Hackers & Security Experts Descend on Minneapolis

by Peter Beacom

The Open Web Application Security Project held its AppSec USA conference last week, drawing over 600 attendees from around the world to the Minneapolis Convention Center to discuss the security considerations of living “your life in the cloud”.

Envisioned and organized by MPLS chapter president Adam Baso and Lorna Alamri, the conference consisted of two days of training, followed by two days of talks by international information security experts, hackers, and academics. There were also a handful dozen vendors on display such as Minneapolis-based security analysis and penetration testing firm NetSPI.

From the Beginning

A keynote was delivered by Mark Curphey, who founded OWASP ten years ago and is currently employed by Microsoft. He gave a brief history of OWASP and its “creation to counter fear, uncertainty, and doubt in the information security space.” He also recognized some of the many contributors who have built OWASP into the preeminent source for web application security knowledge over the past decade.

Curphey concluded his talk with his vision for the future of OWASP and stressed the importance of free and open source software as a model for trusted participation in the security space.

Diversity in AppSec

Tokuji Akamine and Takeshi Suzuki are two professional penetration testers from Tokyo who work for Rakuten, the parent company of buy.com. Christophe Veltsos is an associate professor at Mankato State who teaches information security and information warfare classes and was a presenter at RSA 2010. Keynoter Mark Curphey is originally from England.

These people, nearly all speakers, and a vast majority of conference attendees are male. To address that situation, the conference organizers introduced the ‘Women in AppSec’ program this year to encourage women to pursue careers in information security.

Two female university students were awarded travel, hotel, and conference passes as part of the program. Additionally, women with letters of recommendation regarding their interest in information security were able to attend the conference for free. The program targets women working or pursuing education in IT, but not yet actively involved in security.

The Wells Fargo Foundation provided $4k seed funding for the Women in AppSec program.

One recipient of a free conference pass is Katie Stanton, employed at General Mills and currently working on the company’s rollout of SAP throughout Asia. She is encouraged by the increasing number of people showing an interest in security, which she credits to the fact that security is one of “the most interesting landscapes in IT”.

After watching Android and iPhone hacking demonstrations by the Spider Labs team, she noted, “it’s amazing how much damage someone can cause in just 30 minutes.”

University Challenge

AppSec USA also held its first ‘University Challenge’ this year. The competition consisted of both attack and defense scenarios. The defense portion of the competition was won by the team from Dakota State University.

The attack portion, which required exploiting cross-site scripting (XSS) vulnerabilities, SQL injection vulnerabilities, and finding system components still using default passwords, was won by the team from Saint Cloud State University.

The Saint Cloud team, which was also the winner overall, was led by Professor Tirthankar Ghosh and consisted of seven students. Team member George Massawe said that what he got out of the competition, aside from the two security books he was awarded, was a conviction that, “everyone in IT should get more involved in security.”

Fellow team member Matthew Sitko enjoyed “the chance to apply knowledge outside of class”, as well as learning, “a few new tricks and lots of knowledge from the pros.”

The Saint Cloud State team had previously won the Collegiate Cyber Defense Competition; the University of Minnesota and University of Saint Thomas were conspicuously absent from the competition.

Growing awareness

The AppSec events organized by OWASP continue to gain international popularity. For example, an Israeli chapter recently held an event that drew over 350 attendees, and a major conference is planned in Greece for 2012.

For developers who can’t make it to a conference, the vast majority of security knowledge across many popular development technologies, as well as videos of talks from the conferences, will be available on the OWASP website.

Mark Curphey estimates that one trillion lines of code have been written so far by about fifteen million developers since the dawn of the computer. With that much code in existence in need of security, and with its importance to human quality of life continuously increasing, let’s hope that attendance continues to grow at AppSec events.


  • Beckie Mossman

    You should have included Lorna Alamri with Adam Baso. Adam and team would agree this conference wouldn't have happened without Lorna. I recall the day she had the vision to bring AppSecUSA to the Twin Cities. Her contributions to AppSec, OWASP and the Minneapolis/St Paul information security are tremendous and greatly appreciated. Adam Baso was also instrumental in planning and running the event. It was great to have a conference of this stature here in the Twin Cities, great thanks to the whole team!

  • http://twitter.com/PeterBeacom Peter Beacom

    Neglecting to include Lorna Alamri's contributions in the original article was a mistake. She was key to organizing the Mark Curphey keynote, Women in AppSec, and the University Challenge. I regret the omission.
