Featured Session
AUTH-005 - Mark Russinovich: Zero Day: A Novel
Thursday, March 1, 3:00 PM, Room 134
Mark Russinovich, Technical Fellow, Microsoft Windows Azure Group
If you are looking to join Microsoft at the RSA conference this year, there are a number of ways you can do so. The full list of sessions is below. Don’t forget that you can also join us at the Microsoft booth (#1616) where there are a number of demo pods and a theatre.
SEM-002 - Improving Application Security Seminar (Full Day - Delegates only)
Monday, February 27, 8:30 AM, Room 305
Speaker(s) Kathy Kriese, Principal Product Manager, Symantec Corporation
Jacob West, Director, Security Research Group, HP
Chris Eng, Vice President of Research, Veracode, Inc.
Brad Arkin, Senior Director, Product Security & Privacy, Adobe
Alexander Hoole, Principal Security Researcher, Fortify Software, an HP company
Brian Hope, Principal Consultant, Cigital, Inc.
Katie Moussouris, Senior Security Strategist Lead, Microsoft
Abstract: Building security into applications is a much less expensive proposition than trying to add security later in the software development lifecycle. Through demonstration and lecture, participants will learn about a broad variety of security issues as well as prevention techniques/countermeasures.
KEY-102 - TwC for our Computing-centric Society
Tuesday, February 28, 8:50 AM, Moscone North Hall D
Abstract: In the ten years since Microsoft announced the creation of its Trustworthy Computing (TwC) initiative, much has changed: society has become far more dependent on information systems; those attacking networks have become more persistent and determined; and new concerns about supply chain and cyber warfare are now frequently discussed in national capitols. Additionally, users are moving to the cloud, ushering in the era of big data. Scott Charney will talk about how these factors are affecting the future of TwC.
ASEC-106 - Making Sense of Software Security Advice: Best vs. Practiced Practices
Tuesday, February 28, 1:10 PM, Room 302
Moderator Reeny Sondhi, Director, Product Security, EMC Corporation
Panelist(s) Gary McGraw, Chief Technology Officer, Cigital, Inc.
Kyle Randolph, Senior Manager, Security & Privacy, Adobe
Gary Phillips, Senior Director, R&D, Symantec Corporation
David Ladd, Principal Security Program Manager, Microsoft
Abstract: There’s no shortage of software security advice out there. How do you make sense of it and apply it to your work? Organizations such as SAFECode promote software security best practices. Others like BSIMM won’t tell you what you should do; but rather what others are doing. This session will cut through the noise and demonstrate how to find and use the right advice to achieve real-world success.
HT1-108 - Vulnerability Panel: Is it ZERO Day or ZERO Care?
Tuesday, February 28, 3:50 PM, Room 102
Moderator Jake Kouns, Chief Executive Officer, Open Security Foundation, Director, Cyber Security and Technology Risks Underwriting at Markel Corporation
Panelist(s) Steve Christey, Principal Information Security Engineer, MITRE
Dan Holden, Director, HP DVLabs, HP
Carsten Eiram, Chief Security Specialist, Secunia
Abstract: Vulnerability Databases have provided information about security vulnerabilities for over 10 years. This enables analysis on trends and changes in the security industry. This session will examine vulnerability information over the past several years with an emphasis on understanding security researchers, quality of research, vendors, disclosure trends and the value of security vulnerabilities.
TECH-108 - Targeted Exploits & Spear Phishing – Will it be the Demise of Trusted Email?
Tuesday, February 28, 3:50 PM, Room 307
Moderator Craig Spiezle, Executive Director, Founder & President, OTA Alliance
Panelist(s) John Scarrow, General Manager of Safety Services at Microsoft, Microsoft
Andy Steingruebl, Manager of Internet Standards & Governance, PayPal, Inc.
Mike Hammer, Web Operations Security, American Greetings Interactive
Abstract: Email continues to be the attack vector of choice by cybercriminals. This session will review how email authentication and the use of IETF standards (SPF and DKIM) can aid the enterprise in detecting forged email and help protect business and government data. Speakers will review recent research revealing adoption in various industries compiled by the Online Trust Alliance.
ASEC-201 - War Stories: The Good, Bad and the Ugly of Application Security Programs
Wednesday, February 29, 8:00 AM, Room 302
Moderator Chenxi Wang, Vice President & Principal Analyst, Forrester
Panelist(s) Doug Cavit, Principal Security Strategist, Trustworthy Computing, Microsoft
James Routh, Managing Director & Global Head of Application, Internet and Mobile Security, JPMorgan Chase & Co.
Abstract: Despite the increasing awareness that vulnerabilities at the application level are behind some of the most dangerous attacks, application security remains a small and largely untapped market. This panel will address critical questions regarding application security technologies and the nuances of building an effective app sec program.
STAR-201 - Application Access Control - Taming the Wild West
Wednesday, February 29, 8:00 AM, Room 304
Moderator Eric Green, EVP, Business Development, Mobile Active Defense
Panelist(s) Ward Spangenberg, Director of Security Operations, Zynga Game Network
Mike Convertino, Director, Network Security, Microsoft
Matthew Dosmann, Emerging Technologies Team Chief, U.S. Army
Elias Manousos, Chief Executive Officer, RiskIQ
Abstract: It’s been said that app stores are the number one malware delivery mechanism ever created by mankind. So even if you want to stick your head in the ground and believe apps are being code reviewed properly first time around, surely you don’t believe they go through the same testing for new versions. So how do you protect your mobile enterprise from rogue apps? The answer can only be – In real time!
SPO1-203 - Compliance, Audits and Fire Drills: In the Way of Real Security?
Wednesday, February 29, 10:40 AM, Room 120
Speaker(s) John Howie, Senior Director of Technical Security Services, Microsoft
Mark Estberg, Senior Director, Microsoft
Abstract: Meeting compliance obligations, passing audits, and dealing with incidents real or perceived can all distract a security organization from its core mission – maintaining the security and privacy of data and assets. In this session, hear how one large cloud provider ensures these distractions do not get in the way of the goals of information security.
HT1-301 - Code Red to Zbot: 10 Years of Tech, Researchers and Threat Evolution
Thursday, March 1, 8:00 AM, Room 102
Speaker(s) Tim Rains, Director, Microsoft
Jeffrey Jones, Director, Microsoft
Abstract: Windows XP just recently reached end of life. Bill Gates’ TwC is now ten years old. The threat landscape has constantly evolved in dramatic and unexpected ways, changing the character of Internet risk completely. Using data from millions of computers and online services, this session will provide a unique retrospective on how computing has changed over the past 10 years.
DAS-301 - Always-On SSL: A Necessity to Deal with an Inconvenient Truth
Thursday, March 1, 8:00 AM, Room 301
Panelist(s) Quentin Liu, Senior Director Engineering, Symantec Corporation
Alex Rice, Product Security, Facebook
John Scarrow, General Manager of Safety Services at Microsoft, Microsoft
Abstract: A growing number of high-profile account hijacking attacks on prominent websites have highlighted that while we routinely employ countermeasures to deal with sophisticated attacks, most organizations don’t provide end-to-end encryption when transmitting confidential data of people using their web sites. We will explore why there is technical inertia and the call to action by the industry leaders.
ASEC-301 - What Motivated My Company to Invest in a Secure Development Program?
Thursday, March 1, 8:00 AM, Room 302
Moderator Brad Arkin, Senior Director, Product Security & Privacy, Adobe
Panelist(s) Gunter Bitz, Head of Product Security Governance, SAP AG
Steven Lipner, Senior Director of Security Engineering Strategy, Microsoft
Janne Uusilehto, Director, Head of Nokia Product Security, Nokia
Abstract: Behind every company that has a significant emphasis on secure software development lies a great story on how it all got started. Come hear the real-world war stories of what put five major software producing organizations on the road to security salvation. You'll laugh, you'll cry and you'll learn some tricks that may prove useful in your own environment.
MBS-303 - BYOD: Securing Mobile Devices You Don’t Own
Thursday, March 1, 10:40 AM, Room 305
Moderator Kevin Mahaffey, Chief Technology Officer, Lookout
Panelist(s) Mike Convertino, Director, Network Security, Microsoft
Alex Stamos, Founding Partner of iSEC Partners, iSEC Partners
Jeff Moss, Founder & Director, Blackhat
William Boni, Corporate Information Security Officer, T-Mobile USA
Abstract: As billions of people around the world use their phones as PCs, hackers are paying attention. In the workplace, personally owned phones and tablets are rapidly becoming the norm, making the tightly-managed PC obsolete. In this panel we'll discuss issues affecting devices now and in the future as well as what security professionals can do to stay on top in this rapidly changing environment.
ASEC-304 - Privacy by Design: Baking Privacy into Business and Product Development
Thursday, March 1, 1:00 PM, Room 302
Speaker(s) Brendon Lynch, Chief Privacy Officer, Microsoft
Trevor Hughes, President & Chief Executive Officer, IAPP
Abstract: The Federal Trade Commission, European Commission and data protection officials in Canada have all called on companies to build Privacy by Design (PbD) into the corporate policies and the software development lifecycle. Learn how leading companies are implementing PbD within their organizations and the benefits this approach provides.
GRC-304 - Collective Defense: How the Defenders Can Play to Win
Thursday, March 1, 1:00 PM, Room 309
Speaker(s) Maarten Van Horenbeeck, Senior Program Manager Lead, Microsoft
Abstract: Modern software security response is complex, requiring defenders from across industries to collaborate. Critics, though, claim the offensive side is better coordinated, and “winning.” This talk shows how Microsoft has taken deliberate action to make collaboration among industry and government leaders a core part of its security response process. We’ll demonstrate how defenders are playing to win.
AUTH-005 - Mark Russinovich: Zero Day: A Novel
Thursday, March 1, 3:00 PM, Room 134
Speaker(s) Mark Russinovich, Technical Fellow, Microsoft Windows Azure Group
Abstract: An airliner’s controls abruptly fail mid-flight over the Atlantic. An oil tanker runs aground in Japan when its navigational system suddenly stops dead. Hospitals everywhere have to abandon their computer databases when patients die after being administered incorrect dosages of their medicine. In the Midwest, a nuclear power plant nearly becomes the next Chernobyl when its cooling systems malfunction. At first, these random computer failures seem like unrelated events. But Jeff Aiken, a former government analyst who quit in disgust after witnessing the gross errors that led up to 9/11, thinks otherwise. Jeff fears a more serious attack targeting the United States computer infrastructure is already under way. And as other menacing computer malfunctions pop up around the world, some with deadly results, he realizes that there isn’t much time if he hopes to prevent an international catastrophe. Written by a global authority on cyber security, Zero Day presents a chilling “what if” scenario that, in a world completely reliant on technology, is more than possible today: it’s a cataclysmic disaster just waiting to happen.
HT2-403 - Evil Through the Lens of Web Logs
Friday, March 2, 11:20 AM, Room 104
Speaker(s) Russ McRee, Manager, Security Incident Management & Pentesting Services, Microsoft
Abstract: Web logs can be analyzed with specific attention to Internet Background Radiation (IBR). Two bands of the IBR spectrum include scanning and misconfiguration where details about attacker and victim patterns are readily available. Via web application specific examples this discussion will analyze attacks exhibiting traits, trends, and tendencies from the attacker and victim perspectives.