Red Hat global preferences


Learn what's happening for Red Hat customers around the world:


2017 Defense in Depth

  • October 3, 2017
  • Tysons Corner, VA
  • Sheraton Tysons Hotel


No one can solve IT security issues alone. Connecting with a community and solving problems together is the future of technology.

Please join Defense in Depth 2017 where public sector Cybersecurity professionals can learn and network alongside Red Hat security experts and industry peers.


Since 2013, the Defense in Depth event has brought Red Hat Security Engineering leads to Washington, D.C. for a full day of collaboration and networking. It's a chance to learn about the latest developments (upstream and enterprise) from government and industry experts, and for Red Hat engineering to hear from you about the challenges you face.


This event is intended for government employees, contractors, and partners with a security focus.


Event Time: 8:00 a.m. - 5:00 p.m.

8:00 - 9:00 a.m. Registration Check-In, Breakfast and Networking
9:00 - 9:15 a.m. Welcome
9:15 - 10:00 a.m. Keynote: The Changing Tactics of Hackers - David Kennedy, Binary Defense Systems
10:15 - 11:00 a.m. Breakout session 1

Track 1: Evolution of Containers
   Dan Walsh, Consulting Engineer, Red Hat

Track 2: Automating Security Compliance for Physical, Virtual, Cloud, and Container Environments
   Lucy Kerner, Principal Technical Marketing Manager, Red Hat

Track 3: Getting Serious About Enterprise Middleware Security
   Glen Wilcox, Emerging Technology Solutions Architect, Red Hat

Track 4: GitHub + Open Shift = Transparent secure pipeline to production
   Jamie Jones, Lead Federal Solutions Architect, GitHub

11:15 - 12:00 p.m. Breakout session 2

Track 1: The Anatomy of Security in DevOps and Container Platforms
   Tariq Islam, Senior Specialist Architect, Red Hat

Track 2: Identity Teamwork Panel: Defense Manpower Data Center and Red Hat Partnership Success Story
   Ted Brunell, Principal Solutions Architect, DoD Programs, Red Hat
   Colonel Tom Clancy, Office of the CIO Identity Management Programs, U.S. Department of Defense
   Chris Heath, Enterprise Service Director, Defense Manpower Data Center (DMDC)
   Dmitri Pal, Engineering Director, Red Hat
   Donny Davis, DOD Public Sector Solution Architect, Red Hat

Track 3: Microservices Application Security Compliance at Scale with Open Source Technologies
   Prasad Kunchakarra, Founder/Chief Architect, Capitis Solutions Inc.
   Vikas Gupta, Senior DevSecOps Architect, Capitis Solutions Inc.
   Lorenzo Anderson, Senior Information Security Architect, Capitis Solutions Inc.

Track 4: Protecting OpenShift Deployments with In-Depth Transparent Encryption
   Juan Asenjo, Technology Partner Integrations Manager, Thales

12:00 - 1:30 p.m. Lunch and Innovation Discussion
Why We are Still Losing the InfoSec Battle and How do we Get Back in the Race?
   Steve Orrin, Federal CTO, Intel
   Shawn Wells, Chief Security Strategist, Red Hat
1:45 - 2:30 p.m. Breakout session 3

Track 1: Improving Security with Containers at USCIS
   Adrian Monza, Chief, Cyber Defense Branch Information Security Division
U.S. Citizenship & Immigration Services

Track 2: Understanding Security Risks and Mitigation Across the Virtualization Stack
   Tony James, Senior Solution Architect, Red Hat

Track 3: Modern Mobile Security
   Karl MacMillan, Chief Technology Officer, Strajillion, Inc.

Track 4: Securing PostgreSQL -- Exploring the PostgreSQL STIG and Beyond
   Joe Conway, VP Engineering, Crunchy Data

2:45 - 3:30 p.m. Breakout session 4

Track 1: Using Containers for Trusted Path
   Dan Walsh, Consulting Engineer, Red Hat

Track 2: Securing Automated Decryption
   Nathaniel McCallum, Principal Software Engineer

Track 3: Government Ready OpenStack Roadmap
   Keith Basil, Sr. Principal Product Manager, Red Hat

Track 4: Taming the Container Security Beast
   Tim Mackey, Senior Technology Evangelist - Black Duck Software

3:45 - 4:30 p.m. Breakout session 5

Track 1: Project Boise: Modernizing the ATO Process with 18F
   Aidan Feldman, GSA 18F

Track 2: Security Automation for Containers and VMs with OpenSCAP
   Martin Preisler, Senior Software Engineer - Security, Red Hat

Track 3: The Enterprise Linux Exploit Mapper (ELEM) and Demo
   Jason Callaway, Principal Solutions Architect, Red Hat
   Kenneth Evensen, Solutions Architect, Red Hat

Track 4: A Human-Centric Approach to Secure Supply Chain Management
   Greg Gorman, NIST Specialist & Senior Enterprise Account Manager, Forcepoint

4:30 - 5:00 p.m. Networking Reception

The Changing Tactics of Hackers

9:15 - 10:00 a.m.

David Kennedy

David Kennedy, Founder of TrustedSec and Co-Founder and Chief Hacking Officer of Binary Defense Systems

Attackers are continuously changing the methods of attack, but at the heart of the techniques are much of the same from twenty years ago. As an attacker, it's important to understand the organization, the infrastructure, and most importantly the people. Regardless of the architecture or operating system, the techniques used by hackers don't shift much. This talk will dive into understanding where the attackers used to focus on, and where they are heading, and why now it's most important to develop a solid strategy on attackers.

Evolution of Containers

10:15 - 11:00 a.m. - Track 1

Dan Walsh

Dan Walsh, Consulting Engineer, Red Hat

This talk will cover the current state of container technology, and where we are heading. I will cover the standardization of containers including the runtime and the bundle format. We will look at the breaking apart of the big container runtime daemon into its core components. We will examine how we can then use these sub components to run containers in different and potentially more secure ways. The talk will cover the four key components required for using containers in production.

• OCI Container Runtime Specification and implementation using runc
• OCI Container Bundle Specification and its importance
• Container/image library for moving Container images between different types of storage and container registries
• Container/Storage for storing and building container images

Then we will examine new ways of using these technologies in simple ways.

• System Containers, containers run during early boot which can provide base services to the Operating System - Future look towards Standalone containers covering thoughts on new ways of shipping system software
• Buildah a new tool for building container images with minimal size and content without requiring a container daemon.
• Skopeo tool for moving container images back and forth between container registries and services
• CRI-O a new simplified fully open container runtime for servicing OpenShift/Kubernetes work loads.

Automating security compliance for physical, virtual, cloud, and container environments

10:15 - 11:00 a.m. - Track 2

Lucy Kerner

Lucy Kerner, Principal Technical Marketing Manager - Security, Red Hat

In this session, you'll learn how to easily provision a security-compliant host and quickly detect and remediate security and compliance issues in physical, virtual, cloud, and container environments. We’ll discuss possible compliance challenges and show how a combination of Red Hat CloudForms, Red Hat Satellite, Red Hat Insights, and Ansible Tower can help you quickly achieve compliance, automate security , and complete remediation. You’ll learn how you can integrate Red Hat CloudForms with OpenSCAP, Red Hat Satellite and Ansible Tower to perform audit scans and remediations on your systems and automate security to ensure compliance against various profiles, such as:

• The U.S. Government Configuration Baseline (USGCB).
• The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG).
• The Centralized Supercomputing Facility (CSCF) baseline.
• The U.S. Government Commercial Cloud Services (C2S) baseline.
• The Certified Cloud and Service Provider (CCSP) baseline.
• Center for Internet Security (CIS) Benchmarks.
• The Payment Card Industry Data Security Standard (PCI DSS)
• Or your custom policies

You’ll also learn how you can ensure governance and control with Red Hat CloudForms and Ansible Tower and learn how to do proactive vs reactive security with Red Hat Insights.

Getting Serious About Enterprise Middleware Security

10:15 - 11:00 a.m. - Track 3

Glen Wilcox

Glen Wilcox, Emerging Technology Solutions Architect, Red Hat

In April 2016, security researchers published a report that over 3.2 million unpatched JBoss Application Servers still have known security vulnerabilities which can be used to spread ransomware and other malicious software. The reports also noted that the patch to correct the vulnerability was release over 6 years ago by Red Hat. The issue of middleware security vulnerabilities is not unique to JBoss middleware and the goal of this session is to raise awareness of the need to ensure architecture and security best practices are followed to prevent middleware from becoming the weakest link in your enterprises security. This session will begin with a demonstration of how one Web Shell exploit works. The remainder of the session will discuss several common reasons that middleware is not maintained and how adopting enterprise best practices, for architecting, deploying and managing security updates (CVEs) via patching can improve the resiliency your enterprise middleware against such exploits.

GitHub + Open Shift = Transparent secure pipeline to production

10:15 - 11:00 a.m. - Track 4

Jamie Jones

Jamie Jones, Lead Federal Solutions Architect, GitHub

Do you know what code is in production? Are you certain that what you tested is what your users are seeing? GitHub and OpenShift can settle your fears. This session will explore using GitHub Enterprise, your secure on-premises software platform, in conjunction with Red Hat OpenShift to meet your security requirements as well as providing a transparent deployment pipeline. This session will explore use of the rich APIs provided by both GitHub Enterprise and OpenShift v3 to create a repeatable deployment pipeline that not only accelerates the development cycle but creates a secure and transparent process supporting of a continuous monitoring posture. After reviewing the APIs , we'll review an open source implementation of this process that attendees can implement immediately.

The Anatomy of Security in DevOps and Container Platforms

11:15 a.m. - 12:00 p.m. - Track 1

Tariq Islam

Tariq Islam, Senior Specialist Architect, Red Hat

Security is more than just a bullet point on a slide deck. And in the context of deploying containerized applications and microservices into a container platform, it's crucial that security become an integral and all-pervasive enabling aspect in each component of the processes and the technologies being employed. Its anatomy must be a default and comprehensive approach to the deployment culture. This includes container platforms, deployment pipelines, actors, and the relationships between all of them. In this session, we'll walk through the primary tenets of security as they pertain to DevOps and container platforms. We will discuss how security can and must be interwoven into every component and every step of the deployment process. We will look at practical real-world deployment pipeline examples as well as examine the necessary implementation attributes of a container platform and its tool-chain to produce a robust and viable solution for federal agencies and beyond. From the underlying kernel to the running applications, all the way through to the acting users and monitoring tools, you will walk away with a better understanding of what security really means for DevOps and container platforms, and how to get there.

Identity Teamwork Panel: Defense Manpower Data Center and Red Hat Partnership Success Story

11:15 a.m. - 12:00 p.m. - Track 2

Ted Brunell

Moderator: Ted Brunell, Principal Solutions Architect, DoD Programs, Red Hat

Integrating the DoD Common Access Card (CAC) with Red Hat Enterprise Linux (RHEL) has historically been burdensome and affected the overall manageability and compliance of RHEL on government networks. In this session we will investigate the success of a recent partnership between the Defense Manpower Data Center (DMDC) and Red Hat. As a result of the collaboration, new multi-factor identity capabilities were included in RHEL to fully support the DoD CAC and allow the advanced management features of IdM to be utilized in DoD networks. The discussion will focus on the challenges that were faced, how the teams integrated together to tackle the challenges, and how this success will increase the overall security posture of RHEL on Government networks.

Ted Brunell

Colonel Tom Clancy, Office of the CIO Identity Management Programs, U.S. Department of Defense
Dmitri Pal

Dmitri Pal, Engineering Director, Red Hat
Donny Davis

Donny Davis, DOD Public Sector Solution Architect, Red Hat

Microservices Application Security Compliance at Scale with Open Source Technologies

11:15 a.m. - 12:00 p.m. - Track 3

Prasad Kunchakarra, Founder / Chief Architect, Capitis Solutions
Vikas Gupta, Senior DevSecOps Architect, Capitis Solutions
Lorenzo Anderson, Senior Information Security Architect, Capitis Solutions

Why is this topic important? The speed of delivery is driving the adoption of microservices architecture by organizations at a rapid pace. Microservices increase the complexity of security implementation and compliance due to the increase in number of applications, inter process communication channels, and database instances. In addition, cloud native deployments add additional complexity to security compliance due to just in time environment provisioning, scale-in and scale out of service instances, and the interaction between cloud platform services and custom developed services. Several open source and commercial tools exist for infrastructure security compliance and cloud platform services, but very few choices and reference implementations exist for custom developed microservices applications. In this session, we are going to discuss a solution, along with best practices and lessons learned, for scaling custom developed microservices application security compliance using open source software such as Ansible, and other open-source validation frameworks such as Inspec. What makes your presentation special? We will share our experiences of a large-scale security compliance implementation of a microservices platform for a financial customer on the AWS platform. The developed solution is being used to determine operational readiness of both production and warm standby environments, each comprising of about 20 microservices deployed over 100 servers. About 10,000 checks are performed on each environment in under an hour, and the results are presented on a Splunk dashboard for reporting and analysis. In addition, we will present a demo that will show case key principles and practices using Ansible and Inspec (open-source) implemented on a RHEL platform. Our presentation will give a unique perspective on the complexities associated with the security compliance of microservices and how to extend infrastructure compliance frameworks to the application security compliance area. What will the attendee leave with? You will learn: How to scale security compliance for hundreds of custom developed microservices instances interacting with cloud platform services In this session, we will discuss: NIST-800-53 security controls as applied to microservices applications on the AWS platform, baseline application security configuration management, application security configuration drift, integration with CI/CD pipeline, Inspec, Ansible, and reporting using dashboards. After this session, you will understand: How to scale security compliance continuously by using open source technologies.

Protecting OpenShift Deployments with In-Depth Transparent Encryption

11:15 a.m. - 12:00 p.m. - Track 4

Juan Asenjo

Juan Asenjo, Technology Partner Integrations Manager, Thales e-Security

In-depth transparent encryption enables organizations to deploy production applications that use the most sensitive and closely regulated information in containers safely and securely. Container technology continues to see rapid adoption. A recent study by 451 Research showed that 40% of enterprises worldwide are already using containers in production, with 18% deploying in mission critical applications. When asked in the same survey to identify the number one IT security control that would allow them to increase deployment of production applications to containers, their top answer was encryption. Vormetric Transparent Encryption has been engineered to run in the Red Hat OpenShift platform environment to enable customers to use new container technology with confidence. Vormetric Transparent Encryption addresses enterprises’ business challenges including compliance requirements such as HIPPA, PCI DSS, and GDPR, as well as, the control of privileged users and insiders. In this session, we will discuss how to:

• Deploy containers without affecting usability or compromising security in multi-tenant, cloud, and on-premises environments
• Utilize encryption fully transparently, without changing containers or their applications
• Leverage policy-based encryption, access controls, and audit logging

Why We are Still Losing the InfoSec Battle and How do we Get Back in the Race?

12:00 - 1:30 p.m. - Lunch and Innovation Discussion

Steve Orrin

Shawn Wells

Steve Orrin, Chief Technologist, Intel Federal LLC at Intel Corporation
Shawn Wells, Chief Security Strategist, Red Hat

In the current security paradigm, security teams are losing to threat actors and falling further behind. Intel and Red Hat have begun to investigate how to pull the key solutions and technologies across security and cyber defensive tactics and methodologies to address and combat the asymmetric challenge we all face. The panelists will explore novel approaches to reducing the threat curve by integrating solutions across cyber threat intelligence and analytics, continuous monitoring, automation, and information sharing. Analytics and Machine Learning have had a transformative impact on threat intelligence. It’s a paradigm-shifting improvement as-is, and its impact can be further augmented by the application of continuous monitoring, information sharing, and automation. These key elements working in concert will change the security landscape from its current gradual pace to a much more rapid rate of improvement and risk reduction. The session will look to engage the audience in an interactive conversation about strategies, innovations and how we as a community must come together to meet the evolving threats and risks to agencies, organizations and our data.

Improving Security with Containers at USCIS

1:45 - 2:30 p.m. - Track 1

Adrian Monza, Chief, Cyber Defense Branch Information Security Division
U.S. Citizenship & Immigration Services

Containers make it easier to deploy the applications that drive business value, but also profoundly challenge existing security models. The speed of deployment in conjunction with integrated new technologies like software defined networking and container orchestration require a new way of thinking and managing security. This session explores these challenges and how USCIS turned them into opportunities to improve security.

Understanding Security Risks and Mitigation Across the Virtualization Stack

1:45 - 2:30 p.m. - Track 2

Tony James

Tony James, Senior Solution Architect, Red Hat

Maintaining a secure environment for running virtualized workloads and containers is critical in today's world. In this session we will learn about the technologies that are used in the KVM hypervisor with Red Hat Virtualization and Red Hat OpenStack Platform to provide a secure base platform.

Modern Mobile Security: The Good and Bad for the Enterprise

1:45 - 2:30 p.m. - Track 3

Karl MacMillan

Karl MacMillan, Chief Technology Officer - Strajillion, Inc.

Modern mobile apps – both custom and popular commercial apps – often use advanced techniques to protect their interactions with backend services. While this is generally positive, there are often unintended consequences for defensive technologies that use deep-packet inspection – like insider threat detection, data loss prevention, and compliance enforcement. This talk will examine the state-of-the-art security for commercial apps, from common approaches such as certificate pinning to more advanced techniques include end-to-end encryption, request signing, and anti-reverse engineering. Each technique's potential benefits for enterprise apps will be examined as well as it's impact on enterprise security and management. A live demo inspecting traffic from commercial apps will show how open source software can be used to understand mobile app traffic.

Securing PostgreSQL -- Exploring the PostgreSQL STIG and Beyond

1:45 - 2:30 p.m. - Track 4

Joseph Conway

Joseph Conway, VP Engineering, Crunchy Data

There are many aspects and considerations when securing PostgreSQL. This talk will cover some examples of the dangers associated with typical default installations, along with built-in features and extensions available to mitigate them. It will focus on the recently published DISA PostgreSQL STIG. PostgreSQL is the first completely open source database to receive a published STIG. Specifically, we will cover:

• The PostgreSQL STIG (Security Technical Implementation Guide)
• Security related postgresql.conf settings
• pg_hba.conf rules
• pgaudit
• set_user

The audience is anyone interested in security within a relational database. Attendees can expect to learn how the DISA STIG is utilized to provide significantly enhanced security in PostgreSQL.

Using Containers for Trusted Path

2:45 - 3:30 p.m. - Track 1

Daniel Walsh

Daniel Walsh, Consulting Engineer - Red Hat

This talk will explain and demonstrate using container technology to setup a trusted path system. Traditionally systems that handled sensitive data and moving data from one network to another required you to setup an MLS system. This talk will explain how you can build more secure trusted path systems with tools provided by containers, including SELinux, Namespaces, Cgroups and other technologies, With container technology you can build a much more secure system then relying on just MLS alone. You can even build a trusted path system without requiring MLS!

Securing Automated Decryption

2:45 - 3:30 p.m. - Track 2

Nathaniel McCallum

Nathaniel McCallum, Principal Software Engineer, Red Hat

Keeping secrets is tough. It is hard enough when you have control over the full computing chain. But now we are expected to keep secrets while storing those secrets in cloud and SaaS infrastructures. At least we can trust the network providers, right? Of course, the answer is to encrypt the data. But then how do we know who should have access to the data and when? This talk will look at the new strategies and cryptographic techniques implemented by the Clevis (client) and Tang (server) open source projects, now shipping in RHEL 7.4. Tang aims to be a replacement for key escrows, using simple algorithms to bind data to third party entities. Clevis is a decryption automation framework which permits sophisticated unlocking policies that go beyond password management.

Government Ready OpenStack Roadmap

2:45 - 3:30 p.m. - Track 3

Keith Basil

Keith Basil, Sr. Principal Product Manager, Red Hat

OpenStack is now serious platform for business with huge momentum in government and telco industries the world over. In these verticals regulatory and security requirements are difficult to manage and OpenStack must rise to meet compliance frameworks such as FedRAMP, ANSSI and ETSI.

In this session, we will discuss OpenStack concerns and explore the latest in compliance tooling. In the spirit of "Compliance as Code" we've completed a proof of concept integration of OpenControl and OpenStack. With this work we'll show how security control remediation can be layered to create meaningful security documentation, gap analysis and reporting.

In this session we explore:

• OpenControl (and compliance masonry) with OpenStack

• Compliance Masonry for Security Documentation

• An OpenStack FedRAMP HIGH public sector profile

Taming the Container Security Beast

2:45 - 3:30 p.m. - Track 4

Tim Mackey

Tim Mackey, Senior Technology Evangelist - Black Duck Software

Container orchestration solutions introduce a level of security complexity into the lifecycle of an application. Continuous deployment of container images is fundamentally challenged by the rate of security disclosures. Understanding if a vulnerable image exists, what the vulnerabilities within an image might be and where the images are deployed is a daunting task. One traditional response is to invest in perimeter defenses, but what happens when you don’t own or control the perimeter? Taking a step back, we realize the applications and dependencies are what’s under attack. Having a clearly defined security model covering development, staging and deployment is required. That security model also needs to take into account the vulnerability lifecycle from defect discovery through patch creation with a focus on when malicious actors have an advantage.

Project Boise: Modernizing the ATO Process with 18F

3:45 - 4:30 p.m. - Track 1

Aidan Feldman

Aidan Feldman, GSA 18F

The 18F "Project Boise" team is evaluating the ATO landscape and determining where GSA can provide the most value. In the long term, the Project Boise team hopes toreduce the burden (time, cost, and pain) and improve the effectiveness of the federal government’s software security compliance processes. This session will discuss 18F's work on modernizing ATOs and RedHat's initiatives to package ATO tooling and content natively in Red Hat technologies.

Security Automation for Containers and VMs with OpenSCAP

3:45 - 4:30 p.m. - Track 2

Martin Preisler

Martin Preisler, Senior Software Engineer - Security, Red Hat

SCAP is a set of specifications related to security automation. It is heavily used in government, defense, and finance industries. We will focus on ensuring a system is configured according to a predefined policy. We will start with scan of single machine for compliance with one of the profiles in SCAP Security Guide. For demonstration purposes we will use USGCB but the same workflow works for any profile. Customizing SCAP content to better fit the needs will follow - selecting extra rules, unchecking unsuitable rules and altering values. Using customized SCAP content, we will perform scan of bare machine, virtual machine and container. Then we will discuss ways to scan multiple targets continuously using Satellite 6.

The Enterprise Linux Exploit Mapper (ELEM) and Demo

3:45 - 4:30 p.m. - Track 3

Jason Callaway

Kenneth Evensen

Jason Callaway, Principal Solutions Architect, Red Hat
Kenneth Evensen, Solutions Architect, Red Hat

Patching immediately is the single best thing an administrator can do to protect their Linux systems. But many admins can't patch right away. Their applications may be brittle and sensitive software versions. Some systems, like spacecraft, are patched only rarely.

Red Hat Security Errata use the NVD CVSS scoring system to help administrators decide when to patch, but many of the vulnerabilities remediated by those errata address theoretical exploits.

The Enterprise Linux Exploit Mapper (ELEM) is a new project from the Fedora Red Team that tells administrators if a vulnerability on their system can be leveraged by a known exploit. By mapping CVE data to exploit data sources, ELEM can help an administrator decide when systems are a super-critical risk.

This talk will show ELEM in use on a RHEL 7.0 system, including a demo of a mapped local privilege escalation.

A Human-Centric Approach to Secure Supply Chain Management

3:45 - 4:30 p.m. - Track 4

Greg Gorman

Greg Gorman, NIST Specialist & Senior Enterprise Account Manager, Forcepoint

Securing the supply chain has long been an issue for agencies and large enterprises alike. In order to combat this ever-growing issue, the he U.S. Federal Government announced it is requiring all federal contractors to secure systems that create, process, store and receive sensitive information with baseline security standards. This regulation was released by The Department of Commerce, National Institute of Standards and Technology (NIST) and outlines a list of 109 security controls that all contractors must have in place by the end of 2017. Consequently, companies that do not meet the guidelines by December 31, 2017 will lose their current contracts. This impending regulation presents a substantial challenge for businesses to implement as they seek to innovate while securing their employees, critical data and IP. Combining intelligent systems and understanding employee behavior will be critical for compliance and ultimately, preventing data loss. This session will address the importance of a human-centric approach for secure supply chain management. This session will discuss:

• The NIST SP 800-171 regulation and why compliance is important
• An overview of the security control categories
• Three steps in working toward compliance
• Solutions to accelerate the path to compliance





Date: Tuesday, October 3

Time: 8 a.m. - 5 p.m.

David Kennedy, Binary Defense Systems

David Kennedy David Kennedy is the Founder of TrustedSec and Co-Founder and Chief Hacking Officer of Binary Defense Systems (BDS). David has had guest appearances on Fox News, CNN, and other high-profile media outlets. David is the founder of DerbyCon, a large-scale security conference in Louisville Kentucky. David also co-authored Metasploit: The Penetration Tester's’ Guide book which was number one on in security for over 6 months. David was also one of the founding members of the “Penetration Testing Execution Standard (PTES)“. PTES is the industry leading standard and guidelines around how penetration tests should be performed and methodologies. David is the creator of several widely popular open-source tools including The Social-Engineer Toolkit (SET) and many more.
Ted Brunell, Red Hat

Ted Brunell Ted is a Red Hat Certified Architect (Level III) and serves as the Principal Architect for Red Hat's DoD team. He works with customers, Red Hat Business Units and multiple sales teams across the North America Public Sector to discuss customer requirements and solutions that Red Hat can provide to meet them. Ted has been at Red Hat since 2011 and brings with him a unique view and knowledge on tactical and DoD-centric data communications based on 20 years of active duty in the United States Marine Corps. During his tenure in the Marine Corps, Ted worked at every echelon of command, including the Marine Network Operations and Security Command and the I Marine Expeditionary Force, where he served as a Data Chief. Since joining Red Hat, Ted has been recognized for is efforts by being awarded the Red Hat Chairman's Award in 2015.
Colonel Tom Clancy, U.S. Department of Defense

Tom Clancy COL Clancy serves as IdAM and PKI Lead in the Office of the Secretary of Defense’s Deputy CIO for Cybersecurity staff. Originally commissioned as an Armor Officer from the United States Military Academy, Clancy was assessed into Functional Area 53 (Information Systems Management) in 1998. He has deployed in automation services and cyber security roles at the Brigade, Division, Corps, and Joint Task Force echelons. He most recently served as Chief of USTRANSCOM’s Joint Cyber Center. He holds a BS in Systems Engineering from the United States Military Academy, an MS in Computer Science from SUNY Stony Brook, and an MS in National Resource Strategy from the Industrial College of the Armed Forces.
Chris Heath, DMDC

Tom Clancy Chris Heath Serves as the Enterprise Service Director for Defense Manpower Datacenter (DMDC). His previous role was as the Architecture Division Chief in DMDC. He retired as a LTC Chemical Officer in the Army as a Functional Area 53 (Information Systems Management). He has served in various roles in the Army in information technology at the theater level in logistics, Intelligence, and C2 (Command and Control). He holds a Bachelor of Science in Chemistry and Master of Science in Management.
Dmitri Pal, Red Hat

Dmitri Pal Dmitri Pal is responsible for a subset of security and identity management related technologies and products in the Red Hat portfolio, including OpenSCAP, SELinux Crypto, IPSec VPN, Firewalld, Red Hat Directory Server, certificate system, Samba, Kerberos, key and secrets management projects, SSSD (System Security Services Daemon) and the IdM server built using FreeIPA (Identity, Policy, Audit) technology. Dmitri has nearly 20 years of security-related software engineering and product management experience.
Donny Davis, Red Hat

Donny Davis Donny Davis started his career in the US Army as a 25S (Satellite Communications Operator/Maintainer) in 2002. He went to Basic Combat Training at Fort Jackson, SC and Advanced Individual Training in Fort Gordon, GA. He spent 13 years in the US Army, with tours to Iraq, and Afghanistan. He got out of the Army as a Staff Sergeant in 2015, and came to work for Red Hat as a Solutions Architect supporting the US Army Team. Donny currently holds two certifications from Red Hat, RHCVA and RHCE.
Tariq Islam, Red Hat

Tariq Islam Tariq began his career in technology 11 years ago as an app developer within the federal government. He has held several engineering roles ranging from development to deployment operations. In that time, Tariq worked under a variety of development disciplines and managed deployment lifecycles of multiple flavors. After a brief period in consulting, Tariq made the move to becoming a Solution Architect where he has the privilege of working with an incredibly diverse set of customers and agencies, helping them modernize their workloads and associated processes, stemming from best practices learned over the years in the industry. Throughout his career, Tariq has enjoyed helping agencies meet their mission through the adoption of better technologies that enable improvements in processes that impact the people closest to that mission.
Daniel Walsh, Red Hat

Daniel Walsh Daniel Walsh has worked in the computer security field for over 35 years. Dan is a Consulting Engineer at Red Hat. He joined Red Hat in August 2001. Dan leads the Red Hat Container Engineering team since August 2013, but has been working on container technology for several years. Dan has made many contributions to the docker project. Dan has also developed a lot of the software on Project Atomic. He has led the SELinux project, concentrating on the application space and policy development. Dan helped developed sVirt, Secure Virtualization as well as the SELinux Sandbox back in RHEL6 an early desktop container tool. Previously, Dan worked Netect/Bindview's on Vulnerability Assessment Products and at Digital Equipment Corporation working on the Athena Project, AltaVista Firewall/Tunnel (VPN) Products. Dan has a BA in Mathematics from the College of the Holy Cross and a MS in Computer Science from Worcester Polytechnic Institute. Twitter: rhatdan Blog: Email:
Keith Basil, Red Hat

Keith Basil Basil is focused on leading the product management, positioning, and business strategy for security within the Red Hat OpenStack Platform product. Working cross-functionally, he's introduced and structured an effective, compliance-driven approach to cloud infrastructure security. Compliance frameworks of interest include: FedRAMP, ANSSI, ETSI and the work being done by the Cloud Security Alliance.
Joseph Conway, Crunchy Data

Joseph Conway Joe Conway is an innovative leader with broad experience in a wide array of disciplines and extensive international business exposure. He has been involved with the PostgreSQL community since 1998, presently as a PostgreSQL Committer, Major Contributor, and Infrastructure Team member. He is also the author and maintainer of a PostgreSQL procedural language handler for the R language, PL/R. Joe is currently VP PostgreSQL Engineering at Crunchy Data Solutions and a Board Member at the United States PostgreSQL Association (PgUS).
Nathaniel McCallum, Red Hat

Nathaniel McCallum If you're looking for someone to blame for software projects such as FreeOTP, José, Clevis and Tang, Nathaniel is the guy. He also regularly breaks projects such as FreeIPA and MIT Kerberos with his "contributions." Not satisfied with unleashing poor software on the world, he works on dismantling the Internet via new IETF Internet Drafts and dabbling in cryptography. Many have suffered through the talks he has given at conferences such as FOSDEM, DevConf, LISA, SCALE, Ping Identity Summit, et cetera. Outside the office, he tries to corrupt the minds of today's youth through philosophy. His legacy of destruction is all but ensured due to his five children. Also, his wife tolerates him.
Jamie Jones, GitHub

Jamie Jones Jamie is a recovering development lead who has spent more than a decade helping the Department of Defense build software, one project at a time. He now works for GitHub as the Lead Solutions Architect specializing in Government, helping agencies build better software through agile transformation & modernization, Innersource, open source, secure Dev Ops and leaving Subversion behind forever. He's been with GitHub for over two and a half years, and has worked with all manners and sizes of Federal customers, and the different requirements (and opportunities) they all bring. Jamie and his family live in Alexandria, VA. When he's not closing pull requests, he enjoys history and hiking with their dog, Franklin.
Prasad Kunchakarra, Capitis Solutions Inc.

Prasad Kunchakarra is the founder and Chief Architect of Capitis Solutions Inc., a Maryland based information technology company. He has over 20 years of industry experience and has successfully architected large scale, secure cloud native applications. He holds a Masters Degree in computer science from Virginia Tech.

Over the last decade, Mr. Kunchakarra has architected large scale modernization programs for both Government agencies and Private Sector organizations. He is passionate about building event driven microservices with stringent information security requirements. Capitis Solutions Inc. offers innovative DevSecOps services to organizations with security controls implementation and compliance needs under the leadership of Mr. Kunchakarra.
Vikas Gupta, Capitis Solutions Inc.

Vikas Gupta is a senior DevSecOps architect at Capitis Solutions. He has over 12 years of information technology experience and holds a Masters Degree in Computer Science from University of Roorkee, India. Vikas is currently automating information the security controls and compliance of a major financial platform on AWS cloud. He has extensive experience with DevOps automation tools and implementing mature microservices pipelines.
Lorenzo Anderson, Capitis Solutions Inc.

Lorenzo Anderson is a senior information security architect at Capitis Solution. Mr. Anderson has over 10 years of information technology experience with a degree in electrical engineering from DeVry University. He is a technology visionary and cyber security professional who thrives on solving complex problems. He has extensive experience in information security with a focus on perimeter defense, secure network design, vulnerability discovery, cloud security and design, compliance and intrusion detection systems.
Glen Wilcox, Red Hat

Glen Wilcox Glen Wilcox is a Solutions Architect with Red Hat’s Public Sector team. His current focus is on helping customers with application modernization via open source software adoption, container-based architectures and IT automation. Glen has 20+ years’ experience in the software industry and began working with Java/JEE in early 2000. He has assisted customers in architecture, development and delivery of middleware solutions across a wide variety of environments including aerospace, telecommunications and financial services. Prior joining Red Hat, he worked for the government middleware teams for Oracle, IBM and BEA Systems. When he is not at work, Glen enjoys taking advantage of the many outdoor recreation opportunities Colorado has to offer.
Steve Orrin, Chief Technologist, Intel Federal LLC at Intel Corporation

Steve Orrin Experienced CTO and Product/Solution Architect. Concentration on Security and Security related topics & technologies as well as E-business challenges. Have founded 2 ISV Start-ups and brought them through productization and customer delivery. Have taken an development stage security company through acquisition. Regular speaker on Security, Privacy, and Web Services topics.

Specialties: Internet Security, PKI, Cloud Security and Trusted Clouds, Virtualization Security, Malware and Botnet Detection, Cryptography, Web Services/SOA/Web 2.0, XML Threats, Steganography, Legacy Applications, Mainframe Architecture, The Internet/Technology Start up Process, Secure Development Process and Best Practices
Shawn Wells, Chief Security Strategist U.S. Public Sector

Shawn Wells Shawn is focused on creating strategic approaches, frameworks and technologies to elevate the competitive superiority of the U.S. Government’s Information Assurance capabilities.

This work often takes on the most difficult, controversial, and frequently classified, capability development collaborations between Red Hat and the U.S. Government. Utilizing rapid innovation that open source development enables, combined with an engineering rigor process, Shawn is responsible for producing mission-critical quality technology for offensive and defensive purposes. Specifically, Shawn focuses on “Radical Innovations,” defined as technologies new to existence, and “Next Generation,” which pushed existing capabilities into completely different operating windows.

Prior to this role Shawn was the Director of Innovation Programs. Chartered with helping the Defense and Intelligence Community build innovation climates, Shawn engaged these communities in internal venturing and intrapreneurship to create and incubate new ideas and drive enabling technologies. Shawn built a portfolio of innovation programs, defined as emerging ideas and mission capabilities, and drove them into open source development projects for transition into formal government-industry partnerships.

Previous roles include serving as Technical Director for U.S. Intelligence Programs, where he oversaw Red Hat’s classified technical initiatives with agencies such as the NSA, CIA, and NRO; Global System z Practice Lead, building a global sales, strategy, and marketing organization for Mainframe computing; and formerly an NSA civilian, Shawn was the architect of the Al-Qaeda Senior Leadership SIGINT Database (AQSLDB), which ingested, exploited, and analyzed High Power Cell Phone collections in support of capture or kill missions.

Government programs frequently encounter extreme loss aversion and threat rigidity responses. Often attributed to organizational complexities, there is poor understanding of where new capability opportunities originate, poor selection patterns for innovation portfolios, and frequently inflexible processes for execution biased to incremental projects. There’s no way to run small, cheap, radical experiments. Shawn frequently leads the “how and why” conversation behind Red Hat’s open innovation and collaboration models, sharing success stories from across public sector.
Tony James, Red Hat

Tony James Tony James is a Senior Solution Architect in Red Hat's North America Public Sector organization. With over 15 years of experience in the information technology industry, Tony has experience supporting the DoD, Intelligence Community, and now Civilian Government agencies. Tony is a Red Hat Certified Architect and uses his broad expertise to help customers achieve their mission using open source solutions.
Jason Callaway, Red Hat

Jason Callaway Jason Callaway is a principal solutions architect at Red Hat, specializing in cybersecurity. In his current role, Jason is the technical lead working across US Government agencies to help implement their cyber and cloud migration strategies. Prior to joining Red Hat, Jason deployed the first mission OpenShift Platform as a Service environment in the Department of Defense. Jason speaks frequently at open source and cybersecurity meetups, his blog is at
Kenneth Evensen, Red Hat

Jason Callaway Ken Evensen is a solutions architect with Red Hat, and is passionate about assisting customers in integrating complex information systems securely and advancing their capabilities. With a background in Software Engineering, Ken has spent his entire professional career in service of the public sector starting as a Flight Software Engineer at the NASA Jet Propulsion Lab. At Red Hat, Ken employs his subject matter expertise in automation and security to assist customers with intelligent IT transformation. Ken is a contributor to Kubernetes, has submitted multiple Ansible modules upstream, and has founded the Enterprise Linux Exploit Mapper project. Ken is a Red Hat Certified Architect as well as an Offensive Security Certified Expert.
Aidan Feldman, 18F

Aidan Feldman Aidan is an Innovation Specialist and developer at 18F, which is part of the United States General Services Administration’s Technology Transformation Service. Aidan works on, some interesting “bureaucracy hacks,” and tackling the remaining barriers to real technological change within the federal government.
Juan Asenjo, Thales e-Security

Juan Asenjo Juan C. Asenjo, PhD., CISSP Juan has worked in the information security field for over 25 years – in government, military, and private sector. He is currently responsible for cryptographic integrations with partner solutions, focusing on identity management, authentication, and encryption. Holding degrees in Engineering, Business and Information Science, and a certified a CISSP, Juan helps technology companies reach more customers with integrated solutions that reduce risk and enhance security.
Greg Gorman, Forcepoint

Greg Gorman Greg Gorman is Senior Enterprise Account Manager for Forcepoint’s Global Government business and also serves as a NIST Specialist. He has been with Forcepoint for five years and has worked on DFARS for the past two. He’s been involved in the cyber industry for about eight years – working for both solution providers and financial service institutes. In addition, Gorman served as a member of the AFCEA NOVA board for four years. Gorman holds a bachelor’s degree in economics from the University of North Carolina Chapel Hill, and in his spare time, practices magic.
Lucy Kerner, Red Hat

Lucy Kerner Lucy Kerner is currently a Principal Technical Marketing Manager for Security at Red Hat. In this role, she is the global Security technical evangelist and helps drive thought leadership and the global go-to-market strategy for Security across the entire Red Hat portfolio. In addition, she helps create and deliver security related technical content to the field, customers, and partners. Prior to this role, she was a Senior Cloud Solutions Architect for the North America Public Sector team at Red Hat. With her domain expertise in cloud technologies, she supported the Red Hat cloud sales efforts by presenting and designing Red Hat Cloud solutions for a wide range of North America Public Sector customers. Lucy has over 15 years of professional experience as both a software and hardware development engineer and a pre-sales solutions architect. Prior to joining Red Hat, she worked at IBM as both a Mainframe microprocessor design engineer and a pre-sales solutions architect for IBM x86 servers. She has also interned at Apple, Cadence, Lockheed Martin, and MITRE, where she worked on both software and hardware development. Lucy graduated from Carnegie Mellon University with a Master of Science (M.S.) and Bachelor of Science (B.S.) in Electrical and Computer Engineering and a Minor in Spanish.
Martin Preisler, Red Hat

Martin Preisler Martin Preisler works as a Software Engineer at Red Hat, Inc. He is working in the Security Technologies team, focusing on security compliance using Security Content Automation Protocol. He is the principal author of SCAP Workbench, a frequent contributor to OpenSCAP and SCAP Security Guide, and a contributor to the SCAP standard specifications. Outside of work he likes playing guitar, skiing, billiards and indoor climbing.
Tim Mackey, Black Duck Software

Tim Mackey Tim Mackey is a technology evangelist for Black Duck Software specializing in the secure deployment of applications using virtualization, cloud and container technologies. Prior to joining Black Duck, Tim was most recently the community manager for XenServer and was part of the Citrix Open Source Business Office. Tim has held roles in mission critical engineering, performance monitoring, and large-scale data center operations. He has spoken globally on a variety of topics and at well-known events such as OSCON, LinuxCon, CloudOpen, Interop, CA World, Cloud Connect, USENIX LISA and the CloudStack Collaboration Conference. Mr. Mackey is an O'Reilly published author.
Karl MacMillan, Strajillion, Inc.

Karl MacMillan I am an experienced technology executive and creative software developer, primarily focused on cyber-security. I've extensively researched how commercial mobile apps secure themselves while building a deep-content inspection product for mobile. I've also written software that ships with every Android device sold today, lead the development of a secure version of Android, consulted about security with major mobile device manufacturers.

Speakers Coming Soon!

Travel Information


Sheraton Tysons Hotel

8661 Leesburg Pike

Tysons, VA 22182

Get directions.

Tysons Corner


Join the conversation

Rocket Fuel