For more information on our events policy, see https://isaca-gwdc.org/event-policies/
- This event has passed.
Secure DevOPs and Application Audit Conference
April 11, 2019 @ 8:00 am - 4:30 pm EDTGWDC Member - $105, Other ISACA Member - $135, Non-ISACA Member: $150
This one-day conference covers application development and what you need to consider from a cyber security and audit perspective. It discusses how you ensure a secure development lifecycle in a digital environment and how you audit application development in your environment.
1. Dev[Sec]Ops Security at the Speed of DevOps - Larry Maccherone
Security specialists, especially at large organizations, believe that better security comes from robust independent gating. On the other hand, DevOps has proven that you can safely deploy orders of magnitude faster than human gating can achieve.
What's needed to add security to DevOps are tools that work well with rapid-cycle CI/CD pipelines and an approach that reinforces the DevOps culture and process changes. This requires that security specialists become self-service toolsmiths and advisors and stop thinking of themselves as gatekeepers.
This talk includes guidance on the characteristics of security tools compatible with DevOps but it primarily focuses on the harder part... THE PEOPLE. This talk introduces the DevSecOps manifesto and provides you with a process model, based upon Agile transformation techniques, to accomplish the necessary mindset shift and achieve an effective DevSecOps culture. It has been successfully used in a large DevSecOps transformation at Comcast and has gained recognition in DevSecOps circles as a leading framework.
2. DevOps Dread: A Call for CALMS - Ben Tomhave, MS, CISSP
For many non-dev people, the word "DevOps" evokes real trepidation and concerns that development and operations are embarking on a program lacking security, accountability, compliance, strategy, or any sense of reasonable control. Of course, nothing could be further from the truth, but only if we embrace all of what DevOps is and means rather than fighting against what is ultimately very meaningful organizational change and maturity.
3. Plugging the Security Gap in DevOps with DevSecOps - Gaurav "GP" Pal
Government Agencies and Organizations are rapidly adopting cloud services. The advent of readily available automation services are transforming the way we respond to security and systems events at scale. As developers accelerate the pace and frequency of code deployments, the security and compliance teams must constantly play catch-up. The use of DevSecOps methodologies and technologies can help integrate security and compliance functions into the Continuous Integration/Continuous Delivery (CI/CD) pipeline. The combination of DevSecOps when supplemented by management best practices can yield optimal results to help organizations detect and respond to incidents faster.
The talk will cover the following topics -
1. Introduction to DevSecOps
2. Overview of industry standards for DevSecOps, technologies and integration points
3. Description of specific examples relevant to Security and compliance including management oversight The focus will be on practical examples to help create awareness of emerging practices and technologies on FedRAMP Accredited cloud services such as AWS and Microsoft Azure.
4. Practical DevSecOps – Cheaper, Better, Faster Software Assurance Jeff Williams
Most likely, your next breach will be through a vulnerable web application or API. The leaders in every sector are turning their businesses into software at an amazing rate. Unfortunately, with the traditional “tool soup” approach to application security, it’s impossible for security teams to keep up with high-speed modern development. But new technologies are changing these broken economics. Rather than relying on noisy, “outside-in” scanning and firewalling, IAST and RASP use an embedded “inside-out” approach to accurately identify vulnerabilities, analyze open source, and prevent exploits at DevOps speed and portfolio scale. Come learn how you can get started with *free* IAST and RASP tools today to take control of application security.
* We will enable developers with real-time security feedback right in their IDE
* We will also ensure that libraries are frameworks are analyzed continuously for vulnerabilities
* We'll integrate security into the CI/CD process so that we can easily fail a build
* We'll identify application layer attacks and create a whole new level of visibility for your SOC
* We'll even prevent exploitation of newly discovered vulnerabilities in open source libraries
5. Microservices in the U.S. Government - Paul Fox
How the NIST SP 800-190 Application Container Security provides guidance for the implementation of these emerging services.
6. Using DevSecOps and Cloud to Create DoD Software Factories - Nicolas Chaillan
Learn about the DoD Enterprise DevSecOps initiative which enables DoD Programs to rapidly move to DevSecOps leveraging a containerized based architecture with Kubernetes and ISTIO.
7. The More You Monitor, The More You Know You Don’t Know - Adnan Sijercic, CISSP, CEH
Learn how to improve communication between auditors and security analysts during evidence gathering and some lessons learned from point of view of an security analyst. We will also cover some interesting topics like: insider threat, threat intelligence, honeypots and picking and vetting a MSSP.
Who should attend?
MEET THE PRESENTERS
DevSecOps Transformation, Senior Director at Comcast
Ben Tomhave, MS, CISSP
Principal at Falcon's View Consulting, LLC
Gaurav "GP" Pal
Founder and CEO at stackArmor
Gaurav “GP” Pal is an award-winning Senior Business Leader with a successful track record of growing and managing a secure cloud solutions practice with over $30 million in annual revenues focused on US Federal, Department of Defense, non-profit and financial services clients. He successfully led and delivered multi-million-dollar Amazon Web Services (AWS) cloud migration and broker programs for US Government customers including the Department of the Treasury and the Recovery Accountability & Transparency Board (RATB) since 2009.
GP is the Industry Chair at the University of Maryland’s Center for Digital Innovation, Technology and Strategy (DIGITS). He has strong, relationship-based consultative selling experience with C-level executives providing DevOps, Managed Services, IaaS, Managed IaaS, PaaS and SaaS in compliance with US FedRAMP, FISMA, HIPAA and NIST Security Frameworks. He has a successful track record of delivering multiple cloud solutions with leading providers including Amazon Web Services (AWS), Microsoft, Google and among others.
CTO at Contrast Security
Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.
Solutions Architect, at Twistlock
Paul Fox is a Solutions Architect at Twistlock, based out of the Washington, D.C. region. Paul comes from Microsoft where he supported their U.S. Government business. Prior to Microsoft Paul worked for the White House, U.S. Navy and a startup.
Nicolas Chaillan (IPA)
Special Advisor for Cloud Security and DevSecOps at Department of Defense
Nicolas M. Chaillan is the Special Advisor for Cloud Security and DevSecOps at the Department of Defense, OSD, A&S. He is the former Special Advisor for Cybersecurity and Chief Architect at the Department of Homeland Security. Mr. Chaillan designed the new robust, innovative and holistic .Gov cyber security architecture (Cyber.gov) that mitigates cyber threats by leveraging best practices and implementable solutions with minimal impact to workforce efficiency.
Mr. Chaillan is a technology entrepreneur, software developer, cyber expert and inventor.
He is a Senior Executive with over 19 years of domestic and international experience with strong technical and subject matter expertise in cybersecurity, software development, product innovation, governance, risk management and compliance. He is an expert in numerous technological fields such as Cloud computing, Cybersecurity, DevSecOps, Big Data, multi-touch, mobile, IoT, Mixed Reality, VR, and wearables.
Adnan Sijercic, CISSP, CEH
Adi Global Networks
ISACA Members from Other Chapters: You will need to bring your ISACA Membership Card to the event to verify your ISACA Membership.
Presentations: Conference presentations will be included in the registrants' final event-related email message containing the CPE certificate and evaluation survey when permission is received from the presenter and their organization. In some cases, permission is not received.
Requests for Assistance: If you require assistance for an audio, visual, or other disability, please contact the Programs Director to discuss your needs, as soon as possible. We need as much advance notice as possible to determine whether requests can be accommodated. Thank You.
SPONSOR THIS EVENT
Earn up to 7 Continuing Professional Education (CPE) credits in the area of Specialized Knowledge. The ISACA® GWDC is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: http://www.learningmarket.org.
CPE Distribution and Evaluation Survey
CPE's will be distributed via e-mail along with the event evaluation survey up to seven (7) business days after the completion of the event. Attendees must be present the full day to receive full CPE credit.
- Prerequisites and Advance Preparation: N/A
- Program Knowledge Level: N/A
- Delivery Method: Live in person event
GWDC Members: $105
Other ISACA Members: $135
We encourage early registration, as some events sell out.
To register, click the green "Click to Register" button in the "Details" section below.
If you are unable to attend an event, you can cancel your registration. All cancellations must be received three days before the start of the course. A $15 cancellation fee is charged.
To cancel, access your payment confirmation e-mail message and click the UNREGISTER link.