The QUEST 2018 Conference is May 21-25, 2018 at the Hyatt Regency River Walk in San Antonio, Texas.


QUEST is the best source for new technologies and proven methods for Quality Engineered Software and Testing. Thought leaders, evangelists, innovative practitioners, and IT professionals from across North America gather together for a week packed with classes, tutorials, educational sessions, hands-on workshops, discussion groups, EXPO, and networking events. Let your quest to build, test, and deliver quality software begin with QUEST 2018!



Dr. Bill Curtis, CISQ Executive Director, presents a keynote:

Software Intelligence: Structural Quality Analysis and Machine Learning


The C-suite is fed up with software disasters putting the quarterly statement at risk as they digitize the business. They will demand more accountability and force improvements in software processes that may clash with agile culture. Business critical applications have become so complex and demand for functionality so immediate that human-based quality practices are no longer sufficient. Developer capabilities must be enhanced by improved software quality technology integrated into DevOps toolchains. Providing deeper intelligence about structural weaknesses and operational risks is enabled by new structural quality measurement standards supplemented by machine learning. Recent results from machine learning research in software quality will be discussed along with some caveats about what to expect. International standards for measuring the structural quality of software developed by the Consortium for IT Software Quality (CISQ) will be reviewed along with results of empirical research on how some of the most severe flaws are distributed in business applications. The talk will conclude with organizational requirements for successfully adopting these advances.




Joe Jarzombek, CISQ Governing Board Member and Global Manager, Software Supply Chain Solutions, Synopsys, presents:


Software Integrity: Integrated Focus for Software Quality and Security


Evolving roles for QA/Testing must focus on product integrity to reduce enterprise risks attributable to exploitable software. As the cyber threat landscape evolves and software dependencies grow more complex, understanding and managing risk throughout the software supply chain is more critical than ever and must focus on the entire lifecycle that includes development, acquisition, and testing. During his presentation, Joe will provide details on the types of test tools and services used to determine resilience of products and residual risk exposures attributable to software and the value proposition for software integrity as an integrating focus for software quality and security. He will also explain how software integrity is an enabler for IoT cybersecurity and how using standards-based automation enables the exchange of information internally and externally with vendors for IoT/ICT products. Everyone will leave understanding how addressing supply chain dependencies throughout the lifecycle enables enterprises to harden their attack surface by comprehensively identifying their risk exposure.



Click here to view the QUEST program and register





CISQ Webinar: Using Software Quality Standards with Outsourced IT Vendor Engagements – a Fortune 100 Case Study

Date/Time: March 7, 2018 at 11:00am ET (30 minutes) check your time zone


Speaker: Marc Cohen, passionate Fortune 100 technologist driving enterprise scale transformation



In this webinar, Marc Cohen will discuss how to use software quality standards from CISQ in vendor management engagements. Drawing from nearly two decades of technology deployment experience at American Express, he will explain how to derive better software, better development resources, and better vendor relationships by leveraging software quality standards.


His bio:

Marc Cohen is a seasoned strategic analytical leader who focuses on creating and delivering successful transformational large-scale marketing, risk and information management initiatives. As Technology Vendor Manager at American Express, Marc developed, implemented and managed the American Express Technology Performance Measurement initiative. He led a process that enabled development teams to hold their IT labor vendors accountable by ensuring robust quality code development to contractual service level targets, resulting in the maximum optimization of over $1B in outsourced labor spending.








Webinar: Solving the Software Development Pipeline Crisis

Using Apprenticeships to Develop IT Talent


This hour-long webinar starting at 10:00am ET will feature two presenters implementing innovative apprenticeships in IT Coding and Cybersecurity:


Heather Terenzio, CEO of Techtonic Group and Techtonic Academy, started the Software Developer Apprenticeship Program to address talent deficiencies in software development. Techtonic Group operates a proprietary system to identify promising developer talent, help apprentices develop increasingly complex skills, and prepare them for full-time employment.


Girish Seshagiri, Executive Vice President and Chief Technology Officer at ISHPI, partnered with the Carnegie Mellon Software Engineering Institute to start a U.S. Dept. of Labor Computer Programming for Secure Software/Cybersecurity Registered Apprenticeship. The program offers a standard college curriculum for secure software development resulting in a two-year degree for program graduates.


Add this webinar to your calendar







2018 SEI Software and Cyber Solutions Symposium: Agile and DevOps


One-day Symposium: March 27, 2018
Tutorials: March 26 and March 28, 2018



NRECA Building
4301 Wilson Boulevard
Arlington, VA 22203


This symposium sponsored by the Carnegie Mellon University Software Engineering Institute (SEI) will explore the challenges and realities in acquiring and developing software for our nation’s critical systems, with a specific focus on identifying effective practices in Agile and DevOps. The SEI has extensive experience helping DoD and government organizations adopt Agile and DevOps, and SEI presenters will present practical, actionable advice and insight based on this experience.


Highlights of the agenda include

  • Keynote addresses by Maj. Gen. Kimberly A. Crider, Mobilization Assistant to the Under Secretary of the Air Force and Air Force Chief Data Officer; Dr. Barry Boehm, TRW Professor of Software Engineering and Director Emeritus, Center for Software Engineering, University of Southern California; and Josh Corman, Chief Security Officer at PTC and Fellow at the Atlantic Council, with one more keynote soon to be announced.
  • Presentations by SEI technical leaders on Agile and DevOps, and by Maj. Jeffrey A. Mueller, the Deputy Chief, GPS OCX Systems Engineering, Space and Missiles System Center (SMC), who will share lessons learned in applying modern software development practices to a mission-critical Department of Defense program.
  • An expert panel discussion titled, “Adaptability, Security, Resiliency: Can Agile and DevOps Deliver All Three?”
  • Informal “Ask an SEI Expert” sessions: facilitated discussions with experts on Agile and DevOps


The one-day symposium on Tuesday, March 27 is free to attendees. The SEI will also offer eight affordably priced half-day tutorials on the days before and after, March 26 and March 28. Tutorial topics include: using dashboards to communicate project status, emerging computational technologies (blockchain and causal learning), cybersecurity risk in Agile and DevOps environments, architecture practices for achieving Agile at scale, DevOps for managers and executives, Agile metrics, Agile in government, and achieving high availability and reliability with Agile.


For more information about SCSS 2018 and to register, please see






Preventing the Next Equifax – All CVEs Have Root Causes in CWEs

Tracie Berardi, Program Manager, CISQ


The Equifax data breach in 2017 was the result of attackers exploiting an unpatched vulnerability in Equifax software. The vulnerability – Apache Struts: CVE-2017-9805: Possible Remote Code Execution as titled in the NIST National Vulnerability Database – was a flaw discovered in Apache Struts web application software. Equifax was employing the open source code from Apache. The patch became available in March. The breach of Equifax occurred two months later in May. Outrage, lawsuits, and Federal investigations ensued…


A couple of key takeaways from the breach –


  1. Developers commonly use third-party components, both open source and commercial-off-the-shelf, in their code and products. It is critical for the development team to maintain an inventory of its third-party components to manage each component’s source, versions, and patches. SAFECode has published an excellent guide on the subject. Read: Managing Security Risks Inherent in the Use of Third-party Components. In the case of Equifax, action came too late.
  2. Basic security prevention can help to protect against CVEs and future zero-day vulnerabilities. A subset of CVEs is issued with a mapping to relevant CWEs. The CWEs represent the vulnerability’s root causes and source vectors for exploitation. The Equifax CVE, for example, was mapped to CWE-20 (improper input validation) and OWASP A4 (broken access control) in the OWASP Top 10 2017.


The security weaknesses underlying the Equifax breach are highlighted in two major industry resources – the Top 25 CWEs maintained by MITRE Corp and OWASP Top 10 maintained by the Open Web Application Security Project (OWASP). As part of a secure development process, developers should continuously review their code for CWE-identified weaknesses. Many security tools automate detection of CWEs for this purpose. The CISQ Security measure is based on the Top 25 CWEs that can be detected through static code analysis. By mitigating CWEs early and often, a team can prevent future exploits and creation of future vulnerabilities.


As concluded in a recent CISQ board call, “Zero-day vulnerabilities really represent CWEs that were already there that somebody else was more committed to finding in your software than you were.” – Joe Jarzombek, Global Manager of Synopsys Software Integrity Group


There are a number of resources and stakeholders involved in helping the industry get further ahead on the zero-day CWE problem. In future posts we’ll explore what current mechanisms work and what the industry can do better to proactively address this issue.


QA Financial Forum: Milan 2018

Technology and Quality Assurance for Continuous App Delivery

The first ever QA Financial Forum Milan takes place on January 24th, 2018.


There is an impressive lineup of speakers, featuring experts from leading Italian financial firms and regulatory bodies.


CISQ is speaking on the panel, “Vendor Risk Management: New Models for Benchmarking Code Quality and Pricing.”


Reflecting on QA Financial’s track record of producing the leading industry events on quality assurance for financial software in London, Singapore and New York, this promises to be the ideal opportunity for professionals to learn and network.










Join TechWell at STAREAST software testing conference from April 29–May 4 at the Hyatt Regency Orlando in Orlando, FL. The conference helps you learn both classical testing practices and new methodologies to grow your skills, supercharge your knowledge, and re-energize your view of your profession.


Register using CISQ’s exclusive promo code — SECM — and save up to $200 off your registration! Additionally, if you register by March 30, you will save up to an additional $200 off with super early bird pricing — a combined savings of up to $400.*


Not ready to register yet? Explore the full program and discover what the conference has in store. Build your full week of learning and benefit from comprehensive tutorials, exceptional concurrent sessions, inspiring keynotes, networking activities, pre-conference training classes, the Expo, and much more.


*valid on packages over $400.






AFCEA DC Cybersecurity Technology Summit


Beyond the Breach

The Future of Federal Cyber


The 8th Annual Cybersecurity Technology Summit reflects the AFCEA DC chapter’s longstanding commitment to supporting the armed forces’ on-going development of cybersecurity strategies and tactics. The summit will provide attendees with insights into emerging innovations from the government and private sectors, education about acquisition policies and regulations, and the latest updates from government leaders about current and emerging cyber efforts.


The 2018 summit will open with a session including cyber talks and fireside chats with leading scientists, government officials, and private industry experts discussing the future of federal cybersecurity and information resilience. Other highlights include:

  • The final round and judging of the AFCEA Cybersecurity Shark Tank
  • Breakout sessions that include panel discussions, featuring subject matter experts from the military, industry and government, addressing such topics as artificial intelligence, federal cyber budgets, cyber threats to infrastructure, the known and unknowns of emerging threats, and more.

CISQ is a proud partner of the AFCEA Washington, DC chapter.







Outsourcing World Summit (OWS) 18



The Reincarnation of Outsourcing: From Disruption to Domination (When Disruption is Everywhere)


The Outsourcing World Summit (OWS) series is hosted by the International Association of Outsourcing Professionals (IAOP).


*CISQ members receive a special discount on registration!* Apply the code OWS18CISQ to save $300 off the registration fee. Anyone who uses this code is eligible for a free room night (two night minimum) for a stay at the host hotel during the dates of the event, February 18-21.


It is happening fast. Old ways give way to new business models, processes and philosophies; collaboration is imperative; innovation is not optional; the workplace is modernized. Technologies like RPA, cognitive computing, AI and blockchain are at the forefront of this disruption, but it’s not just tech. Geopolitics has stormed to center stage, turning globalization on its head. The ‘gig economy’ is changing the labor force.


The race to deliver the most affordable and efficient services is on; how do you make sense of the opportunities and then maximize them?


Join IAOP and hundreds of customers, service providers, advisors and academics, on February 18-21, at the Renaissance Orlando, in Orlando, Florida, as we examine these and other topics critical to your success.







Cyber Resilience Summit: Strategies to Modernize & Secure Government IT

Cyber Resilience Summit March 2018


Topic: Reducing Modernization Risk through Compliance to Software and Risk Management Standards


Hosted by: Consortium for IT Software Quality (CISQ) in cooperation with the Object Management Group (OMG) and IT Acquisition Advisory Council (IT-AAC)


Date: Tuesday, March 20, 2018 from 8:00am – 3:00pm


Venue: Hyatt Regency Reston, 1800 Presidents Street, Reston, VA


Registration: Government admission is complimentary; Industry $250; lunch and refreshments included


RSVP: 781-444-1132 x149


Knowledge Repository:


**Speakers and attendees, to submit content for the knowledge repository, please send to**



Government employees and elected or appointed officials representing federal, state or local government, please use the registration code CISQGOV18.



The 5th semiannual Cyber Resilience Summit: Strategies to Modernize & Secure Government IT returns to Reston, Virginia in March. Invited to speak are National Cybersecurity Leaders from the White House, Department of Defense, and Congress to discuss the action plans outlined in Executive Order 13800, the American Technology Council’s IT Modernization Report, and the Modernizing Government Technology (MGT) Act – just signed into law to accelerate the modernization and security of our nation’s critical IT infrastructure.


The government’s plan is to maximize the use of commercial innovation, commercial standards and commercial best practices to modernize and secure legacy systems that right now are the #1 cyber threat.


The Cyber Resilience Summit will discuss standards and best practices for risk-managed digital transformation and the practical application of systems engineering to support agile acquisition, cloud readiness, big data, technical debt control, and cyber risk management of complex mission, C2, weapon and citizen-facing systems.






8:00 Welcome and Introductions
– Dr. Bill Curtis, Executive Director, Consortium for IT Software Quality
– John Weiler, Vice Chair, IT Acquisition Advisory Council
8:15 Keynote: Jeanette Manfra, National Protection and Programs Directorate (NPPD) Assistant Secretary for the Office of Cybersecurity and Communications (CS&C), U.S. Department of Homeland Security
Assistant Secretary Jeanette Manfra is the chief cybersecurity official for DHS and supports its mission of strengthening the security and resilience of the nation’s critical infrastructure.
8:45 Action Plans for Executive Order 13800 and Modernizing Government Technology Act
– Rob Joyce, Special Assistant to the President and Cybersecurity Coordinator, National Security Council
– Major General Burke E. “Ed” Wilson, Deputy Principal Cyber Advisor to the Secretary of Defense and Senior Military Advisor for Cyber, Office of the Under Secretary of Defense for Policy, Office of the Secretary of Defense, the Pentagon, Washington, D.C.
10:00 Refreshment break & networking
10:20 Standards for Managing Cyber Security, Risk and Technical Debt
Dr. Bill Curtis, Executive Director, Consortium for IT Software Quality
11:00 Using Software Quality Standards with Outsourced IT Vendors – a Fortune 100 Case Study
Marc Cohen, passionate Fortune 100 technologist driving enterprise scale transformation
11:15 Lessons Learned from Major IT Outages and Security Breaches
Moderator: Dr. Bill Curtis, Executive Director, Consortium for IT Software Quality
– Dr. Ron Ross, Computer Scientist and Fellow, NIST
– Adam Isles, Principal, Chertoff Group
– Michael Chung, Head of Solutions, Government, Bugcrowd
12:00 Lunch – sponsored by Bugcrowd
1:00 Risk Management Standards in Practice
Moderator: Dr. Bill Curtis, Executive Director, Consortium for IT Software Quality
– Dr. Ron Ross, Computer Scientist and Fellow, NIST
– Robert Martin, Senior Principal Engineer, MITRE
– Herb Krasner, University of Texas at Austin (ret.), Texas IT Champion
– Brian E. Finch, Partner, Pillsbury Winthrop Shaw Pittman LLP
– Underwriters Laboratories (UL)
2:00 Success Factors for Effective IT Modernization – FITARA and CISO Perspectives
– Jose Arrieta, Deputy Assistant Secretary for Acquisition and Senior Procurement, U.S. Department of Health and Human Services
– Chad Sheridan, CIO, Risk Management Agency, U.S. Department of Agriculture
– Rod Turk, Acting CIO, U.S. Department of Commerce
– Edward Brindley, Principal Director, DCIO (CS) and Deputy Chief Information Security Officer, U.S. Department of Defense (invited)
3:00 Close



Thank You Sponsors





Thank you Partners