Technical & OWASP Application Security Tracks

T1 – Systematic Network Security Troubleshooting

Jason Woodson

Network security can involve a variety of complex technologies and disciplines, often managed by separate teams as well as third parties. Client-server traffic can be impacted at many points along the path and it’s not always obvious where to troubleshoot when there are problems. This talk presents a systematic approach to network security troubleshooting by utilizing logs, pcaps, the OSI model, and everyday tools to work through the stack in a deliberate fashion, narrowing down root causes quickly and accurately.


Jason Woodson is a network security engineer currently with NTT Security. Having spent the last 11 years in the MSSP space, he has faced network security challenges with enterprises around the world. He lives in Irondequoit, NY.

T2 – Problems With Elliptic Curves In TLS and SSH

Joe Testa

This presentation examines the elliptic curve parameters standardized by NIST in FIPS 186-2, which are suspected by some as being backdoored by the NSA. Despite their being first introduced over 17 years ago – these curve parameters remain highly prevalent, as they are central to both the TLS and SSH protocols. An overview of the history and process of their standardization will be covered, along with a discussion of the NSA’s other successful back doors in NIST’s standards (as revealed by Edward Snowden). Recent developments in new curve parameters will be shown, as will a practical guide aimed at systems administrators for disabling the suspicious curve parameters in TLS and SSH.


As a seasoned security consultant, Testa brings over 15 years of experience to the business. He specializes in penetration testing, server & network hardening, source code auditing, and social engineering. A strong supporter of open-source technology, he is the author and maintainer of both the BitClamp and SSH-MITM projects. In his spare time, he volunteers as a board member and as treasurer for BSides Rochester (a 501(c)(3) charity responsible for hosting an annual information security conference).

Prior to founding Positron Security, Testa excelled as a security researcher and vulnerability test programmer for Rapid7. He holds a Master of Science degree in Computer Security and Information Assurance from the Rochester Institute of Technology, along with a Bachelor of Science Degree in Psychology and Computer Science from the University of Maryland at College Park.

T3 – Providing Email Security On The Cheap

Chaim Sanders

Email has existed for over 35 years and yet security professionals are often unaware that new security controls are being standardized on a regular basis. In this presentation, we’ll go in-depth into the most commonly deployed standards in email security, including SPF, DKIM, and DMARC. These standards aim to reduce email security threats. While we’ve seen that the usage of these standards is encouraged, this doesn’t mean that they are easy to deploy, especially into existing environments. We’ll investigate the adoption rate for each of these across the internet as well as the process by which we deployed these standards into our environment; highlighting some of the lessons learned and some of the tooling we constructed to simplify our lives.


Chaim Sanders is the Security Lead at ZeroFOX, an organization devoted to social media security. He is also the project lead for the OWASP Core Rule Set (CRS) and a co-lead for OWASP Baltimore. Currently Chaim’s specialization centers around web application security. Chaim frequently shares his research at many conferences nationwide as well as through various blogs. Prior to his current employer, Chaim has worked for several governmental contractors, security research organizations, universities, and commercial contractors providing security driven consulting and development expertise. Chaim holds a Bachelor and a Master of Science in Information Security from the Rochester Institute of Technology (RIT), where he still lectures.

T4 – Responding to Cyber Attack at Machine Speed

Duncan Sparrell

Attackers, even script kiddies, are utilizing automation with adaptive tradecraft. To combat this we need standardization enabling more flexible and interoperable cyber defense components. OpenC2 standardizes machine-to-machine command & control (C2) to enable interoperability at machine speeds. This talk covers the problem OpenC2 is trying to solve, reviews the OpenC2 language, presents use cases, shows the economics that will drive adoption, reviews various open source implementations, and gives the current status on standardization. The talk will conclude with how OpenC2 will disrupt the marketplace and foster innovation – two aspects not normally associated with standardization.


Duncan Sparrell is a seasoned (aka old) software developer and network security evangelist. He graduated from RPI back when computers were the size of buildings and programmed with punch cards. After a 35-year career with AT&T, he is semi-retired and trying to give back to the community while pursuing his interests in cloud security, agile, secure software development, and erlang. Most of his cyber experience is blue team (defense) but he kick-started his cyber chops as part of a AFWIC cyber attack team during first Gulf War. Besides various certs (CSSIP, CSSLP, CCSK, PE), he was awarded the Intelligence Community Seal Medallion, and the AT&T Science and Technology Medal. twitter = @dsparrell, peerlyst = sFractal, github = sparrell.

T5 – Dodging a Bullet: Avoiding The New Security Issues In IPv6 DHCP

Joseph Mayes

For a decade or more, we’ve been told that the world must move from IPv4 to IPv6. Six years ago, the head of ICANN announced, “A pool of more than 4 billion Internet addresses has just been emptied this morning. The future of the Internet, and the innovation it fosters, lies with IPv6.”

If you’re questioning that statement, you’re behind the times.

Google reports more than 20% of users are accessing its sites using IPv6. Microsoft Windows has been preferring IPv6 , by default, for more than a decade. If you don’t understand how IPv6 operates, you risk having serious IT security gaps. This presentation will explore some of these security issues, and focus on how to securely establish and operate IPv6 DHCP for your network of tomorrow.


JOSEPH MAYES, B.S., M.Ed., is a member of the technical staff at Carnegie Mellon University’s Software Engineering Institute on the CERT Enterprise Workforce Development team. He has been an educator for more than 30 years in secondary, undergraduate, and graduate schools, and also as a commercial course instructor. He is a Microsoft Certified Trainer (MCT), a Cisco Certified Academy Instructor (CCAI) and Cisco Certified Systems Instructor (CCSI), and currently teaches graduate courses at Heinz College of Carnegie Mellon University.

Joseph has also been a network engineer and network security professional since 1990, both as a U.S. Army IT Sergeant Major and in civilian positions working with government and commercial network systems, including Critical Infrastructure and Key Resources (CIKR) systems. He has operated his own consulting and training business for more than 15 years. He holds more than 25 certifications in Microsoft systems, routing and switching, network security, wireless technologies, telephony and information assurance. He is a member of the IEEE, ISC2, and the ETA-I.

O1 – Beyond the Top 10

John N. King, Mary Beth King

Building secure applications begins with awareness and while the OWASP Top 10 is an excellent starting point, there are vulnerabilities that fall outside its scope. We will demonstrate and discuss the trust implications of third-party JavaScript, dig into the security implications of misconfigured session cookies and touch upon reasons that CORS is a particularly fickle technology to leverage securely. Our presentation will also incorporate some tools and techniques that are freely available and that can help development teams take greater ownership of their application security.


John brings more than a decade of experience in web application development. He has a keen interest in application security, enterprise software, and Agile product development. He serves as an Officer for the Rochester Chapters of ISSA and OWASP and has been a contributor to the Rochester Security Summit for the past five years. In 2017 he co-founded West Wind Security, a Rochester-based application security consultancy.
Mary Beth comes from a background in pedagogy, has experience in web development, and is an advocate for application security and privacy. She has been contributing to the Rochester Security Summit since 2014. Together, with her husband John, she co-founded West Wind Security in 2017.

— Schedule Change —

O2 – Do’s & Don’ts: Performing Effective Risk Assessments

Daniel Gibson

In today’s risky environment, it’s not if, but when. At some point, your organization will be the target of a cyberattack or the victim of cybercrime, insider misuse, fraud or theft. Understanding risk is the only way to build an effective security strategy while utilizing finite resources. We will also bring you back in time to World War II to study the successful and unsuccessful risk management strategies that have altered our history as we know it today. This presentation will cover the standards and compliance regulations from NIST to FISMA, HIPAA and PCI-DSS. Join GreyCastle Security as we demystify risk management 101 and provide attendees with practical tactics focused on risk mitigation.


Daniel Gibson (CISA, CISSP, MBA, M.S. Cybersecurity) is a senior security specialist at GreyCastle Security. Prior to joining GreyCastle, Daniel has served as the Director of Information Security for the Ayco Company, a Goldman Sachs Company, and in IT Advisory Services at Ernst & Young. Additionally, he has held roles managing information technology and security initiatives in various industries, including healthcare, finance and technology marketing.

His 10 plus years’ experience in IT and cybersecurity, includes extensive experience in risk assessment and management, incident response, HIPAA, ISO 27001/2, NIST 800-53, SOX, GLBA, vendor risk management, contracts, security awareness training, and leading comprehensive enterprise security programs.

O3 – How Billion Dollar Enterprises Manage Application Security at Scale

Altaz Valani

Security Compass completed a comprehensive research study by surveying companies across multiple industries with the goal of discovering how large, complex organizations address application security at scale. The majority of respondents were multinational organizations who reported annual earnings greater than $1 billion USD. Through this new research study, we have gleaned novel insights on how large organizations manage application security at scale. During this presentation we will reveal aggregated insights, industry trends, and best practices that illuminate how organizations are addressing application security at scale, so that you may apply and compare these learnings to the state of application security at your own organization.


Altaz Valani is the Director of Research at Security Compass responsible for managing the overall research vision and team. Prior to joining Security Compass, Altaz was a Senior Research Director in the Application Development Practice at Info-Tech Research Group providing IT managers, directors, and senior managers with guidance and analysis around application development, application rationalization, agile, cloud, mobile, and the SDLC. His other past positions include Senior Manager at KPMG, and various positions where he worked side by side with senior-level stakeholders to drive business value through software development.

O4 – Almost Intractable Application Security Problems… and Solutions

Danny Harris

There are many security challenges that face software development teams. When considered as a whole, these challenges can seem intractable. This talk discusses some of the common, recurring application security challenges encountered in a variety of organizations that develop different kinds of software. The good news is that despite the challenges, there are real, workable solutions. The challenges and solutions covered in this talk are approached from people, process, and technology perspectives. Topics are based on the presenter’s experience helping organizations in a variety of industries improve their application security programs and build secure software.


Danny Harris has been an information and application security practitioner for over 20 years. He is knowledgeable in all phases of the secure software development life cycle (SDLC) and is responsible for the creation and delivery of application security training and SDLC programs at Security Innovation. Previous teaching experience includes 7 years as an adjunct professor for the Computer Security and Forensic Investigation program at Wilbur Wright College and as a security instructor for the SANS Institute.

Topics of expertise include information security, security policy, metrics, application and network vulnerability assessments, real-time embedded systems programming, intrusion detection, and incident response.