1

The 1 ST Annual Web Services Security Conference &

Exhibition

Program

The Inn & Conference Center University of Maryland, College Park, Maryland

May 25‐26, 2006

Unatek_ TransGlobal IT Security Conferences

2

Marriott Hotel College Park

Meeting Rooms

Floor Plan

3

.General Information All WSSC meeting sessions and activities are held inside the buildings in the conference center unless otherwise noted. Consult this program for room locations and check for last minute updates from the WSSC staff or at the conference portal.

SELF‐SERVE REGISTRATION Self‐serve registration is available to pre‐registered and onsite attendees, and exhibitors who are pre‐ registered.

ONLINE REGISTRATION Online registration is available at: http://www.unatek.com/reg istration.htm.

STAFFED REGISTRATION DESK Registration staff will be available to assist you during the following times:

Wednesday, May 24 4:00pm – 8:00pm

Thursday, May 25 7:00am – 3:00pm

Friday, May 26 7:00am – 3:00pm

REGISTRATION POLICY All attendees, speakers and authors must register for the conference. Badges are required for admission to all technical sessions, the exhibition and social functions.

Meet in an environment that truly inspires creativity. The center's handsome Georgian buildings are home to one of Maryland's finest art collections

­ as well as quality meeting space, advanced conference technologies, and comfortable accommodations.

LOCATION The conference location, Adelphi, Maryland is 12 miles from downtown Washington, D.C. • 35 miles from Dulles International Airport • 30 miles from Baltimore‐Washington International Airport • 20 miles from Reagan National Airport.

CONFERENCE FACILITIES

• 39,000 square feet of dedicated meeting space • 39 meeting rooms, three computer labs • 750­seat auditorium with satellite downlink • Executive meeting wing • 8,000­square­foot grand ballroom • State­of­the­art audiovisual capabilities, soundproof walls, adjustable lighting, climate control, 12­hour chairs, tackable walls • Teleconferencing • Videoconferencing.

GUEST ROOMS 237 guest rooms including 11 suites • Telephone with dataport, individual climate control, remote‐control cable TV, iron, ironing board, complimentary high speed Internet access, complimentary daily newspaper • Nonsmoking and accessible rooms.

DINING • Mt. Clare Cafe, serving breakfast and lunch buffet style • Garden Restaurant, serving breakfast, lunch, and dinner with table service • Oracle Lounge, serving beer, wine, and cocktails.

ON‐SITE SERVICES

• Dedicated conference services managers • Audiovisual technicians • Business center • Covered parking • Gift/sundry shop • Valet dry cleaning

RECREATION/GROUP ACTIVITIES Art gallery • Exercise room • Golf, tennis, racquetball and swimming on campus • Near Washington, D.C., Baltimore, and Annapolis attractions.

CONTACT ICC Sales Department 3501 University Blvd. East Adelphi, Maryland 20783 USA 301‐985‐7303 Fax: 301‐985‐7445 For more information or to make online reservations, please visit www.umucmarriott.com.

4

Http://www.unatek.com Providing Information Technology Security Services

Intrusion Prevention Solutions

• Design – Implement – Manage ­ ROI

IT Security Solutions

• Assess – plan – design – implement ­ manage

Healthcare Security Solutions

• Health Information Portability and Accountability Act (HIPAA)

Financial Services Security Solutions

• Gramm – Bliley ­ Leach Act (GBLA) ­ Sarbanes – Oxley Act (SABOX)

Securing Your Connections to the World.

A commitment to detect, defend and protect IT infrastructures

For more information, please contact: Unatek, Inc. 1100 Mercantile Lane, Suite 115A, Largo, MD 20774 Tel: (301) 583­4629 Fax: (301) 772­8540 Email: info@unatek.com

5

Welcome Dear Colleague:

Welcome to the 1 st annual Web Services Security Conference and Exhibition! With the city of College Park and the Washington DC Metropolitan Area offering us its unique style of hospitality and with a conference program that is unsurpassed in its coverage of Web Services Security, this premier conference promises each of us a wealth of valuable and enjoyable experiences.

The conference will commence with the opening session on Thursday, May 25, 2006. The conference highlight will be a plenary keynote presentation titled: “Web Services Depends on Interoperable Security Standards,” scheduled for Thursday at 8:30am. There are more than twenty­three keynotes and specially invited papers. Also worth noting are four industry track panel discussions, the tutorial luncheons, guest lectures, and specialized workshops.

The exhibit at the Marriott Conference Center is a “don’t miss.” Representatives from different companies will occupy booths and display their latest products and services. Another noteworthy event is the conference dinner, scheduled for Thursday evening. At this gala reception, we shall celebrate the achievements in Web Services Security and recognize institutions and the leaders in the field.

As for the conference venue, there are lots of attractions in the city of College Park and the surrounding cities of the Washington Metropolitan Area. With its unique setting as the center of the US government, there are multiple tourist attractions and the famous Baltimore Inner Harbor is just twenty­five minutes away. So, this is an experience unto itself. Whether it is the food, the Inner Harbor riverboats and cruises, Washington monument, numerous museums or the blend of southern and cosmopolitan charm of the area, you will be sure to have a memorable time.

Finally, the successful accomplishment of the conference will undoubtedly result in an achievement of fruitful business and technical progress, and at the same time contribute to the development of Web Services Security.

With best regards,

Charles M. Iheagwara, Ph.D., P.E. Conference Chair

­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­

Securing Web Services for Online Transactions Web services in contemporary information technology are increasingly fueling e­commerce, application integration, and business­to­business (B2B) e­commerce. By definition, Web services are loosely coupled IT computing services that reduce the complexities of building business applications, save costs, and enable new business models.

The opportunities presented by these services makes them attractive to enterprises that engage in e­ commerce transactions. But while there is a high interest to integrate Web services into the mainstream of service­oriented architectures (SOA), security concerns might be the deterrent for enterprises trying to do so or accelerate the pace. In effect, the security for any enterprise­level Web service transactions performed over the Internet becomes a paramount consideration.

Therefore, for enterprises engaged in or anticipating integrating Web services into their SOA, securing Web services is crucial for financial, legislative, trust, and privacy reasons.

The Web Services Security Conference – which is an annual event – was instituted to explore the issues pertinent to the security of enterprise­level Web service transactions. This year’s two­day conference features keynotes and presentations on the state­of­the­art of the practice by an impressive line­up of local and international security experts, along with innovative CTOs and leading technology inventors.

6

WSSC Dinner

The WSSC inaugural dinner (sponsored by Forum Systems, Inc.) will be held at 7:00p.m. Thursday, May 25, at the Marriott Conference Center’s Garden restaurant. There will be presentations by conference sponsors and invited speeches. CAFE, one of the finest dance bands in the Washington area, will entertain with background music during dinner, with dancing following. Tickets for this premier event are $75 (except for registered conference attendees) and may be purchased at the conference registration desk.

Sponsors

The WSSC Corporate Sponsor Program has helped to further our mission of ensuring a future of continued technological innovation. We gratefully acknowledge the contributions of the organizations listed below:

Platinum sponsors

Gold sponsor

Silver Sponsors

7

Exhibition 2006 . . . Exploring Web Services, Security and Risk Management

Exhibit Hours: Thursday 10am – 7pm

Friday 10am ‐ 5pm

Visit the exhibit for a refreshment break. See the newest in Web services security. Take a look at the latest products, processes and services exhibited by leading organizations from throughout the USA. Meet new business contacts and renew old acquaintances. Visit the booths in the Exhibit Hall.

Thank you to our Exhibitors:

Company Booth #

101

102

103

104

105

106

107

108

109

110

8

Conference at a Glance Wednesday May 24 Thursday May 25 Friday May 26

07:00am Registration Desk Registration

07:00am Registration Desk Registration

08:05am Opening & Welcome 08:05am Opening & Announcements

08:20 ­ 09:20am Auditorium Web Services Depends on Interoperable Security Standards Tony Nadalin; Dr. Nagaratnam, IBM

08:20 ­ 09:15am Auditorium Threat Protection in a Service Oriented World Andre Yee, NFR

09:25 ­ 10:15am Auditorium True Intrusion Prevention ­ Protecting Against Threats From All Vectors, At All Times Martin Roesch, SourceFire, Inc.

09:25 ­ 10:15am Auditorium What are the realities of your legal risks?" Melise R. Blakeslee, McDermott Will & Emery LLP

10:00am ­19:00 pm Exhibit hall Exhibits open

10:00am ­17:00 pm Exhibit hall Exhibits open

10:26am Tea break and Networking 10:26am Tea break and Networking 10:50 ­ 11:45am Auditorium Starting with Identity Management Systems for securing Web Services Mamoon Yunus, Forum Systems, Inc.

10:50 ­ 11:45am Auditorium eRisk and liability in Online Transactions – the impact of the Sarbanes­Oxley Act Ralph Bazilio, TCBA

11:45 ­ 12: 25pm Auditorium Poster Session: Prince George’s County: The State of Maryland’s Economic Engine Jack Johnson, County Executive of Prince George's County

11:45 – 12:25pm Intrusion Prevention Auditorium

Gartnerization of IDS/IPS Vendoring: Beyond the magic quadrant…What works? What Doesn’t Charles Iheagwara, Unatek, Inc. ­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ IDS isn't dead, your implementation of it is! Lessons learned from an enterprise deployment: how to maximize your detection capabilities and investment Rohan Amin, Lockheed Martin ­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ Architectures for Detecting Service Intruders and Holding Them Accountable without Sacrificing User Privacy Prof. U. Flegel, University of Dortmund, FRG

12:25pm Lunch and Networking 12:25pm Lunch and Networking

4:00 PM ­ 8:00 pm

Registration Desk

Early Delegate Registration

5:00 PM ­ 6:00 pm Auditorium

Birds­of­a­Feather Sessions

• Intrusion Prevention & Vulnerability Management in Web Services and Applications

• eFraud Prevention in banking and financial institutions

13:25 ­14:20pm Intrusion Prevention Auditorium

Security Metrics Management Grows Up (Finally!)” Dr. Anton Chuvakin, LogLogic ­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ McAfee NAC Solution: Gaining back your sanity and minimizing your Risk Andrew J. Berkuta, McAfee, Inc. ­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ 13:25 ­ 14:20pm Web Services

R00M 1301 Ten Web Services Security Case Studies Mark O’Neill, Vordel ­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ Web Services Security and BPM Phil Larson, Appian Corporation

13:25 ­ 14:20pm Auditorium eFraud in Online Commerce: Impact on Business Reputation & Consumer Confidence Kerry G. (Kwasi) Holman, Prince Georges County Economic Development Corporation

9

14:25 ­ 15:25pm Auditorium Panel 1 Discussions

State­of­the­Art in Intrusion Prevention: Product Maturity and Charting the Course for the Next Decade ­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ 14:25 ­ 15:25pm R00M 1301 Panel 2 Discussions

Web Services Technologies and XML Cutting­Edge Products: Maturity and Charting the Course for the Next Decade

14: 25 ­ 15: 25pm Web Services Auditorium

Spyware Exploits Donald Debolt, Computer Associates, Inc.

­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ 14: 25­15: 25pm Risk Management Systems

R00M 1301 Managing Identity Risk Bill Dutcher, Booz Allen and Hamilton ­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ Identity Bridging Techniques across SOA­ based Business Service Networks M. Yunus and R. Mallal, Crosscheck Networks ­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ 14: 25 ­ 15: 25pm Risk Mgt & Legal issues

R00M 1309 Security for Rich Media Collaboration: The Challenge of Balancing Network Security with the Need to Communicate John Starke, TransGlobal Business Systems ­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ 14: 25 ­ 15: 25pm Intrusion Prevention

R00M 1307 Establishing A "Best Practice" Security Process: Setting the Standards From Assessment through Incident Response O. K. Helferich, Central Michigan University

15:25pm Tea break and Networking 15:25pm Tea break and Networking

15:35 ­ 16:35pm Auditorium

Trusted Computing and its Impact on Web Services Steven Sprague, Wave Systems

15:35 – 16: 35pm Auditorium Panel 3 Discussions

Identity Management Systems and Trust Enablement ­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ 15:30 –16:30 pm R00M 1301 Panel 4 Discussions

Technical and Legal Problems with Preserving Data

16:35 ­ 17:30 pm Exhibit hall

Ask the Experts ­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ 16:35 PM ­ 17:30 pm R00M 1301

Workshop sponsored by TransGlobal Business Systems

16:35 PM ­ 17:30 pm Exhibit hall

Ask the Experts ­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ 16:35 PM ­ 17:30 pm R00M 1301

Workshop sponsored by Bowie State University

16:30pm Tea break and Networking 16:30pm Tea break and Networking 17:30 ­19:00 pm Exhibit hall

Exhibit Hall Reception

17:30 ­19:00 pm Exhibit hall

Exhibit Hall Reception 19:00 Conference Dinner 18:00 Conference closing

10

Sourcefire, Inc., the world leader in intrusion prevention, is transforming the way organizations manage and minimize network security risks with its 3D Approach ­ Discover, Determine, Defend ­ to securing real networks in real­time. The company's ground­breaking network defense system unifies intrusion and vulnerability management technologies to provide customers with the most effective network security available. Founded in 2001 by the creator of SnortR, Sourcefire is headquartered in Columbia, MD and has been consistently recognized for its innovation and industry leadership by customers, media, and industry analysts alike with more than 16 awards and accolades since January 2005 alone. Most recently, the company was positioned in the Leaders Quadrant of Gartner's "Magic Quadrant for Network Intrusion Prevention System Appliances" report and the Sourcefire 3D System was named "Best Security Solution," at the 2006 SC Magazine Awards. At work in leading Fortune 1000 and government agencies, the names Sourcefire and founder Martin Roesch have grown synonymous with innovation and intelligence in network security.

US Headquarters: 9770 Patuxent Woods Drive

Columbia, MD 21046 800.917.4134

410.290.1616 | 410.290.0024 fax

For more information about Sourcefire, please visit www.sourcefire.com.

11

Technical Program with Abstracts Wednesday, May 24, 2006

4:00 pm ­ 8:00 pm Registration Desk

Early Delegate Registration Pick up your badge and conference materials and avoid the Thursday morning rush.

5:00 pm­ 6:00 pm Auditorium

Birds­of­a­Feather Sessions Two pre­conference sessions: to be moderated by Bill Dutcher, Principal Consultant, Booz Allen and Hamilton, Omar Keith Helferich, Security Research Consultant, Department of Homeland Security and Faculty, Central Michigan University and George Kalb of John Hopkins Information Security Institute.

These sessions are a great chance to interact and discuss timely topics with your peers in a casual, roundtable discussion format before the conference officially begins Thursday morning.

• Intrusion Prevention & Vulnerability Management in Web Services and Applications • eFraud Prevention in banking and financial institutions

Thursday, May 25, 2006

07:00am Registration Desk Delegate Registration and Continental Breakfast.

08:15am Opening & Welcome Auditorium Welcome to Web Services Security Conference 2006 by Anthony Williams

President of Unatek, Inc.

Chairman: Mamoon Yunus, CTO & Founder, Forum Systems 08: 20 – 12:20pm

08:30am Auditorium Plenary Keynote: “Web Services Depends on Interoperable Security Standards.” Tony Nadalin; Dr. Nataraj Nagaratnam Distinguished Engineer and Chief Security Architect, IBM; Chief Architect for Identity Management, IBM The fundamental promise of Web demands predictable interoperability and security. This keynote would highlight the array of emerging Web services security standards (WS­Security), including those related to token types, headers, signatures and encryption. An overview of OASIS’s in­progress security standards work will also be provided. In addition to the work of OASIS, the WS­I Basic Security Profile Working Group is tasked with producing Security Scenarios and a Basic Security Profile.

09:25am Auditorium Keynote: “True Intrusion Prevention ­ Protecting Against Threats From All Vectors, At All Times.” Martin Roesch, CTO & Founder, SourceFire, Inc.

First generation Intrusion Prevention Systems (IPS) have failed to solve today's threat problem ­ breaches are occurring at an ever increasing rate, damaging organizations' reputations and costing revenue. Standalone IPS only protect against intrusions, coming from the perimeter, during the time of the attack. Today's blended threats require blended security systems that have more remediative options. Join Martin Roesch, founder of Sourcefire and creator of Snort, as he discusses how the combination of endpoint, threat and network intelligence provides true intrusion prevention by defending networks against threats from all vectors, all the time ­ before, during and after an attack.

12

10:00am ­19:00 pm Exhibit Hall Exhibits open with company sponsored on­the­Show floor receptions

Note on Exhibit Hall Reception: The first night for delicious hors d'oeuvres, cocktails and conversation with your peers. Review new products and security solutions from top vendors, and enter to win some fantastic prizes.

10:26am Tea Break and Networking

10:50am Auditorium Keynote: “Starting with Identity Management Systems for securing Web Services.” Mamoon Yunus, CTO & Founder, Forum Systems

Identity Management is the cornerstone of deploying secure Web Services. Application­to­ Application & User­to­Application authentication and authorization are the primary steps in Web Services Threat Mitigation. Identity Management is also fundamental to Trust enablement of Web Services.

This session explores popular secure Web Services deployment scenarios through protocol­ based (e.g., HTTP Basic Auth, SSL Mutual Auth) and message­based (e.g., WS­X509, SAML) identities. Practical Web Services Identity bridging, XML Threat Sensors, and Web Services Trust functions, such as WS­Signatures & WS­Encryption, are also presented as pillars of deploying comprehensive Web Services Security.

11:45 ­ 12: 20pm Auditorium

Poster Session Topic: “Prince George’s County: The State of Maryland’s Economic Engine.” Jack Johnson, Prince George's County Executive

Prince George’s County is taking the state of Maryland, the Washington Metropolitan area and the entire region on an extraordinary economic ride. Cutting edge technology is necessary to support businesses and residents to continue the county’s tremendous economic growth. Through the use of E­government, we are able to pair local businesses with development projects such as the University of Maryland’s 130­acre research park, M Square; Konterra, a 2,200­acre mixed­use development project; or National Harbor, a $2 billion, 350­acre mixed­ use development project featuring Gaylord Hotel, the first luxury resort hotel and convention center in the county with 2,000 rooms and 460,000 square feet of convention space slated to open in 2008. With projects of this magnitude happening throughout the county and the amount of online information and services our government currently provides residents and businesses, this keynote will share how our government works to secure and responsibly manage our e­government initiative.

12:25pm Lunch and Networking

13:25 ­ 14:20pm Session 1: State­of­the­Art of Intrusion Prevention Auditorium Chairman: Martin Roesch, CTO & Founder, Sourcefire, Inc. 13:25 ­ 14:20pm Topic: ““Security Metrics Management Grows Up (Finally!).”” Dr. Anton Chuvakin, Director of Product Management, LogLogic

The presentation will cover the role of security metrics for taking control of security management. Specifically, it will define the criteria for good and bad metrics as well as explain operational and executive metrics. The audience will learn the methodology for creating and using various security metrics for assessing their security posture. The entire security metrics lifecycle will be presented in detail. In addition, it will touch upon how recent security standard developments will help organizations acquire better ways of measuring security.

13

13:25 ­ 14:20pm Topic: "McAfee NAC Solution: Gaining back your sanity and minimizing your Risk" Andrew J. Berkuta, Senior Security Evangelist | Strategist McAfee, Inc.

You've already seen the CxO once this year...and for them it was enough! Why don't they understand that a good day in security is one where nothing happens? Now with the advent of zero day attacks, bots, and other ferocious types of malware, the industry is calling for end­ point protection. What is it, and who is out there that can help me with a real flexible and scalable solution? Better yet, HOW can I go back to my CxO and ask for it THIS year?

Andrew J. Berkuta has been there. As a security director, as a "plank owner" for three startup companies, he understands that justifying another expenditure for security can be trying. He will talk about the latest trends in malicious events, the myth of ROI in security, and why a NEW paradigm is necessary to face the combative CxO, and still get what you need to security your enterprise!

13:25 ­ 14:20 pm Session 1: Web Services Technologies and XML Cutting­Edge Products Room 1301

Chairman: Steven Sprague, CEO, Wave Systems 13:25 ­ 14:20pm Topic: “Ten Web Services Security Case Studies.” Mark O’Neill, Chief Technology Officer, Vordel

This presentation consists of ten case studies of Web Services security being deployed. Each case study includes a deployment diagram.

The goals of all the deployments are the same: to ensure that no unauthorized user or malicious XML content can access a Web Services application. However, each case study differs in terms of the products used to deploy the Web Services.

The case studies are as follows: 1) Securing a Parlay­X based service deliver platform for a mobile telecoms operator 2) Two­stage XML Firewall for an insurance company 3) Protection of a .NET based Web Services deployment 4) Scanning of large (>25MB) XML files for XML Signature integrity and for Schema conformance 5) Integration with a legacy mainframe­based authorization system using SAML 6) Protection of a SAP NetWeaver Web Services deployment 7) XML Firewall deployed with a load­balancer which performs SSL termination 8) A joint deployment of Web Services security with Web Access Control, in front of BEA WebLogic 9) Protection of Apache Axis based Web Services 10) Security as part of a Services Oriented Architecture for a large manufacturing company

13:25 ­ 14:20pm Topic: “Web Services Security and BPM.” Phil Larson, Director of Product Strategy, Appian Corporation

The heavy adoption of service­oriented architecture (SOA) and Web services technology is driving demand for Business Process Management (BPM), and vice versa. However, legitimate security concerns arise when BPM is used to tie together disparate systems using Web services and make them accessible via a single application. Each web service may have its own security requirements reflecting the policies of the service provider. Moreover, the various “flavors” of Web service technology and the prevalence of poorly documented services makes implementing a holistic security paradigm more difficult.

14

BPM is empowering business users to be more responsible and involved in designing and managing their processes. However, most business users are unfamiliar with appropriate security measures to implement when designing application level security into the processes they are building. Conversely, BPM solutions that use Web services should carry over and enforce the same access privileges. This should be done in addition to standard organization security requirements, such as SSL encryption of network traffic, for effective authentication of users.

This session will feature Appian Corporation, the leading provider of human­centric business process management suites (BPMS) and will highlight the different security approaches organizations should look at when implementing BPM technology along with Web services. Appian’s BPM suite solution is currently in use in tandem with Web services technology at leading Government agencies and commercial organizations.

14:25pm Panel 1 Discussions Auditorium Topic: State­of­the­Art in Intrusion Prevention: Product Maturity and Charting the Course for the Next Decade Moderator: Dr. Anton Chuvakin, Director of Product Management, LogLogic Panelists include: Martin Roesch, Andree Yee, Andrew Berkuta, Ulrich Flegel, Charles Iheagwara, Rohan Amin

14:25pm Panel 2 Discussions (Parallel with Panel 1) Room 1301

Topic: Web Services Technologies and XML Cutting­Edge Products: Product Maturity and Charting the Course for the Next Decade

Moderator: Donald Debolt, Director, Computer Associates Panelists include: Steven Sprague, Rizwan Mallal, Mamoon Yunus, Mark O’Neill, Phil Larson

15:25pm Tea Break and Networking

15:55 ­ 16:30 pm Auditorium Chairman: Ralph Bazilio, President, TCBA 15:55 ­ 16:30 pm Keynote: “Trusted Computing and its Impact on Web Services.” Steven Sprague, CEO, Wave Systems

Wave Systems has been involved in trustworthy computing since its inception in 1989. Wave has built a variety of security silicon implementations, with support infrastructure, which have been used in trusted computing in specific applications, and in 2003 was one of the first non­ founding members of the Trusted Computing Group. The Trusted Computing Group (TCG) is an industry organization formed in 2003, and currently is comprised of more than 100 companies representing security silicon manufacturers, platform OEMs, security middleware providers, and security application providers. The purpose of TCG is to develop, define, and promote open, vendor­neutral industry specifications for trusted computing. These include hardware building block and software interface specifications across multiple platforms and operating environments. Implementation of these specifications will help manage data and digital identities more securely, protecting them from external software attack and physical theft. TCG specifications can also provide

15

capabilities that can be used for more secure remote access by the user and enable the user’s system to be used as a security token.

At the core of TCG technology is a silicon security device, known as a Trusted Platform Module (TPM), which is embedded on the main processing board of a computing platform. The initial work on integrating TPM technology has focused on the PC, and workgroups are addressing incorporating TPM technology into PDAs, cellphones, servers, and trusted peripherals.

A TPM is a public key capable device which, when embedded in a environment to form a trusted platform, can be utilized by applications and infrastructure to:

• Store keys, digital certificates, passwords and data securely in hardware • Enhance network security • Protect online commerce transactions • Help protect against viruses, worms and other malicious attacks • Protect digital identities • Provide authentication between systems and networks • Allow for single sign­on to systems • Enable digital signatures for financial and other transactions • Support regulatory compliance for Sarbanes­Oxley, HIPAA and other federal

requirements

The TPM is now shipping on millions of PC platforms driven by logo compliance for Windows Vista. The advent of industry standard security will change how the enterprise implements security. Strong multi­factor authentication and strong data protection is possible on every endpoint in the network.

15:30 pm ­ 16:30 pm Exhibit Hall

Ask the Experts. Get one­on­one advice and have your questions answered by conference speakers in our "Ask­the­Experts" area of the Exhibit Hall.

15:40­16:40pm

Workshop sponsored by TranGlobal Business Systems Room 1301

Chairman: Mark Walcott, President TransGlobal Business Systems

10:00 ­19:00 pm Exhibit Hall

Exhibits open with company sponsored on­the­Show floor receptions Exhibit Hall Reception: The first night for delicious hors d'oeuvres, cocktails and conversation with your peers. Review new products and security solutions from top vendors, and enter to win some fantastic prizes.

19:00pm Conference Dinner (sponsored by Forum Systems) Garden Restaurant

Background classical, Jazz and contemporary music provided by CAFÉ is sponsored by Transglobal business systems

16

r Friday, May 26, 2006

07:00am Registration Desk Delegate Registration and Continental Breakfast.

Chairman: Professor Ulrich Flegel, University of Dortmund, Germany 08: 20am – 11:25pm

08:15 Auditorium Keynote: “Threat Protection in a Service Oriented World.” Andre Yee, President & CEO, NFR TBA

09:10 Auditorium Keynote: "What are the realities of your legal risks?" Melise R. Blakeslee, Partner, McDermott Will & Emery LLP Court decisions, regulations and your company's own promises may be setting impossibly high standards for data, system and document security and management. This presentation will discuss:

• The surprising decisions from the courts • The confusing regulatory environment • The questions to ask about your company's obligations • The sufficiency of technology solutions; and • The most important steps you need to take to reduce the likelihood of legal liability.

10:10am Tea Break and Networking

10:00 ­17:00 pm Exhibits open with company sponsored on­the­Show floor receptions

10:30am Auditorium Keynote: “eRisk and liability in Online Transactions – the impact of the Sarbanes­Oxley Act.” Ralph Bazilio, President, TCBA In today’s Internet Age, everyone must pay attention to the risks and liabilities in online transactions. For most, if not all of us, we are concerned not only as business professionals providing services to our client base but also as consumers ourselves. There are risks and liabilities to doing business online as they are with any type of business activity. There are also tremendous opportunities available to innovative businesses that understand the risks and take the appropriate measures to mitigate and reduce the risks and manage the potential for liability. The key is adequate planning and risk management.

To complicate matters even further, we have to be concerned with the relevant Federal Laws and Regulations such as the Sarbanes­Oxley Act of 2002. The Act has special significance related to erisk and liability in online transactions. The successful business executive in today’s business environment must develop a plan to effectively manage these and other critical issues that impact our activities.

We will examine some of the most critical erisks and liabilities in online transactions in light of the Sarbanes­Oxley Act of 2002. We will also discuss and exchange ideas on how you can develop and implement a comprehensive strategy to address these and other issues. I will offer some insight on what TCBA has done to assist our clients address these and other related issues.

17

11:25 ­ 12:25pm Session 1: State­of­the­art in Intrusion Prevention Auditorium Chairman: Andre Yee, President & CEO, NFR 11:25 ­ 12:25pm Topic: “Gartnerization of IDS/IPS Vendoring: Beyond the magic quadrant…What works? What Doesn’t?” Charles Iheagwara, Chief Technology Officer, Unatek, Inc.

Since the inception of the deployment of intrusion detection systems and lately intrusion prevention systems, more than 90 products have been/and are being touted as the ultimate solution(s) for enterprise deployment. In the rush to sale and attract customers, vendors have taken to the highway of producing bogus claims in their sales literature. In the process, different metrics have been used to describe the performance and potency of intrusion detection and prevention products. One of the most widely quoted metrics is Gatner’s “Magic Quadrant.” The quadrant ranks vendors in four categories and produces a leader board.

This presentation discusses the “pros and cons” and the implications of Gartnerization.

11:25 ­ 12:25pm Topic: “IDS isn't dead, your implementation of it is! Lessons learned from an enterprise deployment: how to maximize your detection capabilities and investment.”

Rohan Amin, Manager, Lockheed Martin In 2003, Gartner said, "IDSs have failed to provide value relative to its costs and will be obsolete by 2005." Fast forward to 2006, their end conclusion has still not been realized; however, many of the shortcomings they noted in their controversial paper are not shortcomings of the technology but rather of the implementation. This presentation and paper will present a case study of IDS implementation from the world's largest defense contractor and review why Intrusion Detection, correctly implemented, is still a core component of enterprise security.

11:25 ­ 12:25pm

Topic: “Architectures for Detecting Service Intruders and Holding Them Accountable without Sacrificing User Privacy.” Prof. Urlich Flegel, University of Dortmund, Germany

For a better digital world we need services and businesses that not only protect the security objectives of the service providers, but also respect the privacy objectives of their users. We examine the requirements of intrusion detection and response in a service environment regarding accountability and anonymity. Such requirements are partially of legal nature and partially mirror the expectations and demands of the users and therefore determine their choice of service providers. Designing or choosing the right technology is key, if we want to provide our service in and make business with countries that enforce restrictive privacy law, such as EU member states, as well as to get the desired share of the user community. Based on the examined requirements we develop an architectural model for secure and pseudonymous authorizations in service environments. Using the model and generic criteria we distinguish and compare distinct architectures, such we can make sound decisions when designing new systems. Also, existing architectures of secure authorization systems can be mapped to this model, and then analyzed and compared, in order to choose the right system for our purposes.

18

12:25pm Lunch and Networking

Chairman: Professor Omar Keith Helferich, Security Research Consultant, Department of Homeland Security and Faculty, Central Michigan University

13: 25 – 14:15pm 13: 25 pm Auditorium Keynote: “eFraud in Online Commerce: Impact on Business Reputation & Consumer Confidence.” Kerry G. (Kwasi) Holman, President, Prince Georges County Economic Dev. Corp.

The scope and target of Internet fraud in online commerce has seen an exponential growth in recent time. For this, there are unexpected consequences – which are not clearly discernable. By their basic nature, Internet fraud involves the use of the Internet as the target or as the means of perpetrating economic crimes of deception. Therefore, this keynote will examine the nature and extent of some of the principal types of business Internet fraud with concrete examples. The keynote will also highlight the impact on business reputation and consumer confidence.

14:15 ­ 15:30pm Session 2: Web Services Technologies and XML Cutting­Edge Products Auditorium Chairman: Phil Larson, Director of Product Strategy for Appian Corporation 14:15 ­ 15:30pm Topic: “Spyware Exploits.” Donald Debolt, Director, Computer Associates, Inc.

Don DeBolt, Director of Anti­Spyware Research for CA, will provide insight into the many exploit vectors used by manufacturers of Spyware to distribute their code. Botnets, toolbar bundles, rootkits, drive­by downloads, JavaByteVerify attacks, and social engineering are all tactics used by Spyware vendors today. Don will share “in the Wild” examples and provide empirical data to help quantify the treat.

14:15 ­ 15:30pm Session 3: Identity Management Systems Room 1301 Chairman: Dr. Nataraj Nagaratnam, Chief Architect for Identity Management, IBM 14:15 ­ 15:30pm Topic: "Managing Identity Risk." Bill Dutcher, Principal Consultant, Booz Allen and Hamilton

Identity credentials, such as a passport or a driver’s license, allow us to cash checks, travel abroad, board airliners, and gain entrance to government and commercial buildings. The Department of Defense Common Access Card (CAC) and the forthcoming Personal Identity Verification (PIV) card will create government­specific identity credentials that can be used for both personal and electronic authentication to access government and military facilities, as well as to government IT systems.

Any identity credential, not matter how secure it may seem, carries with it some amount of risk. It may have been issued fraudulently, it may have been altered, it may be used by an unauthorized person, or systems it is used to access may not be protected adequately. This presentation will examine the risk elements in creating, using, and managing identity credentials, as well as what IT managers can do to reduce or mitigate those risks.

14:15 ­ 15:30pm Topic: “Identity Bridging Techniques across SOA­based Business Service Networks” Mamoon Yunus and Rizwan Mallal, Advisor and CEO, Crosscheck Networks

Identity Management is a critical aspect of deploying secure SOA­based Business Services Networks. Establishing trusted Business Services Networks require application­ and user­level authentication and authorization of invoked services. In effective BSNs, service invocations

19

should seamlessly traverse corporate boundaries. With loosely coupled and chained Web Services, building trusted Business Networks require flexibility in Identity Management across protocols and messages. As corporate boundaries become porous to trading partner interactions, identity enforcement and identity bridging become central in ensuring Business Service Network flexibility without compromising trust­based security.

14:15 ­ 15:30pm Session 4: Data Theft and Risk Management, Legal Issues Room 1309 Chairperson: Melise R. Blakeslee, Partner, McDermott Will & Emery LLP 14:15 ­ 15:30pm Topic: “Security for Rich Media Collaboration: The Challenge of Balancing Network Security with the Need to Communicate.” John Starke, VP TransGlobal Business Systems

Security and network security are intended to serve customers, who need to communicate. Closing firewalls to complex traffic may keep the network safe, but it is also useless. Another popular alternative for secure communications is the safe proxy server. While providing some degree of security, it is expensive to scale and less flexible than peer­to­peer for personal collaboration. If security systems do not accommodate the need for complex collaboration, then the end users will find alternatives from professionals, who can provide secure and complex collaboration.

14:25 ­ 15:25pm Session 4: Risk Management Room 1307 Chairman: Rohan Amin, Manager, Lockheed Martin 14:25 ­ 15:25pm Topic: “Establishing A "Best Practice" Security Process: Setting the Standards From Assessment through Incident Response.” Omar Keith Helferich, Security Research Consultant, Department of Homeland Security and Faculty, Central Michigan University

Corporate commitment to protect the public as well as their brand image through risk assessment, planning, and more resilient supply networks is increasing given the recognition that the U.S. is vulnerable to a wide range of potential service disruptions from natural disasters, pandemic disease, disgruntled employees, special interest groups, and/or acts of terrorism. Michigan State University through a Department of Homeland Security Grant and in collaboration with industry is developing a strategic level methodology that defines a leading Brand Protection­Supply Chain Security Process. The objective of the process is to impact and prescribe brand protection/security controls to reduce or eliminate risks to the disruption of the overall supply chain. The process can serve as the cornerstone for the development of a brand protection program that identifies disruption risks that could affect business operations while prescribing cost effective solutions to mitigate these risks and optimize effective resilient networks. The process standard is dynamic, capable of being adapted to changing issues, new risks, or operational circumstances and business needs. The presentation will discuss the value, steps­"template" and metrics to achieve such a "Leading Practice" Process for overall Supply Chain Brand Protection/ Risk Management.

15:35 – 16: 35PM Panel 3 Discussions Auditorium

Topic: “Identity Management Systems and Trust Enablement.”

Moderator: Dr. Nataraj Nagaratnam, Chief Architect for Identity Management, IBM Panelists include: Mamoon Yunus, John Starke, Bill Dutcher, Edyth Poole, Charles Kumi, Rizwan Mallal, Computer Associates Track 3: B Practices

20

15:30 – 16:30 PM Panel 4 Discussions (Parallel with Panel 3) Room 1301

Topic: “Technical and Legal Problems with Preserving Data.”

Moderator: Melise R. Blakeslee, Partner, McDermott Will & Emery LLP

Panelists include: Paul Doyle, Omar Keith Helferich, Charlton Sampson.

16:30 Tea Break and Networking

15:00­17:00pm Room 1301 Workshop sponsored by Bowie State University Chairman: Professor David Anyiwo

18:00pm Conference Closing

­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ ­­­­­­

1101 15 th Street NW, Suite 1200 Washington, DC 20005, U.S.A. T: 202 – 737 – 3300 F: 202 – 737 ­ 2684

Information Technology Assurance & Control

Thompson, Cobb, Bazilio & Associates, PC (TCBA) has been in business for more than 20 years providing excellent services to commercial entities, not­for­profit entities, federal, state and local governments. Several years ago TCBA created an IT SWAT team called the Information Technology Assurance & Control (ITAC) Group in anticipation of the growing demand for rapid IT assessment/audit and IT staff augmentation demands. ITAC is a cadre of certified IT Auditors and Information Systems and Network Security specialists, well experience with multiple systems and platforms. From mainframe systems to SQL Servers, from LAN/WANs to VPN, and from UNIX to MVS. ITAC professional certifications include CISA, MCSA, MCP, MCSE, CISM, CISSP and PMP. Services

The ITAC group provides the following services:

• SAS 70 Type I and II audits • Emergency Data Center assessment and staff

augmentation • FISMA compliance program development and

audits • Financial systems assurance audits • IT Risk Assessment • System Development Life Cycle (SDLC) reviews • Internet security and vulnerability assessment

(Penetration Testing)

• General and application controls reviews • Operating systems security • Logical and physical security • Network security • Firewall reviews • Database security • Change Management Reviews • Operations Center Reviews • E­commerce/EDI reviews • Virus/Malicious Software Reviews • Help Desk/Customer Support evaluations • System implementations evaluations • Contract compliance reviews

21

We Salute

The outstanding quality of the technical program presented at this year’s conference is due to the contribution of our distinguished keynote and specially invited speakers. Their wealth of experience, dedication and commitment to the profession is a gift to all of us. We salute and thank the following whose biographies are described below.

Dr. Nataraj Nagaratnam is the Chief Architect for Identity Management at IBM, and lead architect for on demand security infrastructure and technical strategy. As a Senior Technical Staff Member in Tivoli organization, Raj drives security architecture and design activities across IBM products and platforms, and importantly the SWG architectural direction. In his career in IBM, he has been the lead security architect for the WebSphere Platform. He leads and/or participates in various open standards activities in standards organizations including OASIS, JSP, WS­I, and GGF. He has authored and co­authored numerous journal articles, papers, books and security specifications, including the book on

"Enterprise Java Security" published by Addison Wesley.

Anthony Nadalin is IBM’s chief security architect. As a Distinguished Engineer, he is responsible for security infra­structure design and development across IBM, Tivoli and Lotus. He serves as the primary security liaison to Sun Microsystems’ JavaSoft Division for Java security design and development collaboration, and to Microsoft for Web Services security design and development collaboration. In his 21­year career with IBM, Anthony has covered the following positions: lead security architect for VM/SP, security architect for AS/400, and security architect for OS/2. Anthony has authored and co­authored over thirty technical

journal and conference articles. Anthony has published two books on Java Security and the Internet. Anthony has been on the technical committee of three major scientific journals and one conference, and has reviewed extensively work published by peers in the field. He has given several presentations and invited speeches at numerous technical security conferences.

Martin Roesch founded Sourcefire in 2001 and serves as its Chief Technology Officer. A respected authority on intrusion prevention and detection technology and forensics, he is responsible for the technical direction and product development efforts. Martin, who has 17 years industry experience in network security and embedded systems engineering, is also the author and lead developer of the Snort Intrusion Prevention and Detection System ( www.snort.org) that forms the foundation for the Sourcefire 3D System.

Over the past eight years, Martin has developed various network security tools and technologies, including intrusion prevention and detection systems, honeypots, network scanners, and policy enforcement systems for organizations such as GTE Internetworking, Stanford Telecommunications, Inc., and the Department of Defense. He has applied his knowledge of network security to penetration testing and network forensics for numerous government and large corporate customers. Martin has been interviewed as an industry expert in multiple technology publications, as well as print and online news services such as MSNBC, Wall Street Journal, CNET, ZDNet, and numerous books. Snort has been featured in Scientific American, on A&E's Secret Places: Inside the FBI, and in several books, such as Network Intrusion Detection: An Analysts Handbook, Intrusion Signatures and Analysis, Maximum Security, Hacking Exposed, and others. Martin has also been the recipient of the 2004 InfoWorld IT Heroes Innovator Award as well as winning the 2004 "40 under 40" award from the Baltimore Business Journal.

Martin holds a B.S. in Electrical and Computer Engineering from Clarkson University.

Mamoon Yunus is an industry­honored CTO in Web Services­based technologies for enterprises and is a pioneer in Web Services Firewalls. He is the founder of Forum Systems, the leader in Web Services Security. Prior to Forum Systems, Mr. Yunus was a Global Systems Engineer for webMethods where he developed business integration strategy and architecture plans for Global 2000 companies such as GE, Prudential, Pepsi,

Siemens, and Mass Mutual. He has held various high level executive positions at Informix (acquired by IBM) and Cambridge Technology Group. Mr. Yunus holds two Graduate Degrees in Engineering from MIT and a BSME from Georgia Institute of Technology.

He has been recognized by InfoWorld as one of 4 “Up and coming CTOs to watch in 2004” and is a sought after speaker at industry conferences such as RSA, Web Services Edge, Gartner, and Networld + Interop. He has been featured on CNBC as Terry Bradshaw’s “Pick of the Week.”

22

Melise R. Blakeslee is a partner in the law firm of McDermott Will & Emery LLP based in the Washington, D.C. office. As a member of the Intellectual Property, Media & Technology Department, Melise is the leader of the Firm’s Tech Transactions and e­Business Group. She is admitted to the bars of New York and Washington, D.C.

Melise’s practice is unique in that she has a transactional practice focusing on information technology and the Internet as well as an active litigation docket focusing on complex software and copyright disputes.

Melise’s practice routinely bridges across a wide range of complex IT and IP arrangements, including Multinational IT and BPO outsourcing; and B2B, B2C and commodity exchanges.

In addition, she counsels internet­based businesses on issues such as: consumer privacy, transaction authentication, content licensing, electronic payment systems, advertising concerns and e­business­ related insurance issues.

Melise has 19 years of experience protecting and licensing IP in many industry sectors, including software, advertising, art and music. She leads the Firm's large­scale Internet policing program on behalf of many famous brands.

Melise has chaired several conference panels and has been widely quoted and has published several articles in widely distributed and respected journals, magazines and other editions.

Andre Yee is the President and Chief Executive for NFR Security. Mr Yee's experience includes an impressive track record of leading innovative product development for public and private companies. Prior to NFR, Mr. Yee was Vice President, Research & Development for SAGA Software (Software AG Americas) where he led the development of Sagavista, an award winning enterprise application integration product. Before SAGA Software, he was Director,

Product Development with Landmark Systems, a leading systems management company. Mr. Yee is a noted author and featured conference speaker on topics related to security, distributed computing and middleware. He has authored several articles on intrusion detection and prevention. His books include Integrating Your eBusiness Enterprise (SAMS, 2001) and Mastering Java (Sybex, 1996). Mr Yee is listed as an inventor on two patents

Ralph Bazilio is the President of Thompson, Cobb, Bazilio & Associates, PC (TCBA) and for the past 20 years, has been an active participant in the business community in the Washington, D.C. metropolitan area. Through his vision and leadership, TCBA has expanded its range of services to included IT audits. These services are performed by a new unit within the firm called the Information Technology Audit and Control Group, the group is staffed by CISAs, CISSPs,

PMPs’ and CPAs TCBA has grown to be among the top 50 accounting firms in the nation, having 200 employees in five states and the District of Columbia where it is headquartered.

Mr. Bazilio became a certified public accountant in 1979 and has since grown to be a leader in his profession and a mentor to those entering the field of accounting. For two years, Ralph served on the American Institute of Certified Public Accountants Council, the unit within the 350,000­member organization that sets policy and direction for the profession. He also served for six years as a member of the board of the Greater Washington Society of CPAs and was its president in 2000. In the National Association of Black Accountants, Ralph has been a leader in the movement to encourage more African Americans to become certified public accountants.

Ralph has been equally active in community services, and applies the same dedication and care in service to the community as he does in his corporate and professional activities. He serves on the board of the Cultural Academy for Excellence, a nonprofit organization in Prince George’s County, Maryland, which seeks to enhance the academic, social, and leadership skills of youth through the performing arts, and is also on the Advisory Board of the University of the District of Columbia’s School of Business. He is a member of the Gideons International, and served as the president of its Prince George’s Central Camp in 2002. He also serves as Vice Chair of the Board of First Wesleyan Church of Oxon Hill, Maryland.

John Starke is the Vice President of Technology & Applications Development, TransGlobal Business Systems and a member of its Board of Directors. John is also the Managing Director of the Jobs Access Network, a not­for­profit consulting firm specializing in using virtual presence technologies to improve performance of distributed worker, and to spur economic development in communities. He has been CEO of two real estate finance firms, and he has been a consultant in risk management for both industry and government agencies. He also

was President of the Telework Consortium, Director of Planning at the Government National Mortgage Association (Ginnie Mae), and Chairman of the Electronics Development Corporation.

23

Mr. Starke graduated from The George Washington University with a BS (Electrical Engineering) and MS (Operations Research). He also graduated from the Sloan School of Management at the Massachusetts Institute of Technology with an MS (Management). Mr. Starke is the author of numerous articles on mortgage lending, and the author of a book, Mortgage Lending and Investing, Understanding Risks in a Changing Market, Business One­Irwin, 1991.

Steven Sprague is president and CEO of Wave Systems Corp. Based in Lee, MA, Wave is a leader in delivering trusted computing applications and services with advanced products, infrastructure and solutions across multiple trusted platforms from a variety of vendors. Wave holds a portfolio of significant fundamental patents in security and e­commerce applications and employs some of the world's leading security systems architects and engineers.

Sprague was a vice president of Wave from 1992 to 1995. In 1995 he founded Wave Interactive Network, a specialized consumer distribution channel. In 1996, Wave acquired Wave Interactive Network and Sprague was elected president and COO of Wave Systems. In

2000 he took over responsibilities as CEO.

Sprague has a B.S. in mechanical engineering from Cornell University and resides in Lenox, MA.

Jack Johnson was sworn in as the sixth County Executive of Prince George's County on December 2, 2002. Prior to being elected County Executive, Mr. Johnson served as the County's State's Attorney for eight years.

As County Executive, Mr. Johnson launched his highly anticipated Livable Communities Initiative within three months of taking office. Mr. Johnson's keen sense of people and understanding of their needs has successfully propelled this initiative to all economic

segments and geographic areas of the county. Mr. Johnson credits his formula for "having the understanding that quality schools help create first class communities and that communities clean and free of crime, are attractive places for economic opportunities."

In less than two years as the incumbent County Executive, Mr. Johnson worked closely with the council and the state to save the Prince George's County Hospital system. He negotiated the revival of the National Harbor Convention Center Complex and Luxury Hotel project and in partnership with the County Council reached an agreement with developers to construct National Harbor. Once completed, National Harbor will be the first and largest resort hotel and convention center "in Gorgeous Prince George's County," and the largest privately funded project of its kind on the East Coast.

A native of South Carolina, Mr. Johnson received a degree in Business Administration from Benedict College in Columbia, South Carolina and a Juris Doctor degree from Howard University School of Law in Washington, D.C. He has held a variety of leadership roles in civic and professional organizations. His accomplishments and dedication to the community have been recognized with many awards and honors including the NAACP's "Presidential Award and the Army's Patriot Award." Most recently, he received the National Foundation For Black Public Administrator's Leadership Award.

Kerry G. (Kwasi) Holman is currently President and CEO of Prince George's County Economic Development Corporation and has an expansive and professional background in business and economic development, banking, small business turnaround, legislative affairs, policy analysis and marketing spans over two decades.

Mr. Holman began his career in 1983 working for The District of Columbia Office of Business and Economic Development as Executive Director where he developed the District’s first industrial park, with new initiatives in development of arts facilities. From 1987 ­ 1991, he joined the National Bank of Washington as a Senior Vice President responsible for a $10 million portfolio. In 1992, he worked as Executive Director for the Ellington Fund and raised and managed $1.2 million fund to support the academic and arts programs at the Duke Ellington School of Arts. In 1993, he served as Executive Vice President for the District of Columbia Chamber of Commerce where he directed and administered programs to heighten visibility of the Chamber and to enhance membership. In 1999, in his role as President and CEO of the New York Avenue Development Corporation he implemented transportation and policy improvements designed to attract businesses and residents to the New York Avenue corridor. In 2002, he worked for the National Capital Revitalization Corporation as the Director of Business Development where he managed the Economic Development Finance Corporation. In February of 2003, he launched his own consulting company, The Holman Group that includes a number of clients. He is currently the President and CEO of the Prince George’s County Economic Development Corporation, a non profit organization whose mission is to develop, implement and evaluate programs and initiatives intended to foster the industrial, economic, commercial growth and expansion and revitalization of Prince George’s

24

County.

Mr. Holman currently serves as President of his condominium association. He is a former member of the DC Zoning Commission, Leadership Washington, Secretary of Downtown DC Business Improvement District Board member, Treasurer and Secretary of the Washington Projects for the Arts.

Mr. Holman holds a Bachelor’s Degree in Government, Economics and History from Wesleyan University in Middletown, Connecticut (1971), a Juris Doctorate from Howard University School of Law in Washington, D.C. (1974) and is a graduate of the Fundraising School of Indiana University ­ Principles of Fundraising (1988).

Dr Anton Chuvakin, GCIA, GCIH, GCFA is a recognized security expert and book author. A frequent conference speaker, he also represents the company at various security meetings and standard organizations. He is an author of a book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and the upcoming "Hacker's Challenge 3". Anton also published numerous papers on a broad range of security subjects. In his spare time

he maintains his security portal http://www.info­secure.org and blogs at O'Reilly (http://www.oreillynet.com/pub/au/1207) and Blogspot (http://chuvakin.blogspot.com).

Dr. Charles Iheagwara, the founder and chief technology officer of Unatek is an information technology security executive with experiences that covers a broad spectrum of Enterprise Information Assurance practice at business consulting and corporate implementation levels. Prior to assuming the position of CTO, Dr. Iheagwara worked in the business consulting unit and lead multiple engagements including subcontracting with KPMG on risk management and eCommerce software security projects for the Washington Metropolitan Airports Authority; and consulting with

Thompson, Cobbs, Bazilio and Associates (TCBA) on different projects for numerous clients. Previous employment include stints at Lockheed Martin, Aligned Development Strategies, Inc (ADSI), Edgar online, Inc. and UTV environmental. At Lockheed Martin, he was the lead consultant for the Enterprise Information Systems next generation intrusion detection systems re­engineering project, as director of IT security services at ADSI, he managed the INFOSEC program of the ten million dollars ($10,000,000.00) District of Columbia government HIPAA privacy project for the TCBA –ADSI – Bearing Point contractor group, and as a systems security administrator at Edgar online worked on corporate and NASDAQ Online Web services /Internet portal IT security programs.

Dr. Iheagwara has served as an adjunct professor at several universities including Bowie State University, Bowie, Maryland and has published more than thirty­eight (38) papers in referred international technical and scientific journals and conference proceedings.

Dr. Iheagwara received a Ph.D. degree in computer science from the University of Glamorgan, Wales, UK, a Master of Science degree in Metallurgical Engineering from the University of Minnesota, Minneapolis, Minnesota, USA, and a Bachelor/Master of Science degree in Metallurgical Engineering from the Moscow University of Steel and Alloys Technology, Moscow, Russia. Dr. Iheagwara is a licensed professional engineer.

Mark O’Neill is the Chief Technology Officer of Vordel, Inc. In this role, Mark oversees the development of Vordel’s technical strategy and product development for the delivery of XML and SOA management and security solutions for Global 2000 companies and Governments worldwide. He regularly presents at industry seminars on the security and management issues effecting Web Services and is author of the book, “Web Services Security”, and co­ author of “Hardening Network Security” published by Osborne­McGraw Hill. Mark holds a double­honors degree in Mathematics and Psychology from Trinity College Dublin and

studied neural network modeling at Oxford University.

Dr. Omar Keith Helferich is a consultant and university faculty member with experience in environmental/ safety engineering, supply chain, decision support systems, incident management, and continuity planning. Keith received a Doctor of Business Administration with concentrations in operations, logistics and information management (1970) from Michigan State University. He received an MBA with concentration in Quantitative Methods, an MS in Environmental/Sanitary Engineering, and a BS in Civil Engineering from the University of Michigan.

25

Dr. Helferich experience includes five years in nuclear, biological and chemical safety engineering for Atomic Energy Laboratories, nuclear weapons testing in the Pacific and United States, and nuclear power safety systems engineering. He was also a member of the “Hot Spot” team that responds to USA nuclear weapons accidents. During the past fifteen years Dr. Helferich has been a disaster logistics volunteer for the American Red Cross (ARC). His logistics leadership response experience includes fires, storms, train derailments, Oklahoma bombing, the World Trade Center terrorist incident and hurricane Katrina. He is an ARC disaster logistics instructor, a member of the ARC Weapons of Mass Destruction Task Force, the US ARC Critical Response Team (CRT) for Air, Transportation and Weapons of Mass Destruction disasters. He is also an advisor to the National ARC Logistics Function. Current projects involve developing an improved process for food procurement and inventory management to support national disasters and security of the national food supply chain through migration programs.

Dr. Helferich also has worked with the DOD initiative on ”network centric” operational concepts based on sense and response processes to achieve effective logistics support. Presentations on supply chain security have been made for such organizations as the Society of Industry Security professionals, major university conferences on achieving business resilience, and the largest logistics professional group­ The Council of Supply Chain Management Professionals (CSCMP). Helferich also is on the advisory board and track chair for the Distribution Business Management educational group.

Omar K. Helferich has over 20 years experience in supply chain consulting including positions as a Vice President with Integrated Strategies, a partner with Cleveland Consulting Associates and as Co­Founder and Managing Director of the Dialog Systems Business Division of AT Kearney. Dr. Helferich was Director of the Supply Chain Management Outreach Program at Michigan State University from 1992 through 1999. His areas of focus are supply chain strategy, risk management, application of DSS tools to system optimization, vehicle routing, scheduling, inventory planning, layout, process reengineering, forecasting, environmental impact and business continuity planning. Current initiatives with MSU and GSC Mobile Solutions Inc. involve research under the Department of Homeland Security to enhance security for the US national food supply plus electronics and pharmaceutical product segments.

Dr. Helferich has been a member of CSCMP, formerly the Council of Logistics Management (CLM) since graduate school at Michigan State University. He has been a frequent speaker at the CLM Conferences. He is a c­author of the 2001 White Paper for CLM, “Securing the Supply Chain”. Dr. Helferich is also Co­ author with Dr. Robert L. Cook of the Chapter on Supply Chain Security in the forthcoming Handbook on Supply Chain Management. He is co­author with Air Force Major Mary Kay Allen PhD of the 1992 CLM sponsored monograph, “Putting Expert Systems to Work in Logistics” and two CLM supply chain environmental impact case studies. He has co­authored two logistics textbooks and a number of articles and proceedings. He is on the editorial staff of the Distribution Business Management Journal. Dr. Helferich has made presentations to business organizations on topics of DSS tools, logistics strategy, environmentally responsible supply chain practices, disaster logistics and supply chain continuity planning.

Rohan Amin is the Manager of Security Intelligence and Incident Response at Lockheed Martin, one of the world’s largest defense contractors. Rohan leads the enterprise team that provides Incident Response, Intrusion Detection, Situational Awareness and Security Intelligence capabilities for the corporation. Rohan has a Bachelor’s Degree in Computer and Telecommunications Engineering and a Master’s Degree in Telecommunications and Networking from the University of Pennsylvania. Rohan is also, currently, a doctoral student

at George Washington University in the NSA Information Assurance program.

Donald Debolt is the Director of Anti­Spyware Research at CA, one of the world’s largest IT management software providers. Don leads his team daily in identifying new forms of Spyware ensuring all samples are evaluated against common criteria. Prior to joining CA Don lead the Managed Security Operations for Counterpane Internet Security under Bruce Schneier. There he worked to protect Fortune 500 companies from daily attack. He has been working within the IT security field for the

last 10 years and now brings his well rounded security background to the table when targeting Spyware.

Andrew J. Berkuta is a Senior Security Evangelist / Strategist for McAfee, Inc., creators of best­of­breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. He consults regularly with executives and clients from a unique customer’s prospective, as well as speaks frequently on various security trends and techniques. Prior to joining the McAfee Security team, he was a security director in the mortgage industry, started 3 companies, a manager of a unique proof of concept lab, and has a diverse consulting background that spans more

26

than 15 years.

Dr. Ulrich Flegel is a research associate of the Information Systems and Security chair of the University of Dortmund, Germany. He focuses on information security in general and specifically on reactive security and privacy enhancing technologies. Dr. Flegel serves the scientific community as an author of numerous publications, and as a member of programme and organizing committees of national and international conferences, as well as guest editor and author of scientific journals. He is the founder and chairman of the steering committee of the international conference series DIMVA on Detection of Intrusions and

Malware & Vulnerability Assessment. Dr. Flegel also is a member of the steering committee of the Security chapter of the German Informatics Society (GI) and is in charge of the chair position of the GI special interest group SIDAR ­ Intrusion Detection and Response.

Bill Dutcher is a member of the Booz Allen Hamilton Global Resilience team, working with Department of Defense and government customers to install and operate identity management and Internet security systems, and to solve network operations problems. His specialties are network operations and network security, DNS services, and PKI. He has worked for Xerox, supporting the first commercial Ethernet workstation systems, for SAIC and Network Solutions, consulting on DoD and commercial network operations, and for VeriSign, developing Internet access and telephony services. He is the author of two books,

Managing IP Addresses, and The Network Address Translation Handbook, and is the co­inventor of the WebNum wireless Internet access system.

Rizwan Mallal, director at Crosscheck Networks is also the founding member and Chief Security Architect of Forum Systems, Rizwan is responsible for all security related aspects of Forum's technology. Rizwan currently serves on the Advisory Board of Trlokom, a leading anti­malware security company.

Previously, Rizwan was the Chief Architect at Phobos where he was responsible for developing the industry's first embedded SSL offloader. This product triggered Phobos's acquisition by Sonicwall (NASD: SNWL). Before joining Phobos, he was member of the core­engineering group at Raptor Systems, which pioneered the Firewall/VPN space in the mid 1990s. Raptor after its successful IPO in 1996 was later acquired by

Axent/Symantec (NASD: SYMC).

Rizwan started his career at Cambridge Technology Partners (acquired By Novell) where he was the technical lead in the client/server group. Rizwan has a BSc. in Computer Science from Albright College and MSc. in Computer Science from University of Vermont.

Phil Larson, Director of Product Strategy for Appian Corporation, guides the strategic vision of Appian Enterprise, the company's flagship solution. With more than 6.1 million seats deployed, Appian Enterprise is an industry­leading enterprise BPM suite and is being used in a wide range of projects within government agencies, non­government organizations, and Fortune 500 companies.

Special Thanks We express our appreciation to the conference attendees, sponsors, exhibitors, and the entire staff of SBI, Prince George’s County Economic Development Corporation, Welz & Weisel Communications and the Marriott Conference Center for their various contributions towards a successful 2006 WSSC.

We want to also thank our esteemed speakers, chairs and moderators for their pioneering role, vision and leadership of the profession.

27

McDermott Will & Emery is a leading international law firm with 1,000 lawyers representing a wide range of industrial, commercial and financial enterprises. Our diversified practice serves clients through numerous integrated practice and industry groups across offices in the United States and Europe. Over our 70­year history, McDermott Will & Emery has earned a reputation for outstanding service. We consider client satisfaction the ultimate measure of our success.

McDermott Will & Emery’s Intellectual Property, Media & Technology Department provides legal services relating to every aspect of intellectual property law and plays a significant role in developing and defending intellectual property rights in virtually every major industry. With 190 lawyers and patent agents, McDermott offers one of the largest concentrations of patent, trademark and copyright prosecution, licensing and litigation services worldwide.

McDermott has been ranked as one of the Top 10 IP litigation firms by IP Law & Business and as one of the leading patent firms by Intellectual Property Today. Our strategic patent prosecution program resulted in 1,282 U.S. patents for clients in 2005, and our trademark practice ranks among the top 10 percent of trademark firms in the United States. More than 130 members of our team hold scientific and/or technical degrees, and more than 95 are registered with the U.S. Patent and Trademark Office.

Washington, D.C. 600 13th Street, N.W. Washington, DC 20005­3096 U.S.A.

T: 202.756.8000 F: 202.756.8087

Since its founding in 1996, NFR Security has demonstrated a deep understanding of the intrusion management market, and has established a strong reputation for product innovation and technical superiority.

Today, NFR Security redefines the intrusion defense and management market by offering both trusted intrusion prevention and accurate intrusion detection technologies. Considered by many as best in class for network intrusion management since 1996, NFR Security's products are used by more than 500 organizations worldwide, including Fortune 100 companies, federal government agencies, and leaders in the financial, utility, healthcare, and manufacturing sectors. NFR is also the product of choice of major telecommunications companies, ISPs, OEMs, and MSPs.

Customers are served via a worldwide network of channel partners, as well as NFR Security's direct sales force.

NFR Security, Inc. World Headquarters 5 Choke Cherry Road

Suite 200 Rockville MD 20850­4004

Voice 800.234.8419, 240.632.9000 Fax 240.632.0200

28

THE 2006 WORLD SUMMIT ON INTRUSION PREVENTION

Marriott Conference Center, University of Maryland, College Park, Maryland

October 30 – 31, 2006

Plan now to attend the latest in a series of outstanding international conferences on the science, technology and applications of intrusion prevention. The world’s top experts from the industry and academia will present numerous papers on the latest scientific, technological and business developments. An international exhibit of products and services will accompany the technical program.

TOPIC HIGHLIGHTS

• Intrusion prevention in wired enterprise systems

• Wireless perimeters and intrusion prevention

• Product maturity

• The challenges ahead • Prospects and emerging trends • Risk management • Legal issues

Plenary keynote by The World's Most Famous Former Hacker

Kevin Mitnick is a celebrated former hacker who's "gone straight" and now devotes his considerable skills to helping corporations, organizations, and government agencies protect themselves from the kinds of attacks described in his books, the best­seller The Art of Deception (2002) and his more recent The Art of Intrusion (2005).

Sponsored by: UNATEK IT SECURITY CONFERENCES

For more information, please contact Unatek, Inc.

Attn: WSIP 1100 Mercantile Lane, Suite 115A,

Largo, MD 20774 Tel: (301) 583­4629 Fax: (301) 772­8540

Email: wsip@unatek.com

29

The 2007 Web Services Security Conference & Exhibition

Marriott Conference Center, University of Maryland, College Park, Maryland

April ‐ May, 2007 Plan now to attend the latest in a series of outstanding international conferences on the science, technology and applications of Web Services Security. The world’s top experts from the industry and academia will present numerous papers on the latest scientific, technological and business developments. An international exhibit of products and services will accompany the technical program.

TOPIC HIGHLIGHTS • Securing Financial online

transactions • Federated Identity Management • Security of Service­Oriented

Architecture • TCP, XML, HTTP, in security

context • What is your stake and take on

online transaction security

• Product maturity • The challenges ahead • Prospects and emerging trends • Risk management • Legal issues • +++ More

•

Sponsored by: UNATEK IT SECURITY CONFERENCES

For more information, please contact Unatek, Inc.

Attn: WSIP 1100 Mercantile Lane, Suite 115A,

Largo, MD 20774 Tel: (301) 583­4629 Fax: (301) 772­8540

Email: wssc@unatek.com

30

Company Fact Sheet Salt Lake City Office: Boston Office: 45 West 10000 South, Suite #415 95 Sawyer Road, Suite #110 Sandy, UT 84070 Waltham, MA 02453 Tel: (801) 313­4400 Tel: (781) 788­4200 Fax: (801) 313­4401 Fax: (781) 788­4201

About Forum Systems, Inc. Forum Systems, Inc. is the leader in Web services security with a comprehensive suite of trust management, threat protection and information assurance solutions for the automated Web. Forum Systems flexible hardware, software and embedded products make vibrant business communications possible by actively guarding XML data and Web services across networks and business boundaries. Forum’s products have been chosen by over 40 Fortune 1000 industry leaders and are winners of Network Computing Magazine’s Well­Connected 2004 Award and Product of the Year 2004 Award, Network Computing Magazine’s Editor’s Choice 2003 Award, Network Magazine’s Product of the Year 2003 Award and DEMO 2004 Invitation. http://www.forumsys.com/

About Forum S3A™ Forum S3A (Seamless Security Solutions Architecture) is a life cycle approach to protecting next generation service oriented architectures and data­level networks. Forum S3A relies on an adaptive approach to building trustworthy, ubiquitous and robust security­minded enterprise applications. Forum solutions include Web services risk management services, testing tools, firewalls and gateways. Availability: software, PCI­card and appliances.

Forum Sentry™ Web Services Security Gateway enables trusted information sharing using XML data and Web services across disparate security domains and complex business processes. Forum Sentry allows enterprises to achieve a higher return on investment by implementing secure service­oriented architectures and event­driven applications.

Forum Presidio™ OpenPGP Security Gateway is a secure content exchange platform that allows enterprises to immediately comply with government information privacy regulations without complexity and at a lower total cost of ownership using the ubiquitous OpenPGP™ standard.

Forum XWall™ Web Services Firewall with data­ level authentication, XML intrusion prevention and interoperability enforcement protects enterprises against XML viruses, denial of Web service attacks and unauthorized data access. Forum XWall ensures applications are appropriately accessible and continuously available by enforcing policies that check data integrity and control access to exposed enterprise Web services.

Forum XRay™ Web Services Diagnostics is a quality assurance solution that tests Web services for security susceptibilities, functional accuracy and performance requirements. Forum XRay can systematically and cost­effectively detect and eliminate design­centric as well as attack­centric vulnerabilities prior to application deployment.

Forum Vulcon™ Vulnerability Containment Service is an early warning system for known and impending XML­related vulnerabilities. Forum Vulcon is an on­line subscription services that automatically delivers threat intelligence reports, antivirus updates as well as software and policy revisions.

Facts­At­A­Glance Founded: May 2001, Launched DEMO February 2002 Corporate Headquarters: Salt Lake City, Utah Funding: Privately held; $30.5 million in funding led by GMG Capital Industry Associations: eBXML, IS Alliance, OASIS, W3C, WS­I, XBRL, XML Working Group Forum Foundation Partners: HP, IBM, Lockheed Martin, Microsoft, nCipher, Computer Associates, Oracle, RSA, SonicSoftware, Sun, Systinet, Oblix, NetContinuum and Software AG Awards: Network Computing Editors Choice, Network Computing Well Connected 2004 Finalist, Best of Interop Finalist, 2003 Network Magazine Product of the Year Customers: Over 40 Fortune 1000 enterprises have adopted Forum S3A™ products including Amazon, Motorola, Charles Schwab, Mass Mutual and Lockheed Martin

Management Team Forum’s management team brings a wide range of experience in commercial enterprise, government and financial services industries with deep technology expertise in networking, security and business integration.

31

TransGlobal Business Systems, Inc. 1100 Mercantile Lane, Suite 115A, Largo, MD 20774 301 583 4630 (O), 301 772 8540(F) www.transglobalbiz.com

TransGlobal Business Systems, Inc. provides integrated, end­to­end solutions that reliably deliver information, and communications services while being deliberate at implementing security considerations throughout the enterprise architecture. We traditionally deliver best­of­breed solutions using our proprietary solutions as well as extending solutions of the world's leading providers of Government and Enterprise IT solutions through Value Added Reseller agreements and Strategic partnering. As Developers and Systems Integrators (SI) of systems that harness and deliver strategic intelligence to first­responder end users such as Law Enforcement, Emergency Response Management, and Fire. TransGlobal applies a holistic and disciplined approach in addressing our client’s needs. Our

approach is designed maximize client participation in describing their “as is”, Business and IT Enterprise Architecture and practices, as well as describing their desired outcome. Our recommended solutions are then compared to Industry’s best practices so as to inform sensible decisions and procurement choices towards improved efficiencies and cost savings for the client. Our recommended solutions emphasize the value of integrating systems and data, controls over data and information security, systems interoperability and system compliance. Ultimately, TransGlobal Business Systems, Inc. strives to lead in Global, Regional and Enterprise­Wide Information sharing initiatives, as well strategic intelligence capture and sharing.