Save the Date: Defense in Depth 2015



In 2013, a few Red Hatters wanted to host a security-focused technology day. After running the idea past our DoD/IC/Civilian communities, we hosted the first “Defense in Depth” day in June 2013. Over 2 years, Defense in Depth has become the largest technical event of Red Hat Public Sector — second to the Red Hat Summit!

With great pleasure, we’d like to announce Defense in Depth 2015! It will be on Wednesday 1-OCT-2015 in Tysons Corner, VA.

Since 2013, the Defense in Depth workshops have brought Red Hat Security Engineering leads to Washington D.C. for a day of technical collaboration, briefings, labs, and networking. It’s a chance for you to learn about the latest developments (upstream and enterprise) directly from project maintainers, and for Red Hat Engineering to hear directly from you to better understand the challenges you’re facing.

When we say technical, we mean it. Red Hat Public Sector fronts the costs to fly our core engineers to Washington D.C. for the day. Speakers include Steve Grubb (maintainer of the Linux Audit subsystem), Dan Walsh (“Mr SELinux” and principal engineer for Docker/Linux Containers), Jason Callaway (Senior Architect for U.S. Intelligence Programs), Joe Swartz (Chief Scientist, CSCF) and many others.

Defense in Depth is hosted as a community event by Red Hat Public Sector. While there are no registration fees, we only have ~200 attendance slots available. Generally, these slots fill up within 5-7 days of opening registration. We like to keep the event small (to encourage candid conversations), but we’re also restricted by conference room sizes.

Defense in Depth 2015 will be on Wednesday 1-OCT-2015.

The 2015 registration form can be found here:

We’ll be joined by special guest speakers from some every interesting Defense and Intelligence programs!

– Open Sourced: NSA System Integrity Management Platform (SIMP) Overview
   (Trevor Vaughan, NSA’s Lead SIMP Engineer)

Recently released by the NSA, SIMP is a platform designed to assist
with flexible policy compliance across RHEL based infrastructures.
This presentation will introduce the audience to the goals and components
of NSA SIMP as well as an overview of our public development process.
A demonstration of the system installation will be provided as part of the


C2S Meets DevOps: Building an OpenShift-based PaaS platform on C2S for the
   U.S. Intelligence Community
   (Jason Callaway, Sr Architect, Intelligence Programs, Red Hat)

OpenShift v3 combines Docker, Kubernetes, geard and Project Atomic into a single
platform. We’ll step through the OpenShift v3 roll out on the Intelligence Community’s
C2S environment, which will bring PaaS to the JWICS community. We’ll step through
the user experience (via OpenShift), containerized services (xPaaS + Docker Hub
+ Marketplace), Orchestration (Google Kubernetes), Container APIs (Docker) and
Container Hosts (RHEL + Atomic).

– Lockheed Martin & the Centralized Super Computing Facility (CSCF)
   (Joe Swartz, Chief Scientist, CSCF)

With permission from their US Intelligence Community COTR,
Lockheed Martin will discuss the Centralized Super Computing Facility
program. Specifically, their Chief Scientist will review how they
architected, implemented, and support a cross-domain super computing
environment in support of HPC, ISR, and big data analysis/fusion.

CSCF will review their SELinux-based architecture and features, their
usage of the Lustre filesystem for big data storage and processing, application
performance on SELinux (Vectorization and Parallelization algorithms), and
their deployment of Accumulo and Hadoop for analysis.

CSCF has received ATO, and followed the ICD 503 and CNSSI 1253 (cross domain
overlay) processes. We’ll chat through how they navigated C&A while satisfying
security controls from a dozen defense, intelligence, and civilian agencies.


We’ve tried to balance technical breakouts with user experience sessions.

– Super Privileged: Linux Containers and Atomic Host (Dan Walsh, Red Hat)
*Top 10 Session @ Red Hat Summit 2015!

– Scan all the Things: Security Automation with Red Hat Satellite 6 & SCAP
(Matt Micene, DLT) *Top 10 Session @ Red Hat Summit 2015!

– PKI All the Things: Identity and Access Management
[PKI, LDAP, Single Use Tokens] (Lee Kinser, Red Hat)

– Continuous Delivery of Gold Disks: Using Packer to Automate “Gold Disk” creation
for AWS AMIs, OpenStack, KVM, and VMWare (Dave Sirrine, Red Hat)

– Infrastructure Auditing at Scale: Capabilities of the Linux Audit Subsystem
(Steve Grubb, Linux Audit Subsystem Maintainer, Red Hat)

– Practical SELinux Use Cases (Robin Price, North American Security SME Lead, Red Hat)

– Strategies to Create a Cloud Stronghold: OpenStack Security Overview
(Ted Brunell, Principal OpenStack Architect, Red Hat)

– Achieving Compliance, Security Automation, and Remediation Through
Integrating Red Hat CloudForms with Satellite

– Technology Show & Tell: Application Whitelisting with Steve Grubb

DISA FSO, NSA and others are working towards application whitelisting policies.
We’ve quietly been working towards enabling this in Linux — which, in theory, will
help minimize (or stop) malware and rogue applications on Linux platforms.

For the first time publicly, Steve Grubb will step through emerging technologies
to enable Application Whitelisting within the Linux kernel. This is a “show and tell”
session, reflecting ongoing and emerging upstream technologies. This is your
chance for a sneak preview, and also give feedback to how application whitelisting
evolves in RHEL platforms.

– Automating DoD STIG compliance with OpenSCAP with Shawn Wells
*Top 10 Session @ Red Hat Summit 2015!

While SCAP was recently an emerging technology, it has evolved to become an
important part of security compliance. DHS CDM mandates SCAP and DoD STIGs
are now authored in SCAP formats. RHEL6+ now ships content natively, commercial
and government baselines are established, integration with Satellite is complete,
and SCAP Workbench is now available to customize content.

In this session, we’ll give you a better understanding of SCAP use cases and capabilities.
Through a series of live demos given by OpenSCAP’s upstream developers, you will:
– See how to use SCAP Workbench to tailor predefined security baselines, such as DoD STIG
– View a demo of the OpenSCAP workflow from provisioning to continuous monitoring,
locating security vulnerabilities and misconfiguration.

Additionally, Shawn will talk through the future of Common Criteria, STIG, the USGCB, and how
attendees can become involved in the policy development process.

Between government programs speaking publicly (some for the first time), engineering flying to Washington D.C., and the excellent discussions, Defense in Depth 2015 is geared up to be amazing. I hope to see you guys there!

Extended abstracts and registration can be found on the Defense in Depth 2015 webpage:

Questions? Feel free to sound off on the gov-sec mailing list!