The University of Texas at Austin's AT&T Conference Center
1900 University Ave.
Austin
TX
78705
Event Description
The FTC’s second “Start With Security” event will take place on November 5, 2015, in Austin, Texas, and will be co-sponsored by the University of Texas Robert S. Strauss Center and the Center for Identity.
This one-day conference will continue the FTC’s work to provide companies with practical tips and strategies for implementing effective data security. Aimed at start-ups and developers, this event will bring together experts to provide information on security by design, common security vulnerabilities, strategies for secure development, and vulnerability response. "Start with Security" will run from 9:30 AM to 4:00 PM.
-
8:30 am Doors Open 9:30 am
Welcome
Professor Robert Chesney
Director, Robert Strauss Center for International Security and Law University of TexasIntroductory Remarks
Dama Brown
Regional Director, Southwest Region, Federal Trade Commission
Opening Remarks
Terrell McSweeny
Commissioner, Federal Trade Commission10:00 am Panel 1: Starting up Security: Building a Security Culture
How can startups build a culture of security? Examining some of the most common design flaws and vulnerabilities found in applications today, this panel will explore how startups can model these threats, train their developers in secure coding practices, and use secure frameworks to help minimize their application security debt.
Moderator:
-
Laura Riposo VanDruff
Division of Privacy and Identity Protection, FTC
Panelists:
- Christophe Borg
Vice President of Engineering Operations
RetailMeNot
- Alan Daines
Chief Information Security Officer
Dell - Josh Sokol
Information Security Owner
National Instruments
11:00 am Break 11:15 am Panel 2: Scaling Security: Adapting Security Testing for DevOps and Hyper-growth
How can startups test and review their applications for security when they are experiencing exponential user growth, hiring new engineers at a rapid clip, and shipping code on a weekly, daily, or even hourly basis? This panel will discuss how security testing can be automated and adapted for a world of continuous delivery in a high-growth startup environment.
Moderator:
- Laura Berger
Division of Privacy and Identity Protection, FTC
Panelists:
- Matt Johansen
Director of Security
Honest Dollar - Matt Tesauro
Senior Software Security Engineer
Pearson - James Wickett
Engineer of Awesome
Signal Sciences Corp
12:15 pm Lunch Break 1:10 pm
Investing in Security: Fireside Chat with Co-founder of LiveOak Venture Partners Venu Shamapant
Moderator:
- Commissioner Terrell McSweeny
1:30 pm Panel 3: Third-party AppSec: Dealing with Bugs, Bug Reports, and Third-party Code
Out of the gate, third parties have big implications for startups’ security: Applications are comprised of third-party components; third-party services provide critical functionality; and before long, third-party researchers come calling with vulnerability reports about your own code. This panel will address how startups can manage risks from third-party code and services, and harness the security community’s work to improve their secure development lifecycle.
Moderators:
-
Jarad Brown
Division of Privacy and Identity Protection, FTC
Panelists:
- HD Moore
Chief Research Officer
Rapid7 - Katie Moussouris
Chief Policy Officer
HackerOne - Wendy Nather
Research Director
Retail Cyber Intelligence Sharing Center
2:30 pm Break 2:50 pm Panel 4: Beyond Bugs: Embracing Security Features
How can startups go beyond bug hunting to implementing security features? This panel will consider how startups can overcome development challenges, such as impacts on performance, to embrace security features — like site-wide SSL/TLS, Content Security Policy, and multifactor authentication — that can protect consumers from threats proactively and help eliminate entire classes of vulnerabilities.
Moderator:
- Katherine McCarron
Division of Privacy and Identity Protection, FTC
Panelists:
- Robert Hansen
Vice President of WhiteHat Labs
WhiteHat Security - Clare Nelson
CEO
ClearMark Consulting - Caleb Queern
Manager
KPMG Cyber
3:50 pm
Concluding Remarks -
-
Panel 1: Starting up Security: Building a Security Culture
Christophe Borg is Vice President of Engineering Operations at RetailMeNot, Inc. He brings 15 years of broad operational and industry experience as an executive of growing technology companies. A veteran of the high tech industry, Christophe specializes in understanding and forecasting technology trends for real-world applications and translating those market requirements into engineering product. Prior to RetailMeNot, Christophe was founder and CEO of BorgSolutions, Inc., a leading provider of fleet maintenance management software. In this role, Christophe led development of the company's operations software. He continues to serve as the company's chairman.
Alan Daines is Dell’s Chief Information Security Officer and Executive Director of the company’s Compliance and Information Security organization. Alan and his team manage risk, maintain compliance, and secure the enterprise environment. Alan has been with Dell since 1999 and has over 20 years of experience in IT Security and Infrastructure roles. Previously, he was the company’s Director for IT Security Engineering, Operations & Identity Management. He has worked on many facets of information security, including incident management, forensics, compliance, policy risk, identity management, vulnerability management, and security infrastructure. Alan has also led several infrastructure practice areas at the company, including IT outsourcing, engineering, IT architecture, support and program/project management. Alan was born and educated in the United Kingdom. He currently is based in Dell’s headquarters in Round Rock, Texas.
Josh Sokol is the Information Security Program Owner at National Instruments. In his current role, Josh manages all compliance, security architecture, risk management, and vulnerability management activities for NI. Previously, he worked for several large companies, including AMD and BearingPoint, and as a military contractor. Josh is the founder and creator of the free and open source risk management tool, SimpleRisk. He currently serves on the OWASP Global Board of Directors. Josh graduated from the University of Texas at Austin, with a BS in Computer Science.
Panel 2: Scaling Security: Adapting Security Testing for DevOps and Hyper-growth
Matt Johansen is the Director of Security at Honest Dollar, an Austin financial tech startup, where he is charged with building an information security program from the ground up. Previously, he was the Director of Services and Research at WhiteHat Security, where he oversaw product development, and a Senior Manager for WhiteHat’s Threat Research Center, where he built and managed a team working to prevent website security attacks. In an earlier role, Matt was an Application Security Engineer at WhiteHat, overseeing and assessing security for more than 35,000 web applications for WhiteHat’s clients, including many Fortune 500 companies across a range of technologies.
Matt Tesauro is a Senior Software Security Engineer at Pearson. Previously, he was a Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor in the University of Texas Computer Science department, teaching the next generation of computer scientists about Application Security. Matt has spent 15 years specializing in application and cloud security. His work has included security consulting, penetration testing, threat modeling, and code reviews. He also has extensive experience teaching and providing training, including at the University of Texas, Texas A&M University, and numerous industry events. He is a former board member of the OWASP Foundation and project lead for the OWASP AppSec Pipeline & Web Testing Environment project, a collection of application security testing tools. He holds two degrees from Texas A&M University.
James Wickett is Engineer of Awesome at Signal Sciences. He is a leader in the DevOps and InfoSec communities and a supporter of the Rugged Software movement. He coined the term “Rugged DevOps” and founded an open source project, Gauntlt, to serve as a Rugged Testing Framework. He is the author of Hands-on Gauntlt: Security Testing for Developers. He also created and founded the Lonestar Application Security Conference, the largest annual security conference in Austin. He is a chapter leader for OWASP Austin and serves on the Global Information Assurance Certification (GIAC) Advisory Board. James got his start in technology when he founded a Web startup as a college student. Since then, James has worked in environments ranging from large, web-scale enterprises to small, rapid-growth startups.
Investing in Security: Fireside Chat with LiveOak Venture Partners co-Founder Venu Shamapant
Venu Shamapant is a co-founder of LiveOak Venture Partners, an Austin, TX based early stage venture capital firm that focuses on technology and technology driven services companies based in Texas and the Southwest. At LiveOak, Venu focuses on investments across a wide variety of sectors including Software, Security and Tech-enabled services. His current investments include Veros Systems, NSS Labs, InforcePro, Capsenta and InfoCyte.
Prior to LiveOak, Venu was a General Partner at Austin Ventures where he invested in over ten companies producing more than $1.5 Billion in exit values to date. He was an early investor in and sat on the Board of Directors of LifeSize Communications (acquired by Logitech), Spatial Wireless (acquired by Alcatel-Lucent), Navini Networks (acquired by Cisco Systems), Mavenir Systems (NYSE:MVNR), Blacksand Semiconductors (acquired by Qualcomm) and Sipera Systems (acquired by Avaya Communications). Prior to joining Austin Ventures, he was with McKinsey & Co. serving clients in the enterprise systems and software markets. He started his professional career as a software developer and engineering lead at Mentor Graphics.
Venu received his MBA from the Harvard Graduate School of Business, MS in Computer Engineering from the University of Texas at Austin, and a BS in Electronics and Communications Engineering from Osmania University, India.
Venu is also a founding Board Member of Austin Speech Labs, a non-profit focused on providing affordable speech and cognitive therapy for stroke survivors.
Panel 3: Third-party AppSec: Dealing with Bugs, Bug Reports, and Third-party Code
HD Moore is Chief Research Officer for Rapid7. He is responsible for leading the company’s research into real-world threats and providing guidance on how to address them. In addition, he drives technical innovation across Rapid7's products and services, applying technology to the challenge of identifying and defending against current and emerging threats, as well as heading the development of experimental prototypes and free tools. He is the creator of Metasploit, the world's leading open source penetration testing framework, and remains deeply involved in Metasploit's evolution. He was named one of Business Insider magazine’s 50 most powerful people in technology.
Katie Moussouris is the Chief Policy Officer for HackerOne, a platform provider for coordinated vulnerability response and structured bounty programs. She is a noted authority on vulnerability disclosure and advises lawmakers, customers, and researchers to legitimize and promote security research and help make the internet safer for everyone. Katie’s earlier work at Microsoft encompassed industry-leading initiatives such as Microsoft's bounty programs and Microsoft Vulnerability Research. She is also a subject matter expert for the U.S. National Body of the International Standards Organization (ISO) in vulnerability disclosure (29147), vulnerability handling processes (30111), and secure development (27034). Katie is a visiting scholar with MIT Sloan School, doing research on the vulnerability economy and exploit market, and a New America Foundation Fellow. She is an ex-hacker, ex-Linux developer, and persistent disruptor.
Wendy Nather is Research Director at the Retail Cyber Intelligence Sharing Center (R-CISC), advancing the state of resources and knowledge to help organizations defend their infrastructure from attackers. She was previously Research Director of the Information Security Practice at independent analyst firm 451 Research. Wendy led IT security for the EMEA region of the investment banking division of Swiss Bank Corporation (now UBS), as well as for the Texas Education Agency. Wendy is co-author of The Cloud Security Rules, and was listed as one of SC Magazine's Women in IT Security "Power Players" in 2014.
Panel 4: Beyond Bugs: Embracing Security Features
Clare Nelson is CEO of ClearMark Consulting, where she specializes in multi-factor authentication (MFA). She has more than 30 years of experience in high tech. Her background includes working on encrypted TCP/IP variants for the NSA and a focus on mobile security. She has published journal articles on multi-factor authentication (MFA). In a recent assessment of more than 200 MFA vendors, she uncovered a number of suboptimal technology choices. She is a cofounder of C1ph3r_Qu33ns, and is active in the OWASP community. Clare has held executive positions at EMC, Dell, DEC, and Novell, as well as startups including TeaLeaf Technology. She has a degree in mathematics from Tufts University. Clare can be found on Twitter: @Safe_SaaS.
Robert Hansen is the Vice President of WhiteHat Labs at WhiteHat Security. Previously, he was the Chief Executive of SecTheory and Falling Rock Networks. Robert began his career in banner click fraud detection at ValueClick. He has worked for Cable & Wireless doing managed security services, and at eBay as a Senior Global Product Manager of Trust and Safety. Robert contributes to and sits on the boards of several startups. He co-authored XSS Attacks: Cross Site Scripting Exploits and Defenses and wrote the eBook Detecting Malice. Robert is a member of numerous nonprofits dedicated to helping organizations develop security best practices, including WASC, APWG, IACSP, and ISSA, and has contributed to several OWASP projects, including by originating the XSS Cheat Sheet. He is a mentor at TechStars Austin. His passion is breaking web technologies to make them better. Robert can be found on Twitter: @RSnake.
Caleb Queern is a Manager at KPMG Cyber. He is a web application security researcher and board member of the San Diego OWASP chapter. For just under a decade, Caleb worked in cyber intelligence at Cyveillance, where he served as the company's Chief Scientist. He recently joined KMPG's Cyber practice to assist organizations in applying appropriate information security measures to provide ongoing confidentiality, integrity, and availability of their most sensitive data. Caleb's goal is to help others quickly minimize the most cyber risk in a sustainable manner and at the right cost. Caleb received his bachelor’s degree in psychology from James Madison University and his MBA from San Diego State University. Caleb can be found on Twitter: @HttpSecHeaders.
-
Event Materials
FilePowerPoint slides (4.72 MB)