At the conference, you will meet Qualys engineers, the driving force behind our Qualys Cloud Platform, hear our roadmap for the future and have the opportunity to provide direct feedback and suggestions.
Listen to best practices and use case presentations, participate in round tables with our product managers and fellow Qualys customers, attend our free training and tally CPE credits.
CIOs, CSOs and CTOs; directors and managers of network, security and cloud; developers and DevSecOps practitioners; Qualys partners and consultants; or anyone passionate about security.
QSC Welcome Reception at Hyde Bellagio
Tuesday, November 13, 6:30 – 9:30 PM
Kick off QSC18 with a social evening in the chic indoor-outdoor Hyde nightclub! Take in views of the Bellagio fountains, enjoy cocktails, and connect with Qualys experts and peers.
|7:30 – 8:30 AM||
Registration and Breakfast | Tower Ballroom 5
|8:30 – 8:45 AM||
Our Journey in the Cloud – Where Are We Now? | Tower Ballroom 4
Our IT and security world is undergoing a profound transformation and there is no question that we all must now embrace the Cloud if we want to regain control of our networks. Philippe will retrace the journey Qualys undertook in the cloud as early as 1999 and highlight the founding principles that are helping Qualys transform security and make our computing world safer — one cloud app at a time.
|8:45 – 10:20 AM||
Keynote: Regaining Our Lost Visibility | Tower Ballroom 4
While digital transformation gave us the opportunity to build security in, it represents a new challenge in a world where public cloud platforms and an avalanche of new IT security technology, such as container security, are forcing enterprises to rethink their IT infrastructure, applications and security. Sumedh will discuss the ways that Qualys’ Cloud Platform, with its new global IT asset inventory capabilities, is rapidly becoming a keystone that unifies IT, security and compliance across on-premises, hybrid clouds, endpoints, mobile devices, OT and IoT environments.
|10:20 – 10:40 AM||
Break | Tower Ballroom 5
|10:40 – 11:10 AM||
Looking Under the Hood: What Makes Our Cloud Platform so Scalable and Powerful | Tower Ballroom 4
This session will focus on the Digital Transformation Qualys is going through which has enabled us to expand our platform at such high velocity into a highly scalable and integrated solution.
|11:10 AM – 12:25 PM||
Real-Time Vulnerability Management | Tower Ballroom 4
This talk will demonstrate the new features in Qualys Cloud Platform 10.0, and introduce the new Patch Management app. Qualys Cloud Platform 10.0 introduces a new customizable Vulnerability Management Dashboard for faster pivoting through vulnerability data, Custom Remote Detections for developing your own signatures, and Unified Dashboarding for mixing and matching widgets from multiple apps into a single view. Our new Patch Management app now lets you detect missing patches on a system and patch your entire environment with just a few clicks, using existing Qualys Cloud Agents. Learn how vulnerability data is leveraged by Patch Management in security patch detections, allowing you to quickly target and patch a CVE without the need to track down the specific security bulletins.
|12:25 – 12:50 PM||
Bringing IOC to the Next Level | Tower Ballroom 4
This talk demonstrates how threat actors are rapidly weaponizing known vulnerabilities to target, exploit, and take over organizations’ networks for financial motivations, customer account and intellectual property theft, and sabotage. Learn how to use Qualys Indication of Compromise and other Cloud Apps to address mutant, dormant, and fileless malware, and best practices for streamlining Threat Hunting and Incident Response by instantly identifying compromised and suspicious devices across endpoints and networks.
|12:50 – 2:00 PM||
Lunch Keynote: Toward Continuous Security: Future Reality, or the Ultimate Threat? | Tower Ballroom 5
“Continuous” has become a watchword of modern IT. Modern concepts of availability, elasticity and scale have made it possible for IT to function without any interruption whatsoever – even when security or availability issues must be resolved as they occur. Changes to applications are rolled out on an ongoing basis without any interruption to service or resource integrity. Users almost never know when such changes have been made.
Meanwhile, threats and vulnerabilities emerge constantly, and the number discovered every day can be overwhelming. Can security really maintain continuous visibility and control over this reality? Or does this overwhelming scale of data and exposures pose an existential threat to security itself? Learn about the scale and scope of automation, analytics and availability that organizations must embrace if they hope to get a handle on the immediacy and pace of security today, and be best prepared for tomorrow.
|2:00 – 2:20 PM||
Vulnerability Management, DevSecOps and the Cloud … Oh My!! | Tower Ballroom 4
In the land of technology, many of us are merrily skipping down the yellow brick road with our sights set on the Emerald City aka The Cloud. We have visions of better, faster, cheaper options to achieving our business goals. But, as we can all probably attest to, the journey to the Emerald City is not an easy one—with plenty of scary flying monkeys and witches along the way.
Cox Automotive’s journey has been no different, but with the help of some innovative wizardry (no ruby red slippers required), we’ve successfully created novel ways to integrate security into the DevSecOps process allowing us to test AWS AMIs in the marketplace and perform continuous vulnerability testing using agents post deployment.
|2:20 – 2:50 PM||
A 360° Approach to Securing the Cloud | Tower Ballroom 4
Users are increasingly adopting multicloud for their hybrid IT strategies to drive digital transformation, and securing clouds requires shared security responsibility. This session will introduce the inherent threats and solutions needed to secure your cloud stack, from workloads to infrastructure. It will demonstrate how to gain visibility of your public clouds, secure workloads from both internal and perimeter vulnerabilities, and set up continuous security monitoring of cloud resources to avoid issues such as data leaks and cryptomining attacks through your cloud infrastructure. Also learn best practices from real-world examples of customers transparently orchestrating security into their practices and DevOps pipelines.
|2:50 – 3:20 PM||
The New Frontier of Container Security | Tower Ballroom 4
Containers are the most sought-after development tool for microservices. Their simplicity and portability allow DevOps to create true agile builds within development cycles. However, this new kind of environment brings a new set of security threats at every phase of this cycle—from unvalidated software entering the environment to running containers drifting and breaking immutable behaviors. This talk outlines how to build security into every phase. Learn about detecting anomalies and preventing security breaches in an extremely agile runtime environment, enabling you to efficiently manage security at the speed and scale of DevOps.
|3:20 – 4:10 PM||
Web Applications: The Soft Belly of the Cloud | Tower Ballroom 4
One of the main drivers in adopting cloud services is quick and easy deployment of web applications and APIs that support your business. But attackers view them as ripe targets because they handle sensitive data and are often developed without security in mind. Any web application could be a foothold into your organization and lead to a data breach if a latent vulnerability such as SQL injection or remote code execution were successfully exploited. Using Qualys Web Application Scanning (WAS) continues to be an effective way to identify app-layer vulnerabilities quickly and reliably across different environments. This session will describe new capabilities in Qualys WAS such as better scan coverage and vulnerability detection, improved usability, automated scanning in CI/CD pipelines, and much more. This talk will also dive into the WAS roadmap for 2019, including some exciting changes coming to the UI and API testing capability.
|4:10 – 4:40 PM||
Managing Digital Certificates | Tower Ballroom 4
A safe browsing experience is good for business, driving HTTPS adoption to the extent that browsers now mark web pages NOT using TLS and certificates as “Not Secure”. In order to stay ahead of risk amidst the rise of DevOps and public clouds, organizations must automate visibility and tracking of their certificate deployments. Qualys CertView allows them to do so by centralizing visibility and lifecycle management of certificates as well as TLS configuration assessments into their overall continuous view of security and compliance state, and by enabling customers to rapidly see and remediate expired or vulnerable certificates. Learn how CertView can help you prevent downtime and outages, audit and compliance failures, mitigate risks associated with expired or vulnerable certificates and simplify the process of renewing, revoking and acquiring certificates into just a few clicks.
|4:40 – 5:00 PM||
Break | Tower Ballroom 5
|5:00 – 5:40 PM||
With so many overlapping and vague compliance requirements, selecting appropriate technical and procedural controls continues to be a challenge for organizations of all sizes in every industry. On the other side, there's always a race to make sure our environment is free from vulnerability, configuration and overall security issues, through robust cybersecurity procedures. Learn how innovations in the compliance family of apps can help you overcome common compliance challenges, simplify the control selection process and overall continuous compliance monitoring. You will see a preview of new automation to simplify control selection & assessment, continuous visibility into mandated requirements, and find new ways to get more data into the Qualys platform for a complete view of your compliance landscape.
|5:40 – 6:15 PM||
First Look Showcase | Tower Ballroom 4
Expanding our prevention, detection and response solution
|6:15 – 6:30 PM||
Closing Remarks | Tower Ballroom 4
|6:30 – 8:30 PM||
Dinner Reception and Networking | Tower Ballroom 5
|8:00 – 9:00 PM||
Transportation to Mystère Theatre
Mystère by Cirque du Soleil | Treasure Island
Qualys Security Conference and the pre-conference training will be held at the Bellagio Hotel.
3600 S Las Vegas Blvd
Las Vegas, NV 89109
T: (702) 693-7111
Attendance at QSC is complimentary. This includes access to all general sessions, breakout sessions, breakfast, lunch, breaks, and receptions.
Pre-conference training is also complimentary, but requires separate registration.
Travel and hotel accommodations are not included with QSC or pre-conference training.
Secure your accommodations now at the Bellagio Hotel.
Join us to learn how to effectively secure your hybrid IT environment, streamline your security and compliance initiatives and enable digital transformation.
There is no cost to attend this event.
Scott Crawford is Research Director for the Information Security Channel at 451 Research, where he leads coverage of emerging trends, innovation and disruption in the information security market.
Well known as an industry analyst covering information security prior to joining 451 Research, Scott has experience as both a vendor and an information security practitioner. At IBM, Scott guided offering strategy and development with a primary focus on security intelligence for IBM Security Services. He is the former CISO of the Comprehensive Nuclear-Test-Ban Treaty Organization (CTBTO) International Data Centre in Vienna, Austria, where he pioneered the implementation of security policy and architecture for a non-governmental organization (NGO) serving more than 150 nations.
Mark O'Neill advises on strategy for API management and the API economy as part of an overall digital platform and business ecosystem. He advises on how API management relates to SOA and products such as ESBs. He also advises on strategy for banking APIs, including PSD2 in Europe. This includes API security. With his background in B2B, he covers the usage of APIs for B2B, as well as the relationship between APIs and traditional B2B technologies.
Charles Henderson is the Managing Partner and Global Head of X-Force Red. Throughout his career, Charles and the teams he has managed have specialized in network, application, physical, and hardware/device penetration testing as well as vulnerability research. X-Force Red’s clients range from the largest on the Fortune lists to small and midsized companies interested in improving their security posture.
Charles is also an enthusiastic member of the information security community and an advocate of vulnerability research. He has been a featured speaker at various conferences (including Black Hat, DEFCON, RSA, SOURCE, OWASP AppSec USA and Europe, and SXSW) around the world on various subjects relating to security testing and incident response. He has also appeared on or in The Today Show, CBS Evening News, CNN, Fox News, MSNBC, BBC, The Wall Street Journal, Forbes, USA Today, The Register, SC Magazine, Engadget, eWeek, Reuters, Car & Driver, and various other media outlets.
Demonstrating a unique mix of technical vision, marketing and business acumen, Philippe Courtot has repeatedly built innovative companies into industry leaders. As CEO of Qualys, Philippe has worked with thousands of companies to improve their IT security and compliance postures. Philippe received the SC Magazine Editor’s Award in 2004 for bringing on demand technology to the network security industry and for co-founding the CSO Interchange to provide a forum for sharing information in the security industry. He was also named the 2011 CEO of the Year by SC Magazine Awards Europe.
Before joining Qualys, Philippe was the Chairman and CEO of Signio, an electronic payment start-up that he repositioned to become a significant e-commerce player. In February 2000, VeriSign acquired Signio for more than a billion dollars. Today, VeriSign’s payment division, based on the Signio technology, handles 30% of electronic transactions in the U.S., processing $100 million in daily sales. Prior to Signio, Philippe was President and CEO of Verity, where he re-engineered the company to become the leader in enterprise knowledge retrieval solutions. Under Philippe’s direction, the company completed its initial public offering in November 1995. Philippe also turned an unknown company of 12 people, cc:Mail, into the dominant e-mail platform provider, achieving a 40% market share while competing directly against IBM and Microsoft. Acknowledging the market leading position of cc:Mail and the significance of e-mail in corporate environments, Lotus acquired the company in 1991. In 1986, as CEO of Thomson CGR Medical, a medical imaging company, Philippe received the Benjamin Franklin award for his role in the creation of a nationwide advertising campaign promoting the life-saving benefits of mammography. Philippe served on the Board of Trustees for The Internet Society, an international non-profit organization that fosters global cooperation and coordination on the development of the Internet. French and Basque born, he holds a master’s degree in physics from the University of Paris, came to the US in 1981 and has lived in Silicon Valley since 1987.
As Chief Product Officer at Qualys, Sumedh oversees worldwide engineering, development and product management for the Qualys software-as-a-service (SaaS) platform and integrated suite of security and compliance applications. A core systems and database engineer, Sumedh started at Qualys in 2003, architecting and delivering Qualys’ PCI compliance platform to meet the Payment Card Industry (PCI) Data Security Standard (DSS) requirements. Today, more than 69 percent of ASVs and 50 percent of QSAs worldwide use Qualys PCI to perform PCI DSS certification.
A long time advocate of the SaaS model and cloud computing, Sumedh worked at Intacct, a cloud-based financial and accounting software provider, before working at Qualys. Previous to Intacct, Sumedh worked at Northwest Airlines to develop complex algorithms for yield and revenue management for their backend reservation system.
Sumedh is active in the PCI and security community working closely with the PCI Council on the development and enhancement of PCI DSS. He co-authored “PCI Compliance for Dummies,” an easy-to-read guide designed to educate merchant organizations about PCI. Sumedh has a bachelor’s degree in computer engineering with distinction from the University of Pune.
Jerry Hughes, a founding member of Compass IT Compliance, LLC, has over 25 years of experience helping companies become compliant with internal, industry and government regulations such as PCI-DSS, Sarbanes-Oxley, HIPAA and GLBA. Mr. Hughes, a Certified Information Systems Auditor (CISA), Qualified Security Assessor (QSA), and Certified in Risk and Information Systems Control (CRISC), has extensive IT auditing experience—especially within the financial industry, healthcare industry, and the retail sector—and has participated in hundreds of PCI Risk Assessments and Audits.
Mr. Hughes has helped develop Compass IT Compliance, LLC into one of the nation’s premier consulting firms in the area of IT Governance, Assurance, Security and Compliance services. His team of CISA-certified auditors, all certified in the international framework called Control Objectives for Information and related Technologies (COBIT), offers a full suite of IT Compliance services within the banking, insurance, retail, health care, energy and education sectors.
Frank Catucci is currently the Director of Application Security and DevSecOps for ImagineX Consulting. He is also the former Director of Product Management for Application Security at Qualys. Frank is an appsec and infosec leader, hacker and consultant during the day and a security researcher by night and by life. Decades of experience spanning Fortune 500 enterprise, financial services, university/higher education, government, and a fair share of start-ups and businesses, both public and private, grants him the unique ability to see and lead information security with a unique, complete, and widely encompassing approach in all aspects of cybersecurity.
Brian Canaday is a senior engineer for the vulnerability and configuration management program at CSAA Insurance Group, a AAA Insurer. With over 21 years of experience in system administration, information security and governance, risk & compliance, Brian brings a unique balance of technical and regulatory experience. Having worked in the private sector and in the government sector, he is well rounded in the different environments of security.
Michael Smith has been working as an Information Security Professional for 19 years. In that time, he has worked across multiple global organizations such as PayPal, General Dynamics, SAIC, and Deloitte. He currently works within the Amadeus Information Security team for their Hospitality business, handling enterprise risk management, compliance, and audit.
Sarah Kennedy is currently working at HCA, Inc. specializing in security vulnerability assessment. She received her Master’s in Information Security from Lipscomb University and her undergraduate in Telecommunications Systems Management from Murray State University.
Robert Sloan has been with HCA, Inc. for the past 15 years, currently on the Vulnerability Management team. He and his team are responsible for the security assessments of diverse systems over a complex healthcare network across the US and UK.
Dilip Bachwani is Vice President of Engineering at Qualys, responsible for spearheading Qualys’ Cloud Platform Engineering, DevOps and SRE initiatives. An Agile and DevOps champion passionate about its transformational potential on organizational productivity and success, Dilip has deep technology and architecture expertise and over 18 years of experience in building complex scalable distributed systems.
Jimmy Graham is the Director of Product Management for Vulnerability Management. He has been deeply involved in information security and vulnerability management for over 10 years, and has managed teams covering security operations, incident response, application security, vulnerability management, penetration testing, governance, and compliance.
Chris Carlson is a vice president of product management at Qualys, where he is in charge of the product definition, roadmap and strategy for the Cloud Agent Platform. During his 20+ year career in the infosec industry, Carlson has attained expertise in multiple areas, ranging from firewalls, VPNs and intrusion prevention systems to real-time event-processing, security analytics and next-generation endpoint platforms. Prior to joining Qualys, he held security architecture roles at UBS and at Booz Allen Hamilton, and product management positions at venture-funded startups and at leading vendors, including Hexis Cyber Solutions, Agent Logic, Informatica and Trustwave.
Patricia Smith is Vice President and Chief Information Security Officer for Cox Automotive, the world’s leader in automotive software solutions for auto dealers, consumers, financial institutions and OEMs. Cox Automotive is a subsidiary of Atlanta-based Cox Enterprises. Patricia was named to this position in June 2016. She is responsible for developing and managing the security strategy for Cox Automotive, as well as all aspects of risk management & compliance, security operations, security engineering & architecture, vulnerability management, business resiliency and security culture & awareness.
Patricia has spent over 15 years designing, building, and managing Information Security programs that focus on delivering innovative security solutions while partnering with the business to enable innovation and business success.
Dave Ferguson is Director of Product Management for Web Application Security at Qualys. After writing code and developing applications for over a decade, Dave transitioned to focus on application security. Prior to Qualys, he led the global application security program at Sabre Corporation and worked as a Principal Consultant at FishNet Security (now Optiv). Dave is author of the OWASP Forgot Password Cheat Sheet and holds CISSP and CSSLP certifications.
Asif Karel is the director of product management for Qualys CertView. He has over 20 years of experience in Information Security including online fraud detection, PKI, strong authentication and single sign-on. Prior to joining Qualys, he was a subject matter expert in digital certificates and certificate solutions at VeriSign and Symantec, a solutions architect in the CASB space at CipherCloud and a solutions manager at Venafi.
Tim White is Qualys’ director of product management for policy compliance. With more than 20 years of experience in IT GRC, he has worked with a variety of large enterprises across many different verticals while shaping products in the industry. He also has significant experience in broader Information Security, working with products ranging from Firewalls, Network Security, and Host Security.
Shailesh Athalye (CISA, CRISC, CEH, ISO 27001 LA) is Director of compliance solutions at Qualys, heading product innovation as well as engineering. With over 15 years of experience in IT risk, compliance and cybersecurity domains, he has been a driving force for engineering the risk & compliance line of products at leading security product companies, helping customers go beyond compliance and drive their IT GRC objectives.
Nelrose Viloria is the Product Manager for Vulnerability Management Services (VMS) at Secureworks, a Dell Technologies company. She has an extensive background in product management, marketing, and strategic planning in various industries, with a heavy focus in technology. Her key focus is to drive the VMS portfolio to help clients optimize their vulnerability management program and make the most out of their vulnerability scanner to keep their business or enterprise secure.
Pablo Quiroga is a Director of Product Management at Qualys, where he is in charge of the product definition, roadmap and strategy for the IT asset visibility & management initiatives. With over 10 years of experience in Enterprise Software and the IT industry, Pablo has helped numerous customers gain significantly better visibility to support data-powered decisions that often led to multi-million-dollar savings and risk avoidance.
Peeyush Patel is Vice President of Information Security within the Experian Global Security Office (GSO). He is responsible for the strategy, leadership and governance of Experian’s GSO, including Application Security, Threat Management, Data Protection, and Offensive Security programs.
Jacques Declas, founder and CEO of 42 Crunch, is an entrepreneur with more than 20 years in the Enterprise Software industry and a record of scaling international sales teams. He has an extensive knowledge of the API Security market, having served in senior VP roles in Forum Systems, Vordel (acquired by Axway) and Intel. During his career Jacques has built worldwide partnerships with software vendors such as Computer Associates, Oracle and Microsoft and leading consulting firms such as Accenture, Atos and CSC. Jacques holds a bachelor of Financial Management and European Business Law.
Don Leatham is a 15-year veteran of the security software market. Having held senior roles in security product management, OEM technologies, and strategic technology alliances, Don provides a unique perspective and understanding of how security technologies, products, and market relationships come together to form today’s complex InfoSEC environment.
Constantine Vorobetz worked as a Computer Software Engineer/Security Analyst at Montana State University (MSU) located in Bozeman, MT where he implemented and currently manages their Qualys use. He has over seven years working in Information Security. He graduated from Montana State University with a Bachelor of Science Degree in 2002 and later completed his Master of Science in 2007 from the University of Cincinnati. He completed his Certification as a Computer Forensic Examiner (CFCE) from the International Association of Computer Investigative Specialists (IACIS) in 2013.
Hari Srinivasan is director of product management for Qualys’ security for cloud and virtualization. He has expertise in numerous enterprise software disciplines including cloud security and analytics, automation, systems management, data center transformation, Hybrid Cloud, PaaS - DBaaS, compliance and configuration management. He previously worked at Oracle as an engineer and spent over a decade in product management positions in multiple areas.
Colleen Csech is a Manager on the Vulnerability Management Team in Capital One’s Cyber division where she leads the development, implementation, and maintenance of vulnerability best practices for applications in the server space for both on-premises and cloud environments. Colleen began her career working for a federal consulting company in the Washington, DC area where she worked as a Cyber security policy and compliance analyst specializing in vulnerability scanning security documentation.
Dan Wilson is a Sr Manager within Capital One's Cyber organization based in Chicago, IL. He leads the Vulnerability Management Team, which drives vulnerability remediation and configuration compliance across all lines of business and all platforms within the enterprise. Prior to Capital One, he spent more than a decade serving in local law enforcement. He specialized in computer forensic investigations and assisted multiple agencies, ranging from federal and state agencies to other law enforcement agencies within Wisconsin.
Asif is a passionate cybersecurity entrepreneur with a broad business and technology expertise that spans enterprise, healthcare and financial domains, and cloud, mobile and deep learning technologies. He was the founder and CTO of Layered Insight till it was acquired recently by Qualys. He is now the CTO for Container Security at Qualys. Layered Insight was a pioneer in the container security space that offered a solution for providing deep visibility and protection for containerized and serverless workloads, using an innovative application-centric approach. It's the only infrastructure and orchestration agnostic solution that's zero-touch to developers and DevOps, and fully portable for cloud and edge workloads.
Asif is a pioneer in the Mobile Application Management space. Back in 2011, he identified a serious gap in the enterprise solutions being offered for BYOD, envisioned an innovative user-space virtualization solution, and founded Plursona to build that solution and realize the business vision. Plursona was acquired in 2012 by HPE (Aruba Networks) for its best-in-class technology. Asif has held various technology and business leadership positions at HPE (Aruba Networks), Motorola Mobility, Wells Fargo, Juniper Networks and Boston Scientific (Guidant).