SOURCE Boston 2008 - Speakers And Publications
WEDNESDAY, MARCH 12th, 2008
Tracks: Business And Security, Application Security, Security And Technology

9:00am Registration Desk Opens
11:00am - 11:45am Informal Advisory Board Meet and Greet
11:45am - 12:00pm Welcoming Remarks: Tito Jackson, Director of Information Technology, Massachusetts Office of Business Development
12:00pm - 12:50pm Keynote Speaker - Richard Clarke: The Current State of the War on Terrorism and What it Means for Homeland Security and Technology
1:00pm - 1:50pm
  • Mike Rothman: How Compliance Can Get You Killed
  • Matt Moynahan: Your Car Passed Inspection... But What About Your Software?
  • Roger Dingledine: How To Make Tor Play Well With The Rest Of The Internet
2:00pm - 2:50pm
  • Rich Mogull and Christofer Hoff: Disruptive Innovation and the Future of Security
  • Robert Martin: Having a Defined Target for Software Security Testing
  • Michael Rash: Advanced Linux Firewalls
3:00pm - 3:30pm Snack Break
3:30pm - 4:20pm
  • CEO Panel
  • Steve Patton: Investigation Techniques for Social Networking Sites
  • John Amaral: Content Awareness – A Cornerstone to Data Protection
4:30pm - 5:30pm
  • Entrepreneur Panel
  • Andrew Jaquith: Not Dead But Twitching: Anti-Virus Succumbs to the Scourge of Modern Malware
  • James Atkinson: Telephone Defenses Against the Dark Arts
  * this session will end at 6:30pm
7:00pm - 10:00pm Speaker Party


THURSDAY, MARCH 13th, 2008
Tracks: Business And Security, Application Security, Security And Technology

8:00am - 9:00am Breakfast
9:00am - 9:50am Keynote - Dan Geer
10:00am - 10:50am
  • Rich Mogull: Understanding and Preventing Data Breaches, The Real World Edition
  • Panel Discussion: Web Applications
  • Ryan Permeh: Vulnerability in the Real World: Lessons From Both Sides of the Fence
11:00am - 11:50am
  • Panel Discussion: The end of our rope: The tug-o-war between business and security
  • Steven Dewhurst: The CERT C++ Secure Coding Standard
  • David Dittrich and Bruce Dang: Understanding Emerging Threats: The case of Nugache
12:00pm - 1:00pm Lunch
1:00pm - 1:50pm
  • Lee Kushner and Michael Murray: Managing Your Career in Infosec
  • Nish Bhalla and Krish Raja: Detailed Threat Modeling
  • Cédric Blancher: Deperimeterization - Dream or Nightmare for Network Security?
2:00pm - 2:50pm Keynote - Steven Levy
3:00pm - 3:30pm Snack Break
3:30pm - 4:20pm
  • Carole Fennelly: Developing an Incident Response Plan
  • Jeremiah Grossman: Business Logic Flaws
  • Gary Sevounts: Critical Infrastructure Protection: SCADA in the Internet World
4:30pm - 5:30pm
  • Jeff Richard and Rob Cheyne: Banking on Education: A case study on security training programs
  • Steve Lipner: A Security Metric for Software Developers
  • Eugene Kuznetsov: SOA Security
8:00pm Pub Crawl


FRIDAY, MARCH 14th, 2008
Tracks: Business And Security, Application Security, Security And Technology

9:00am - 10:00am Breakfast
10:00am - 10:50am
  • Andy Sudbury: Establishing a Security Metrics Program
  • Sinan Eren: Information Operations
  • Frank Rieger: Current and future security issues in mobile devices and networks
11:00am - 11:50am
  • John Nye: Avoiding Audit Overlap
  • Sandy Bird: Don't Tell Me What, Tell Me Who: Correlating User Identity and Application Data to Threats
  • Raffael Marty: All the Data That's Fit to Visualize
12:00pm - 12:50pm
  • SOURCE Feedback Session
  • Ero Carrera - Zynamics, GmbH: Automated Structural Malware Classification
  • Rick Wesson: Bots -- The Global Infection Rate
1:00pm - 2:00pm L0pht Panel
2:00pm Closing Remarks


Special Guests

Special guests include Richard Clarke and former members of L0pht Heavy Industries, including Mudge, Weld Pond, DilDog, Space Rogue, Silicosis, and John Tan, speaking together for the first time in 10 years.



Richard Clarke

Richard A. Clarke is an internationally recognized expert on security, including homeland security, national security, cyber security, and counterterrorism. He is currently Chairman of Good Harbor Consulting and an on-air consultant for ABC News. Clarke served the last three Presidents as a senior White House Advisor.

Over the course of an unprecedented 11 consecutive years of White House service, he held the titles of Special Assistant to the President for Global Affairs, National Coordinator for Security and Counterterrorism, and Special Advisor to the President for Cyber Security. His published works include the New York Times #1 bestseller Against All Enemies, Scorpion's Gate, and Breakpoint.

Mr. Clarke will be discussing the current state of the war on terrorism and what it means for homeland security and technology.



L0pht Heavy Industries

L0pht Heavy Industries, the renowned Boston-area hacker think-tank, will reunite for a panel discussion of the last decade of the security industry and how it has evolved.

The discussion will include insights on new security technologies and the panelists' predictions on the future of the industry. Panel members will include:

  • DilDog
  • John Tan
  • Mudge
  • Silicosis
  • Space Rogue
  • Weld Pond
  • ...more to be announced...


Keynote Speakers

Dan Geer (Daniel Earl Geer, Jr., Sc.D.)

Dr. Dan Geer is currently Vice-President and Chief Scientist at Verdasys, a software solutions company designed to protect and manage the flow of data essential to the operation of businesses on a global basis. Geer is considered to be an expert in computer security and has testified before Congress on multiple occasions and has served in formal advisory roles for the Federal Trade Commission, the National Science Foundation, the Treasury Department, the National Research Council, the Commonwealth of Massachusetts, the Department of Defense, the National Institute of Justice and the Institute for Information Infrastructure Protection.

Steven Levy

Steven Levy is one of the pioneers of technology journalism, writing on the subject for over 20 years. At Newsweek since 1995, Levy joined the magazine as a contributing editor and columnist, and was promoted a year later to senior editor and main technology writer. He writes a biweekly column there, 'The Technologist,' in which he talks about trends, news, personalities and oddities.

A talented and respected author of six books, Levy is responsible for making 'hackers' a household word with 'Hackers,' which PC Magazine named the best Sci-Tech book written in the last twenty years and is considered a classic computer history. His book 'Crypto' won the grand eBook prize at the 2001 Frankfurt Book festival. His most recent book, 'The Perfect Thing' is the definitive book on Apple's iPod.


Speakers

Matt Moynahan - CEO, Veracode, Inc.
Bio: From his days running the $2 billion consumer and small business products division at Symantec to his tenure at Goldman Sachs, Matt Moynahan has developed a deep understanding of the challenges individuals and corporations face in protecting their digital assets. His leadership experience at top software and finance companies has given him a unique perspective on what it takes to secure software applications across increasingly complex software development lifecycles in order to provide protection against an increasingly hostile and targeted threat environment.

Topic: Your car passed inspection…but what about your software?
Today, millions of purchases are based on rankings and certifications published by third parties like Consumer Reports, and yet the $230 billion dollar software industry lacks any universal standard for evaluating the security of applications running across enterprises, government agencies, and financial businesses.

Matt Moynahan will explore how an independent scoring and rating system can help software developers and buyers understand how secure their software is. Matt will discuss the benefits of third-party validation and will illustrate how industry standards, such as the Common Vulnerability Scoring System (CVSS), can serve as the foundation for a concrete rating and scoring system.


Robert Martin - MITRE
Bio: Robert A. Martin is a Principal Engineer at MITRE. For the past 16 years, he has focused on the interplay of risk management, cyber security, quality assessment and the use of software-based technologies. The majority of this time has been spent working on security initiatives and assessing the quality and security risks within software systems. Robert is a frequent speaker on quality and security issues surrounding software systems and he has published numerous papers on these topics. Robert joined MITRE in 1981 with a bachelor's and master's in EE from RPI; he later earned an MBA from Babson College.

Topic: Having a Defined Target for Software Security Testing
Learn about the new efforts surrounding application security assessment technology that are dramatically accelerating the use of tool-based assurance arguments in assessing the security of software systems. This session will describe how government, industry, and academia are working together to develop assessment standards that are reshaping the code assessment industry to better support the certification of software systems.

Stephen C. Dewhurst - Co-Founder and President of Semantics Consulting, Inc.
Bio: Steve Dewhurst is the co-founder and president of Semantics Consulting, Inc. Steve is the author of numerous technical articles on C++ programming techniques and compiler design, is the author of C++ Common Knowledge (Addison-Wesley, 2005) and C++ Gotchas (Addison-Wesley, 2003), and is the co-author of Programming in C++ (Prentice Hall, 1989, 1995). He is a frequent speaker at industry conferences such as Software Development and Embedded Systems, a member of the advisory board for The C++ Source, and a visiting scientist at the Software Engineering Institute (SEI) at Carnegie Mellon University. Steve has mentored and consulted with C++/OO projects ranging in size from 1 to over 100 developers, in areas ranging from compiler design to embedded telecommunications to ecommerce to derivative securities trading.

As a Member of Technical Staff in the UNIX Development Laboratory at AT&T Bell Laboratories, Steve worked with Bjarne Stroustrup, the designer and first implementer of C++, on the first public release of the language and cfront C++ compiler, then served as the lead designer and implementer of the first non-cfront C++ compiler. As a compiler architect at Glockenspiel, Ltd., he designed and implemented a second C++ compiler.

Steve was a contributing editor for The C/C++ User's Journal, a principal lecturer at The C++ Seminar, has served as a principal on the ANSI/ISO C++ standardization committee, was the C++ training series adviser for Technology Exchange Company (Addison-Wesley), was a member of the editorial board of and columnist for C++ Report, and was co-founder and member of the editorial board of The C++ Journal. He has taught extensively in both university and commercial settings. He has also written C, COBOL, and Pascal compilers, was a principal on the ANSI/IEEE Pascal Standardization Committee, and a reviewer for ACM Computing Reviews.

Topic: The CERT C++ Secure Coding Standard
An essential element of secure coding is a well documented and enforceable coding standard. Coding standards encourage programmers to follow a uniform set of rules and guidelines determined by the requirements of the project and organization, rather than by the programmer's familiarity or preference. Once established, these standards can be used as a metric to evaluate source code (using manual or automated processes). This presentation describes efforts in the Secure Coding Initiative at the CERT Coordination Center to develop secure coding standards for C, C++, and other programming languages.

Bruce Dang - Microsoft
Dave Dittrich - University of Washington
Bio: Bruce Dang is a Security Software Engineer in the Secure Windows Initiative (SWI) Defense team. Prior to joining SWI, he worked as an analyst handling numerous security incidents at Microsoft and elsewhere. In another life, he provided rapid malware analysis for large corporate customers. Some of his geek interests include reverse engineering and reading.


Topic: Understanding Emerging Threats: The case of Nugache
Distributed intruder attack tools have evolved from the original "handler/agent" DDoS tools of 1998 to very large and powerful botnets in the early 2000s. Methods of command and control (C2) have also evolved, from direct client/server, to central C2 mechanisms, and today to advanced peer-to-peer mechanisms that are significantly harder to detect and react to.

In this talk, we will cover some reverse engineering methods used to understand advanced malware, and discuss a successful "proof of concept" P2P malware network known as Nugache. Some observations of the ways Nugache has been propagated and used will be covered.

Ero Carrera
Bio: Ero Carrera is currently a reverse engineering automation researcher at zynamics GmbH (formerly SABRE Security GmbH), home of BinDiff and BinNavi. He is a recurring trainer at the trainings held by the Black Hat conference. Ero previously spent several years as a Virus Researcher at F-Secure, where his main duties ranged from reverse engineering of malware to research in analysis automation methods.

Prior to F-Secure, he was involved in miscellaneous research and development projects and always had a passion for mathematics, reverse engineering and computer security.

While at F-Secure he advanced the field of malware classification with a joint paper with Gergely Erdelyi on applying genomic methods to binary structural classification. Other projects he's worked on include seminal research on generic unpacking. Additionally, Ero is a habitual lurker on OpenRCE and has contributed to miscellaneous reverse engineering tools such as pydot, ida2sql, Pythonika and the widely used pefile.

Topic: Automated Structural Malware Classification
With the advent of an economy relying on large bases of infected computers and the collection of personal information, malware has become an essential tool for the "harvesters". Such needs and a ready availability of financial resources have propelled the development of families of malware and protection techniques. This talk will outline methodologies that attempt to tackle the large number of otherwise very similar families, or strands, of malware in a generic and automated manner.


Carole Fennelly - Tenable Network Security
Bio: Carole Fennelly is an information security professional with over 25 years of hands-on experience in the computing technology field. She is the author of numerous articles for IT World, SunWorld and Information Security Magazine. A frequent speaker at security conferences, such as the Black Hat Briefings, her technical background includes in-depth security and administration knowledge of UNIX operating systems. Ms. Fennelly is presently a Security Information Specialist with Tenable Network Security.

Tenable Network Security is the leader in unified security monitoring.

Tenable provides agentless solutions for continuous monitoring of vulnerabilities, configurations, data leakage, log analysis and compromise detection. Tenable's award-winning products are utilized by many Global 2000 organizations and government agencies to proactively minimize network risk. For more information, please visit: http://www.tenablesecurity.com.

Topic: Developing an Incident Response Plan
It's Monday. You've got mail! A lot of it… 60 Minutes is holding on line 1, the DA is on line 2, the CEO is on line 3, and somebody claiming to be the Omnipotent Stomper is texting your cell. It's going to be a bad day… The worst time to plan for Incident Response is when you're in the middle of an incident. This may seem obvious, but it usually takes painful experience to get this point across to management. This presentation provides guidance to develop an Incident Response plan that covers Preparation, Detection, Evidence Collection, Investigation and Recovery.

Cédric Blancher - EADS Innovation Works

Bio: Cédric Blancher is head of Computer Security Research Lab at EADS Innovation Works. He's been working in the field of network security for the last 7 years, first as a security consultant, performing audits, penetration tests and trainings, then as research engineer at EADS Innovation Works since 2004. His research focuses on network security, especially wireless links. He is an active member of Rstack team, having worked on honeypots, network traffic diversion, segregation and analysis. He's been delivering presentations, workshops and trainings worldwide, and writing papers and articles on network and wireless security.
Cédric's website: http://sid.rstack.org/

Topic: Deperimetrisation - Dream Or Nightmare For Network Security?
As the perimeter-based approach to network security seems to be failing at protecting our infrastructures, and is increasingly felt by most users as a blocker for network applications, the idea of switching to a perimeter-less model is becoming popular. This presentation will discuss the pros and cons of this complete reversal of approach, best known as deperimetrisation, from both information protection and technical perspectives.

Mike Rothman - President and Principal Analyst, Security Incite

Bio: Mike Rothman is Security Incite's President and Principal Analyst. Mike's bold predictions and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike's deep security experience includes spearheading META Group's initial security research, founding SHYM Technology and serving as VP Marketing for CipherTrust and TruSecure.

Topic: How Compliance Can Get You Killed
The reality is compliance has become the “goal” for many security professionals. Keep the auditors happy and the CEO out of jail and there are no worries. Unfortunately, being compliant does not mean that an organization is secure. You need to look no further than TJX to prove that. This session focuses on three aspects of managing a security operation, based on the Pragmatic CSO methodology, and is targeted towards security managers and those that want to be a manager.


Chris Hoff - Chief Security Strategist at Unisys and Internet blogger
Bio: Christofer Hoff has over 15 years of experience in network and information security architecture, engineering, and operations. Hoff's expertise is focused on developing strategies for innovation in the area of information assurance, resilience, and rational risk management. Hoff is Unisys Corporation's chief architect of security innovation. He is tasked with architecting innovative security strategies, delivering differentiated solutions and collaborating with Unisys' global business unit leaders to unlock maximum value for the corporation and customers. Prior to Unisys, Hoff served as Crossbeam Systems' chief security strategist, responsible for the company's global security strategy and product management efforts, serving some of the most demanding and innovative customers on the planet.

Prior to joining Crossbeam, Hoff served as the chief information security officer and director of enterprise security services for a $25 Billion financial services cooperative where he leveraged his prior experience gained as founder and CTO of a national security consulting company which provided services to the Fortune 500 and service provider customers.

Hoff has raised venture capital, founded two startups and served on the board of directors and technical/customer advisory boards of several prominent companies. He is a prolific blogger (rationalsecurity.typepad.com), a featured speaker at numerous information security conferences, holds several security credentials and is an accomplished and accredited instructor in multiple security disciplines.

Topic: Disruptive Innovation and the Future of Security
IT departments have spent the last 10+ years enabling users by delivering revolutionary technology and delegating ownership and control of intellectual property and information in order to promote agility, innovation and competitive advantage on behalf of the business. Meanwhile IT Security has traditionally focused on reining in the limits of this technology in a belated compliance-driven game of tug-of-war to apply control over the business. The bad guys innovate far more rapidly than even the average tech startup, advancing to support their business at the expense of ours. Christofer Hoff, chief architect for Security Innovation at Unisys and former Security 7 winner, and Rich Mogull, Founder of Securosis, L.L.C. and former Gartner analyst, will highlight the emerging face of information security as business, attacker, and defensive innovation clash in a mosh pit of technology, process, strategy, tactics, and survival.

Hoff and Mogull will debate the future of information security as they discuss emerging architectures, technologies, and how to predict and harness emerging innovation.


Rich Mogull - Securosis, LLC

Bio: Rich Mogull is the founder of Securosis, L.L.C., an independent consulting practice. He has over 17 years experience in information security, physical security, and risk management. Prior to founding Securosis, Rich spent 7 years as one of the leading security analysts with Gartner, where he advised thousands of clients, authored dozens of reports and was consistently rated as one of Gartner's top international speakers. He is one of the world's premier authorities on data security technologies and has covered issues ranging from vulnerabilities and threats, to risk management frameworks, to major application security.

Topic: Understanding and Preventing Data Breaches, The Real World Edition
Just a quick glance at the headlines shows that the onslaught of data breaches and inadvertent disclosures is far from over. Yet despite all the attention in the press, little real information is available on how these breaches actually occur, never mind how to prevent them in the future. In this session Rich Mogull, Founder of Securosis L.L.C. and former Gartner analyst, will dig beyond the headlines to analyze the leading causes of data exposures. Using real world examples and public information, he'll name names as we walk through a series of major exposures to determine the root causes. The session will then recommend the top specific, corrective actions to prevent these types of breaches in the future.


Raffael Marty - Splunk

Bio: As chief security strategist and senior product manager, Raffy is customer advocate and guardian, the expert on all things security and log analysis at Splunk. With customers, he uses his skills in data visualization, log management, intrusion detection, and compliance to solve problems and create solutions. Inside Splunk, he is the conduit for customer issues, new ideas and market requirements to the development team. Fully immersed in industry initiatives, standards efforts and activities, Raffy lives and breathes security and visualization. His passion for visualization is evident in the many presentations he gives at conferences around the world.

Topic: All the Data That's Fit to Visualize: What the New York Times teaches us about visualization.

With the ever-growing amount of data collected in IT environments, we need new methods and tools to deal with them. Event and Log Analysis is becoming one of the main tools for analysts to investigate and comprehend the state of their networks, hosts, applications, and business processes. Recent developments, such as regulatory compliance and an increased focus on insider threat have increased the demand for analytical tools to help in the process.

Visualization offers a new, more effective, and simpler approach to data analysis. To date, security visualization has mostly failed to deliver effective tools and methods. This presentation will show what the New York Times has to teach us about effective visualizations: visualization for the masses, not visualization for the experts. Insider Threat, Governance, Risk, and Compliance (GRC), and Perimeter Threat all require effective visualization methods, and they are right in front of us, in the newspaper.


Lee Kushner - President of LJ Kushner and Associates, LLC

Bio: Lee Kushner is the President of LJ Kushner and Associates, LLC, an Executive Search firm dedicated exclusively to the Information Security industry and its professionals. Founded in 1999, LJ Kushner has successfully represented Fortune 2000 companies, Information Security Software Companies, Information Security Services Companies and large technology firms in enabling them to locate, attract, hire, and retain top level Information Security talent. He has been an invited speaker on the subjects of recruitment, retention, and industry trends at Information Security Conferences that include The Black Hat Briefings, The RSA Security Conference, Information Security Decisions, and a variety of ISSA Chapter Conferences.

Topic: Managing Your Career in Infosec
Careers in information security are often difficult to navigate, with the industry changing more and more radically every year. This is even more true in an economy that isn't necessarily thriving. We're going to talk about the important skills, traits and knowledge that a security pro needs to build a long-term and successful career – not just the usual stuff (like "get certified"), but the real-world knowledge that teaches you how to have the job that keeps you challenged, growing and well-compensated.


Frank Rieger - CTO of GSMK CryptoPhone

Bio: Frank Rieger, 36, is working as the CTO of GSMK CryptoPhone in Berlin, Germany, on the forefront of mobile device and network security. He also provides consulting on mobile device and communication security issues to international enterprise clients as well as to human rights and environmental NGOs. He has been working in security consulting and application development for mobile platforms for more than 10 years now and is in his spare time active in the defense of digital civil rights in Germany.

Topic: Current and future security issues in mobile devices and networks

Mobile devices and networks, such as GSM and 3G, present a significant risk for the security-minded enterprise. Interception of communications, attacks against mobile devices and device theft are becoming more and more common. Learn about today's and tomorrow's attack techniques and the necessary defense strategies to protect your data and communications.

The talk will discuss the technology behind today's and tomorrow's attacks on mobile phones, communications and networks (mostly GSM and 3G). Special focus will be on the security issues that arise from new technologies like software radio and picocells, the vulnerabilities of mobile devices to software and network attacks, and the problems arising from the architecture of today's mobile networks. Realistic insights into the security of today's mobile phone operating systems are provided. The latest trends in interception technology will be discussed to give an up-to-date perspective on the risks of information loss. Real-world cases from various fields of business are used to illustrate the dangers and often overlooked developments that may lead to serious loss of information and confidentiality. Finally, the core strategies that can be used to preempt or minimize the effects of attacks against mobile systems are discussed.


Jeff Richard - Vice President, State Street Bank
Rob Cheyne - Chief Executive Officer, Safelight Security Advisors

Bio: Jeff Richard is the Vice President of Corporate Information Security at State Street Bank, a financial holding company that provides a range of products and services serving the specialized needs of institutional investors. As of June 30, 2007, assets under custody totaled $13 trillion and assets under management totaled $1.9 trillion. The Company's clients include mutual funds and other collective investment funds, corporate and public pension funds, investment managers and others.

Jeff's current responsibilities include defining, implementing and executing an enterprise-wide Application and Technology Security Assessment Program. The focus of this program consists of performing technical vulnerability assessments against high-risk applications and technologies, identifying risk mitigating solutions, and assisting in the implementation of said recommendations.

Assessment methodologies typically include:

  • Performing technical penetration testing of Web applications
  • Performing architectural reviews of applications and infrastructures, both internally developed and purchased from 3rd parties
  • Assessing 3rd party service providers
  • Developing and delivering best-practice training regarding secure application development

Jeff has been an information security professional since 1990 and has 8 years of IT audit experience. His past roles include divisional Information Security Officer for Institutional Investment business at Fidelity, and manager of Application Risk Assessment at Fidelity Investments Corporate Security.

Bio: Rob Cheyne is founder and chief executive officer of Safelight Security Advisors, a leading security education and consulting company in the Boston Area. He is a strong advocate for proactively addressing security issues and he has taught information security training classes to thousands of developers, architects and managers over the past four years.

Rob has 17 years of experience in the information technology field and has been working in the information security field since 1998. He has played the role of software developer, systems integrator, security expert, consultant, trainer and entrepreneur, which gives him a unique and balanced blend of business and technical expertise.

Rob was one of the founding employees of @stake, a highly regarded pioneer in information security consulting. He helped develop application security assessment methodologies that are still in use today and led @stake's Application Security Center of Excellence for two years. He has led and conducted secure architecture and design reviews, secure code reviews, application penetration tests, and various types of specialized security audits for Fortune 500 companies.

Rob was also a co-author of the award-winning L0phtCrack password auditing software and he worked on @stake's SmartRisk Analyzer team, which was eventually spun-off as Veracode.

Topic: Banking on education: A case study on security training programs

Many organizations find themselves needing to create a security training program, but do not know where to begin. Educating architects, developers, and project managers on how to properly deal with security issues creates a solid foundation for secure development and is critical in today's high-risk online environment.

Four years ago, State Street Bank created a pioneering security education program for its internal employees and contractors. State Street and its partner, Safelight Security Advisors, will present a case study on how to properly implement an internal security training program. We will discuss the unique challenges State Street faced, how we addressed them, and the process we went through to create a successful training program that is now mandatory for all staff involved in systems development worldwide.

The topics covered include gaining management buy-in, building the curriculum, and implementing the program. We will share successes and lessons learned, discuss the future of our security education programs, and map out general guidelines that can be applied to any organization's security program.


John Amaral - CTO of Vericept

Bio: As Chief Technology Officer, Amaral's primary responsibilities include driving the creation, development and overall management of Vericept's product line and leading the company's research and development efforts in continuing to deliver market-leading technology. Amaral joins Vericept from Network Engines, where he served as CTO and was responsible for advancing the organization's technology and product development as well as managing its product teams. While at Network Engines, he also led the creation of the business plan and development of the NS Series Secure Application Layer Gateway product family. Amaral also served as CTO and Engineering Director at Artel, where he managed technology definitions, product concepts and development of products. Prior to its acquisition by Artel, Amaral served as CTO of ITS Corporation, which he also founded. Before ITS, Amaral spent time at some of the world's premier technology companies, including Digital Equipment Corp, Raytheon Corp., Submarine Systems Group and Polaroid Advanced Technology Laboratory. Amaral was also recognized by American Venture Magazine as a top 40 under 40 executive. Amaral holds a Bachelor of Science in Software Engineering from the University of Massachusetts Dartmouth.

Topic: Content Awareness – A Cornerstone to Data Protection

The perimeters of a corporate network are expanding. Mobile devices and ubiquitous network access have blurred the network edge. Uninhibited information flow is critical to business continuity; however, as information flows freely across these boundaries, the task of securing that information becomes increasingly difficult. Loss of sensitive information can put an organization at risk of non-compliance, hamper competitive advantage, and bring risk to an organization's brand and reputation.

Traditional asset-based security technologies no longer sufficiently address the risks of data loss in modern enterprise networks, because they lack the inherent ability to protect data as it flows freely through an organization. Providing adequate protection requires a content-aware approach to securing critical business information. This approach acts on data based on its unique content and therefore can protect it across a variety of platforms in an IT environment. A truly distributed, content-aware data protection solution can assert content-specific policies at the point of data origin or at every other touch point in the network. This kind of solution represents a new class of data protection systems - systems that require broad content analysis and classification capabilities.

In this presentation, the speaker will explore the escalating challenge of protecting a company's digital assets and identify content awareness as a major cornerstone of data protection.


Nish Bhalla - Founder of Security Compass
Krish Raja - Application Security Consultant with Security Compass

Bio: Nish Bhalla is the Founder of Security Compass, and is a specialist in product, code, web application, host and network reviews. He has authored multiple books, including "Buffer Overflow Attacks: Detect, Exploit & Prevent" and "Hacking Exposed: Web Applications, 2nd Edition". He is a frequent speaker on emerging security issues. He has spoken at reputed security conferences such as "BlackHat Amsterdam", "Reverse Engineering Conference", "HackInTheBox", "ISC2's Infosec Conference" and many others. He regularly creates and teaches classes on application security with Security Compass; he is also a SANS instructor for Secure J2EE Development.

Rohit Sethi, Manager at Security Compass, is a specialist in building application security into the SDLC. He is a SANS instructor, has spoken and taught at SecTor, CSI National, Infosecurity New York and Toronto as well as written articles for Security Focus and WASC. He is a noted expert on application security and has been quoted in both ITWorldCanada and Computer World.

Topic: Detailed Threat Modeling
Threat modeling is quickly becoming a popular technique used to assess the security posture of an application's architectural components. But is there a way to perform such an assessment on an application's development framework?

A traditional threat model is an effective tool for determining the threats that pose a risk to the architectural components of an application. But what if we wish to enumerate the threats that face the developmental components? Detailed Threat Modeling is an approach that speaks to the development staff by examining the underlying object model of an application. In this talk, Nischal Bhalla and Krishna Raja of Security Compass explain how detailed threat modeling works, its benefits, and how it can be implemented by presenting a case study.


Rick Wesson - CEO, Support Intelligence, LLC and CEO Alice's Registry, Inc.

Bio: Coming Soon...

Topic: Bots -- The Global Infection Rate
A review of where botnets and insider threats have come from since 2006. We will review some of the exploited Fortune 1000 companies we outed, and will out some more.

We are losing big time to Internet bandits, and this talk will explore how cheap security could detect and deter the rising criminal environment.


Gary Sevounts - Senior Director, Industry Solutions, Symantec Corporation

Bio: Coming Soon...

Topic: Utilities, Oil & Gas, and Process Manufacturing companies increasingly rely on the benefits introduced by interconnections of PCS (Process Control Systems) that include SCADA systems with other internal and external networks. However, the SCADA security model is very different from the model for corporate IT networks. In fact, some commonly accepted and widely-used security measures can cause availability issues for PCS networks. During this session, the speaker will discuss unique security challenges for SCADA networks and effective practices for addressing these challenges.


Eugene Kuznetsov - IBM

Bio: Eugene Kuznetsov was most recently an executive at IBM, with responsibility for product management and marketing of SOA appliances. In addition to his P&L management duties, Kuznetsov is also a member of the IBM Software Group Architecture Board and the IBM AIM (WebSphere) Strategy Council. Kuznetsov joined IBM through the acquisition of DataPower in October 2005, with substantial returns for all shareholders. Both Kuznetsov's business and technical leadership have received recognition, including the prestigious InfoWorld Top 25 CTOs of 2005 and regional Ernst & Young Entrepreneur of the Year 2006 awards.

Eugene founded DataPower in 1999 based on his idea of combining dynamic compilation and network hardware technology to simplify the process of connecting disparate applications and served as President until spring 2003. The company developed the first "XML-aware networking" hardware, then unique in delivering message-level processing functions within a secure network device. DataPower's broad product family ensures award-winning security, performance and manageability for XML, Web Services and SOA applications. Kuznetsov served as President, VP of Marketing, CTO and Chairman at various points in the company's six year history as it grew from one to 75 employees, raising over $20M from investors and building a customer list of household names.

Topic: Founder of DataPower
This talk will provide an overview of SOA security today, from the technological building blocks of XML security and Web services to the wider implications for security architecture. It should serve both as a concise introduction to SOA/XML security for a technical audience and as an intermediate-level discussion of implementation practices. Aspects of XML/SOA processing vulnerabilities and secure enablement for SOA will be covered, followed by discussion of the potential for positive and negative impacts of SOA on application-level security overall. Additional topics will include message-level security and positive ("known-good") security models as they relate to XML/SOA security technology.

James Atkinson - Granite Island Group

Bio: James M. Atkinson is the President and Senior Engineer of Granite Island Group and has earned the respect of the most prestigious public and private global client base, specializing in the protection of classified, confidential, privileged, or private information against technical attack, eavesdropping, or exploitation. http://www.tscm.com/

Topic: Telephone Defenses Against the Dark Arts
Exploration of the modern eavesdropping threat posed by telephone equipment, common penetration points exploited by eavesdroppers and spies, methods of detecting such penetrations, and how to secure both classified and unclassified telephone communications against eavesdropping, through both technical means and operational trade-craft. Will include methods of properly auditing telephone instruments, wiring, transmission paths, and switching systems to detect and counter eavesdropping. The use, misuse, and exploitation of secure communications systems will also be presented, including examples of prior penetrations, hacks, and attacks. Will include information on VoIP attacks, mechanisms to detect and defeat VoIP attacks and exploits, and methods to secure VoIP systems.

Steve Lipner - Microsoft

Bio: Steve Lipner is Senior Director of Security Engineering Strategy at Microsoft. He has over thirty-five years' experience in computer and network security, and joined Microsoft in 1999. Steve is responsible for the development and application of Microsoft's Security Development Lifecycle (SDL), and is co-author with Michael Howard of a book on the SDL.

Topic: A Security Metric for Software Developers
Steve's presentation will introduce a predictive metric that Microsoft has applied to the development of new software products. The metric gives developers an understanding of the quality of their products' security before the products are released and exposed to hostile attack.

Lee Kushner - LJ Kushner

Bio: Coming soon...

Topic: To be announced...

Ryan Permeh

Bio: Ryan Permeh currently leads McAfee's Security Architecture Group as Manager of Product Security. He has been in the information security field for over 10 years. He previously worked for eEye Digital Security and a large Midwest ISP. He wrote the Retina vulnerability scanner, was the first to port Nmap to Windows, and reverse engineered and co-named the Code Red worm. He has been published in books and has spoken at several large security conferences on research topics from NT boot infectors to reverse engineering worms.

Topic: Vulnerability in the Real World: Lessons from both sides of the fence
There is a distinct rift between software vendors and security researchers. Common ground between these camps is sometimes difficult to find. From experience, both sides have much to offer the other. By utilizing researcher techniques, software vendors can build safer software. By understanding software vendors, researchers can better work to make the Internet a safer place. Building a better bridge between these two distinct groups can help advance the state of current software security.

Sinan Eren

Bio: Sinan Eren (Palo Alto, CA) is VP of Research at Immunity, where he has worked since 2003. Prior to joining Immunity, Sinan was a senior research scientist with Entercept. Sinan is an expert at finding new software vulnerabilities and developing the state of the art in exploitation techniques. Sinan's specialty lies in the analysis and exploitation of operating systems, server software, and software infrastructure applications. More recently Sinan has focused on hardware-based and alternative attack technologies. He is a regular speaker and trainer at industry conferences and is a co-author of the popular book "The Shellcoder's Handbook".

Topic: Information Operations
This presentation will discuss techniques to attack secure networks and successfully conduct long-term penetrations into them. New Immunity technologies for large-scale client-side attacks and application-based backdoors will be demonstrated, as will a methodology for high-value target attack. Design decisions for specialized trojans, attack techniques, and temporary access tools will be discussed and evaluated.

Andy Sudbury

Bio: Coming Soon...

Topic: Establishing a Security Metrics Program
This presentation will cover the process used and critical lessons learned in the design and implementation of successful security metrics programs, including addressing what should be measured, how it should be measured, and how to communicate with the organization beyond the IT & security departments. Examples from current implementations of security metrics programs will be used throughout.

Andrew Jaquith

Bio: Andrew Jaquith is a program manager in Yankee Group's Enabling Technologies Enterprise group with expertise in portable digital identity and web application security. As Yankee Group's lead security analyst, Jaquith drives the company's security research agenda and researches disruptive technologies that enable tomorrow's Anywhere Enterprise™ to secure its information assets.

Jaquith has 15 years of IT experience. Before joining Yankee Group, he co-founded and served as program director at @stake, Inc., a security consulting pioneer, which Symantec Corporation acquired in 2004. Before @stake, Jaquith held project manager and business analyst positions at Cambridge Technology Partners and FedEx Corporation.

His application security and metrics research has been featured in publications such as CIO, CSO and IEEE Security & Privacy. In addition, Jaquith is the co-developer of a popular open source wiki software package. He is also the author of the recently released Pearson Addison-Wesley book, Security Metrics: Replacing Fear, Uncertainty and Doubt. It has been praised by reviewers as both "sparking and witty" and "one of the best written security books ever."

Jaquith holds a B.A. degree in economics and political science from Yale University.

Topic: Not Dead But Twitching: Anti-Virus Succumbs to the Scourge of Modern Malware
The security of PCs is no longer a tractable problem that can be solved by better engineering, more thorough code reviews, user education or bigger budgets. Financially motivated malware is forcing anti-malware vendors to dramatically change strategies. By 2010, vendors will largely abandon the signature-based technologies that have been the mainstay of the anti-virus industry for 20 years.

Michael Rash - Enterasys Networks, Inc.

Bio: Michael Rash holds a Master's Degree in applied mathematics with a concentration in computer security from the University of Maryland, and is author of the book "Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort" published by No Starch Press. Mr. Rash works professionally as Security Architect for the Dragon Intrusion Detection and Prevention System developed by Enterasys Networks, and is a frequent speaker at computer security conferences. He is the founder of Cipherdyne.org, a website dedicated to open source security software for Linux systems, and is the lead developer for the psad, fwsnort, and fwknop projects.

Topic: Advanced Linux Firewalls
This talk will concentrate on advanced topics in Linux firewall infrastructures including Single Packet Authorization, application content inspection, and iptables log visualization. The latest techniques employed by the 'psad', 'fwsnort', and 'fwknop' projects will be presented, and a new software release of one of these projects will be made at the conference.


Roger Dingledine - The Tor Project

Bio: Roger Dingledine is project leader for The Tor Project, a US non-profit working on anonymity research and development. While at MIT he developed Free Haven, one of the early peer-to-peer systems that emphasized resource management while maintaining anonymity for its users. He works with the Electronic Frontier Foundation, the US Navy, Voice of America, and other organizations to design and develop systems for anonymity and traffic analysis resistance. He organizes academic conferences on anonymity, speaks at such events as Blackhat, Defcon, Toorcon, CCC congresses, and What the Hack, and also does tutorials on anonymity for national and foreign law enforcement. Roger was honored in 2006 as one of the top 35 innovators under the age of 35 by Technology Review magazine.

Topic: How To Make Tor Play Well With The Rest Of The Internet
Tor is used by several hundred thousand people daily: ordinary citizens who want protection from identity theft and prying corporations, corporations who want to look at a competitor's website in private, law enforcement, and soldiers and aid workers in the Middle East who need to contact their home servers without fear of physical harm.
But it's still pretty darn hard to use correctly, and it turns out not every site on the Internet likes anonymity. How should Slashdot and Wikipedia handle anonymous users? How can we help individual and corporate users have an easier interface to secure their communications without upsetting their network admins? What about policy and legal issues? Roger will explain the roadblocks for simple anonymity online, and discuss directions for solutions.


Steve Patton

Bio: Stephen Patton, CISSP, is a security architect for a large New England financial services firm. He has been interested in social networking sites since 2006 when a Columbine-style school attack plan in Riverton, Kansas was found on MySpace and foiled.

Topic: To be announced...
Social networking sites are incredibly popular. Hundreds of millions of profiles across these sites provide a rich environment for researchers of all types, including sociologists, investigators and detectives. The size of this personalized communication environment can be daunting. This presentation will provide techniques for effective searching and thorough probing of such sites. Additionally, we will review the precautions necessary for browsing these sites safely, since they can have a high proportion of malware and illegal content.


Sandy Bird - CTO, Q1 Labs, Inc.

Bio: Sandy Bird, co-founder and CTO of Q1 Labs, is responsible for the company's strategic technology direction. Sandy has extensive technology experience specializing in database design and development for web applications. Prior to Q1 Labs, he held a variety of technical positions at the University of New Brunswick in support, development and administration. Sandy studied Electrical Engineering at the University of New Brunswick.

Topic: Don't Tell Me What, Tell Me Who: Correlating User Identity and Application Data to Threats

Insider threats, compliance violations, policy break-downs, and general malicious activity are detected all the time by your security devices. But how do you investigate an IP address and application usage … particularly in remote access environments?

Binding user identity and application identity to the threats detected in your environment enables you to answer the questions "Who is attacking my network, and how?" or "Who is out of compliance?"

Join Sandy Bird, CTO at Q1 Labs, Inc. to learn how correlating user identity sources with network application and security event data:

  • Shortens time to problem resolution
  • Provides greater accuracy in detecting the insider threat
  • Improves user accountability
  • Simplifies tracking down threats in remote access environments


John Nye

Bio: John Nye is Assistant Vice President of Vendor Information Risk (VIR) for Moody's Risk Service Corporation. John is the lead analyst on VIR ratings. He is responsible for the VIR rating methodology as well as for managing assessment and rating monitoring operations. Previously, John was a Senior Manager at Symantec Corporation, where he managed the Infrastructure Security Advisory Services team in the Northeast. He joined Symantec when the company acquired @stake, Inc., an information security consulting company based in Cambridge, MA. While at @stake and Symantec, John developed numerous assessment methodologies, served as the lead PCI assessor in the Northeast, served as a technical lead for the Infrastructure Security Center of Excellence, and launched @stake's Chicago office. Prior to joining @stake, John worked in a variety of information security product development and support positions at Nortel Networks and GTE CyberTrust Solutions, worked as a Business Continuity and Disaster Recovery consultant to financial services firms in Tokyo, Japan, and worked as a software engineer and systems analyst for Boston Treasury Systems.

John holds a BS in Computer Engineering from Boston University.

Topic: Avoiding Audit Overlap
Whether driven by PCI, GLBA, client requirements, or internal standards, the demand for security assessments and audits never ends. As a result, information security leaders spend valuable time and resources reacting to overlapping external audit requests that often fail to meet their internal needs. This never-ending cycle of repetitive security assurance activity is not only unnecessarily costly but can be dangerously distracting from other responsibilities.

This presentation will help unravel the differences between various security tests, assessments, and audits and explore how information security professionals can use security reviews that complement one another to build a structured security assurance program that reduces or eliminates duplicate efforts while meeting internal and external requirements. In addition, we'll look at tools and techniques that help streamline audit readiness with primary information security activities like policy development, solutions deployment, and change management.

Proper planning and preparation will not only simplify and reduce the cost of these security assurance efforts but also improve confidence in one's information security program.


Panelists

CEO Panel

Matt Moynahan - CEO, Veracode, Inc.
Philippe Courtot - CEO, Qualys, Inc.
Josh Pennell - CEO, IOActive, Inc.
Patrick Morley - CEO, Bit9, Inc.

Topic: CEO Panel

Moderator: Mike Murray
Panelists:

Matt Moynahan - CEO, Veracode, Inc.
Philippe Courtot - CEO, Qualys, Inc.
Josh Pennell - CEO, IOActive, Inc.
Patrick Morley - CEO, Bit9, Inc.


Entrepreneur Panel

Maria Cirino - .406 Ventures
Jeff Fagnan - Atlas Venture
Simeon Simeonov - Polaris Ventures
David Gammell - Brown Rudnick

Topic: Entrepreneur Panel

Moderator: To Be Announced...
Panelists:

Maria Cirino - .406 Ventures
Jeff Fagnan - Atlas Venture
Simeon Simeonov - Polaris Ventures
David Gammell - Brown Rudnick


Web Application Panel

Robert Hansen - CEO and Founder of Web Application and Internet Security Consulting Company, SecTheory
Jeremiah Grossman - Founder and Chief Technology Officer (WhiteHat Security, Inc.)
Mark Kraynak - Senior Director of Strategic Marketing (Imperva)
Nick Selby - Director, Enterprise Security Practice (The 451 Group)
Jeff Williams - CEO (Aspect Security) and volunteer Chair (OWASP)
Grant Bourzikas - Director of Information Security and Business Continuity (Scottrade)

Topic: Web Application Security from the Frontlines

Moderator: Robert "RSnake" Hansen (SecTheory)

Robert Hansen (CEO and Founder of Web Application and Internet Security Consulting Company, SecTheory): Mr. Hansen (CISSP) has worked for Digital Island, Exodus Communications and Cable & Wireless in varying roles, from Sr. Security Architect to eventually product-managing many of the managed security services product lines. He also worked at eBay as a Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-DHTML malware and anti-virus strategies. Later he worked as a director of product management for Realtor.com. Robert previously sat on the technical advisory board of ClickForensics and currently contributes to the security strategy of several startup companies.

Mr. Hansen authors content on Dark Reading and co-authored "XSS Exploits" from Syngress Publishing. He sits on the NIST.gov Software Assurance Metrics and Tool Evaluation group, focusing on web application security scanners, and the Web Application Security Scanners Evaluation Criteria (WASC-WASSEC) group. He also speaks at Toorcon, APWG, ISSA, OWASP/WASC, Microsoft's Bluehat, Blackhat and Networld+Interop. Mr. Hansen is a member of Infragard, the Austin Chamber of Commerce, West Austin Rotary, WASC, IACSP and APWG; he is the Industry Liaison for the Austin ISSA and contributed to the OWASP 2.0 guide.

Panelists:

Jeremiah Grossman - Founder and Chief Technology Officer (WhiteHat Security, Inc.)
Jeremiah Grossman is the founder and CTO of WhiteHat Security, is considered a world-renowned expert in Web security, co-founded the Web Application Security Consortium, and was recently named to InfoWorld's Top 25 CTOs for 2007. Mr. Grossman is a frequent speaker at industry events including the BlackHat Briefings, ISACA, CSI, OWASP, Vanguard, ISSA, Defcon, and a number of universities. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is co-author of XSS Attacks. Mr. Grossman is frequently quoted in major media publications such as InfoWorld, USA Today, PCWorld, Dark Reading, SC Magazine, SecurityFocus, C-Net, CSO, and InformationWeek. Prior to WhiteHat he was an information security officer at Yahoo!

Mark Kraynak - Director Product Marketing (Imperva)
Mark Kraynak is the Senior Director of Strategic Marketing at Imperva. Before joining Imperva, Mr. Kraynak held marketing and consulting positions at Check Point, CacheFlow (now BlueCoat Systems) and Ernst & Young's Center for Technology Enablement. Mr. Kraynak is a regular speaker on application and database security and participates in industry efforts to define the role of application firewalls in security architectures.

Nick Selby - Director, Enterprise Security Practice (The 451 Group)
Nick Selby leads The 451 Group's Enterprise Security Practice, providing objective analysis of enterprise security business and trends. Nick is The 451's Director of Research Operations, leading the coordination of 451 analysts' research agendas and coverage. Nick is on the faculty of the Institute for Applied Network Security, and speaks regularly at industry events such as RSA, Security Standard, CXO Interchange and SANS WhatWorks. Prior to joining The 451 Group in 2005, Nick was an IT security consultant to firms subject to regulatory compliance. Based in Eastern Europe and Europe from 1990 to 2004, Nick spent a decade covering various emerging technologies, including open source and wireless technologies, and software piracy. He was Editor at Large for Amsterdam-based Tornado Insider/Tornado Investor, and has reported on technology and tech-based financial news for the International Herald Tribune. An IFR pilot, Nick published pilot resource Flyguides from 2001-2005. Nick is also an avid Linux hacker and member of the Capital District Linux Users Group, and a PHP/MySQL enthusiast.

Jeff Williams - founder and CEO of Aspect Security, volunteer Chair of OWASP
Jeff Williams is the founder and CEO of Aspect Security (http://www.aspectsecurity.com), which specializes exclusively in application security services. Jeff also serves as the volunteer Chair of OWASP, the Open Web Application Security Project (http://www.owasp.org). Jeff has made extensive contributions to the application security community through OWASP, including the OWASP Top Ten, the WebGoat Learning Application, the Software Security Contract Annex, the AppSec Desk Reference, the Enterprise Security API, and the local chapters program. Jeff holds advanced degrees in psychology, computer science, and human factors, and graduated cum laude from Georgetown University Law Center.


Panel Discussion - The end of our Rope: The tug-o-war between business and security

John Amaral - Chief Architect at Retail Convergence, LLP
Dennis Devlin - Chief Information Security Officer at Brandeis University
Gene Meltser - Lead Technical Architect for Symantec Corporation
Reggie Sommer - Former Chief Financial Officer for Netegrity, Inc.
Rob Cheyne - CEO of Safelight Security Advisors

Topic: The end of our rope: The tug-o-war between business and security
Are you the developer or security professional who is struggling to secure your application within tight timeframes? Or are you the manager who needs to complete a project on time and under budget, and meeting the release date is more important than security? Or perhaps you are the executive who must balance budgets across many initiatives, and security is only one of a dozen competing priorities?

In real-world situations, we often find ourselves struggling to find a reasonable balance between business and security requirements. The end result is that we sometimes make compromises that result in severe vulnerabilities and we now have more computer security incidents than ever. With recent security breaches potentially costing billions, we can no longer afford to allow this tug-o-war to continue.

Sometimes the best thing to do is to step back and look at the big picture in order to gain some perspective. At this session, you will hear industry leaders from across the entire business spectrum share their valuable experience in a discussion of the delicate balance between business, technical & security requirements, and together we will find an acceptable middle-ground.

Moderator: Rob Cheyne
Rob Cheyne has 17 years of experience in the information technology field and has been working in the information security field since 1998. He has played the role of software developer, systems integrator, security expert, consultant, trainer and entrepreneur, which gives him a unique and balanced blend of business and technical experience.

Rob was one of the founding employees of @stake, a highly regarded pioneer in information security consulting. He helped develop application security assessment methodologies that are still in use today and led @stake's Application Security Center of Excellence for two years. He led and conducted secure architecture and design reviews, secure code reviews, application penetration tests, and various types of specialized security audits for Fortune 500 companies.

Rob was a co-author of the award-winning L0phtCrack password auditing software, and he worked on @stake's SmartRisk Analyzer team, which was eventually spun off as Veracode. Over the past four years, he has taught information security training classes to thousands of students. Rob is currently the CEO of Safelight Security Advisors, a leading security education & consulting firm based in the Boston area.


Panelists:

John Amaral - Chief Architect at Retail Convergence, LLP
John Amaral is currently the Chief Architect at Retail Convergence, LLP, and has over fourteen years of experience in software and systems analysis, design, development and implementation of solution components and systems integration. From small client/server to large N-tier systems across numerous industry verticals, John has proven skills in resource planning, team management, and numerous architectural designs encompassing many development technologies. John's early years as a consultant opened his eyes to the requirements and desires of Fortune 100 companies. Since the late '90s, John has brought thorough, hands-on, no-nonsense design and management of solution development to several Internet startups, through his technical aptitude and constant desire to expand his technical knowledge.

Most notably, John was instrumental in developing B2B solutions and requirements as first employee of Celarix, now owned by GXS (formerly Global eXchange Services), an Internet-based supply chain service provider. Now in the retail industry, B2C security is at the forefront of all his new initiatives.

Dennis Devlin - Chief Information Security Officer at Brandeis University
Dennis Devlin is currently Chief Information Security Officer at Brandeis University. He has over 36 years of information technology leadership experience in private industry and higher education. Prior to his current role Dennis was Vice President and Chief Security Officer of the Thomson Corporation, a member of the senior IT management team at Harvard University, and began his career as a software developer and systems analyst for American Hoechst Corporation.

Dennis is a graduate of the University of Pennsylvania and has completed extensive continuing education in information technology and management. He has been a frequent presenter on information security at universities and conferences including the RSA Security Conference, SC Magazine US Forum and Gartner IT Security Summit. Dennis has also served on CSO advisory boards for RSA, Qualys, Verdasys, GeoTrust, ChosenSecurity and SC Magazine.

Gene Meltser - Lead Technical Architect for Symantec Corporation
Gene Meltser is a Lead Technical Architect for Symantec Corporation. He is a seasoned security consultant, having led and performed many security assessments, penetration tests, and architecture and design reviews for numerous companies across multiple industries. As a security adviser, he has unique visibility into various IT and security structures and organizations, and has helped many clients correctly balance security with business and regulatory requirements. In 2005, Gene co-founded the Symantec Vulnerability Research group, which was responsible for the first vulnerability advisory release in 20 years of Symantec's history.

Reggie Sommer - Former Chief Financial Officer for Netegrity, Inc.
Reggie Sommer has been a leader in the high technology and accounting industries for more than twenty-five years. Most recently, she served as Chief Financial Officer for Netegrity, Inc., a publicly held provider of enterprise security software. Ms. Sommer currently serves on the Boards of Directors of Wright Express Corporation, a publicly held provider of payment processing and information management services to the U.S. commercial and government vehicle fleet industry; SoundBite Communications, a publicly held provider of automated customer contact solutions that are fully hosted and available on-demand; and ING Direct, a subsidiary of ING and the largest direct bank in the United States. Reggie is a CPA and a member of the National Association of Corporate Directors, Women Corporate Directors, Financial Executives Institute, the AICPA and the Massachusetts Society of Certified Public Accountants.

Previously, as Vice President of Finance for the Olsten Corporation, Reggie assisted with the integration and reorganization of this $2 billion, publicly held provider of staffing and healthcare services, following its merger with Lifetime Corporation in 1993.

Reggie Sommer graduated magna cum laude from the College of the Holy Cross, where she earned a bachelor's degree in Economics / Accounting.
