Frank Kim is the founder and principal consultant with ThinkSec as well as the curriculum lead for application security for the SANS Institute. Frank has over 14 years of experience in software development, information technology, and security. He has designed and developed applications for large healthcare, technology, insurance, and consulting companies. Frank currently focuses on security strategy and application security program development with a special interest in integrating security into the software development life cycle. Frank is the author of the SANS Institute's Secure Coding in Java course. He has spoken internationally at events like JavaOne, Devoxx, Jazoon, and UberConf and was recently named a JavaOne Rock Star.
Tanya is a SANS senior instructor, as well as a SANS courseware author. With more than 10 years of information security experience, Tanya has consulted with a variety of clients about their security architecture in areas such as perimeter security, network infrastructure design, system audits, Web server security, and database security. Currently, Tanya provides a variety of security consulting services for clients, including system audits, vulnerability and risk assessments, database assessments, Web application assessments, and penetration testing. She has previously worked as the director of assurance services for a security services consulting firm and served as the manager of infrastructure security for a healthcare organization. She also served as a manager at Deloitte & Touche in the Security Services practice. Tanya has played an integral role in developing multiple business applications and currently holds the CPA, GIAC GCFW, GIAC GCIH, CISSP, CISM, CISA, CCNA, and OCP DBA certifications. Tanya completed a bachelor of arts degree with majors in accounting, business administration and management information systems.
Kevin Johnson is a Senior Security Consultant with Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture, and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises, and penetration testing everything from government agencies to Fortune 100 companies. Kevin is an instructor and author for the SANS Institute and a contributing blogger at TheMobilityHub.
Kevin has performed a large number of trainings, briefings, and presentations for both public events and internal trainings. Kevin teaches for the SANS Institute on a number of subjects. He is the author of three classes: SEC542 (Web Application Penetration Testing and Ethical Hacking), SEC642 (Advanced Web Application Penetration Testing), and SEC571 (Mobile Device Security). Kevin has presented at a large number of conventions, meetings, and industry events, including DerbyCon, ShmooCon, DEFCON, Blackhat, ISACA, Infragard, and ISSA.
In addition, Kevin is very involved in the open source community and runs a number of open source projects. These include SamuraiWTF, a web pen-testing environment; Laudanum, a collection of injectable web payloads; Yokoso!, an infrastructure fingerprinting project; and a number of others. Kevin is also involved in MobiSec and SH5ARK. Kevin was the founder and lead of the BASE project for Snort before transitioning that to another developer.
Jason is a senior security analyst at a major financial institution in Canada. His recent SANS Institute courseware development includes Defending Web Application Security Essentials and Web Application Pen Testing Hands-On Immersion. Jason started his career as a programmer before moving on to ISP network administration, where he handled network security incidents, which sparked his interest in information security. Jason specializes in Web application security, penetration testing, and intrusion detection. He currently holds a BA in computer science from York University in Toronto, Ontario, as well as the CISSP, GCIA, GCFW, GCUX, GCWN, and GCIH certifications.
Jason Montgomery is a principal of Active Technologies Group, Inc. (ATGi), an international technology consulting firm based in Columbus, Ohio. Jason leads ATGi's Software & Application Security practice which evolved out of ATGi's 15 years of real world application development experience. Jason has over 14 years of development experience building applications for Fortune 500 companies, Internet Start-ups, as well as State and Federal Government organizations. As a contractor for the Department of Defense, he hardened servers, provided security guidance to developers, revealed and helped mitigate vulnerabilities in federal systems and built custom applications. Jason served on the GIAC Secure Software Programmer (GSSP) Steering Committee which produced the first .NET GSSP Blueprint. His knowledge of programming, Information Security, and network protocols combined with his system administration and system hardening experience in Windows as well as the Linux/BSD Unix operating systems produces a holistic perspective on security. Jason also contributed chapters about security in Professional K2 blackpearl (Wiley Publishing Inc, 2009), an enterprise .NET workflow engine built on Microsoft Windows Workflow Foundation.
Mano Paul is the (ISC)2-appointed software assurance advisor and a seasoned veteran in the disciplines of information security, software assurance, and software development, with responsibilities that include designing and developing security programs from compliance to coding, security in the software development lifecycle, and providing risk management, security strategy, and security awareness and education. He is the CEO and founder of SecuRisk Solutions, which specializes in security product development and consulting, and of Express Certifications, a professional certification assessment and training company.
Before founding his two companies, Paul worked for Dell, Inc. in a variety of security and software positions, ranging from software developer to technical architect, global application security consultant, senior global security program manager, and workforce strategist for both IT and the business. He is a contributing author for the Information Security Management Handbook, writes periodically for information security and certification magazines, and has participated in and contributed to several security articles for the Microsoft Solutions Developer Network (MSDN).
Additionally, Paul has been featured at numerous security conferences around the world as an invited speaker and panelist, delivering keynotes and talks at conferences such as CSI, SC World Congress, Burton Group Catalyst, and OWASP. He is also an appointed faculty member and served as the industry liaison for the Capitol of Texas Information Systems Security Association (ISSA) chapter.
Paul is a Certified Secure Software Lifecycle Professional (CSSLP) and Certified Information Systems Security Professional (CISSP), both (ISC)2 certifications. He also holds the MCAD, MCSD, CompTIA Network+, and ECSA certifications.
Paul has already undertaken a number of tasks for (ISC)2, including creating the online self-assessment tool known as studISCope, authoring the upcoming Official (ISC)2 Guide to the CSSLP, collaborating on the development of the CSSLP curriculum, establishing and fostering relationships between (ISC)2 and other professional security organizations, and writing several white papers underscoring the need for software assurance. In his software assurance advisor role, he will continue many of these pursuits in addition to speaking engagements and other opportunities as they arise.
David Rice is an internationally recognized cyber security expert, consulting director for policy reform at the U.S. Cyber Consequences Unit, and author of the critically acclaimed book Geekonomics: The Real Cost of Insecure Software. Mr. Rice is a key figure shaping the discussion of cyber security, and his work impacts both U.S. and European cyber security policy. As director of The Monterey Group, a private consulting firm, Mr. Rice advises a variety of clients on a range of issues, including cyber strategy development and execution, corporate cyber risk management, cyber security metrics, identity management, and secure software development practices.
Johannes Ullrich, Ph.D.
Dr. Johannes Ullrich is the Dean of Research and a faculty member of the SANS Technology Institute. In November of 2000, Johannes started the DShield.org project, which he later integrated into the Internet Storm Center. His work with the Internet Storm Center has been widely recognized. In 2004, Network World named him one of the 50 most powerful people in the networking industry. Secure Computing Magazine named him in 2005 one of the Top 5 influential IT security thinkers. His research interests include IPv6, Network Traffic Analysis and Secure Software Development. Johannes is regularly invited to speak at conferences and has been interviewed by major publications, radio as well as TV stations. He is a member of the SANS Technology Institute's Faculty and Administration as well as Curriculum and Long Range Planning Committee. As chief research officer for the SANS Institute, Johannes is currently responsible for the GIAC Gold program. Prior to working for SANS, Johannes worked as a lead support engineer for a Web development company and as a research physicist. Johannes holds a PhD in Physics from SUNY Albany and is located in Jacksonville, Florida. He also maintains a daily security news summary podcast and enjoys blogging about application security.