The Rochester OWASP Chapter has partnered with the Rochester Security Summit to bring a full day of application security-focused speakers and material. Presentations will explore the security needs and challenges faced in creating and maintaining applications. The target audience includes developers, testers, DevOps admins, penetration testers and IT managers.

O1 – Introduction to Application Security and OWASP Top 10 Risks, Part 1 of 2

Ralph Durkee

Application Security is really hot and very much in demand. Find out why it’s so hot and get an in-depth introduction to application security and 6 of the OWASP Top 10 Application Risks. Ralph will discuss the how-to of the exploits and defenses for:

A2 – Broken Authentication and Session Management
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A9 – Using Components with Known Vulnerabilities

Come to learn and come with questions!


Ralph Durkee is the principal security consultant and owner of Durkee Consulting, Inc since 1996. Ralph started the OWASP Rochester, NY chapter in 2004 and served as founding officer and president for the Rochester ISSA chapter and the annual Rochester Security Summit. He routinely performs network and application penetration tests, software security assessments and secure software development consultations for clients. His expertise in advanced penetration testing, incident handling, secure software development and secure Internet and web applications is based on over 30 years of hands-on technical experience. He has developed and taught a wide variety of professional security seminars including custom web application security training, and SANS SEC401 & SEC504 – Hacker Techniques and Incident Handling and CISSP bootcamp courses since 2004. Ralph also regularly consults on the development and implementation of a wide variety of security standards such as web application security, database encryption, Windows, and Linux security. Ralph also has done security consulting for compliance with the Payment Card Industry Data Security Standard, and holds the following certifications CISSP, C|EH, CRISC, GSEC, GCIH, GSNA, GCIA, GPEN and GXPN.

O2 – Introduction to Application Security and OWASP Top 10 Risks, Part 2 of 2

John King

Want to learn more about the security challenges developers face? This session will provide easy to understand, demo-driven examples of four common application vulnerabilities. You’ll see the attack in action, learn how the attack works, learn how it can be prevented, and watch a successful defensive counter.

This session will be covering the following components of the OWASP Top 10:

A1 – Injection
A3 – Cross-Site Scripting (XSS)
A8 – Cross-Site Request Forgery (CSRF)
A10 – Unvalidated Redirects and Forwards

The source code used in the demo is freely available and uses a Java/JEE stack.


John is an experienced developer with a special focus on application security, enterprise software, and Agile product development. He’s a Senior Web Programmer / Analyst for RIT, an Officer of the Rochester Chapters of ISSA and OWASP, and has been a contributor to the Rochester Security Summit for the past four years.

O3 – Common Developer Crypto Mistakes

Kevin W. Wall

During the past 6 years, Kevin has examined how cryptography has been used, in close to 200 different projects from a security risk perspective. This includes 85+ design reviews and more than 100 secure code reviews (mostly Java with some C/C++ and C# thrown in for good measure) performed for two different companies; involving proprietary company code, proprietary vendor code reviewed under NDAs, as well as some FOSS code. This talk explores the most commonly observed applied cryptography mistakes made by developers during that 6 year window and briefly describes how to correct and avoid them.


Kevin Wall has been involved in application security for the past 15+ years, but still considers himself a developer first, and an appsec engineer second. During most of those 15+ years, Kevin has specialized in applied cryptography and web appsec. Before transitioning to appsec, Kevin spent 17 years at (now Nokia, then AT&T) Bell Labs, leaving there as a DMTS in 1996 to become an independent consultant in C++ and Java. Kevin became involved in the OWASP Enterprise Security API (ESAPI) project in early fall of 2009, and after redesigning and rewriting all the symmetric cryptography related classes, he somehow found himself “elected” as co-project lead of ESAPI in 2011. Kevin also spent from 2000-2007 as an adjunct faculty member on the Franklin University CS staff where he taught Distributed Operating Systems and Computer Security. Kevin has been working on the Wells Fargo Secure Code Review team for just over of 3 years; he figures it is about as close to code as any company will let him get, which is why he stays active in the development of ESAPI. When Kevin is not around code, he waxes eloquently on 3-4 page tl;dr discourses which he posts to various mailing lists or he hangs out with other “dinosaur” friends at local watering holes discussing appsec, coding, sports, and quantum physics.

O4 – #DevOpsSec – Killing the Buzz?

Jason Ross

The DevOps movement continues to grow, and it is beginning to move out of small startup, and into large enterprise. DevOps and Agile development bring a lot to the table, but are often viewed as coming at the expense of security. This presentation explores ways to integrate security into DevOps environments: identifying the benefits of doing so, outlining potential problems, and attempting to provide solutions to them. Ultimately, the talk hopes to provide practical guidance and tools that can be used as a base to improve security throughout the stack.


Jason Ross is a Senior Consultant with NCC Group, a global information assurance specialist providing organizations with expert security consulting services, working primarily from Rochester, NY. He has developed and delivered training tools and programs on topics such as advanced mobile penetration testing, android forensics techniques, and enterprise-level malware analysis. Jason has spoken at many regional conferences across the United States, as well as at major security conferences including Blackhat DC, BSides Las Vegas, DerbyCon, and DEF CON Skytalks.

O5 – Web Application Firewall Evaluation with DevOps, SDLC and the New OWASP Core Rule Set

Chaim Sanders

Although Web Application Firewalls (WAFs) are recognized as an effective aspect of an in depth defense strategy, there are few tools that attempt to objectively review their effectiveness. Research companies like NSS or Gartner perform benchmarks of WAFs, but their methodologies are rarely disclosed. With the advent of site reliability and devops cultures, infrastructure as code has been a strategy to verify functionality of products. This talk brings that same mentality to WAFs; not only do we verify WAF functionality within deployments, but we also provide a method to verify WAF defenses against new exploits and attacks.


Chaim Sanders is a Security Researcher on Trustwave’s SpiderLabs research team where he focuses on web application security research. Chaim has a versatile background in many areas of security ranging from signals emanation research to secure software development lifecycles. Currently, he is focused on web application security research as well as development and support of both the ModSecurity web application firewall and the OWASP Core Rule Set (CRS) projects.

Mr. Sanders frequently shares his research at many conferences nationwide and on the SpiderLabs Blog. Prior to his current employer, Chaim has worked for several governmental and commercial contractors providing security driven consulting and development expertise. Chaim
holds a Bachelor’s and Master’s of Science in Information Security from the Rochester Institute of Technology (RIT), where he still lectures.