PNSQC 2018



We’re hitting the road to quality and we want you to join us!
Be a speaker at PNSQC 2018 – On the Road to Quality

Set your GPS for Portland, Oregon, home of PNSQC 2018. Come tell your peers about how you’re growing your QA team, improving UX, meeting deliverables with Agile, expanding automation – and learn from the tips they’ll share with you!

Submitting a proposal is straightforward and easy.
Tell us in a few paragraphs what you’d like to share with the software engineering community. Visit the PNSQC website – we’ve made some changes for 2018 conference, we offer some new ideas – and then simply submit your proposal! You’ve got until April 1, but the sooner you share your idea with us, the sooner we can help you hone your work into an amazing presentation!


Why get in the driver’s seat to be a speaker at PNSQC 2018?

  • A peer-supported process to ensure success
  • A career boosting advantage you can leverage
  • A chance to earn waived fees to the technical program
  • A perfect time to visit Portland, Oregon in the fall – food, beer, mountains and a river!

We’ll help you craft your presentation.

Does public speaking make you a bit nervous? We have lots of resources available to help you draft your presentation and paper. Deadline April 1 to submit a proposal. Come on, tell us, be a speaker, go to







The QUEST 2018 Conference is May 21-25, 2018 at the Hyatt Regency River Walk in San Antonio, Texas.


QUEST is the best source for new technologies and proven methods for Quality Engineered Software and Testing. Thought leaders, evangelists, innovative practitioners, and IT professionals from across North America gather together for a week packed with classes, tutorials, educational sessions, hands-on workshops, discussion groups, an EXPO, and networking events. Let your quest to build, test, and deliver quality software begin with QUEST 2018!



Dr. Bill Curtis, CISQ Executive Director, presents a keynote:

Software Intelligence: Structural Quality Analysis and Machine Learning


The C-suite is fed up with software disasters putting the quarterly statement at risk as they digitize the business. They will demand more accountability and force improvements in software processes that may clash with agile culture. Business critical applications have become so complex, and demand for functionality so immediate, that human-based quality practices are no longer sufficient. Developer capabilities must be enhanced by improved software quality technology integrated into DevOps toolchains. New structural quality measurement standards, supplemented by machine learning, enable deeper intelligence about structural weaknesses and operational risks. Recent results from machine learning research in software quality will be discussed along with some caveats about what to expect. International standards for measuring the structural quality of software developed by the Consortium for IT Software Quality (CISQ) will be reviewed along with results of empirical research on how some of the most severe flaws are distributed in business applications. The talk will conclude with organizational requirements for successfully adopting these advances.




Joe Jarzombek, CISQ Governing Board Member and Global Manager, Software Supply Chain Solutions, Synopsys, presents:


Software Integrity: Integrated Focus for Software Quality and Security


Evolving roles for QA/Testing must focus on product integrity to reduce enterprise risks attributable to exploitable software. As the cyber threat landscape evolves and software dependencies grow more complex, understanding and managing risk throughout the software supply chain is more critical than ever and must focus on the entire lifecycle that includes development, acquisition, and testing. During his presentation, Joe will provide details on the types of test tools and services used to determine resilience of products and residual risk exposures attributable to software and the value proposition for software integrity as an integrating focus for software quality and security. He will also explain how software integrity is an enabler for IoT cybersecurity and how using standards-based automation enables the exchange of information internally and externally with vendors for IoT/ICT products. Everyone will leave understanding how addressing supply chain dependencies throughout the lifecycle enables enterprises to harden their attack surface by comprehensively identifying their risk exposure.



Click here to view the QUEST program and register





CISQ Webinar: Using Software Quality Standards with Outsourced IT Vendor Engagements – a Fortune 100 Case Study

Speaker: Marc Cohen, Vendor Management practitioner at Fortune 100 institution

Presented live on March 7, 2018


In this webinar, Marc Cohen will discuss how to use software quality standards from CISQ in vendor management engagements. Drawing from nearly two decades of technology deployment experience at American Express, he will explain how to derive better software, better development resources, and better vendor relationships by leveraging software quality standards.


Speaker bio:

Marc Cohen is a seasoned strategic analytical leader who focuses on creating and delivering successful transformational large-scale marketing, risk and information management initiatives. As Technology Vendor Manager at American Express, Marc developed, implemented and managed the American Express Technology Performance Measurement initiative. He led a process that enabled development teams to hold their IT labor vendors accountable by ensuring robust quality code development to contractual service level targets, resulting in the maximum optimization of over $1B in outsourced labor spending.


Watch the webinar on CISQ YouTube / Download the presentation deck




Webinar: Solving the Software Development Pipeline Crisis

Using Apprenticeships to Develop IT Talent


This hour-long webinar starting at 10:00am ET will feature two presenters implementing innovative apprenticeships in IT Coding and Cybersecurity:


Heather Terenzio, CEO of Techtonic Group and Techtonic Academy, started the Software Developer Apprenticeship Program to address talent deficiencies in software development. Techtonic Group operates a proprietary system to identify promising developer talent, help apprentices develop increasingly complex skills, and prepare them for full-time employment.


Girish Seshagiri, Executive Vice President and Chief Technology Officer at ISHPI, partnered with the Carnegie Mellon Software Engineering Institute to start a U.S. Dept. of Labor Computer Programming for Secure Software/Cybersecurity Registered Apprenticeship. The program offers a standard college curriculum for secure software development resulting in a two-year degree for program graduates.


Add this webinar to your calendar







2018 SEI Software and Cyber Solutions Symposium: Agile and DevOps


One-day Symposium: March 27, 2018
Tutorials: March 26 and March 28, 2018



NRECA Building
4301 Wilson Boulevard
Arlington, VA 22203


This symposium sponsored by the Carnegie Mellon University Software Engineering Institute (SEI) will explore the challenges and realities in acquiring and developing software for our nation’s critical systems, with a specific focus on identifying effective practices in Agile and DevOps. The SEI has extensive experience helping DoD and government organizations adopt Agile and DevOps, and SEI presenters will present practical, actionable advice and insight based on this experience.


Highlights of the agenda include

  • Keynote addresses by Maj. Gen. Kimberly A. Crider, Mobilization Assistant to the Under Secretary of the Air Force and Air Force Chief Data Officer; Dr. Barry Boehm, TRW Professor of Software Engineering and Director Emeritus, Center for Software Engineering, University of Southern California; and Josh Corman, Chief Security Officer at PTC and Fellow at the Atlantic Council, with one more keynote soon to be announced.
  • Presentations by SEI technical leaders on Agile and DevOps, and by Maj. Jeffrey A. Mueller, the Deputy Chief, GPS OCX Systems Engineering, Space and Missiles System Center (SMC), who will share lessons learned in applying modern software development practices to a mission-critical Department of Defense program.
  • An expert panel discussion titled, “Adaptability, Security, Resiliency: Can Agile and DevOps Deliver All Three?”
  • Informal “Ask an SEI Expert” sessions: facilitated discussions with experts on Agile and DevOps


The one-day symposium on Tuesday, March 27 is free to attendees. The SEI will also offer eight affordably priced half-day tutorials on the days before and after, March 26 and March 28. Tutorial topics include: using dashboards to communicate project status, emerging computational technologies (blockchain and causal learning), cybersecurity risk in Agile and DevOps environments, architecture practices for achieving Agile at scale, DevOps for managers and executives, Agile metrics, Agile in government, and achieving high availability and reliability with Agile.


For more information about SCSS 2018 and to register, please see






Preventing the Next Equifax – All CVEs Have Root Causes in CWEs

Tracie Berardi, Program Manager, CISQ


The Equifax data breach in 2017 was the result of attackers exploiting an unpatched vulnerability in Equifax software. The vulnerability – Apache Struts: CVE-2017-9805: Possible Remote Code Execution as titled in the NIST National Vulnerability Database – was a flaw discovered in Apache Struts web application software. Equifax was employing the open source code from Apache. The patch became available in March. The breach of Equifax occurred two months later in May. Outrage, lawsuits, and Federal investigations ensued…


A couple of key takeaways from the breach –


  1. Developers commonly use third-party components, both open source and commercial-off-the-shelf, in their code and products. It is critical for the development team to maintain an inventory of its third-party components so it can manage each component’s source, versions, and patches. SAFECode has published an excellent guide on the subject. Read: Managing Security Risks Inherent in the Use of Third-party Components. In the case of Equifax, action came too late.
  2. Basic security prevention can help to protect against CVEs and future zero-day vulnerabilities. A subset of CVEs are issued with a mapping to relevant CWEs. The CWEs represent the vulnerability’s root causes and source vectors for exploitation. The Equifax CVE, for example, was mapped to CWE-20 (improper input validation) and OWASP A4 (broken access control) in the OWASP Top 10 2017.
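The two takeaways above, an inventory of third-party components checked against patch availability, and CVEs rolled up by their CWE root causes, can be exercised in a few lines. The script below is an added example written for this page, not code from CISQ or from the post’s author; every component name, version, advisory id and version range in it is constructed sample data (the real Apache Struts CVE and its affected versions are deliberately not reproduced), and the CWE ids are used only as labels for the roll-up.

```python
"""Inventory-driven patch check (added example, constructed data).

Given an inventory of third-party components and a feed of advisories, flag
every component whose installed version sits inside an advisory's vulnerable
range, then count how often each CWE appears as a root cause across the
findings.  Versions are assumed to be plain dotted integers (e.g. "2.5.12");
anything else is outside the scope of this example.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.12' into (2, 5, 12) so versions compare numerically.

    A plain string comparison would wrongly put '2.5.9' after '2.5.12'.
    """
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class Component:
    name: str
    version: str
    source: str  # where the component came from (constructed label)


@dataclass
class Advisory:
    advisory_id: str   # constructed placeholder id, not a real CVE
    component: str
    affected_min: str  # inclusive lower bound of the vulnerable range
    fixed_in: str      # first version that carries the patch (exclusive bound)
    cwe_ids: List[str] = field(default_factory=list)


@dataclass
class Finding:
    component: str
    installed: str
    advisory_id: str
    fixed_in: str
    cwe_ids: List[str]


def is_vulnerable(installed: str, adv: Advisory) -> bool:
    """True when affected_min <= installed < fixed_in."""
    v = parse_version(installed)
    return parse_version(adv.affected_min) <= v < parse_version(adv.fixed_in)


def find_unpatched(inventory: List[Component],
                   advisories: List[Advisory]) -> List[Finding]:
    """Match every inventory entry against every advisory for that component."""
    by_name: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_name.setdefault(adv.component, []).append(adv)

    findings: List[Finding] = []
    for comp in inventory:
        for adv in by_name.get(comp.name, []):
            if is_vulnerable(comp.version, adv):
                findings.append(Finding(comp.name, comp.version,
                                        adv.advisory_id, adv.fixed_in,
                                        list(adv.cwe_ids)))
    return findings


def cwe_root_causes(findings: List[Finding]) -> Dict[str, int]:
    """Count how many open findings trace back to each CWE."""
    counts: Dict[str, int] = {}
    for f in findings:
        for cwe in f.cwe_ids:
            counts[cwe] = counts.get(cwe, 0) + 1
    return counts


# Constructed sample inventory and advisory feed (not real projects or CVEs).
SAMPLE_INVENTORY = [
    Component("example-web-framework", "2.5.12", "maven-central"),
    Component("example-json-parser", "1.9.0", "vendor-sdk"),
    Component("example-logging", "4.1.3", "maven-central"),
]

SAMPLE_ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "example-web-framework", "2.5.0", "2.5.13",
             ["CWE-20"]),
    Advisory("ADV-EXAMPLE-0002", "example-json-parser", "1.0.0", "1.8.0",
             ["CWE-502", "CWE-20"]),
    Advisory("ADV-EXAMPLE-0003", "example-logging", "4.0.0", "4.1.4",
             ["CWE-117", "CWE-20"]),
]


if __name__ == "__main__":
    open_findings = find_unpatched(SAMPLE_INVENTORY, SAMPLE_ADVISORIES)
    for f in open_findings:
        print(f"{f.component} {f.installed}: {f.advisory_id}, "
              f"upgrade to {f.fixed_in}, root causes {', '.join(f.cwe_ids)}")
    print("CWE roll-up:", cwe_root_causes(open_findings))
```

Run against the sample data, the parser and logging components are flagged as behind their fix versions while the already-upgraded JSON parser is not, and the roll-up shows CWE-20 behind both open findings. In practice the inventory would be generated from the build (a lock file or SBOM) and the advisory feed pulled from a vulnerability database on every build, so a newly published patch surfaces in the pipeline rather than months later.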


The security weaknesses underlying the Equifax breach are highlighted in two major industry resources – the Top 25 CWEs maintained by MITRE Corp and OWASP Top 10 maintained by the Open Web Application Security Project (OWASP). As part of a secure development process, developers should continuously review their code for CWE-identified weaknesses. Many security tools automate detection of CWEs for this purpose. The CISQ Security measure is based on the Top 25 CWEs that can be detected through static code analysis. By mitigating CWEs early and often, a team can prevent future exploits and creation of future vulnerabilities.


As concluded in a recent CISQ board call, “Zero-day vulnerabilities really represent CWEs that were already there that somebody else was more committed to finding in your software than you were.” – Joe Jarzombek, Global Manager of Synopsys Software Integrity Group


There are a number of resources and stakeholders involved in helping the industry get further ahead on the zero-day CWE problem. In future posts we’ll explore what current mechanisms work and what the industry can do better to proactively address this issue.


Mar 2, 2018 Update:

Equifax identified additional 2.4 million affected by breach. Equifax Inc. said an additional 2.4 million Americans were affected by its massive data breach last year, the WSJ’s AnnaMaria Andriotis reports. The total number of U.S. consumers whose personal information was compromised now stands at 147.9 million.


QA Financial Forum: Milan 2018

Technology and Quality Assurance for Continuous App Delivery

The first ever QA Financial Forum Milan takes place on January 24th, 2018.


There is an impressive lineup of speakers, featuring experts from leading Italian financial firms and regulatory bodies.


CISQ is speaking on the panel, “Vendor Risk Management: New Models for Benchmarking Code Quality and Pricing.”


Reflecting on QA Financial’s track record of producing the leading industry events on quality assurance for financial software in London, Singapore and New York, this promises to be the ideal opportunity for professionals to learn and network.










Join TechWell at STAREAST software testing conference from April 29–May 4 at the Hyatt Regency Orlando in Orlando, FL. The conference helps you learn both classical testing practices and new methodologies to grow your skills, supercharge your knowledge, and re-energize your view of your profession.


Register using CISQ’s exclusive promo code — SECM — and save up to $200 off your registration! Additionally, if you register by March 30, you will save up to an additional $200 off with super early bird pricing — a combined savings of up to $400.*


Not ready to register yet? Explore the full program and discover what the conference has in store. Build your full week of learning and benefit from comprehensive tutorials, exceptional concurrent sessions, inspiring keynotes, networking activities, pre-conference training classes, the Expo, and much more.


*valid on packages over $400.






AFCEA DC Cybersecurity Technology Summit


Beyond the Breach

The Future of Federal Cyber


The 8th Annual Cybersecurity Technology Summit reflects the AFCEA DC chapter’s longstanding commitment to supporting the armed forces’ on-going development of cybersecurity strategies and tactics. The summit will provide attendees with insights into emerging innovations from the government and private sectors, education about acquisition policies and regulations, and the latest updates from government leaders about current and emerging cyber efforts.


The 2018 summit will open with a session including cyber talks and fireside chats with leading scientists, government officials, and private industry experts discussing the future of federal cybersecurity and information resilience. Other highlights include:

  • The final round and judging of the AFCEA Cybersecurity Shark Tank
  • Breakout sessions that include panel discussions, featuring subject matter experts from the military, industry and government, addressing such topics as artificial intelligence, federal cyber budgets, cyber threats to infrastructure, the known and unknown aspects of emerging threats, and more.

CISQ is a proud partner of the AFCEA Washington, DC chapter.







Outsourcing World Summit (OWS) 18



The Reincarnation of Outsourcing: From Disruption to Domination (When Disruption is Everywhere)


The Outsourcing World Summit (OWS) series is hosted by the International Association of Outsourcing Professionals (IAOP).


*CISQ members receive a special discount on registration!* Apply the code OWS18CISQ to save $300 off the registration fee. Anyone who uses this code is eligible for a free room night (two night minimum) for a stay at the host hotel during the dates of the event, February 18-21.


It is happening fast. Old ways give way to new business models, processes and philosophies; collaboration is imperative; innovation is not optional; the workplace is modernized. Technologies like RPA, cognitive computing, AI and blockchain are at the forefront of this disruption, but it’s not just tech. Geopolitics have stormed to center stage, turning globalization on its head. The ‘gig economy’ is changing the labor force.


The race to deliver the most affordable and efficient services is on: how do you make sense of the opportunities and then maximize them?


Join IAOP and hundreds of customers, service providers, advisors and academics, on February 18-21, at the Renaissance Orlando, in Orlando, Florida, as we examine these and other topics critical to your success.