Richmond, VA

May 30th - June 1st, 2013


Alex Hutton – Keynote Chris Wysopal – Keynote
Donald Allison Rockie Brockway
Colby Clark Gus Fritschie & Andrew Du
Adam Ely Dan Han
Dan Holden Itzik Kotler
Barry Kouns Brian Lockrey
Sean Mason Daniel Ramsbrock
Mike Shema Jericho
Ben Tomhave Schuyler Towne
Paul Watson

Alex Hutton

Director of Technology and Operations Risk Management
hutton-picAlex Hutton is a big fan of trying to understand security and risk through metrics and models. Currently, Alex is the Director of Technology and Operations Risk Management for a top 25 bank. A former principal for Research & Intelligence with the Verizon Business RISK Team, Alex also helped produce the Verizon Data Breach Investigation, the Verizon’s PCI Compliance report, was responsible for the VERIS data collection and analysis efforts, and developed information risk models for their Cybertrust services. Alex is the veteran of several security start-ups. Alex likes risk and security so much, he spends his spare time working on projects and writing about the subject. Some of that work includes contributions to the Cloud Security Alliance documents, the ISM3 security management standard, and work with the Open Group Security Forum. Alex is a founding member of the Society of Information Risk Analysts, and blogs for their website and records a podcast for the membership. He also blogs at the New School of Information Security Blog. Some of his earlier thoughts on risk can be found at the blog.

RVAsec 2013 Keynote

Chris Wysopal

CTO, Veracode

@weldpond /
wysopal-pic Veracode’s CTO and Co-Founder, Chris Wysopal, is responsible for the company’s software security analysis capabilities. In 2008 he was named one of InfoWorld’s Top 25 CTO’s and one of the 100 most influential people in IT by eWeek. One of the original vulnerability researchers and a member of L0pht Heavy Industries, he was one of the authors of L0phtCrack, the Windows password auditing program and the author of Netcat for Windows. Chris has testified on Capitol Hill in the US on the subjects of government computer security and how vulnerabilities are discovered in software. He is the author of “The Art of Software Security Testing” published by Addison-Wesley and has published several major security vulnerabilities in Lotus Notes, Microsoft Windows and Cold Fusion.

RVAsec 2013 Keynote

Donald Allison


Bio: Mr. Allison brings more than 25 years of experience in computer forensic investigations, incident response, critical information management, and network and software security. He manages complex international forensic and incident response investigations involving intellectual property. He performs forensic examination of digital evidence for use in civil, regulatory, bankruptcy, and criminal matters involving the theft of proprietary information and intellectual property, spoliation, securities fraud, and defense contracting abuse. He is an invited speaker and author for the Senior International Judiciary members of the World Jurist Association.

Significant cases include:

• High profile Payment Card Industry data breaches.
• Multiple Political figures in the Executive Office and Congress.
• Multiple Fortune 50 companies investigating C-Level Officers.
• Material Support of Terrorism, Espionage and Terrorist Cases.
• US Olympic Committee.
• Multiple unauthorized entries into Energy Company computer networks.
• Asian Royal Family members.

Title: Observations on the (Mostly) Inadvertent Effect of Data Management on International Cybercrime Investigations

Data management or lack thereof, has an effect on International cybercrime investigations. A little planning may help your company and protect your data.

Rockie Brockway

Security Practice Director, Black Box Network Services
@rockiebrockway /

Bio: Rockie Brockway serves Black Box as the Security Practice Director. With over two decades of experience designing, building and managing systems and networks; auditing and enforcing network security and policy; testing and assessing vulnerabilities and threats; and analyzing business impact and risk, Rockie teams with clients to understand the value and location of business critical data.

Rockie specializes in Information Security Risk Management and the inherent relationship between assets, systems, business process, and function. He offers perspectives on how adversaries may find value in that data and then highlights the business impact and ramifications of the theft, disruption, and/or destruction of that information.

Title: Business Adaptation or: How I Learned to Stop Worrying and Love the Internet’s Unclean Conflicts

The US historically has much experience in “unclean conflicts”. The fall of the USSR led to an international arrogance that has filtered into our business DNA. Our global innovators are losing their ground (which directly affects our national economy) due to Moore’s Law and the fact that it is now harder to keep secrets for extended periods of time. This talk dives into these issues and challenges people to think outside the box to develop strategic plans based on the inherent security of natural adaptation.

Colby Clark

Director of Incident Management, FishNet Security

Bio: Colby Clark, co-author of Hacking Exposed Linux, is Director of Incident Management for FishNet Security, where he leads an elite team of incident responders and manages all aspects of global incident response endeavors.

As a senior professional in the information security, computer forensic and regulatory compliance fields, Mr. Clark, has performed investigative, consulting services, designed software packages and methodologies for use in the two largest players in the computer forensic software space – Guidance Software and AccessData.

With over 12 years of information security experience, he has helped Fortune 500 companies and public and private entities in the areas of law, financial services, education, telecommunications and other sectors. His expertise is in regulatory compliance consulting and auditing (e.g., Sarbanes-Oxley and FTC Consent Orders), security consulting, business continuity, disaster recovery, incident response and computer forensic investigations.

Mr. Clark earned a bachelor’s degree in business administration from the University of Southern California and maintains QSA, EnCE, CISSP, OPSA, CISA and CISM certifications. He has taught advanced computer forensic and incident response techniques at the Computer and Enterprise Investigations Conference (CEIC). Mr. Clark also is a developer of the Open Source Security Testing Methodology Manual (OSSTMM) and has been with the Institute of Security and Open Methodologies (ISECOM) since 2003.

Title: The Digital Battlefield

The Digital Battlefield is an up to date presentation involving current cyber threats affecting information security and everyone with a need to protect it. The presentation also includes FishNet Security’s observations from the front lines and effective methods involved in combating cyber threats.

Gus Fritschie & Andrew Du

Gus Fritschie, CTO, SeNet International
@gfritschie /

Bio: Gus Fritschie is an information security professional living in Washington, D.C. He is the Chief Technology Officer at SeNet International ( Gus has experience leading and performing numerous vulnerability assessments and penetration tests in support of financial audits, FISMA, and other compliance-related efforts. Clients included Fortune 500 companies, civilian agencies, and the Department of Defense (DOD). Projects included enterprise-wide vulnerability assessments for multiple government and commercial clients, management of the certification and accreditation (C&A) efforts, and Web application penetration tests.

Andrew Du is a member of a commercial organization that hosts multiple government applications. He is a developer by training who was moved over the security team to help coordinate security efforts between security and development.

Title: How to defend against FISMA

There are many talks on how to protect against SQL injection, implementing wireless IDS, and mobile threats. However, one of the biggest threats facing an organization is FISMA and the current C&A process. This presentation will discuss how a commercial organization that hosts government systems had to make sacrifices in order to comply with NIST controls that do little to enhance the security posture of the systems. Andrew will give the perspective from the security operation staff on what steps had to be taken to comply with some of the standards. He will also show how certain controls were implemented according to NIST guidelines but were still vulnerable to real attacks. He will then show how his organization implemented security controls above and beyond FISMA that add real value to the organization. Gus will give the perspective from a company that performs C&A assessments. He will provide real examples (redacted) that show FISMA’s shortcomings and provide recommendation on how the process could be improved.

Adam Ely

Chief Something or Other, Bluebox
@adamely /

Bio: Adam Ely is the Founder and COO of Bluebox. Prior to this role, Adam was the CISO of the Heroku business unit at Salesforce where he was responsible for application security, security operations, compliance, and external security relations. Prior to Salesforce, Adam led security and compliance at TiVo and held various security leadership roles within The Walt Disney Company where he was responsible for security operations and application security of Walt Disney web properties including,, and

Title: BYOD: Risks, Maturity, and Solutions

BYOD has blown open the corporate walls similar to the adoption cloud services. Enterprises are allowing any device, including laptops, and hoping they can manage the issues that come along with a mix of employee owned, corporate owned, and consumer grade devices. In this ever changing world, we need to understand the risks, legal ramifications, and solutions to solving our problems.

Dan Han

Information Security Officer, Virginia Commonwealth University

Bio: Dan is the Information Security Officer for Virginia Commonwealth University. He has 12 years of experience working in various roles within IT. He spent majority of his career working in the higher education and healthcare sector, and have been working in the information security field for nearly 10 years. He specializes in information security management and IT management, and holds a MS and MBA in addition to a number of industry recognized certificates.

Title: SIEM implementation: What to expect

This talk will explore the experience of SIEM implementation from the perspective of one Higher Education institution, and provide information on actual costs, benefit, drawbacks, considerations, and the “gotchas” of the implementation. Further, the talk will discuss possible short term implementation processes and long term management strategies for organizations.

Dan Holden

Director, ASERT, Arbor Networks
@desmondholden /

Bio: Dan Holden is the Director of ASERT, Arbor’s Security Engineering and Response Team, where he leads one of the most well respected security research organizations in the industry. His teams oversee the ATLAS global security intelligence database, and are responsible for threat landscape monitoring and Internet security research including the reverse engineering of malicious code. Dan also oversees the development and delivery of security content and countermeasures for Arbor’s industry leading DDoS technologies via the ATLAS Threat Feed (ATF) and the ATLAS Intelligence Feed (AIF) threat detection services.

Prior to Arbor, Dan was director of HP TippingPoint’s DVLabs and a founding member of IBM/ISS X-Force. While at HP TippingPoint, Dan grew the DVLab’s organization into a mature security research and development team delivering security content, intelligence portals, and reputation technology as well as overseeing both the Zero Day Initiative (ZDI) program and Pwn2Own vulnerability contest. Dan also helped build and define X-Force over the course of 12 years in various capacities ranging from development to product management. Dan has been in the security industry spanning two decades specializing in vulnerability analysis, security research, and technology incubation. Dan is a frequent speaker at major industry conferences and has been quoted and featured in many top publications, radio and television.

Title: DDoS & Modern Threat Motives

In the past fifteen years, we’ve gone from dial-up Internet to massive high bandwidth pipes that have connected and even flattened the world. Along with this growth and new infrastructure the threats have also matured going from Web defacement and take downs to cybercrime, cyber warfare, intellectual theft, and infrastructure attacks. In many ways, the Internet has become the network and availability its lifeblood. Availability is as critical to an organization today as electricity. If an organization is taken offline, they can lose the ability to generate revenue from their customers, or the ability to access cloud based data and applications. This talk will focus on the growth of the Internet, computing infrastructure, how these technologies have flattened the world and changed geo-political interaction, and how traditional defences have come about and are now bypassed. The other important aspect covered will be the multitude of motives and different attack scenarios from advanced threats, hacktivism, competitive take-outs, cyber-crime and cyber warfare.

Itzik Kotler

Independent Consultant
@itzikkotler /

Bio: Itzik Kotler has been doing Information Security for well over 12 years and is currently an independent consultant. Before that, he was the Chief Technology Officer at Security Art.
Previously, Itzik was the Security Operation Center Team Leader at Radware and the Lead Security Researcher at Safend. Itzik speaks regularly at Blackhat, DefCon, RSA and other conferences. Additionally, he founded and organizes the Tel-Aviv DefCon (DC9723) meetup group, and is a member of the Standards Institution of Israel (SII) Committee on Information Security.

Title: Hack Like It’s 2013

Try to imagine, if you will, the amount of time and effort it would take you to write a bug-free script or application that will accept a URL, port scan it, and for each HTTP service that it will find — it will create a new thread and perform a black box penetration testing while impersonating an iPad.

While you’re thinking, here’s how you would have done it in Hackersh:

“http://localhost” \
-> url \
-> nmap \
-> browse(ua=”Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X; en-us) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3″) \
-> w3af

Meet Hackersh, a new, free and open source cross-platform shell (command interpreter) with built-in security commands and Pythonect-like syntax.
This talk will introduce Hackersh, the automation gap it fills, and its features. Demonstrations and scripts are included to showcase concepts and ideas.

Barry Kouns

CEO, Risk Based Security

Bio: Barry is the CEO and President of Risk Based Security, Inc., focusing on leading the company’s growth through technology innovation, customer focus and best in class quality services. His 25 years of demonstrated success in growing information security and professional services businesses includes launching an ISO/IEC 27001:2005 consulting practice, establishing a professional recruiting division and creating an information security consulting practice for a leading financial institution while improving productivity and profitability. Barry holds a B.S. in Statistics from Virginia Tech, an M.S. in Industrial Engineering from NDSU and he has earned the CISSP designation. Barry is an ISO 27001 Trained Auditor & ISMS Implementer and is ITIL Foundation Certified.

Title: Risk Assessment – The Heart of Information Security

Risk assessment, we have all heard the words and often times use them ourselves, but what is a risk assessment and why is it so important? Too many businesses think that completing a risk assessment is such a difficult and complicated process that it can only be done by third party consultants at great expense. As a result risk assessments are not conducted or conducted once and promptly stored away to show to auditors. Risk assessments are essential in order to assure that the expenditures involved in the implementation of security controls are commensurate with the risks facing the organization. Attend this interactive session to explore the definitions, methodologies, structure and the results of a proper risk assessment that can be produced by your organization.

Brian Lockrey


Bio: Brian Lockrey is a college professor of Computer Security and Computer
Forensics. Brian has over 30 years of experience with Information Technology and has been using and managing Internet services since 1990
while working for major government defense contractor at the time.

Brian is the Executive Director of the International Association of Digital Forensics Investigators. He is passionate in sharing his expertise in Internet Security, Social Media, IT best practices and incident reporting.

He often consults with educators, law enforcement and business managers and provides professional seminars on a variety of Digital Forensics topics.

Brian has presented at a broad variety of conferences including
Computer Hacker’s Forensics Investigators, WordPress, TechColumbus,
DECUS, Podcamp Ohio, CIOhio, Rotary, American Management Association
and American Marketing Association.

Brian’s much sought work has also been published in several journals and

Brian earned his A.S. degree from Florida Institute of Technology,
his B.S. degree from the University of Toledo, and his M.S. degree in Computer Science from the Ohio State University.

Brian is a Certified Computer Forensics Examiner and is a member of several
Information Security organizations and civic organizations.

Title: Social Media Digital Forensics

With the advent of social media, mobile devices, digital photography and media sharing sites becoming critical data repositories, digital forensics investigators are now faced with new challenges when looking for artifacts.

This presentation will cover the tools and techniques for collecting artifacts from social media networks and other devices.

Sean Mason

Director of Incident Response, GE

Bio: Sean Mason is an IT Leader and industry veteran who currently holds the position of Director, Incident Response for General Electric where he is responsible for the global Detection & Response operations for the Fortune 5, 300k+ employee company. After serving his commitment to the US Air Force, Sean has spent his career with Fortune 500 companies (GE, Harris, and Monsanto) where he has worked in a variety of verticals, to include software development, auditing and information security. Sean served as the Defense Industrial Base representative for Harris Corporation from 2009-2011, where he first learned the term “Advanced Persistent Threat”, ultimately helping to rearchitect the entire security posture for the Fortune 500 company to include building out its Incident Response and Security Operations Center. Prior to his current position, Sean led the Incident Response organization for GE’s Aviation & Energy businesses (140k+ employees, $63B in revenue). Sean also serves as a Subject Matter Expert for ISC2, helping to design credentials’ common body of knowledge and exam questions. Sean received his BS in MIS from McKendree University and his MBA from Webster University; he also holds many industry certifications to include the CISSP, CISM, CISA, ISSMP, CSSLP, and PMP.

Title: A Day in the Life of an Incident Responder at a Fortune 5

Incident Response is regarded by many to be a black box, mythical art, full of voodoo and mystery- this talk will seek to change that preconception and educate the audience on what really goes on behind the mystical curtain. “A Day in the Life of an Incident Responder for a Fortune 5″ will discuss the many key elements that go into running a World Class, global Incident Response Team and provide lessons that audience members can immediately put to work in their organizations. Additionally, the high level process of Detection, Collection, Analysis and Response- based on a foundation of Cyber Intelligence- will be discussed and its influence into the organizational design, role and responsibility make-up and day-to-day operations will be explored. Lessons learned from both building out an IRT as well as those learned from sustaining an IRT will also be shared, to include emphasizing critical touch points between other organizations within the company.

Daniel Ramsbrock

Security Consultant, Cigital, Inc.

Bio: Daniel has been writing software and hacking applications for over ten years. He believes that getting security right during development is a crucial step towards making our software and networks more reliable and secure. Daniel is a consultant for Cigital, one of the leaders in the software security space. He works with a variety of clients from many different sectors, including financial services, telecommunications, energy/smart grid, and medical technologies. His client projects typically involve network and application penetration testing, source code review, architectural risk analysis, and security policy reviews.

Title: Web Application Vulnerabilities and Solutions

You’ve been hearing about many of the common web application vulnerabilities for a while, but what about actually solving the problem? We will look at many of the common security issues, such as CSRF, XSS, SQL injection, and some of their lesser-known relatives. Instead of spending most of our time describing the problem and the countless ways your website could be compromised, I will focus on sample code in several common languages that gets it right and addresses these issues.

Mike Shema

Director of Engineering Qualys, Inc.
@CodexWebSecurum /

Bio: Mike Shema is Director of Engineering at Qualys, where he writes software to test the security of web sites. When not writing in C++ he turns to books and blog posts to share his knowledge of information security, from network penetration testing to wireless hacking to secure programming. He has taught hacking classes and presented research at security conferences around the world.

Title: JavaScript Security & HTML5

Modern web apps that leverage HTML5 APIs rely heavily on JavaScript. But the mixture of JavaScript, poor programming, and insecure server-side code makes the web an Orwellian place where “JavaScript is Harmless”.

HTML5 introduces security controls like sandboxes, Cross Origin Resource Sharing (CORS) and Content Security Policy (CSP). Each of these contribute to a more secure browsing experience, but only if implemented properly — and only against the flaws they were designed to mitigate.

If you’ve been confused whether HTML5 improves security or not, this presentation will clarify what to expect from web apps. It lists the steps necessary to improve your site’s JavaScript and prepare it for a smooth transition to better security with CSP, with demonstrations on why the effort to refactor your code is worth taking. It covers the risks and benefits associated with other HTML5 APIs and how they impact the user agent and user’s privacy. Finally, it highlights areas where browser security still lags, and offers some suggestions for new techniques to improve browser security against more than just XSS.


@attritionorg /

Bio: Brian Martin has been studying, collecting, and cataloging vulnerabilities for 15 years, personally and professionally. Starting with a personal collection organized in the FILES.BBS format and ultimately becoming the Content Manager of the Open Source Vulnerability Database (OSVDB), he has pushed for the evolution of VDBs for years. Brian has been involved in all aspects of the vulnerability disclosure process, including finding new vulnerabilities, writing advisories, coordinating disclosure, and working with a variety of organizations to improve vulnerability handling and response. Additionally, Brian is on the CVE Editorial Board and remains a champion of small misunderstood creatures.

Title: Our Straw House: Vulnerabilities

Ben Tomhave


Bio:Ben Tomhave, MS, CISSP, is an independent consultant, distinguished author, and public speaker. He currently serves on the board of the Society of Information Risk Analysts board and as co-chair of the ABA InfoSec Committee. He is also a member of ISSA and the IEEE Computer Society, and earned a MS in Engineering Management from The George Washington University with an InfoSec Management concentration.

Title: Interesting Times: Will Business Survive?

We’ve come a long way since that first packet was transmitted in 1969. Apple released the game-changing iPhone in 2007, preceded by the first mobile malware outbreak (2001 – DoCoMo) and the first mobile worm (2005 – Commwarrior-A). IDS, firewalls, anti-virus, and PKI all date to the 1980s, followed by SSL in 1994 and DLP and ASLR in 2001. The world is changing faster than we can keep pace, with attackers adapting faster than defenders, amplifying the asymmetric threat. These are, indeed, interesting times. The question is no longer how to win, but how to survive in the ever-changing risk landscape.

Schuyler Towne

Research Scholar, Ronin Institute
@shoebox /

Bio: Schuyler Towne is obsessed with locks. While he got his start picking locks competitively, his interest has since exploded into every aspect of their history, design and manipulation. He’s taught hackers, authors, cops and even toy designers. There is nothing Schuyler loves more than to talk locks with anyone who will listen. His interests in the history of physical security and design of locks provides a passionate background to his lectures and workshops on lockpicking. Currently he is attempting to recover lock patents lost in the 1836 patent office fire.

Title: Vulnerability Research Circa 1851

We’ve lost a few things in the last 16 decades, but in particular, the open nature of vulnerability research that prevailed in the middle of the 19th century. In this talk we’ll look back to how locks were designed and publicly tested from the landmark attacks of Hobbs against Bramah and Chubb, to the efforts of a forgetten engineer to responsibly disclose vulnerabilities in the top American lock of the time. We’ll then observe how physical security disappeared from the public eye and public research became villainized and how all of that led to the American residential security market remaining absolutely unchanged and incredibly insecure for 150 years.


Paul Watson

Infosec Apostle, Google

Bio: Paul Watson is currently employed as an network security engineer with Google. He has over 20 years of experience in the information technology area, including 18 years focused on information security. During his career, he has presided over 3 start-ups, as well as having been employed by such distinguished organizations as the U.S. Air Force, Iridium LLC, CapitalOne Financial, VeriSign, Rockwell, and Google.

Watson has accumulated a wide area of technical expertise throughout his career and has authored and presented several talks, papers, and training classes on information security topics. Watson is a co-recipient of the MIT Brunnell award for macro engineering for efforts on the development of the U.S. Air Force Command Tactical Information System, the Smithsonian science award for his work with the Iridium project, as well as a 2010 Google Founders award.

Title: Cross-Platform Network Access Control

Discussion of Capirca, an open-sourced multi-platform Network ACL generation system. This talk will discuss the history of Capirca, originating as an internal Google project through its current form and use in the open-source community. Attendees will gain an understand of how to use the system to simplify and improve the efficiency and reliability of network security management. A significant portion of time will also be dedicated to an overview of how the software and libraries work internally, including how to develop new modules and contribute to the open source effort.