University of California Hastings College of the Law
Alumni Reception Center
200 McAllister St.
San Francisco, CA 94102
Event Description
The FTC's first “Start With Security” conference is scheduled for September 9, 2015, in San Francisco, and is co-sponsored by the University of California Hastings College of the Law. It is part of a business education initiative designed to provide companies with practical resources to help them implement effective data security strategies.
Aimed at start-ups and developers, this event will bring together experts to provide information on security by design, common security vulnerabilities, strategies for secure development, and vulnerability response. "Start with Security" will run from 10:00 AM to 4:00 PM. The event is free and open to the public.
The conference series is part of the agency’s longstanding efforts to provide businesses with guidance about how to put effective security in place.
9:00 am Registration
10:00 am Introductory Remarks
Tom Dahdouh
Regional Director, Western Region, Federal Trade Commission
Opening Remarks
Edith Ramirez
Chairwoman, Federal Trade Commission
10:30 am Panel 1: Starting up Security: Building a Security Culture
How can startups build a culture of security? Examining some of the most common design flaws and vulnerabilities found in applications today, this panel will explore how startups can model these threats, train their developers in secure coding practices, and use secure frameworks to help minimize their application security debt.
Moderator:
- Laura Riposo VanDruff
Division of Privacy and Identity Protection, FTC
Panelists:
- Devdatta Akhawe
Security Engineer
Dropbox
- Jonathan Carter
Project Lead
OWASP Mobile Top Ten
- Frank Kim
Chief Information Security Officer
SANS Institute
- Window Snyder
Chief Security Officer
Fastly
11:45 am Panel 2: Scaling Security: Adapting Security Testing for DevOps and Hyper-growth
How can startups test and review their applications for security when they are experiencing exponential user growth, hiring new engineers at a rapid clip, and shipping code on a weekly, daily, or even hourly basis? This panel will discuss how security testing can be automated and adapted for a world of continuous delivery in a high-growth startup environment.
Moderator:
- Laura Berger
Division of Privacy and Identity Protection, FTC
Panelists:
- Michael Coates
Trust and Information Security Officer
Twitter
- Zane Lackey
Founder and Chief Security Officer
Signal Sciences
- Jeff Williams
Founder and Chief Technology Officer
Contrast Security
12:55 pm Lunch Break
1:10 pm Investing in Security: Fireside Chat with Accel Partner Arun Mathew
Moderator:
- Ashkan Soltani
FTC Chief Technologist
1:35 pm Panel 3: Bugs and Bounties: Vulnerability Disclosure and Response
How should startups respond when hackers come calling? From the basics of bug triage to running a full-scale bounty, this panel will examine how startups can successfully manage, address, and — perhaps most importantly — learn from vulnerability reports, harnessing the work of the security community to improve their secure development lifecycle.
Moderator:
- Nithan Sannappa
Division of Privacy and Identity Protection, FTC
Panelists:
- Raymond Forbes
Security Engineer
Mozilla
- Paul Moreno
Security Engineering Lead
Pinterest
- Katie Moussouris
Chief Policy Officer
HackerOne
2:50 pm Panel 4: Beyond Bugs: Embracing Security Features
How can startups go beyond bug hunting to implementing security features? This panel will consider how startups can overcome development challenges, such as impacts on performance, to embrace security features — like site-wide SSL, Content Security Policy, and multifactor authentication — that can protect consumers from threats proactively and help eliminate entire classes of vulnerabilities.
Moderator:
- Jessica Lyon
Division of Privacy and Identity Protection, FTC
Panelists:
- Pierre Far
Product Manager
Google
- Jon Oberheide
Co-founder and Chief Technology Officer
Duo Security
- Yan Zhu
Security Engineer
Yahoo!
4:00 pm Concluding Remarks
Panel 1: Starting up Security: Building a Security Culture
Devdatta Akhawe is a security engineer at Dropbox. Before joining Dropbox, he was a graduate student at UC Berkeley working on application security. At Dropbox, Mr. Akhawe is involved in all aspects of the Secure Development Lifecycle and is part of the team that implemented advanced security features like Content Security Policy, pinning, and HTTP Strict Transport Security. He has published at top academic conferences and spoken at top industry conferences such as Blackhat and the Open Web Application Security Project (OWASP) AppSec Cali. He is also an editor of the World Wide Web Consortium’s Subresource Integrity specification.
Jonathan Carter is an application security professional with over 15 years of security expertise within Canada, the U.S., Australia, and England. As a software engineer, Mr. Carter produced software for online gaming systems, payment gateways, SMS messaging gateways, and other solutions requiring a high degree of application security. Mr. Carter’s technical background in artificial intelligence and static code analysis has led him to a diverse number of security roles: enterprise security architect, web application penetration tester, Fortify security researcher, and security governance lead. He is an active member of the OWASP Mobile Security Group and is project owner of a number of other OWASP security projects.
Frank Kim is the Chief Information Security Officer at SANS Institute where he leads the security risk function for the most trusted source of computer security training, certification, and research in the world. He also helps shape, develop, and support the next generation of security leaders through teaching, developing courseware, and leading the management and software security curricula. Prior to the SANS Institute, Mr. Kim was Executive Director of Cyber Security at Kaiser Permanente, the nation's largest not-for-profit health plan and integrated health care provider. In recognition of his work, Mr. Kim is a two-time recipient of the CIO Achievement Award for business enabling thought leadership. Mr. Kim holds degrees from the University of California at Berkeley and is a SANS certified instructor as well as the author of popular courseware on strategic planning, leadership, and application security.
Window Snyder is Chief Security Officer at Fastly. She previously spent five years at Apple working on security and privacy strategy and features for OS X and iOS. A security industry veteran, Ms. Snyder was the Chief Security Something-or-Other at Mozilla, responsible for security engineering, communication, and strategy. As a senior security strategist at Microsoft, she owned security sign-off for Windows and the outreach strategy for security vendors and security researchers. Ms. Snyder was also a founding team member at Matasano and was Director of Security Architecture at @stake, where she developed application security analysis methodologies and led the Application Security Center of Excellence. Ms. Snyder is co-author of Threat Modeling, a manual for security architecture analysis in software.
Panel 2: Scaling Security: Adapting Security Testing for DevOps and Hyper-growth
Michael Coates is the Trust & Information Security Officer at Twitter and a member of the OWASP board of directors. Mr. Coates has worked in the security industry for over a decade and has experience building risk and security programs to protect fast-moving tech companies such as Twitter and Mozilla. He is also the founder of the OWASP AppSensor project, an initiative to provide applications with real-time defense capabilities to identify and repel threats. Featured as one of SC Magazine's 2012 Influential IT security minds, Mr. Coates is a frequent speaker at security conferences, government security events, and enterprise security sessions. Mr. Coates also provides security strategy to emerging startups. He holds an M.S. in Computer, Information and Network Security from DePaul University and a B.S. in Computer Science from the University of Illinois.
Zane Lackey is the founder and Chief Security Officer at Signal Sciences and serves on the Advisory Boards of the Internet Bug Bounty Program and the U.S. State Department-backed Open Technology Fund. Prior to Signal Sciences, Mr. Lackey was the Director of Security Engineering at Etsy and a Senior Security Consultant at iSEC Partners. He has been featured in notable media outlets such as the BBC, Associated Press, Forbes, Wired, CNET, Network World, and SC Magazine. A frequent speaker at top industry conferences, Mr. Lackey has presented at BlackHat, RSA, USENIX, Velocity, Microsoft BlueHat, SANS, OWASP, QCon, and has given invited lectures at Facebook, Goldman Sachs, New York University, and Reykjavik University.
Jeff Williams is the co-founder and Chief Technology Officer of Contrast Security. Mr. Williams brings more than 20 years of security leadership to his role at Contrast. In 2002, Mr. Williams co-founded and became CEO of Aspect Security, a successful and innovative consulting company focused on application security. Mr. Williams is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects. Mr. Williams has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.
Investing in Security: Fireside Chat with Accel Partner Arun Mathew
Arun Mathew is from Nashville, TN and joined Accel in 2009. Mr. Mathew is actively involved in Accel's enterprise software, security, big data and consumer internet practices, having led investments in areas like data collection/protection (Qualtrics, Code42), security (Bettercloud, Tenable Network Security), horizontal/vertical SaaS (Squarespace, Yapstone, Dealer.com) and consumer internet (Groupon). He also helps to lead the firm's Big Data and Tech Council initiatives and spends a significant portion of his time in emerging markets, including India, Brazil and Southeast Asia. He sits on the boards of, and is active with, Accel's international investments in Flipkart, BookMyShow, Ola, Freshdesk, MindLab and Portea. Mr. Mathew graduated from the University of Pennsylvania and holds an MBA from Stanford's Graduate School of Business.
Panel 3: Bugs and Bounties: Vulnerability Disclosure and Response
Raymond Forbes is a security engineer at Mozilla working on browser security. Building fuzzing and other tools, Mr. Forbes spends his time looking for vulnerabilities in the Firefox platform. Mr. Forbes is also part of the team that manages the Mozilla Bug Bounty Program. His previous experience includes work at Microsoft, Hewlett-Packard, and Disney. Mr. Forbes has also been a trainer and speaker for Blackhat, Defcon, and other security conferences.
Paul Moreno is the Security Engineering Lead at Pinterest, a visual bookmarking tool for saving and discovering creative ideas. At Pinterest, Mr. Moreno has spent his tenure establishing the Security Engineering foundation and assembling a core security team. As a recognized technology generalist with extensive experience working for startups and public companies, Mr. Moreno delivers data-driven solutions for modern cloud security threats. Prior to joining Pinterest, Mr. Moreno was an early employee at ngmoco:), a breakthrough mobile gaming company acquired for $300 million in October 2010. He has been invited to participate on multiple customer advisory boards, including Digicert and OpenDNS.
Katie Moussouris is the Chief Policy Officer for HackerOne, a platform provider for coordinated vulnerability response and structured bounty programs. She is a noted authority on vulnerability disclosure and advises lawmakers, customers, and researchers to legitimize and promote security research and help make the internet safer for everyone. Ms. Moussouris' earlier work at Microsoft encompassed industry-leading initiatives such as Microsoft's bounty programs and Microsoft Vulnerability Research. She is also a subject matter expert for the U.S. National Body of the International Organization for Standardization (ISO) in vulnerability disclosure (ISO/IEC 29147), vulnerability handling processes (ISO/IEC 30111), and secure development (ISO/IEC 27034). Ms. Moussouris is a visiting scholar with MIT Sloan School, doing research on the vulnerability economy and exploit market, and a New America Foundation Fellow. She is an ex-hacker, ex-Linux developer, and persistent disruptor.
Panel 4: Beyond Bugs: Embracing Security Features
Pierre Far is a product manager at Google for an upcoming ad product for publishers. Previously, he was part of Google Search as a Webmaster Trends Analyst, helping site owners build better websites that are secure, mobile-optimized, and follow best practices for user- and search-friendliness. Prior to joining Google, Mr. Far held several roles in the technology sector, including community and product management, innovation consulting, and online marketing. He has a PhD in bacterial genetics from the University of Cambridge, U.K.
Jon Oberheide is the co-founder and Chief Technology Officer of Duo Security, responsible for leading product vision and the Duo Labs advanced research team. Before starting Duo, Mr. Oberheide was a self-loathing academic, completing his PhD at the University of Michigan in the realm of cloud security. In a prior life, Mr. Oberheide enjoyed offensive security research and generally hacking the planet. Mr. Oberheide was recently named to Forbes "30 under 30" list for his mobile security hijinks.
Yan Zhu is a security engineer at Yahoo, mostly working on end-to-end email encryption and improving TLS usage. She is also a Technology Fellow at EFF and a core developer of Let's Encrypt, HTTPS Everywhere, Privacy Badger Firefox, and SecureDrop. She got a BS from MIT in 2012 and is a proud PhD dropout from Stanford. Ms. Zhu has been a speaker at HOPE, DEFCON 22, jQuerySF, Real World Crypto, SXSW, and various other human gatherings.
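Panel 4 names site-wide SSL and Content Security Policy as features that remove whole classes of vulnerabilities rather than individual bugs, and Mr. Akhawe's bio above mentions shipping CSP and HTTP Strict Transport Security at Dropbox. The following is an added example, not material from the FTC event or from any of the speakers' companies, showing what "on" versus "not really on" looks like for those two headers: it parses a response's HSTS and CSP headers and flags the settings that quietly defeat them (a short max-age, no includeSubDomains, a script policy that still permits inline or wildcard scripts). The two header sets are constructed for illustration and are not taken from any real site.

```python
"""Added example (not from the FTC event page): check whether a site's
response headers actually enforce site-wide HTTPS (via HSTS) and a CSP
that blocks the script sources an XSS payload would need."""
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the minimum HSTS max-age worth deploying

# Constructed sample headers: a first deployment that "has a CSP" but lets
# everything through, beside a hardened version. Neither is a real site.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
}

HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": (
        "default-src 'none'; script-src 'self'; style-src 'self'; "
        "img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'"
    ),
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means both features are on."""
    findings: List[str] = []
    lookup = {k.lower(): v for k, v in headers.items()}

    # Site-wide SSL: without HSTS a browser still makes a plain-HTTP first
    # request that an on-path attacker can answer.
    hsts = lookup.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: first request still goes over plain HTTP")
    else:
        directives = [d.strip().lower() for d in hsts.split(";")]
        max_age = next((d for d in directives if d.startswith("max-age=")), None)
        if max_age is None or int(max_age.split("=", 1)[1]) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains: subdomains stay downgradable")

    # CSP: script-src (falling back to default-src) is what decides whether an
    # injected <script> or inline handler can run at all.
    csp_raw = lookup.get("content-security-policy")
    if csp_raw is None:
        findings.append("CSP missing: no defence in depth against XSS")
        return findings
    csp = parse_csp(csp_raw)
    script_src = csp.get("script-src", csp.get("default-src", []))
    for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
        if bad in script_src:
            findings.append(f"CSP allows {bad} for scripts: XSS is not blocked")
    if "default-src" not in csp:
        findings.append("CSP has no default-src fallback")
    if "frame-ancestors" not in csp:
        findings.append("CSP lacks frame-ancestors: clickjacking not prevented")
    return findings


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, check_headers(hdrs) or ["ok"])
```

Run against the weak set, the checker reports five findings (no HSTS, three permissive script sources, no frame-ancestors); the hardened set passes clean. The point the panel is making shows up in the script-src check: a policy that still contains 'unsafe-inline' gives almost no XSS protection, so the real work of "embracing" CSP is moving inline scripts into files served from 'self', not just adding the header.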
Event Materials
PowerPoint presentation (936.19 KB)