Steve Kosten

Steve Kosten is Managing Director at Cypress Data Defense performing secure code reviews across multiple languages, web app and mobile penetration testing, vulnerability assessment and risk management, and helping clients create and grow a secure development lifecycle, working in sectors such as insurance, finance, real estate, transportation, and many more. He previously performed security work in the defense and financial sectors as well as non-profit and headed up the security department for a financial services firm. Steve has been teaching for SANS since 2013 and currently can be found teaching SEC545: Cloud Security Architecture and Operations.

More About Steve


Fresh out of undergrad, Steve worked in the aerospace sector, which eventually led to the Intelligence and Information sector working with sensitive government customers participating in exciting projects such as building ground stations to communicate with satellites, developing security requirements for various programs, and helping with compliance to DCID 6/3. Deeply intrigued by this work, Steve ended up pursuing his master's degree in Information Security and continually following his security interests. His past training in engineering and associated risks with solutions led him to do a lot of work in the cloud and to try to find the most pragmatic approaches to address problems.

Steve has always sought after new and better ways to address problems, which is a great fit for the cloud space since the cloud offers many potential benefits, but also many challenges. He appreciates the pace of development, new attacks, new techniques, and new technology in the cloud and finds it fun to pull different resources together, whether attacking or defending a target. After college, Steve taught math and physics for a few years in Fiji while in the Peace Corps and thoroughly enjoyed the teaching experience, so teaching security has combined some natural passions and skill sets for Steve. He revels in sharing knowledge and experiences and feels if people can learn from his successes and failures, it can shortcut the learning process for others, contributing to the development of a greater society.

As an instructor, Steve likes to share the practical aspects of what the material is covering by relaying stories of things he’s encountered throughout his career that map to the topic. Steve is a big proponent of hands-on learning and strives to help everyone learn by getting their hands dirty and simply enjoying the class. Cloud Security Architecture is a fun topic to teach for Steve as there is typically a wide range of students coming into the course. Some have had little to no experience in the cloud and others have been working and solving problems for their organizations within the cloud for many years. Pulling together all of these different experiences across different industries makes for an interesting and interactive experience.

Steve believes the pace of change within cloud security is the biggest challenge his students face. The ability to keep pace with new offerings, new interfaces, new ways of doing things is always a challenge and when multiple cloud providers are added to the mix, this issue can be truly trying. Yet these challenges are what provide continual learning, which he relishes.

Steve has been involved with Open Web Application Security Project (OWASP) for many years. He has been on the board of OWASP Denver for over 10 years, helped run AppSec USA when OWASP hosted the national conference in Denver, and ran the Denver chapter for five years before stepping down in order to revamp the Boulder chapter, of which he’s currently the chapter lead. He has presented security talks at numerous conferences in multiple countries including Bulgaria and China.

Steve holds a Bachelor of Science in Aerospace Engineering from the Pennsylvania State University and a Master of Science in Information Security from James Madison University. He currently maintains GSSP-JAVA, GWAPT, CISSP, and CISM certifications and won the Lifetime Contributions Award from the OWASP Denver chapter in 2017.

In his spare time, Steve enjoys attending his children’s sporting events with his wife, road and mountain biking, snowboarding, golfing, volleyball, and paragliding.


You can find writings by Steve here and here.