
Secure DevOPs and Application Audit Conference

April 11, 2019 @ 8:00 am - 4:30 pm EDT

GWDC Member: $105, Other ISACA Member: $135, Non-ISACA Member: $150


This one-day conference covers application development and what you need to consider from a cyber security and audit perspective. It discusses how you ensure a secure development lifecycle in a digital environment and how you audit application development in your environment.


1. Dev[Sec]Ops Security at the Speed of DevOps - Larry Maccherone

Security specialists, especially at large organizations, believe that better security comes from robust independent gating. On the other hand, DevOps has proven that you can safely deploy orders of magnitude faster than human gating can achieve.

What's needed to add security to DevOps are tools that work well with rapid-cycle CI/CD pipelines and an approach that reinforces the DevOps culture and process changes. This requires that security specialists become self-service toolsmiths and advisors and stop thinking of themselves as gatekeepers.

This talk includes guidance on the characteristics of security tools compatible with DevOps but it primarily focuses on the harder part... THE PEOPLE. This talk introduces the DevSecOps manifesto and provides you with a process model, based upon Agile transformation techniques, to accomplish the necessary mindset shift and achieve an effective DevSecOps culture. It has been successfully used in a large DevSecOps transformation at Comcast and has gained recognition in DevSecOps circles as a leading framework.

2. DevOps Dread: A Call for CALMS - Ben Tomhave, MS, CISSP

For many non-dev people, the word "DevOps" evokes real trepidation and concerns that development and operations are embarking on a program lacking security, accountability, compliance, strategy, or any sense of reasonable control. Of course, nothing could be further from the truth, but only if we embrace all of what DevOps is and means rather than fighting against what is ultimately very meaningful organizational change and maturity.


3. Plugging the Security Gap in DevOps with DevSecOps - Gaurav "GP" Pal

Government agencies and organizations are rapidly adopting cloud services. The advent of readily available automation services is transforming the way we respond to security and systems events at scale. As developers accelerate the pace and frequency of code deployments, the security and compliance teams must constantly play catch-up. DevSecOps methodologies and technologies can help integrate security and compliance functions into the Continuous Integration/Continuous Delivery (CI/CD) pipeline. DevSecOps, supplemented by management best practices, can help organizations detect and respond to incidents faster.

The talk will cover the following topics:
1. Introduction to DevSecOps
2. Overview of industry standards for DevSecOps, technologies and integration points
3. Description of specific examples relevant to security and compliance, including management oversight

The focus will be on practical examples to help create awareness of emerging practices and technologies on FedRAMP Accredited cloud services such as AWS and Microsoft Azure.


4. Practical DevSecOps – Cheaper, Better, Faster Software Assurance - Jeff Williams

Most likely, your next breach will be through a vulnerable web application or API.  The leaders in every sector are turning their businesses into software at an amazing rate.  Unfortunately, with the traditional “tool soup” approach to application security, it’s impossible for security teams to keep up with high-speed modern development.  But new technologies are changing these broken economics.  Rather than relying on noisy, “outside-in” scanning and firewalling, IAST and RASP use an embedded “inside-out” approach to accurately identify vulnerabilities, analyze open source, and prevent exploits at DevOps speed and portfolio scale.  Come learn how you can get started with *free* IAST and RASP tools today to take control of application security.

  * We will enable developers with real-time security feedback right in their IDE

  * We will also ensure that libraries and frameworks are analyzed continuously for vulnerabilities

  * We'll integrate security into the CI/CD process so that we can easily fail a build

  * We'll identify application layer attacks and create a whole new level of visibility for your SOC

  * We'll even prevent exploitation of newly discovered vulnerabilities in open source libraries


5. Microservices in the U.S. Government - Paul Fox

How NIST SP 800-190, the Application Container Security Guide, provides guidance for the implementation of these emerging services.


6. Using DevSecOps and Cloud to Create DoD Software Factories - Nicolas Chaillan

Learn about the DoD Enterprise DevSecOps initiative, which enables DoD programs to move rapidly to DevSecOps by leveraging a container-based architecture with Kubernetes and Istio.


7. The More You Monitor, The More You Know You Don’t Know - Adnan Sijercic, CISSP, CEH

Learn how to improve communication between auditors and security analysts during evidence gathering, along with lessons learned from the point of view of a security analyst. We will also cover some interesting topics, including insider threat, threat intelligence, honeypots, and picking and vetting an MSSP.


Who should attend?

  • Any professional in the Information Security / Assurance industry, including IT auditors, IT consultants, and general IT professionals with exposure to or looking to get exposure to cybersecurity initiatives.
  • Anyone already involved, or interested in getting involved, with the ISACA CSX program.



Larry Maccherone

Senior Director, DevSecOps Transformation at Comcast

Larry Maccherone is an industry-recognized thought leader on DevSecOps, Lean/Agile, and Analytics. He currently leads the DevSecOps transformation at Comcast. Previously, Larry led the insights product line at Rally Software where he published the largest ever study correlating development team practices with performance. Before Rally, Larry worked at Carnegie Mellon with the Software Engineering Institute (SEI) and CyLab for seven years conducting research on cybersecurity and software engineering. While there, he co-led the launch of the DHS-funded Build-Security-In initiative. He has also served as Principal Investigator for the NSA's Code Assessment Methodology Project, on the Advisory Board for IARPA's STONESOUP program, and as the Department of Energy's Los Alamos National Labs Fellow.

Ben Tomhave, MS, CISSP

Principal at Falcon's View Consulting, LLC

Ben Tomhave is a security industry veteran, progressive thinker, and culture warrior. He holds an MS in Engineering Management from The George Washington University, a BA in Computer Science from Luther College, is a CISSP, and is a graduate of the BJ Fogg Behavior Design Boot Camp. He's previously held positions with Gartner, AOL, Wells Fargo, ICSA Labs, LockPath, and E&Y. He is former co-chair of the American Bar Association Information Security Committee, a senior member of ISSA, former board member for the Society of Information Risk Analysts, and former board member for OWASP NoVA. He is a published author and experienced public speaker, including engagements with the RSA Conference, MISTI, ISSA, RMISC, Secure360, RVAsec, DevOps Connect, as well as Gartner events.

Gaurav "GP" Pal

Founder and CEO at stackArmor

Gaurav “GP” Pal is an award-winning Senior Business Leader with a successful track record of growing and managing a secure cloud solutions practice with over $30 million in annual revenues, focused on US Federal, Department of Defense, non-profit and financial services clients. Since 2009 he has successfully led and delivered multi-million-dollar Amazon Web Services (AWS) cloud migration and broker programs for US Government customers, including the Department of the Treasury and the Recovery Accountability & Transparency Board (RATB).

GP is the Industry Chair at the University of Maryland’s Center for Digital Innovation, Technology and Strategy (DIGITS). He has strong, relationship-based consultative selling experience with C-level executives, providing DevOps, Managed Services, IaaS, Managed IaaS, PaaS and SaaS in compliance with US FedRAMP, FISMA, HIPAA and NIST security frameworks. He has a successful track record of delivering multiple cloud solutions with leading providers, including Amazon Web Services (AWS), Microsoft and Google, among others.


Jeff Williams

CTO at Contrast Security

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.


Paul Fox

Solutions Architect at Twistlock

Paul Fox is a Solutions Architect at Twistlock, based out of the Washington, D.C. region. Paul comes from Microsoft, where he supported their U.S. Government business. Prior to Microsoft, Paul worked for the White House, the U.S. Navy and a startup.


Nicolas Chaillan (IPA)

Special Advisor for Cloud Security and DevSecOps at Department of Defense

Nicolas M. Chaillan is the Special Advisor for Cloud Security and DevSecOps at the Department of Defense, OSD, A&S. He is the former Special Advisor for Cybersecurity and Chief Architect at the Department of Homeland Security. Mr. Chaillan designed the new robust, innovative and holistic .Gov cyber security architecture that mitigates cyber threats by leveraging best practices and implementable solutions with minimal impact to workforce efficiency.

Mr. Chaillan is a technology entrepreneur, software developer, cyber expert and inventor.
He is a Senior Executive with over 19 years of domestic and international experience with strong technical and subject matter expertise in cybersecurity, software development, product innovation, governance, risk management and compliance. He is an expert in numerous technological fields such as Cloud computing, Cybersecurity, DevSecOps, Big Data, multi-touch, mobile, IoT, Mixed Reality, VR, and wearables.


Adnan Sijercic, CISSP, CEH

Adi Global Networks

Adnan Sijercic has over 15 years of experience in IT and cyber security, working in the international, commercial and federal spaces. He holds a Bachelor's from CU Boulder and a Master's from GMU. His success stories include building up the cyber security program for an international bank, serving as technical insider threat lead for Capital One, and always finding time to enjoy life. His hobbies include soccer, skiing and traveling.


Special Instructions

ISACA Members from Other Chapters: You will need to bring your ISACA Membership Card to the event to verify your ISACA Membership.

Presentations: Conference presentations will be included in the registrants' final event-related email message containing the CPE certificate and evaluation survey when permission is received from the presenter and their organization. In some cases, permission is not received.

Requests for Assistance: If you require assistance for an audio, visual, or other disability, please contact the Programs Director to discuss your needs, as soon as possible.  We need as much advance notice as possible to determine whether requests can be accommodated. Thank You.

If your organization is interested in being an event sponsor, please take a look at the five (5) various event sponsorship packages and click this sponsorship link to become a sponsor.

CPE Information

Earn up to 7 Continuing Professional Education (CPE) credits in the area of Specialized Knowledge. The ISACA® GWDC is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website.

CPE Distribution and Evaluation Survey

CPEs will be distributed via e-mail along with the event evaluation survey up to seven (7) business days after the completion of the event. Attendees must be present the full day to receive full CPE credit.

CPE-Related Details

  • Prerequisites and Advance Preparation: N/A
  • Program Knowledge Level: N/A
  • Delivery Method: Live in person event



GWDC Members: $105

Other ISACA Members: $135

Non-Members: $150



We encourage early registration, as some events sell out.  

To register, click the green "Click to Register" button in the "Details" section below.



If you are unable to attend an event, you can cancel your registration. All cancellations must be received three days before the start of the course. A $15 cancellation fee is charged.

To cancel, access your payment confirmation e-mail message and click the UNREGISTER link.




Holiday Inn Rosslyn @ Key Bridge
1900 North Fort Myer Drive
Arlington, VA 22209 United States
Please do not contact the venue directly regarding this event.