Skip to main content

The University of Washington School of Law
4293 Memorial Way NE Seattle WA 98195

Directions & Nearby
William H. Gates Hall, Room 133

Event Description

The FTC’s third “Start With Security” event will take place on February 9, 2016, in Seattle, Washington, and will be co-sponsored by the University of Washington Tech Policy Lab, the University of Washington School of Law Technology Law & Public Policy Clinic, and CoMotion at the University of Washington.

This one-day event will continue the FTC’s work to provide companies with practical tips and strategies for implementing effective data security. This event will bring together experts to provide insights on how startups and other small companies can secure the software and products they develop, and how important it is to do so. FTC Commissioner Julie Brill will kick things off with opening remarks.

The event is free and open to the public. Lunch is provided. Pre-registration is not required, but the University of Washington invites you to pre-register to assist with event planning.

This event will be webcast. You can also view the PowerPoint slides [PDF].

  • 8:30 am

    Doors Open

    9:30 am

    Introductory Remarks
    Charles Harwood
    Regional Director, Northwest Region, Federal Trade Commission

    Opening Remarks
    Julie Brill
    Commissioner, Federal Trade Commission

    10:00 am

    Panel 1: Building a Security Culture

    How can startups build a culture of security? This panel will explore how startups can jumpstart security in their organization, and why they should, including how to get organizational buy-in for security, train developers to code securely, use basic threat modeling to identify security threats, and more.


    • Miry Kim
      Division of Privacy and Identity Protection, FTC


    • Peter Oehlert
      Director of Product Security
    • Adam Shostack
      CEO and Founder
      Stealth Startup
    • Matt Thomlinson
      Vice President of Cloud and Enterprise Security
    • Tarah Wheeler Van Vlack
      CEO and Co-Founder

    11:00 am

    11:15 am

    Panel 2: Integrating Security into the Development Pipeline

    How can startups effectively integrate security testing and review into their development processes when they may be hiring new engineers at a rapid clip, experiencing exponential user growth, and shipping code frequently? This panel will discuss how security testing can be automated and adapted in startup environments.


    • Jim Trilling
      Division of Privacy and Identity Protection, FTC


    • Julian Dunn
      Product Manager
    • John Heasman
      Senior Director of Software Security
    • Patrick Lamphere
      Director of Security and Compliance

    12:15 pm

    Lunch Break

    1:00 pm

    Lunch Presentation: Avoiding Catastrophe: An Introduction to OWASP Proactive Controls

    Ian Gorrie
    Principal Consultant
    Locked Networks
    Chapter Leader
    Open Web Application Security Project (OWASP), Seattle Chapter

    1:30 pm

    Panel 3: The Business Case for Security

    How can startups determine the importance of security to their bottom line? Building security in up front may help startups avoid significant costs: Venture capital investors may emphasize security in funding decisions; customers may demand contractual security requirements; potential acquirers may evaluate a startup’s security posture; and startups may incur fatal damage to reputation and monetary costs from a security incident. This panel will discuss the importance of security from the investor, customer, and potential acquirer standpoints.


    • Aaron Alva
      Office of Technology Research and Investigation, FTC


    • Saira Nayak
      Chief Privacy Officer
    • Mike Simon
      Chief Information Security Officer
      Creation Logic, LLC
    • Aravind Swaminathan
      Orrick, Herrington & Sutcliffe LLP

    2:30 pm

    2:50 pm

    Panel 4: Securing the Internet of Things

    Connected devices present new security challenges and expanded attack surfaces. How can startups secure their IoT products and services in a rapidly developing ecosystem? This panel will address how IoT startups can identify and manage critical risks in their businesses and plan for the unique challenges they face.


    • Jarad Brown
      Division of Privacy and Identity Protection, FTC


    • Tadayoshi Kohno
      Short-Dooley Professor of Computer Science and Engineering
      University of Washington
    • Shwetak Patel
      WRF Endowed Professor of Computer Science and Engineering and Electrical Engineering
      University of Washington
      Chief Scientist
      Belkin Inc.
    • Arjmand Samuel
      Principal Program Manager
      Windows Azure Internet of Things Team
    • Lorie Wigle
      General Manager, IoT Security

    3:50 pm

    Concluding Remarks


  • Panel 1: Building a Security Culture

    Peter Oehlert is the Director of Product Security at Facebook. Peter has more than fifteen years of experience in application security and development. He spent seven years at Microsoft, during the time in which Microsoft embraced Trustworthy Computing and learned how to build software security at scale. He later worked for a startup as a developer and for security consulting companies, including iSEC Partners. At iSEC, Peter worked across industries with companies large and small, helping them understand and mitigate technical risks. Peter has a special interest in static and dynamic analysis techniques, and he wrote some of the seminal work in fuzzing as that technique dawned.

    Adam Shostack is a technologist, entrepreneur, author and game designer. He is a member of the BlackHat Review Board, and helped found the CVE. He is currently building his fifth startup, focused on improving security effectiveness. Previously, at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3, and created the “Elevation of Privilege” game. Adam is the author of “Threat Modeling: Designing for Security,” and the co-author of “The New School of Information Security.”

    Matt Thomlinson is the Vice President of Cloud and Enterprise Security at Microsoft. Matt leads the organization responsible for Microsoft’s security response, innovative security protections and attack detection, fundamental Azure datacenter security services, and security analytics, as well as cyber threat intelligence that powers defenses for Microsoft and its products and services. During his two decades at Microsoft, Matt has led many security engineering efforts such as delivering security features into Windows, developer tools, O365, and Azure. In 2003, he directed the creation of Windows XP Service Pack 2. He is former Chairman and 5-year board member of NIST’s Information Security & Privacy Advisory Board (ISPAB). Matt has been recognized as a 2014 Federal 100 winner for his work to secure the US federal government, and a 2015 Computerworld Premier 100 IT Leader. Matt is an inventor/co-inventor on 20+ patents on technologies. Matt holds both master’s and bachelor’s degrees in Electrical Engineering from the University of Washington.

    Tarah Wheeler Van Vlack is co-founder and CEO of Fizzmint, an end-to-end employee management company, and the lead author of the book “Women In Tech,” coming March 29th, 2016. She has led projects at Microsoft Game Studios (Halo and Lips), architected systems at Silent Circle, and holds master and developer certifications in agile development through the Scrum Alliance. She founded Red Queen Technologies, LLC (web development), Infosec Unlocked (initiative to add diversity in Infosec conference speakers), the Women In Tech Council (to increase women’s participation in tech conference speaking), and Hack The People Foundation (nonprofit mentorship initiative focused on underprivileged people in technology). Tarah holds an MS from Portland State University and a BA from Carroll College.

    Panel 2: Integrating Security into the Development Pipeline

    Julian Dunn is a product manager at Chef, a company that provides tools for system and application configuration management. He previously led Chef’s field solutions engineering team and worked on the company’s professional services team. Prior to working at Chef, he was a senior systems engineer at SecondMarket, a New York-based alternative markets startup that is now part of NASDAQ Private Market. He has more than fifteen years of systems administration, product development, and engineering management experience at outfits large and small in diverse sectors such as advertising, broadcasting, Internet security, and video hardware. He is a graduate of the University of Toronto and attended City University of New York.

    John Heasman is Senior Director of Software Security at DocuSign, a company that provides electronic signature technology and digital transaction management services. In this role, he supervises key tenets of the SDL: threat modeling, code review, and security training for developers. Prior to joining DocuSign, John spent a decade on the other side of the fence as a lead penetration tester with the NCC Group, consulting to blue chip software vendors and financial institutions. During this time he also co-authored The Database Hacker’s Handbook and The Shellcoder’s Handbook and published ground-breaking research into firmware and kernel-level malware persistence. John has previously spoken at Black Hat, Defcon, CEIC and other security conferences; he holds a master’s degree in Engineering and Computing from Oxford University.

    Patrick Lamphere is Director of Security and Compliance at Socrata, a company that leads open data initiatives worldwide to enable government clients to make data publicly accessible and usable. In that role, he is working as a change agent to build an efficient and effective security and compliance team. He has experience working in information security for companies, ranging from startups to Fortune 10 companies, and for large and small governments. He has deep knowledge of global security and privacy laws and regulations, as well as hands-on experience building and running a team that successfully hunted for advanced persistent threat actors (APTs) at Microsoft. He graduated from Central Washington University.

    Lunch Presentation: Avoiding Catastrophe: An Introduction to OWASP Proactive Controls

    Ian Gorrie is the principal consultant at Locked Networks. He has been providing security consulting for eighteen years, leading projects at all levels of engagement including deeply technical implementations, risk management and strategy, improving security programs, and supporting policy. Ian has provided security consulting to organizations including Palo Alto Networks, Fannie Mae, and Microsoft. He began his career working for web startups and internet service providers. Ian is a chapter leader for the Seattle chapter of the Open Web Application Security Project (OWASP), and is a former director of the Seattle chapter of the Information Systems Security Association (ISSA).

    Panel 3: The Business Case for Security

    Saira Nayak is Chief Privacy Officer at TUNE, a SAAS-based platform that provides solutions for mobile and performance marketers. Previously, she was Director of Policy at TRUSTe, where she helped define the company’s external policy platform while advocating the TRUSTe position with industry, regulators, and other stakeholders. Before joining TRUSTe, Saira was Principal at Nayak Strategies, where she advised digital era companies on privacy and data security compliance under international, U.S. and state laws. She has also worked in-house at the Microsoft Corporation, practiced antitrust and consumer protection law at Dickstein Shapiro (Washington, DC), and served as Antitrust Counsel for the National Association of Attorneys General (NAAG).

    Mike Simon is the Chief Information Security Officer and Chief Technical Officer of Creation Logic. From 1993 to the present, Mike has been building security awareness and improving the security posture for hundreds of companies as Chief Scientist for his own consulting firms. Mike is an adjunct faculty member for the University of Washington and occasionally lectures at Seattle University and the University of Idaho. He sits on the advisory boards for the University of Washington Information School’s Information Assurance certificate program and the University of Idaho’s Computer Science Department. Mike began working in computer security and policy development in 1985 at the University of Idaho, building the network laboratory infrastructure used for the research programs and teaching senior and graduate courses in networking and network topology. He earned a BS in Computer Science from the University of Idaho.

    Aravind Swaminathan is a partner at Orrick, Herrington & Sutcliffe and a global co-chair of the firm’s Cybersecurity & Data Privacy practice. Aravind is a former federal prosecutor and trial lawyer with extensive experience in cybersecurity and data breaches and privacy-related matters. Aravind advises clients in proactive assessment and management of cybersecurity risks, breach incident response planning, and cybersecurity corporate governance responsibilities.

    Panel 4: Securing the Internet of Things

    Tadayoshi Kohno is the Short-Dooley Professor of Computer Science & Engineering at the University of Washington and an Adjunct Associate Professor in the UW Information School. His research focuses on helping protect the security, privacy, and safety of users of current and future generation technologies. Kohno is the recipient of an Alfred P. Sloan Research Fellowship, a U.S. National Science Foundation CAREER Award, and a Technology Review TR-35 Young Innovator Award. Kohno is an alumnus of the U.S. Government’s Defense Science Study Group and a member of the National Academies Forum on Cyber Resilience, the IEEE Center for Secure Design, and the USENIX Security Steering Committee.

    Shwetak Patel is the Washington Research Foundation Entrepreneurship Endowed Professor in Computer Science and Engineering and Electrical Engineering at the University of Washington, where he directs the Ubicomp Lab. His work includes developing new sensing systems, energy and water sensing, mobile health, and developing new interaction technologies. Shwetak was a founder of Zensi, Inc., a residential energy monitoring company that was acquired by Belkin, Inc. in 2010. He is also a co-founder of a low-power wireless sensor platform company called SNUPI Technologies and a consumer home sensing product called WallyHome, which was acquired by Sears in 2015. Shwetak is a recipient of a MacArthur Fellowship (2011), Microsoft Research Faculty Fellowship (2011), Sloan Fellowship (2012), TR-35 Award (2009), World Economic Forum Young Global Scientist Award (2013), and NSF Career Award (2013). He was named a 2010 top innovator of the year by Seattle Business Magazine and a Newsmaker of the year by the Puget Sound Business Journal in 2011. Shwetak holds a PhD and BS in Computer Science from the Georgia Institute of Technology.

    Arjmand Samuel is a Principal Program Manager at Microsoft, working in the Windows Azure Internet of Things team. In his current role, Arjmand is involved in the design and development of Windows Azure IoT Hub, a scalable framework for connecting, monitoring and controlling millions of IoT assets. In his previous role, Arjmand led external academic collaborations around devices and services research for Microsoft Research, where he developed programs and research initiatives to harness the power of the Internet of Things. He has published in a variety of publications on topics of security, privacy, location aware access control and innovative use of mobile technology. Arjmand has a bachelor’s degree in avionics engineering from NED University of Engineering and Technology, Pakistan; a master’s degree in control engineering from Beijing University of Aeronautics and Astronautics, China; and a PhD in Information Security from Purdue University, USA.

    Lorie Wigle leads Intel’s corporate wide IoT security efforts. She works across the business groups to set the strategy and drive execution. Lorie and her team are also very active in industry efforts such as the Industrial Internet Consortium and she helped found the Intel Automotive Security Review Board. Lorie represented Intel on the National Security Telecommunications Advisory Committee’s IoT work, which resulted in recommendations to the White House. In her prior roles at Intel, Lorie has led Intel’s product-related efforts on environment and initiated a number of internal start-up businesses. She has been at Intel for 31 years with the last 2+ on assignment at Intel Security (formerly McAfee). Lorie was named one of the three most powerful women in smart grid by Smart Grid Newsletter and one of top 10 women in sustainability by PINK magazine. In 2011, she received the Sustainable Business Leadership Award from Sustainable Business Oregon. She has an MBA from Portland State University and a BA degree from the University of Oregon.

FTC Privacy Policy

Under the Freedom of Information Act (“FOIA”) or other laws, we may be required to disclose to outside organizations the information you provide when you pre-register for events that require registration. The Commission will consider all timely and responsive public comments, whether filed in paper or electronic form, and as a matter of discretion, we make every effort to remove home contact information for individuals from the public comments before posting them on the FTC website.

The FTC Act and other laws we administer permit the collection of your pre-registration contact information and the comments you file to consider and use in this proceeding as appropriate. For additional information, including routine uses permitted by the Privacy Act, see the Commission’s Privacy Act system for public records and comprehensive privacy policy.

This event will be open to the public and may be photographed, videotaped, webcast, or otherwise recorded.  By participating in this event, you are agreeing that your image — and anything you say or submit — may be posted indefinitely at or on one of the Commission's publicly available social media sites.