(ISC)² Application Security Advisory Council (ASAC)

Council Members

CHAIR: Tony Vargas, CSSLP, CISSP-ISSAP, Security+, Co-Founder & CEO - Security Together, Co-Founder, Chairman & President, (ISC)² Sacramento Chapter

Tony is Co-Founder & CEO of Security Together. Prior to this, he was Technical Leader of Engineering at Cisco Systems. He is a Distinguished Subject Matter Expert (SME) in Application Security, Security Awareness, IT Security, Cloud Computing and Software Development, and provides both technical leadership and consultation in all of these areas. He is responsible for helping lead secure product development for many products at Cisco. Tony is Co-Founder, Chairman and President of the (ISC)² Sacramento Chapter, which focuses on promoting interest and growth in the information security field and giving back to the community. The chapter presents (ISC)² Safe and Secure Online presentations to children, parents and teachers throughout Northern California and beyond. The (ISC)² Sacramento Chapter is an official 501(c)3 non-profit. He is also the West Coast (ISC)² Safe and Secure Online Lead, and has been a member of (ISC)²'s Application Security Advisory Council since 2013. Tony is an Advisory Committee member for multiple community colleges in the Sacramento region, providing direction on cybersecurity and other technical curriculum. Tony received the inaugural Cisco Product Security Champion of the Year award in 2013 and was also a Cisco Security Champion award winner in 2012 for his leadership and vision. Tony also received a Cisco Mentorship Award in 2013. He is a core member and co-founder of a very large security and leadership awareness program. He sits on the prestigious Cisco SDLC Technical Advisory Group, influencing the direction of product security across Cisco. Tony is a frequent speaker on security, both internally at Cisco and industry-wide. In December, Tony was a keynote speaker at the Amphion Forum 2013 in San Francisco. Tony has spoken about product and application security in the United States, Europe, India and China to audiences as large as 700 people.

VICE-CHAIR: Anthony Lim, CSSLP, CISSP, FCITIL, Senior Cybersecurity Advisor, Asia Pacific, Frost & Sullivan

Anthony is a pioneer and veteran cybersecurity advocate, consultant, instructor, and business leader in the Asia Pacific region, with nearly 20 years' professional experience. He is a charter member and vice-chair of the global Application Security Advisory Council at (ISC)², a pioneer of its CSSLP certification, and winner of its 2010 senior information security leadership and President's awards. Anthony has held inaugural senior AP business development management roles in cybersecurity for IBM, CA (Computer Associates), CheckPoint Software, Watchfire, WhiteHat Security and Crossbeam. He is also a charter member of the Singapore Government Cybersecurity Alliance Committee, Singapore Board Member of the Cloud Security Alliance and a seven-term exco office-bearer on the Security & Governance Chapter of the Singapore ICT Federation. Anthony is a popular speaker and content contributor for many business, government, industry, and university conferences and media (print, broadcast and internet), and has also sat on several government cybersecurity committees in Singapore and neighboring countries. He is a guest and adjunct instructor at some universities in Singapore and a life alumni member of the University of Illinois, Urbana-Champaign.


David Kennedy, CISSP, OSCP, OSCE, GSEC, MCSE, ISO 27001, Founder, Principal Security Consultant, TrustedSec

David started TrustedSec with the vision of building a world-class information security consulting company. To date, TrustedSec provides information security consulting services for a large portion of the Fortune 1000 space as well as medium-sized companies. Prior to TrustedSec, David was Chief Security Officer (CSO) for Diebold Incorporated, a Fortune 1000 company located in over 80 countries with more than 16,000 employees, where he developed a global security program that tackled all aspects of information security. David is considered a thought leader in the security field and has presented at over three hundred conferences worldwide. He has had numerous guest appearances on Fox News, CNN, CNBC, Huffington Post, Bloomberg, BBC, The Katie Show, and other high-profile media outlets. He is the founder of DerbyCon, a large-scale information security conference. David has testified in front of Congress on multiple occasions on threats in security and in the government space. David also co-authored the book "Metasploit: The Penetration Tester's Guide," which was number one on Amazon in security for over a year. David is one of the founding members of the "Penetration Testing Execution Standard (PTES)." David is the creator of several widely popular open-source tools including "The Social-Engineer Toolkit" (SET), Artillery, and Fast-Track. David has over 14 years of security experience, with more than nine years in security consulting.


David O'Berry, CSSLP, CISSP-ISSAP, ISSMP, CRISC, Worldwide Strategic Technology, Office of the CTO, McAfee

David O'Berry is a "reformed CxO/CIO currently working for 'The Dark Side' in Worldwide Strategic Technologies within McAfee's Office of the CTO." He spent 19 years on the enterprise side as a Network Manager, Director of Information Technology Systems and Services and, most recently, Director of Strategic Development and Information Technology in the public sector. During that time he was an advocate for standards-based networks and security, working with groups like the Trusted Computing Group and The Open Group to further those causes. Active within the industry, he currently holds CISSP-ISSAP, ISSMP, CSSLP and CRMP, among other certifications. He has also been published several years in a row in the Information Security Management Handbook on standards-based distributed network visibility and autonomic security concepts, as well as writing for various publications over the years on a wide range of IT and IT-SEC topics. Most recently he was honored as a ComputerWorld Top 100 IT Leader for 2011, a fact he attributes to the amazing team that surrounded him during his service in the public sector.


Erin Jacobs, CEH, CISA, QSA, Managing Partner, Urbane Security

Erin Jacobs manages the compliance and strategic advisory delivery teams at Urbane Security, bringing over 15 years of consulting and C-level management experience. As a former CIO and CSO, Erin works with all levels of organizations to identify business needs and challenges, align them with the best solutions, and deliver concise services to meet any organization's needs. For over seven years, Erin has hosted professional events at major conferences such as RSA and Black Hat in order to provide an informal medium for information security professionals of all skills and levels to network and share ideas. Erin also founded Backup Buddies in 2013 as a support line for attendees of major conferences in order to ensure positive conference experiences. The Backup Buddy system was set up to alleviate negative experiences for women as well as first-time conference attendees. Erin has presented at numerous high-profile security conferences including Black Hat, RSA, SourceBoston, CloudExpo, SourceBarcelona, BruCon, DerbyCon, and several Security BSides events.

Glenn Leifheit, CSSLP, CISSP, ACS, Principal Security Architect, Microsoft

Glenn Leifheit is Principal Security Architect for Microsoft Information Technology's ACE (Assessment, Consulting and Engineering) Team. In this role he provides security advice to Microsoft internally as well as to external customers. Prior to joining Microsoft, Glenn created, developed and led the application security program for FICO (Fair Isaac Corporation). He also led FICO's PCI program. Through Glenn's 20-year career in information technology he has focused on security, architecture, OS and middleware design, and operations, along with software development. Glenn holds both the CISSP and CSSLP certifications. He is also passionate about evangelizing security practices to the development community, engaging in over 50 conferences, user groups and code camps as a speaker or panel member. Glenn is also a founding member of TechMasters, a Toastmasters group designed to create a technical speaker community.


Jacob West, Chief Architect, Security Products, NetSuite

Jacob West is Chief Architect for Security Products at NetSuite. In this role, West leads research and development of technology to identify and mitigate security threats. Prior to this role, he served as Chief Technology Officer (CTO) for Enterprise Security Products (ESP) at HP, where he influenced the security roadmap for the ESP portfolio and led HP Security Research (HPSR), which drives innovation with research publications, threat briefings, and actionable security intelligence delivered through HP security products. West also served as CTO for Fortify products and leader of Fortify Software Security Research within HP ESP. West has spent more than a decade developing, delivering, and monetizing innovative security solutions, beginning with static analysis research at the University of California, Berkeley, and as an early security researcher at Fortify prior to its acquisition by HP. A world-recognized expert on software security, West co-authored the book "Secure Programming with Static Analysis" with colleague and Fortify founder Brian Chess in 2007. Today, the book remains the only comprehensive guide to how developers can use static analysis to avoid the most prevalent and dangerous vulnerabilities in code. West co-authors the Building Security In Maturity Model and speaks frequently at customer and industry events, including RSA Conference, Black Hat, Defcon and OWASP. A graduate of the University of California, Berkeley, West holds dual degrees in Computer Science and French and resides in San Francisco, CA.


Joe Jarzombek, CSSLP, PMP, Director, Software & Supply Chain Assurance, SECIR/CS&C/NPPD, U.S. Department of Homeland Security (DHS)

Joe Jarzombek is the Director for Software & Supply Chain Assurance (SSCA) in Cyber Security and Communications within the Department of Homeland Security (DHS). He leads public-private collaboration efforts for government interagency teams with industry, academia and standards organizations. After retiring from the US Air Force as a Lt. Col. in program management, Mr. Jarzombek worked in the cybersecurity industry as vice president for product and process engineering. He later served in two software-related positions within the Office of the Secretary of Defense prior to accepting his current position. Mr. Jarzombek is a Project Management Professional (PMP) and a Certified Secure Software Lifecycle Professional (CSSLP). He has spoken extensively about security automation, measurement, software assurance, supply chain risk management and practices for security-enhanced acquisition and development. He encourages further participation in DHS-sponsored public-private collaboration efforts via the Software & Supply Chain Assurance Forum and Working Groups, along with the SSCA Community Resources and Information Clearinghouse and Build Security In websites.


Joshua Corman, CTO, Sonatype, Founder, "Rugged Software" and "I am The Cavalry"

Joshua Corman is the Chief Technology Officer for Sonatype. Previously, Corman served as a security researcher and strategist at Akamai Technologies, The 451 Group, and IBM Internet Security Systems. A respected innovator, he co-founded Rugged Software and I Am The Cavalry to encourage new security approaches in response to the world's increasing dependence on digital infrastructure. Josh's unique approach to security in the context of human factors, adversary motivations and social impact has helped position him as one of the most trusted names in security. He is also adjunct faculty at Carnegie Mellon's Heinz College and IANS Research, and a Fellow at the Ponemon Institute. Josh received his bachelor's degree in philosophy, graduating summa cum laude, from the University of New Hampshire.

Katie Moussouris, Chief Policy Officer, HackerOne

Katie Moussouris is the Chief Policy Officer of HackerOne, where she oversees the company's philosophy and approach to vulnerability coordination and disclosure, advises customers and researchers, and works toward the public good to legitimize and promote security research to help make the Internet safer for everyone. Katie Moussouris' Microsoft work encompassed industry-leading initiatives such as Microsoft's bounty programs, BlueHat content chair, security researcher outreach, vulnerability disclosure policies, and MSVR (Microsoft Vulnerability Research). She also serves as a subject matter expert for the U.S. National Body of the International Standards Organization (ISO) in vulnerability disclosure (29147), secure development (27034), penetration testing (20004-2) and vulnerability handling processes (30111). Ms. Moussouris was one of the Artists Formerly Known as @stake, and has performed dozens of software penetration tests, security code audits, and design reviews for major companies. She was honored with the 2011 Executive Women's Forum Women of Influence Award in the category of One to Watch. Ms. Moussouris is a renowned keynote speaker and has presented at Security Analyst Summit 2014, RSA 2014, and Nordic Security Con 2013, as well as several others. She was also an invited speaker at Harvard Business School, MIT, HitB Malaysia 2012 and the Executive Women's Forum 2012. She is working on a book about vulnerability disclosure do's and don'ts for vendors.


Mano Paul, CSSLP, CISSP, GWAPT, GSSP-.Net, MCAD, MCSD, CompTIA Network+, ECSA, Founder and CEO, SecuRisk Solutions and Express Certifications, Founder, HackFormers

Mano 'dash4rk' Paul is a shark biologist turned security professional. He is the author of the acclaimed "7 Qualities of Highly Secure Software" and the "Official (ISC)² Guide to the CSSLP." He founded and serves as the CEO of SecuRisk Solutions. Before SecuRisk Solutions, Mano managed the application security program at Dell, Inc.; prior to that, he was a shark researcher in the Bimini Islands, Bahamas. His infosec experience includes designing and developing security programs from compliance to coding, security in the SDLC, writing secure code, risk management, security strategy, penetration testing, vulnerability analysis, and security awareness training and education. Mano was appointed as the software assurance advisor for (ISC)² and is a member of the AppSec Advisory Council. He was recognized and honored for his contributions to the security industry by being awarded the first Information Security Leadership Award (ISLA) as an information security practitioner in 2011. Mano is an invited speaker, delivering keynotes, talks and training and participating as a panelist at several domestic and international security conferences such as RSA, Security Congress, ASIS, DerbyCon, SANS, OWASP AppSec, LASCON, Shakacon, Gartner (Catalyst), and SecureSDLC events. Mano holds the following professional certifications: CSSLP, CISSP, GIAC GSSP-.Net, EC-Council ECSA, MCSD, MCAD and CompTIA Network+. Mano holds a Bachelor of Business Administration degree in Management Information Systems from the University of Oklahoma, USA, and a Bachelor of Science degree in Zoology (Fisheries) from the University of Chennai, India.

Mikko Varpiola, Security Researcher, Codenomicon

Mikko Varpiola is an expert in unknown vulnerability discovery and management, specializing in fuzz testing. Before founding Codenomicon he was a key researcher with the globally recognized PROTOS research group at the University of Oulu. He actively participates in the development of secure programming practices and the automation of software security testing. His contributions are integral to the development of practical implementations of generation-based fuzz testing software. Recently Mikko has focused his efforts on Codenomicon's AppCheck Testing-as-a-Service (TaaS) platform and on research into testing instrumentation to reliably detect vulnerabilities in real time. He is currently based out of Saratoga, CA.


Sean Mason, CSSLP, CISSP-ISSMP, CCFP, CISA, CISM, PMP, Executive Incident Response Leader, CSC

Sean Mason is an IT leader and industry veteran who currently holds the position of Vice President of Incident Response & Customer Success for Resolution1 Security and was formerly Director, Incident Response for General Electric. After serving his commitment to the U.S. Air Force, Sean spent his career with Fortune 500 companies GE, Harris, Monsanto, and CSC, where he worked in a variety of IT and industry verticals, including software development, auditing, information security, defense, aviation, energy, biotechnology, and healthcare. Sean served as the Defense Industrial Base (DIB) representative for Harris Corporation from 2009 to 2011, where he first learned the term "Advanced Persistent Threat," ultimately helping to re-architect the security posture for the company. While serving as Director of Incident Response for GE, he led one of the most advanced teams in the industry and was responsible for the global detection, triage, and response operations for the company. Sean received his BS in MIS from McKendree University and his MBA from Webster University in St. Louis.


Tom Brennan, CISSP, Global Vice Chairman, OWASP Foundation, Founder, proactiveRISK and CyberTOOLBELT

Tom Brennan is the founder of proactiveRISK, a veteran of the U.S. Marine Corps, and holds a seat on the Global Board of Directors for the Open Web Application Security Project (OWASP) as Vice Chairman. He also participates in other technical committees including the International Legal and Technology Association (ILTA) and the Council on CyberSecurity. Tom is just as comfortable ripping through a packet capture or investment ideas as he is speaking before live audiences. Well known for translating binary thoughts into meaningful content, Tom has served as a speaker at BlackHat, 2600 HOPE, FBI InfraGard, and the USSS Electronic Crimes Task Force.


Zachary Tudor, CISSP, CISM, CCP, Program Director, Computer Science Lab, SRI International

Zach Tudor, a Program Director in the Computer Science Laboratory at SRI International, serves as a management and technical resource for the operation, research and development of cybersecurity programs for government, intelligence, and commercial projects. He supports the Department of Homeland Security's Cyber Security Research and Development Center (CSRDC) on projects including the Linking the Oil and Gas Industry to Improve Cybersecurity (LOGIIC) consortium and the Industrial Control Systems Joint Working Group (ICSJWG) R&D working group. He is the past co-chair of the Institute for Information Infrastructure Protection (I3P), a member of the Nuclear Cyber Security Working Group, and represents SRI in the International Information Integrity Institute (I-4), a world forum for senior information security professionals. Prior to SRI, Zach led a team of cybersecurity engineers and analysts directly supporting the Control Systems Security Program (CSSP) at DHS, whose mission is to reduce cybersecurity risks to critical infrastructure systems.