www.us-cert.gov/resources/ncats

Bobby Thompson is a member of DHS’ National Cybersecurity Assessment and Technical Services (NCATS) team leading the effort to secure our nation’s critical infrastructure and government resources. NCATS is responsible for conducting comprehensive penetration tests, red team assessments, persistent vulnerability scanning, and architecture design reviews for federal, local, state, territorial, tribunal, private sector and critical infrastructure partners. Mr. Thompson has worked in the Information Technology and Security industry for over 20 years in both private and government sectors throughout his career. Mr. Thompson has been active in the cybersecurity community speaking and has served as a presenter at various conferences and engagements throughout the United States.

Breaking and Entering: Emulating the Digital Adversary in 2019

As one of the United States government’s premier assessment and penetration testing organizations, the Department of Homeland Security (DHS) National Cybersecurity Assessments and Technical Services (NCATS) team is responsible for proactively identifying risk against federal, state, local, territorial, and critical infrastructure networks. This session will provide detailed insight on how DHS emulates the digital adversary in order to identify and mitigate risk against our nation’s infrastructure through core capabilities in vulnerability scanning, penetration and red team testing, design review, and phishing assessments. The quantifiable and objective data gained by the NCATS team will allow attendees to gain a comprehensive understanding of the issues that affect government networks and how DHS is helping to overcome them.

Come see Bobby at RVAsec! Register now.

www.pharossecurity.com

@desmondholden

Dan Holden is CEO of Pharos Security measures, aligns, and guides optimization of the ROI and level of protection of a security program and translates the security program into business level terminology. Mr. Holden has 25 years in information security having served as CTO of the Retail and Hospitality ISAC, and Chief Technology Strategist at Arbor Networks. His experience includes building multiple teams from scratch as well as having brought multiple products to market while at IBM, TippingPoint, and Arbor Networks. Throughout his career he has a broad range of experience across multiple business functions including engineering, product management, sales, and marketing.

CISO of 2025

So much of the news related to CISOs today is negative. The reasons are clear because the challenges are enormous. Many CISO’s believe they are not given a fair chance – essentially obstructed from doing their job. Often there can be poor trust with the board, primarily due to not having a pragmatic, cost effective plan, to solve board level problems. CISOs have failed largely in this regard as their security plans have been tactical and not delivering on strategic goals. The common argument is executives just don’t ‘get it’, but most do, and they realize that security doesn’t provide great value with historic or conventional approaches. They might say the business only wants check-box security, but executives understand that to a great degree that is the only material benefit offered by security – so may as well get it at best cost. This talk will explore where and why things have happened the way they have, and how to move towards a definition for the CISO of 2025.

Come see Dan at RVAsec! Register now.

www.samlanning.com

@samlanning

Sam started working at Semmle in October 2014, after deciding to drop out of his Masters at Oxford University after having completed his undergraduate Computer Science degree there. Sam was the first full-time developer for Semmle’s LGTM platform, and worked on it for over 3 years before becoming a developer advocate. Sam’s has been an active member of the security and privacy community for a while, with a particular interest in vulnerability research, cryptography and peer-to-peer networks, having previously contributed to Signal’s Android and Desktop clients, among other open source projects. Most recently, in his free time he’s been working on an open source project that ties together music and lighting.

No More Whack-a-Mole: How to Find and Prevent Entire Classes of Security Vulnerabilities

In software development, we frequently see the same logical coding mistakes being made repeatedly over the course of a project’s lifetime, and often across multiple projects. When these mistakes lead to security vulnerabilities, the consequences can be severe. No one knows this better than companies like Google and Microsoft, whose software is used by millions of people every day.
With each code vulnerability discovered, we’re presented with an opportunity to investigate how often this mistake is repeated, whether there are any other unknown vulnerabilities as a result, and implement an automated process to prevent it reappearing. In this talk, I’ll be introducing Variant Analysis, a new process being pioneered by security teams at a number of companies including Google and Microsoft, that does just this. I’ll discuss how it can be integrated into your development and security operations, and also share some stories from the trenches.

Come and see Sam at RVAsec! Register Now.