Wednesday, April 4, 2012
7:30AM – 8:50AM Registration
8:50AM – 9:00AM Welcome and Opening Remarks
9:00AM – 10:00AM Keynote: Dan Geer
10:00AM – 10:45AM OWASP Board
10:45AM – 11:00AM Coffee Break


Tracks (talks below are listed in this column order): Offense & Tools (Room 201), Case Studies (Room 202A), IoMT (Room 202B), Interrogate! (Room 206)

11:00AM – 11:50AM
  DOMJacking – Attack, Exploit and Defense (Shreeraj Shah)
  The Unfortunate Reality of Insecure Libraries (Jeff Williams and Arshan Dabirsiaghi)
  Python Basics for Web App Pentesters – Part 2 (Justin Searle)
  Integrating Application Security into your Lifecycle and (Jim Manico)
11:50AM – 12:00PM Coffee Break
12:00PM – 12:50PM
  Attacking CAPTCHAs for Fun and Profit (Gursev Singh Kalra)
  Case Study: How New Software Assurance Policy Reduces Risk and Costs (Rob Roy and John Keane)
  Security is Dead. Long Live Rugged DevOps: IT at Ludicrous (Joshua Corman)
12:50PM – 2:30PM No-Host Lunch
2:30PM – 3:20PM
  Hacking .NET(C#) Applications: The Black Arts (Jon McCoy)
  Security at scale: Web application security in a continuous deployment environment (Zane Lackey)
  The “Easy” Button for Your Web Application Security Career (Salvador Grec)
  Risk Analysis and Measurement with CWRAF (Joe Jarzombek, Bob Martin, Walter Houser and Tom Brennan)
3:20PM – 3:30PM Coffee Break
3:30PM – 4:20PM
  OWASP Broken Web Applications (OWASP BWA) 1.0 Release (Chuck Willis)
  Security Is Like An Onion, That’s Why It Makes You Cry (Michele Chubirka)
  Anatomy of a Logic Flaw (Charles Henderson and David Byrne)
4:20PM – 4:30PM Coffee Break
4:30PM – 5:20PM
  New and Improved Hacking Oracle from Web (Sumit Siddharth)
  State of Web Security (Robert Rowley)
  Old Webshells, New Tricks — How Persistent Threats have revived an old idea, and how you can detect them. (Ryan Kazanciyan)
  Fed Panel
5:20PM – 5:30PM Coffee Break
5:30PM – 6:20PM
  Unraveling some of the Mysteries around DOM-based XSS (Dave Wichers)
  2012 Global Security Report (Tom Brennan and Nick Percoco)
  Survivable Software for Cyber-Physical Systems (Karen Mercedes Goertzel)
6:20PM Networking Opportunity sponsored by


Thursday, April 5, 2012
Tracks (talks below are listed in this column order): Critical Infrastructure (Room 201), Defend! (Room 202A), On the Go (Room 202B), SDLC (Room 206)

7:30AM – 9:00AM Registration
9:00AM – 9:50AM
  Pentesting Smart Grid Web Apps (Justin Searle)
  Friends don’t let friends store passwords in source code (Neil Matatall)
  Smart Bombs: Mobile Vulnerability and Exploitation (Kevin Johnson, John Sawyer and Tom Eston)
  Overcoming the Quality vs. Quantity Problem in Software Security Testing (Rafal Los)
  Web Application Defense with Bayesian Attack Analysis (Ryan Barnett)
9:50AM – 10:00AM Coffee Break
10:00AM – 10:50AM
  Vulnerabilities in Industrial Control Systems (ICS-CERT)
  Access Control (Jim Manico)
  Software Security Goes Mobile (Jacob West)
  Baking In Security, Sweet, Secure, Cupcakes (Ken Johnson and Matt Ahrens)
10:50AM – 11:00AM Coffee Break
11:00AM – 11:50AM
  AMI Security (John Sawyer and Don Weber)
  SharePoint Security 101 (Rob Rachwald)
  Behind Enemy Lines – Practical & Triage Approaches to Mobile Security Abroad – 2012 Edition (Justin Morehouse)
  Understanding IAST – More Context, Better Analysis (Jeff Williams)
11:50AM – 1:30PM No-Host Lunch
1:30PM – 2:20PM
  Project Basecamp: News from Camp 4 (Reid Wightman)
  Enterprise Security API (ESAPI) for C Plus Plus (Dan Amodio)
  Whack-a-Mobile II: Mobile App Pen Testing with the MobiSec Live Environment (Kevin Johnson and Tony Delagrange)
  Proactive risk mitigation within the Software Development Lifecycle (SDLC) (Joe White)
2:30PM – 2:30PM Coffee Break
2:30PM – 3:20PM
  Real world backdoors on industrial devices (Ruben Santamarta)
  Dynamic DAST/WAF Integration (Ryan Barnett)
  An In-Depth Introduction to the Android Permissions Model, and How to Secure Multi-Component Applications (Jeff Six)
  Teaching an Old Dog New Tricks: Securing Development with (Joe Hemler)
3:20PM – 3:30PM Coffee Break
3:30PM – 4:20PM
  Denial of Surface. (Eireann Leverett)
  Cloud-based dWAF: A Real World Deployment Case Study (Alexander Meisel)
  Android in the Healthcare Workplace: A Case Study (Thomas Richards)
  What can an Acquirer do to prevent developers from making dangerous software errors? (Michele Moss and Don Davidson)
4:20PM – 4:30PM Coffee Break
4:30PM – 5:20PM
  Securing Critical Infrastructure (Francis Cianfrocca)
  Using PHPIDS to Understand Attack Trends (Salvador Grec)
  Mobile Application Security – Who, how and why (Mike Park and Charles Henderson)
  Private Information Protection in Cloud Computing – Laws, Compliance and Cloud Security Misconceptions (Mikhail Utin and Daniil Utin)
5:20PM Closing Remarks