Secure DevOPs and Application Audit Conference

1. Dev[Sec]Ops Security at the Speed of DevOps - Larry Maccherone

Security specialists, especially at large organizations, believe that better security comes from robust independent gating. On the other hand, DevOps has proven that you can safely deploy orders of magnitude faster than human gating can achieve.

What's needed to add security to DevOps are tools that work well with rapid-cycle CI/CD pipelines and an approach that reinforces the DevOps culture and process changes. This requires that security specialists become self-service toolsmiths and advisors and stop thinking of themselves as gatekeepers.

This talk includes guidance on the characteristics of security tools compatible with DevOps but it primarily focuses on the harder part... THE PEOPLE. This talk introduces the DevSecOps manifesto and provides you with a process model, based upon Agile transformation techniques, to accomplish the necessary mindset shift and achieve an effective DevSecOps culture. It has been successfully used in a large DevSecOps transformation at Comcast and has gained recognition in DevSecOps circles as a leading framework.

2. DevOps Dread: A Call for CALMS - Ben Tomhave, MS, CISSP

For many non-dev people, the word "DevOps" evokes real trepidation and concerns that development and operations are embarking on a program lacking security, accountability, compliance, strategy, or any sense of reasonable control. Of course, nothing could be further from the truth, but only if we embrace all of what DevOps is and means rather than fighting against what is ultimately very meaningful organizational change and maturity.

3. Plugging the Security Gap in DevOps with DevSecOps - Gaurav "GP" Pal

Government Agencies and Organizations are rapidly adopting cloud services. The advent of readily available automation services are transforming the way we respond to security and systems events at scale. As developers accelerate the pace and frequency of code deployments, the security and compliance teams must constantly play catch-up. The use of DevSecOps methodologies and technologies can help integrate security and compliance functions into the Continuous Integration/Continuous Delivery (CI/CD) pipeline. The combination of DevSecOps when supplemented by management best practices can yield optimal results to help organizations detect and respond to incidents faster.

The talk will cover the following topics -
1. Introduction to DevSecOps
2. Overview of industry standards for DevSecOps, technologies and integration points
3. Description of specific examples relevant to Security and compliance including management oversight The focus will be on practical examples to help create awareness of emerging practices and technologies on FedRAMP Accredited cloud services such as AWS and Microsoft Azure.

4. Practical DevSecOps – Cheaper, Better, Faster Software Assurance Jeff Williams

Most likely, your next breach will be through a vulnerable web application or API.  The leaders in every sector are turning their businesses into software at an amazing rate.  Unfortunately, with the traditional “tool soup” approach to application security, it’s impossible for security teams to keep up with high-speed modern development.  But new technologies are changing these broken economics.  Rather than relying on noisy, “outside-in” scanning and firewalling, IAST and RASP use an embedded “inside-out” approach to accurately identify vulnerabilities, analyze open source, and prevent exploits at DevOps speed and portfolio scale.  Come learn how you can get started with *free* IAST and RASP tools today to take control of application security.

  * We will enable developers with real-time security feedback right in their IDE

  * We will also ensure that libraries are frameworks are analyzed continuously for vulnerabilities

  * We'll integrate security into the CI/CD process so that we can easily fail a build

  * We'll identify application layer attacks and create a whole new level of visibility for your SOC

  * We'll even prevent exploitation of newly discovered vulnerabilities in open source libraries

5. Microservices in the U.S. Government - Paul Fox

How the NIST SP 800-190 Application Container Security provides guidance for the implementation of these emerging services.  

6. Using DevSecOps and Cloud to Create DoD Software Factories - Nicolas Chaillan

Learn about the DoD Enterprise DevSecOps initiative which enables DoD Programs to rapidly move to DevSecOps leveraging a containerized based architecture with Kubernetes and ISTIO.

7. The More You Monitor, The More You Know You Don’t Know - Adnan Sijercic, CISSP, CEH

Learn how to improve communication between auditors and security analysts during evidence gathering and some lessons learned from point of view of an security analyst. We will also cover some interesting topics like: insider threat, threat intelligence, honeypots and picking and vetting a MSSP.