Skip to main content

The University of Texas at Austin's AT&T Conference Center
1900 University Ave. Austin TX 78705

Directions & Nearby

Event Description

The FTC’s second “Start With Security” event will take place on November 5, 2015, in Austin, Texas, and will be co-sponsored by the University of Texas Robert S. Strauss Center and the Center for Identity.  

This one-day conference will continue the FTC’s work to provide companies with practical tips and strategies for implementing effective data security. Aimed at start-ups and developers, this event will bring together experts to provide information on security by design, common security vulnerabilities, strategies for secure development, and vulnerability response. "Start with Security" will run from 9:30 AM to 4:00 PM. 

  • 8:30 am Doors Open

    9:30 am

    Professor Robert Chesney
    Director, Robert Strauss Center for International Security and Law University of Texas

    Introductory Remarks
    Dama Brown
    Regional Director, Southwest Region, Federal Trade Commission

    Opening Remarks
    Terrell McSweeny
    Commissioner, Federal Trade Commission

    10:00 am

    Panel 1: Starting up Security: Building a Security Culture

    How can startups build a culture of security? Examining some of the most common design flaws and vulnerabilities found in applications today, this panel will explore how startups can model these threats, train their developers in secure coding practices, and use secure frameworks to help minimize their application security debt.


    • Laura Riposo VanDruff
      Division of Privacy and Identity Protection, FTC


    • Christophe Borg
      Vice President of Engineering Operations
    • Alan Daines
      Chief Information Security Officer

    • Josh Sokol
      Information Security Owner
      National Instruments
    11:00 am Break
    11:15 am

    Panel 2: Scaling Security: Adapting Security Testing for DevOps and Hyper-growth

    How can startups test and review their applications for security when they are experiencing exponential user growth, hiring new engineers at a rapid clip, and shipping code on a weekly, daily, or even hourly basis? This panel will discuss how security testing can be automated and adapted for a world of continuous delivery in a high-growth startup environment.


    • Laura Berger
      Division of Privacy and Identity Protection, FTC


    • Matt Johansen
      Director of Security
      Honest Dollar

    • Matt Tesauro
      Senior Software Security Engineer

    • James Wickett
      Engineer of Awesome
      Signal Sciences Corp
    12:15 pm Lunch Break

    1:10 pm

    Investing in Security: Fireside Chat with Co-founder of LiveOak Venture Partners Venu Shamapant


    • Commissioner Terrell McSweeny
    1:30 pm

    Panel 3: Third-party AppSec: Dealing with Bugs, Bug Reports, and Third-party Code

    Out of the gate, third parties have big implications for startups’ security: Applications are comprised of third-party components; third-party services provide critical functionality; and before long, third-party researchers come calling with vulnerability reports about your own code. This panel will address how startups can manage risks from third-party code and services, and harness the security community’s work to improve their secure development lifecycle.


    • Jarad Brown
      Division of Privacy and Identity Protection, FTC


    • HD Moore
      Chief Research Officer

    • Katie Moussouris
      Chief Policy Officer

    • Wendy Nather
      Research Director
      Retail Cyber Intelligence Sharing Center
    2:30 pm Break
    2:50 pm

    Panel 4: Beyond Bugs: Embracing Security Features

    How can startups go beyond bug hunting to implementing security features? This panel will consider how startups can overcome development challenges, such as impacts on performance, to embrace security features — like site-wide SSL/TLS, Content Security Policy, and multifactor authentication — that can protect consumers from threats proactively and help eliminate entire classes of vulnerabilities.


    • Katherine McCarron
      Division of Privacy and Identity Protection, FTC


    • Robert Hansen
      Vice President of WhiteHat Labs
      WhiteHat Security

    • Clare Nelson
      ClearMark Consulting

    • Caleb Queern
      KPMG Cyber

    3:50 pm

    Concluding Remarks


  • Panel 1: Starting up Security: Building a Security Culture

    Christophe Borg is Vice President of Engineering Operations at RetailMeNot, Inc. He brings 15 years of broad operational and industry experience as an executive of growing technology companies. A veteran of the high tech industry, Christophe specializes in understanding and forecasting technology trends for real-world applications and translating those market requirements into engineering product. Prior to RetailMeNot, Christophe was founder and CEO of BorgSolutions, Inc., a leading provider of fleet maintenance management software. In this role, Christophe led development of the company's operations software. He continues to serve as the company's chairman.

    Alan Daines is Dell’s Chief Information Security Officer and Executive Director of the company’s Compliance and Information Security organization. Alan and his team manage risk, maintain compliance, and secure the enterprise environment. Alan has been with Dell since 1999 and has over 20 years of experience in IT Security and Infrastructure roles. Previously, he was the company’s Director for IT Security Engineering, Operations & Identity Management. He has worked on many facets of information security, including incident management, forensics, compliance, policy risk, identity management, vulnerability management, and security infrastructure. Alan has also led several infrastructure practice areas at the company, including IT outsourcing, engineering, IT architecture, support and program/project management. Alan was born and educated in the United Kingdom. He currently is based in Dell’s headquarters in Round Rock, Texas.

    Josh Sokol is the Information Security Program Owner at National Instruments. In his current role, Josh manages all compliance, security architecture, risk management, and vulnerability management activities for NI. Previously, he worked for several large companies, including AMD and BearingPoint, and as a military contractor. Josh is the founder and creator of the free and open source risk management tool, SimpleRisk. He currently serves on the OWASP Global Board of Directors. Josh graduated from the University of Texas at Austin, with a BS in Computer Science.

    Panel 2: Scaling Security: Adapting Security Testing for DevOps and Hyper-growth

    Matt Johansen is the Director of Security at Honest Dollar, an Austin financial tech startup, where he is charged with building an information security program from the ground up. Previously, he was the Director of Services and Research at WhiteHat Security, where he oversaw product development, and a Senior Manager for WhiteHat’s Threat Research Center, where he built and managed a team working to prevent website security attacks. In an earlier role, Matt was an Application Security Engineer at WhiteHat, overseeing and assessing security for more than 35,000 web applications for WhiteHat’s clients, including many Fortune 500 companies across a range of technologies. 

    Matt Tesauro is a Senior Software Security Engineer at Pearson. Previously, he was a Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor in the University of Texas Computer Science department, teaching the next generation of computer scientists about Application Security. Matt has spent 15 years specializing in application and cloud security. His work has included security consulting, penetration testing, threat modeling, and code reviews. He also has extensive experience teaching and providing training, including at the University of Texas, Texas A&M University, and numerous industry events. He is a former board member of the OWASP Foundation and project lead for the OWASP AppSec Pipeline & Web Testing Environment project, a collection of application security testing tools. He holds two degrees from Texas A&M University.

    James Wickett is Engineer of Awesome at Signal Sciences. He is a leader in the DevOps and InfoSec communities and a supporter of the Rugged Software movement. He coined the term “Rugged DevOps” and founded an open source project, Gauntlt, to serve as a Rugged Testing Framework. He is the author of Hands-on Gauntlt: Security Testing for Developers. He also created and founded the Lonestar Application Security Conference, the largest annual security conference in Austin. He is a chapter leader for OWASP Austin and serves on the Global Information Assurance Certification (GIAC) Advisory Board. James got his start in technology when he founded a Web startup as a college student. Since then, James has worked in environments ranging from large, web-scale enterprises to small, rapid-growth startups.

    Investing in Security: Fireside Chat with LiveOak Venture Partners co-Founder Venu Shamapant

    Venu Shamapant is a co-founder of LiveOak Venture Partners, an Austin, TX based early stage venture capital firm that focuses on technology and technology driven services companies based in Texas and the Southwest. At LiveOak, Venu focuses on investments across a wide variety of sectors including Software, Security and Tech-enabled services. His current investments include Veros Systems, NSS Labs, InforcePro, Capsenta and InfoCyte.

    Prior to LiveOak, Venu was a General Partner at Austin Ventures where he invested in over ten companies producing more than $1.5 Billion in exit values to date. He was an early investor in and sat on the Board of Directors of LifeSize Communications (acquired by Logitech), Spatial Wireless (acquired by Alcatel-Lucent), Navini Networks (acquired by Cisco Systems), Mavenir Systems (NYSE:MVNR), Blacksand Semiconductors (acquired by Qualcomm) and Sipera Systems (acquired by Avaya Communications). Prior to joining Austin Ventures, he was with McKinsey & Co. serving clients in the enterprise systems and software markets. He started his professional career as a software developer and engineering lead at Mentor Graphics.

    Venu received his MBA from the Harvard Graduate School of Business, MS in Computer Engineering from the University of Texas at Austin, and a BS in Electronics and Communications Engineering from Osmania University, India.

    Venu is also a founding Board Member of Austin Speech Labs, a non-profit focused on providing affordable speech and cognitive therapy for stroke survivors.

    Panel 3: Third-party AppSec: Dealing with Bugs, Bug Reports, and Third-party Code

    HD Moore is Chief Research Officer for Rapid7. He is responsible for leading the company’s research into real-world threats and providing guidance on how to address them. In addition, he drives technical innovation across Rapid7's products and services, applying technology to the challenge of identifying and defending against current and emerging threats, as well as heading the development of experimental prototypes and free tools. He is the creator of Metasploit, the world's leading open source penetration testing framework, and remains deeply involved in Metasploit's evolution. He was named one of Business Insider magazine’s 50 most powerful people in technology.

    Katie Moussouris is the Chief Policy Officer for HackerOne, a platform provider for coordinated vulnerability response and structured bounty programs. She is a noted authority on vulnerability disclosure and advises lawmakers, customers, and researchers to legitimize and promote security research and help make the internet safer for everyone. Katie’s earlier work at Microsoft encompassed industry-leading initiatives such as Microsoft's bounty programs and Microsoft Vulnerability Research. She is also a subject matter expert for the U.S. National Body of the International Standards Organization (ISO) in vulnerability disclosure (29147), vulnerability handling processes (30111), and secure development (27034). Katie is a visiting scholar with MIT Sloan School, doing research on the vulnerability economy and exploit market, and a New America Foundation Fellow. She is an ex-hacker, ex-Linux developer, and persistent disruptor.

    Wendy Nather is Research Director at the Retail Cyber Intelligence Sharing Center (R-CISC), advancing the state of resources and knowledge to help organizations defend their infrastructure from attackers. She was previously Research Director of the Information Security Practice at independent analyst firm 451 Research. Wendy led IT security for the EMEA region of the investment banking division of Swiss Bank Corporation (now UBS), as well as for the Texas Education Agency. Wendy is co-author of The Cloud Security Rules, and was listed as one of SC Magazine's Women in IT Security "Power Players" in 2014.

    Panel 4: Beyond Bugs: Embracing Security Features

    Clare Nelson is CEO of ClearMark Consulting, where she specializes in multi-factor authentication (MFA). She has more than 30 years of experience in high tech. Her background includes working on encrypted TCP/IP variants for the NSA and a focus on mobile security. She has published journal articles on multi-factor authentication (MFA). In a recent assessment of more than 200 MFA vendors, she uncovered a number of suboptimal technology choices. She is a cofounder of C1ph3r_Qu33ns, and is active in the OWASP community. Clare has held executive positions at EMC, Dell, DEC, and Novell, as well as startups including TeaLeaf Technology. She has a degree in mathematics from Tufts University. Clare can be found on Twitter: @Safe_SaaS.

    Robert Hansen is the Vice President of WhiteHat Labs at WhiteHat Security. Previously, he was the Chief Executive of SecTheory and Falling Rock Networks. Robert began his career in banner click fraud detection at ValueClick. He has worked for Cable & Wireless doing managed security services, and at eBay as a Senior Global Product Manager of Trust and Safety. Robert contributes to and sits on the boards of several startups. He co-authored XSS Attacks: Cross Site Scripting Exploits and Defenses and wrote the eBook Detecting Malice. Robert is a member of numerous nonprofits dedicated to helping organizations develop security best practices, including WASC, APWG, IACSP, and ISSA, and has contributed to several OWASP projects, including by originating the XSS Cheat Sheet. He is a mentor at TechStars Austin. His passion is breaking web technologies to make them better. Robert can be found on Twitter: @RSnake.

    Caleb Queern is a Manager at KPMG Cyber. He is a web application security researcher and board member of the San Diego OWASP chapter. For just under a decade, Caleb worked in cyber intelligence at Cyveillance, where he served as the company's Chief Scientist. He recently joined KMPG's Cyber practice to assist organizations in applying appropriate information security measures to provide ongoing confidentiality, integrity, and availability of their most sensitive data. Caleb's goal is to help others quickly minimize the most cyber risk in a sustainable manner and at the right cost. Caleb received his bachelor’s degree in psychology from James Madison University and his MBA from San Diego State University. Caleb can be found on Twitter: @HttpSecHeaders.

FTC Privacy Policy

Under the Freedom of Information Act (“FOIA”) or other laws, we may be required to disclose to outside organizations the information you provide when you pre-register. The Commission will consider all timely and responsive public comments, whether filed in paper or electronic form, and as a matter of discretion, we make every effort to remove home contact information for individuals from the public comments before posting them on the FTC website.

The FTC Act and other laws we administer permit the collection of your pre-registration contact information and the comments you file to consider and use in this proceeding as appropriate.  Under the Freedom of Information Act or other laws, we may be required to disclose to outside organizations the information you provide when you pre-register.  For additional information, including routine uses permitted by the Privacy Act, see the Commission’s Privacy Act system for public records and comprehensive privacy policy.

This event will be open to the public and may be photographed, videotaped, webcast, or otherwise recorded.  By participating in this event, you are agreeing that your image — and anything you say or submit — may be posted indefinitely at or on one of the Commission's publicly available social media sites.