Paolo's mp3 player; he is a husband, a proud father, a guitarist and he is close to being a black belt Taekwon-do ITF martial artist. Let's call this Paolo's life phase: 'Stay hungry, stay foolish'
Linda, from the Netherlands, is a Java Programmer in daily life. Living with an active OWASP member, she's been visiting a lot of conferences, slowly getting more and more interested in security. This week, she's on the support team for the OWASP summit, helping out with whatever needs to be done.
OWASP member and senior consultant focused on web application security, living in Munich, Germany. You can find some more specific information on my Xing.com profile.
Once a month I organize the "OWASP regulars' table" in Munich, Germany. You might want to have a look at the Stammtisch-Initiative if you are visiting Germany, are fed up with Neuschwanstein and the like, and are looking for some nerdy tech talk combined with the Bavarian beer-drinking tradition ;-)
Founder of Sic!Sec
Georg Simon Ohm University of Applied Sciences. OWASP University Chapter
David Ross is a Principal Security Software Engineer on the MSRC Engineering team at Microsoft. Prior to joining MSRC Engineering in 2002, David spent his formative years on the Internet Explorer Security Team and wears the battle scars with pride. David’s blog: http://blogs.msdn.com/dross
I am working as a research assistant at the Georg-Simon-Ohm University of Applied Sciences in Nuremberg, Germany.
The research project started in September 2010 with the objective of detecting and evaluating the privacy impact of web sites based on client-side analysis. The privacy impact should be made visible to the user.
Prior to the research project, I worked for many years in the mobile communication sector, mostly as a system engineer for GSM and UMTS infrastructure.
* Working in a complex and diversified mobile/web environment.
- Member of the board (in 2007) in the Finnish Information Security Association i.e. Tietoturva ry (www.tietoturva.org).
- Founded and chaired the OWASP Helsinki Chapter (www.owasp.org).
Mike Samuel is an engineer in Google's Applied Security group working on programming-language-based approaches to web application security. He is involved in the ECMAScript standards process and is one of the implementors of Caja, a system that allows for secure composition of web applications using existing standards. Lately he has been working on static type reasoning to make template languages robust against XSS.
Christopher Schmidt: GIS and Web Hacker
I am a professional web application developer, and have spent the past several years developing server and client side tools for the creation of web applications, especially applications which relate to mapping. Some of my most visible work over the past year is in the OpenLayers/TileCache/FeatureServer stack, a collection of open source tools designed to help users build mapping applications.
I've held a variety of different positions across the IT spectrum, with most of my time focused on the security side of the industry. I like interesting technical challenges and solving unique problems.
Specialties: Software reverse engineering, security assessment, exploit development. Software development on a wide range of languages, platforms and technologies. Management of software development and security consulting teams.
Justin Searle is a Senior Security Analyst with InGuardians, specializing in the penetration testing of web applications, networks, and embedded devices, especially those pertaining to the Smart Grid. Justin is an active member of ASAP-SG (Advanced Security Acceleration Project for the Smart Grid) and led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628. Previously, Justin served as JetBlue Airways' IT Security Architect, and has taught courses in hacking techniques, forensics, networking, and intrusion detection for multiple universities and corporations. Justin has presented at top security conferences including DEFCON, ToorCon, ShmooCon, and SANS. Justin co-leads prominent open source projects including the Samurai Web Testing Framework, Middler, Yokoso!, and Laudnum. Justin has an MBA in International Technology and is a CISSP and SANS GIAC certified Incident Handler (GCIH), Intrusion Analyst (GCIA), and Web Application Penetration Tester (GWAPT).
Application Security Specialist - Trustwave
Assistant Professor at ISCTE-IUL (Lisbon University Institute)/SoTA (School of Technology and Architecture)/DCTI, where I teach several subjects related to Information Systems, Information Security, IT/IS Project Management and Entrepreneurship (both on BSc and MSc programs).
ADETTI-IUL Researcher and Project Manager where I'm working mostly on the following research topics:
- Distributed Systems, Applications and Information Security
- Management and Protection of e-Intellectual Property and e-Contents
- Web-based and Mobile-based Information Systems
Projects. Experience in participation in multiple national and international co-operation IT/IS projects and provision of consulting services to different companies.
OWASP.PT leader. Currently working to evangelize OWASP good practices and the OWASP mission of improving web application security.
Author. I'm the author and co-author of several articles published in scientific conferences, proceedings, journals and project deliverables. Also the co-author of one of the best-selling Portuguese books about PHP programming. Geek. Love technology. Huge fan of gadgets.
OS agnostic. Linux, Mac OS X, Windows. Bring them all!!!
Brandon Sterne is the Security Program Manager at Mozilla where he works on security releases and designs and implements browser security features.
John Steven is the Senior Director, Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.
Ever since Cecil Su began working in the financial services industry, his interest in information security (and especially in application security) has been stoked. In his extra-curricular activities after office hours, he took every opportunity to learn about the craft. Now, ten years on, Cecil's day job is as a director of Grant Thornton LLP in Singapore. As head of the Technology Advisory unit, he leads various engagement teams on diversified projects across vertical industries. His areas of focus are IT Assurance, IT Security Advisory and Digital Forensics.
Aside from being a committee member of the OWASP GEC, he has also contributed to the OWASP Testing Guide, and coordinated efforts for the internationalisation of OWASP materials into Asian languages. Cecil is also the current Chapter Lead for the Singapore Honeynet Project, ExCo member of the Association of Information Security Professionals (AISP), and a member of the Security Controls and Security Services Working Group (Singapore representative body for ISO/IEC JTC 1/SC 27/WG 4).
Dr. Vehbi Tasar, CISSP, CSSLP, Director of Professional Programs Development - Vehbi is in charge of all exam development at (ISC)². His responsibilities include exam question and content development, psychometric oversight of the exam questions, and maintenance of the ANSI certification for all (ISC)² credentials. Vehbi joined (ISC)² in June 2008 to develop a new security credential called Certified Secure Software Lifecycle Professional (CSSLP). Prior to joining (ISC)², Vehbi worked in the software industry for over 30 years. He has a broad spectrum of application development expertise ranging from high performance computing to database application development and distributed enterprise computing for IT infrastructure. Vehbi holds a B.S. degree in Electrical Engineering from the Middle East Technical University in his native Ankara, Turkey. He received an M.S. degree in Computer Science from the University of Missouri, Rolla, and a Doctor of Engineering degree in Electrical Engineering from the University of Detroit Mercy in Detroit, Michigan.
Chief Technology Officer, Security Innovation
Mr. Taylor leads the strategic direction for all technology initiatives and manages world-class development teams for the company's product lines. He has spent his career focused on application development and testing with a primary focus on application security. His unrivaled understanding of application behavior provided the impetus for Security Innovation’s industry pioneering fault injection tool, Holodeck Enterprise Edition, and critical enhancements to the company’s internal testing and development tools. Mr. Taylor was the visionary and designer of the Company’s “Creating Secure Code” methodology and course which has been taught to several of the world's largest technology organizations.
Prior to joining Security Innovation, Mr. Taylor served as test architect, security lead and development manager at Microsoft for various releases of Internet Explorer and Windows. He was the first member of the Internet Explorer security test team, and as the security team lead, he grew it from a solitary operation to the leading application security test team at Microsoft. Later, he built the Test Model Toolkit which became the standard model-based testing tool at Microsoft, winning a Best Practice Award along the way.
Mr. Taylor is an external reviewer, contributor and primary author for Microsoft patterns & practices security guidance. He has published several whitepapers including “Web Services Risk Assessment and Recommendations” and “Security Threats: Risks, Protection & Limitations" for CIO Update. He is co-author of "Team Development with Visual Studio Team Foundation Server" and “Improving Web Services Security” with J.D. Meier of Microsoft. Mr. Taylor received his C.S. degree from Montana State University.
Matt has been involved in the Information Technology industry for more than 10 years. Prior to joining Praetorian, Matt was a Security Consultant at Trustwave's SpiderLabs. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to the Secure SDLC efforts he's driven. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training at various industry events including the DHS Software Assurance Workshop, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil.
Matt is currently on the board of the OWASP Foundation and highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP WTE (Web Testing Environment), which is the source of the OWASP Live CD Project and of Virtual Machines pre-configured with tools and documentation for testing web applications.
Industry designations include the Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Matt Tesauro has a B.S. in Economics and an M.S. in Management Information Systems from Texas A&M University.
Mark Thomas is a Staff Engineer with the SpringSource division of VMware. The majority of Mark's time is spent on the development of Apache Tomcat but he also provides expert Tomcat advice to the SpringSource support team and he leads the SpringSource security team as well as the integration of Tomcat with tc Server.
Mark has been using and developing Apache Tomcat for more than seven years. He became involved in the development of Tomcat when he needed better control over the SSL configuration than was available at the time. After fixing that first Bugzilla issue, he started working his way through the remaining Tomcat issues and is still going. Along the way, Mark became a Tomcat committer and PMC member, undertook the majority of the Servlet 3.0, JSP 2.2 and EL 2.2 development for Tomcat 7, created the Tomcat security pages, became a member of the ASF, joined the Apache Security Committee and is an Apache Commons PMC member where he contributes to Commons Pool, DBCP and Daemon. He is currently the Tomcat 7 release manager and also helps maintain the ASF's Bugzilla and Jira instances.
Mark has an MEng in Electronic and Electrical Engineering from the University of Birmingham, United Kingdom.
Ben Tomhave is a Senior Security Analyst with Gemini Security Solutions in Chantilly, VA, specializing in solutions architecture, security planning, security program development and management, and other strategic security solutions.
Ben holds a Master of Science in Information Security Management from The George Washington University. He is a Certified Information Systems Security Professional (CISSP), co-vice chair of the American Bar Association Information Security Committee, member of ISSA, member of OWASP, and member of the IEEE Computer Society. He is a published author and an experienced public speaker.
Prior to his current endeavor, Ben has worked in a variety of security roles for companies including BT Professional Services, AOL, Wells Fargo, ICSA Labs, and Ernst & Young.
Over the years I have held a number of positions at The Boeing Company including: Application and Information Security Assessments team leader, lead IT security adviser for international operations, supplier security analyst, engineering systems integrator, software developer and senior manufacturing engineer on the 747 airplane program.
• I represent Boeing at the International Committee for Information Technology Standards' cyber security technical committee.
• I represent the United States as a delegate to the International Standards Organization's (ISO) subcommittee on cyber security.
• I recently joined the national Software Assurance (SwA) Working Group
• I am the Director of the HPPV Northwest regional engineering competition.
• My work with college engineering education led to a 2005 national award from the American Society of Engineering Education.
• You can see my OWASP project on secure coding practices here: http://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
• The presentation on my OWASP project at AppSec USA 2010 can be found here: http://vimeo.com/17018329
• You can see the video of my AppSec USA 2009 presentation on Building Security Assessment Teams here: http://vimeo.com/8989378
- Selected as Eastern Washington University's 2010 Distinguished Alumni of the Year for service to the community
- Launched new OWASP project: Secure Coding Practices - Quick Reference Guide
- Speaker at AppSec USA
- Speaker at OWASP DC
- Speaker at the Department of Homeland Security's Software Assurance Forum
- Contributor to The Open Group white paper "Trusted Technology Provider Framework"
Develop and lead strategic IT & IS solutions for businesses that seek to mitigate IT operational and security risk through robust, cost effective programs, while maintaining a strategic alignment to key business objectives and providing overall value to the enterprise.
Specialties - Security Risk Management, Risk Assessment Methodologies, Business Impact Analysis, Business Process Engineering, Maturity Modeling, Security Training, Vulnerability Assessment, Policy Management, Compliance Audits, Business Continuity Planning, Remediation Management
Platform Security Strategist at Adobe
van der Baan, Steven
I'm Steven van der Baan. I'm a father of two (a boy and a girl) and I work as a Software Architect and Security Consultant for Sogeti Nederland BV. I have been using computers for 27 years now, starting with the ZX81, where I learned to program inside a whopping 1K of memory. Every other computer thereafter was a bundle of joy and adventure. This adventure is something that I'm now trying to share with my kids.
I started with OWASP through Martin Knobloch, then a colleague of mine. He was hosting the CTF at AppSec DC 2009. He called me up due to some minor problems and (of course) I helped. This became somewhat regular, and eventually I took over the project leadership of the CTF project from him.
Senior Security Consultant Greece at Atos Origin
WebAppSec Researcher (sirdarckcat)
Experienced web application security researcher, who has assisted several companies, including Adobe, Apple, Google, Microsoft, Mozilla, Oracle and Symantec, among others, in the resolution of security issues.
Has given courses and talks at security conferences including DNS International, Microsoft BlueHat V8 (October 2008), BlackHat USA (2009), XCon (2009), BlackHat Europe (2010), OWASP Day Mexico (2010) and OWASP AppSec Sweden (2010), among others.
Knowledgeable in SQL, PHP, Python and Ruby for web development, and C/C++ for application development, with extreme care taken to make code fast and efficient but, most of all, secure.
He's also an enthusiast of Internet Culture and Social Networking research, music and literature, as well as a fan of solving algorithmic problems.
Vilares Da Silva, Luis
Luis Vilares da Silva worked at the Portuguese central statistics office (INE) as a systems and network engineer and software engineer from 1990 to 1999. He worked as a webmaster, web developer and software engineer at the European police office (EUROPOL) in The Hague from 1999 to 2009. In that period he did his MSc in IT Security and CISSP certification, MS training 70-340, and is MSTS for SharePoint 2007. He did some audits and risk mitigation on finance systems in Portugal in 2010 and is back in The Hague to work as a software architect within the Organisation for the Prohibition of Chemical Weapons (OPCW), where he is trying to leverage some security into the various developed and under-development applications. Last but not least, Luis is in the process of finalizing an MSc in forensic computing and cybercrime investigations from UCD Dublin, open to law enforcement only.
Dr. Vasileios Vlachos is a lecturer at the Department of Computer Science and Telecommunications of the Technological Educational Institution (TEI) of Larissa. He was a senior R&D engineer at the Research Academic Computer Technology Institute (R.A.C.T.I.) of Patras, Greece. He was a member of the Digital Awareness and Response to Threats (DART) team of the Special Secretariat for Digital Planning of the Hellenic Ministry of Economy and Finance. Dr. Vlachos holds a Diploma of Engineering in Electronic & Computer Engineering from the Technical University of Crete, an MSc in Integrated Hardware and Software Systems from the Department of Computer Engineering and Informatics of the University of Patras and a PhD in Information Systems Security from the Department of Management Science and Technology of Athens University of Economics and Business. Dr. Vlachos has taught at the University of Thessalia, the University of Central Greece and the University of Piraeus.
Security Officer at Nationale-Nederlanden (ING)
Colin Watson is a consultant and co-founder of Watson Hall Ltd. Colin has a production and process engineering background, but has worked in information systems for fourteen years, concentrating exclusively on web application development, security and compliance. His work involves the management of application risk, building security and privacy into systems development and keeping abreast of relevant international legislation and standards. He has a particular interest in creating user trust in web systems and the relationships between security and usability. Colin has spoken at several OWASP chapter meetings and conferences on topics including web content accessibility guidelines, the Open Software Assurance Maturity Model and AppSensor. He contributes to a number of OWASP projects and is a member of the OWASP Global Industry Committee, having been its chair for 2009-2010. He writes a blog about web security, usability and design under the pseudonym Clerkendweller. He holds a BSc in Chemical Engineering, and an MSc in Computation from the University of Oxford.
David Weston is a Security Engineer at Microsoft where he works on the team responsible for the security testing of Windows. David previously worked as a security consultant at a major defense contractor where he worked on projects for Department of Defense, Federal, and Enterprise customers. He is an experienced security researcher and has presented at numerous security conferences such as Blackhat and Defcon, in addition to discovering vulnerabilities in several major software packages.
Information Security consultant continuously since 1989. Current focus area is in Application Security Consulting, including Developer Training, Security Code Reviews, Application Penetration Testing, Technology Selection, Security Policy Development, Infusing Security into the Software Development Lifecycle, and the development of Standard Security Controls. Particular expertise in Security of Web Applications.
Currently member of the OWASP Board, the OWASP Conferences Chair, and coauthor and project lead of the OWASP Top Ten Most Critical Web Application Security Vulnerabilities (http://www.owasp.org/index.php?Top10).
Early career focused on InfoSec for DoD, including C&A, Trusted Product Evaluations, Multilevel Security, and Cross Domain Solutions (e.g., Guards) for product vendors, large DoD integrators, and the NSA.
Specialties - Application Security Consulting (specialty focus on Web Application Security), Information Security, Certification & Accreditation, Multilevel Security, Cross Domain Solutions (Guards), Secure Software Development in Java
John started the Swedish OWASP Chapter in 2007 and has since served as its leader and co-leader. In 2010 he chaired the most successful OWASP AppSec EU conference so far, OWASP AppSec Research 2010. John, along with the Swedish chapter, is listed as a contributor to OWASP Top 10 2010.
Jeff Williams is the founder and CEO of Aspect Security, specializing in application security services including code review, penetration testing, training, and eLearning. Jeff also serves as the volunteer Chair of the Open Web Application Security Project (OWASP) where he has made extensive contributions, including the Top Ten, WebGoat, Secure Software Contract Annex, Enterprise Security API, Application Security Verification Standard, OWASP Risk Rating Methodology, starting the worldwide local chapters program, and starting the Rugged Software movement. Jeff holds advanced degrees in psychology, computer science, and human factors, and graduated cum laude from Georgetown Law. You can contact Jeff at firstname.lastname@example.org.
Doug Wilson is one of the co-chairs of the Washington DC OWASP chapter, and one of the organizers of the OWASP AppSec DC conference in Washington DC. He is a Principal Consultant for MANDIANT, a full service security company based out of the Washington DC area.
Doug has been involved in information security for over a decade. He got his start in the Web 1.0 dot-com years working for web hosting companies, and ended up doing government contracting, with expertise in incident response and multi-tiered application architecture. He currently supports government contracts exploring ways of improving software assurance and confidence in COTS software. He has spoken at a wide variety of professional events in Washington DC, including Shmoocon, and the High Confidence Software and Systems (HCSS) conference.
Starting as soon as he could grip a screwdriver, Stefan spent his formative years hacking and tinkering with anything run by electricity. Later Stefan joined the Boston-area hacker group L0pht, and was a member for five years. In 1998 Stefan and the other L0pht members testified before the United States Senate as part of a series of hearings on "Weak Computer Security in Government: Is the Public at Risk?" For the past 13 years Stefan has been working at Harvard University where he has been involved with security, high-performance research computing, networking, and systems infrastructure. His current role is Senior UNIX Engineer.
Chris Wysopal, Veracode’s CTO and Co-Founder, is responsible for the company’s software security analysis capabilities. In 2008 he was named one of InfoWorld's Top 25 CTOs and one of the 100 most influential people in IT by eWeek. One of the original vulnerability researchers and a member of L0pht Heavy Industries, he has testified on Capitol Hill in the US on the subjects of government computer security and how vulnerabilities are discovered in software. He is the author of “The Art of Software Security Testing”, published by Addison-Wesley.
John Yeo is Director of Trustwave’s SpiderLabs for the EMEA region. SpiderLabs, one of the world’s largest global security practices, is the advanced security division within Trustwave. SpiderLabs is focused on application security, incident response, penetration testing, physical security and security research. At Trustwave John is responsible for managing the various SpiderLabs teams and all aspects of service delivery within the EMEA region.
Michael Zusman is a Managing Principal Consultant with the Intrepidus Group. At Intrepidus, his focus is on assisting clients in architecting secure mobile solutions and applications for various platforms including iOS, Android, and RIM. Prior to joining Intrepidus Group, Mike has held the positions of Escalation Engineer at Microsoft, Security Program Manager at Automatic Data Processing, and lead architect & developer at a number of smaller firms.
In addition to his corporate experience, Mike is an independent security researcher, and has responsibly disclosed a number of critical vulnerabilities to commercial software vendors and other clients. He has spoken about mobile application security at a number of top industry events including Black Hat, CanSecWest, OWASP meetings and at local colleges including Polytechnic University.
Mike brings 12 years of security, technology, and business experience to Intrepidus Group. He has attained the CISSP certification, and is a co-leader of the OWASP Mobile Security Project.