Managing Security in IoT: Vulnerabilities in the Cyber Supply Chain
Modern software development practices dominated by component-based engineering and short development cycles have largely been a catalyst for rapid advancements in technology. These practices, however, have also resulted in an epidemic of known vulnerabilities baked into third-party software components of IoT applications and devices. These widespread security flaws, many of which are critical in nature, often remain unnoticed or unaddressed throughout the software or device lifecycle, posing significant risks to the people and organizations that rely on them.
As software continues to permeate the ever-expanding Internet of Things, software vulnerabilities represent a greater and greater threat. IoT devices, like traditional computers, run on software that is susceptible to malicious attacks. As more devices become connected, understanding how to identify and manage security vulnerabilities within widely used third-party software components is critical for all stakeholders, including manufacturers and end-users.
In this webinar, our diverse panel of security experts will:
•Propose an expanded definition and understanding of IoT and the stakeholders at risk
•Present research highlighting the pervasiveness of vulnerabilities in third-party software components of IoT devices
•Draw some conclusions about the state of software security in IoT today
•Discuss some simple approaches to addressing these problems
RecordedMar 24 201561 mins
Your place is confirmed, we'll send you email reminders
Taylor Armerding, Senior Security Strategist for Synopsys
It’s been more than six months since the major design flaw in computer chips labeled Spectre became public. And, as predicted, it is still haunting the world of information technology. The CPU (central processing unit) is, after all, the “brain” of any computer, phone, tablet, modern TV, or other “smart” device.
Since then, we’ve all learned a bit about terms some of us had never heard before—“speculative execution,” anyone? We’ve also been told that you can’t just patch a chip the way you can patch bugs in software. But you can create work-arounds with software patches.
In this webinar, Taylor Armerding, senior security strategist for Synopsys Software Integrity Group, will address some of the questions that “regular”—i.e., nontechnical—users may have about Spectre:
- What is it?
- How does it work?
- Why does it work?
- Why didn’t chip makers catch a flaw of this magnitude during the design phase?
- Why is a tool called static analysis the best way to work around Spectre without causing intolerable performance slowdowns?
Ofer Maor, Director, Solutions Management at Synopsys
SAST, IAST, DAST, MAST, *AST – There are plenty of technologies and ways to test your software, but how do we do that without slowing us down in a rapid development environment. In this session we will give practical advice on how to integrate software security testing into your CI/CD and your development process so it works. The session will review the pros and cons of each of the testing technologies, how to adapt it to rapid development, and how to make testing work as organizations are moving to A/B testing. Finally, this session will guide on how to manage the balance between risk and speed to build the right process, so that real threats will become blockers, but other issues will be handled in a parallel, slower cycle, without slowing down the main delivery.
Development and operations teams have already come a long way by aligning around the shared goal of delivering stable, high-quality software—quickly. By automating manual processes and building tools into the continuous integration and continuous delivery (CI/CD) pipeline, they’ve increased trust between groups, which is essential as these once-disparate teams tackle critical issues together. In this webinar, you’ll learn how to build a DevSecOps culture in your organization with automated and integrated application security tools and the right training for each team.
Open source management is a key part of any application security toolkit. But with so many different tools and techniques on the market, how can you decide what other tools you need to fully address the security risks of your applications? In this webinar, you’ll learn the benefits and limitations of several application security tools, including SAST, SCA, DAST, IAST, and fuzzing, as well as how they differ, so you can make informed decisions as you build your AppSec toolkit.
Chris Clark, Principal Security Engineer – Strategic Initiatives, Synopsys
Trying to keep pace in a highly connected world and increasingly hostile environment is a challenge for any developer, let alone an entire industry. To protect the software they write, developers turn to technologies and processes such as audits, reverse engineering, application firewalls, sandboxing, and many others to provide a level of protection. But these technologies also have the potential to become entry points for vulnerabilities. So do we really trust software?
See how Synopsys started the software security journey and is taking an active role in providing industry expertise to help organizations deliver robust software security solutions. We will focus on how the cyber supply chain can have a direct and meaningful impact on the overall design and deployment of software. See how known vulnerability management, mitigation, and training can affect the known risk profile of overall software design. Learn about what we are working on and how you can participate in improving standards and programs that reduce cyber risk.
Olli Jarva, Managing Consultant and Solution Architect, Synopsys Asia Pacific
Security leaders must choose appropriate tools and build a culture that does not inhibit the development pipeline but supports it. In this webinar, Ultimate Guide to Building Security into CI/CD, Olli Jarva, Managing Consultant and Solution Architect, Synopsys Asia Pacific, outlines how security teams can work within a Continuous Delivery or Continuous Deployment model by building security into operational processes and an integrated, Continuous Integration toolchain. This integrated software security strategy is known as “Continuous Security.”
Evan Klein, Head of Product Marketing for Software Composition Analysis, Synopsys
Open source components are the foundation of modern applications, but ineffective management around open source can lead to serious risks and unwanted media attention when security flaws lead to data breaches. The Black Duck by Synopsys 2018 Open Source Security and Risk Analysis (OSSRA) examines the previous year’s open source and security news and analyzes trends based on the audits of more than 1,100 codebases.
Not surprisingly, 96% of the audited codebases contained open source components, and nearly 78% of the codebases contained at least one vulnerability. As the percentage of open source in codebases continues to grow, it’s clear that open source management practices need to improve.
In this webinar, open source expert Evan Klein will walk through the report’s findings in depth and discuss strategies companies can use to minimize open source security risk while maximizing the benefits open source provides.
Jay Lyman, Principal Analyst, Cloud Management and Containers, 451 Research; Meera Rao, Senior Principal Consultant, Synopsys
To learn more about the realities of DevSecOps today and the real degree to which security is or is not being included in enterprise continuous integration/continuous delivery workflows, we surveyed 350 decision-makers at large enterprises across a variety of industries.
What we found is that only about half of enterprise CI/CD workflows include any security elements at all, highlighting ample room for improvement. Enterprises did seem to show an awareness of the importance of adding security elements into DevOps releases, but they are not necessarily injecting security early in the process -- ideally at code commit and in pre-implementation. This webinar will cover these and other results of our survey, and offer guidance on how enterprise organizations can effectively integrate security tools, thinking and people into their CI/CD workflows to reduce rework and risk without sacrificing velocity.
And all that code needs to be secure. This presentation will discuss what happens when unsecured code on IoT/Embedded devices are released to the unsuspecting public and how the security industry (Synopsys) can help prevent this in the future. I will cover how the latest software development techniques can also incorporate the latest cutting edge tools to help eliminate security vulnerabilities before they make it to production. And finally how you can be a part of the solution instead of part of the problem.
James Croall, Director of SAST Product Management at Synopsys
The recently discovered Spectre security vulnerability has taken the tech industry and security world by storm. By exploiting security vulnerabilities inherent in the design of many modern microprocessors, Spectre attacks can cause damaging leakage of personal information and data.
There are several proposed workarounds to protect applications affected by Spectre. However, they can adversely affect performance and be time consuming for developers.
A novel solution to mitigate Spectre is to use a static analysis tool that quickly identifies vulnerable code patterns that are likely to be exploited and reduces potential app performance degradation. In this webinar, James Croall, director of SAST product management at Synopsys, will detail how this works and cover the following:
-What is Spectre and how is the attack carried out?
-What are the various ways to mitigate the effects of this attack?
-What can software development organizations do to help secure their apps against Spectre?
-What are some best practices and examples of how to use Synopsys Static Analysis (Coverity) to better secure your apps against Spectre attacks?
Bryan Cross, Sr. Solutions Engineer, GitHub; Dave Meurer, Alliances Technical Mgr, Black Duck by Synopsys
It's time to add “Sec” into DevOps! But while moving towards newer processes and technologies like agile methodologies, cloud and containers can help you build faster and deliver continuously, there's always the fear that adding security can severely slow things down. By using GitHub with Black Duck by Synopsys, you can automate your secure development workflows, shift security left, and avoid software rot.
Whether you are an open source developer or enterprise software engineer, GitHub and Synopsys have solutions to help you put “Sec” into the center of DevOps without sacrificing speed and agility. In this live webinar, the experts from Synopsys and GitHub will demonstrate solutions for both open source and enterprise developers. Some highlights will include:
- The real life of a vulnerability in 2017: Apache Struts
- Black Duck CoPilot: It’s Free!
- Black Duck your Pull Requests
Lisa Bryngelson, Sr. Product Manager, Black Duck by Synopsys
Organizations of all kinds increasingly rely on third-party software from their supply chain partners and outsourcers to power the products and technology they deliver to the marketplace. Whether you’re an automotive company or a medical device manufacturer, use of third-party software libraries is now commonplace and essential to success in the competitive global marketplace.
One of the biggest challenges companies face with third-party software is they often have no visibility into the open source libraries being used in the software they embed in their products. Over the last year, a continuous stream of news stories has attributed major security breaches to exploits of vulnerabilities in open source frameworks used by Fortune 100 companies in education, government, financial services, retail and media.
These incidents shine a light on the need for organizations to carefully manage the open source used in the third-party libraries they consumer in order to protect themselves—and their customers—from the consequences of catastrophic security breaches.
Our webinar will arm you with the information and statistics needed to:
-Explain the importance of open source security to your organization
-Understand the key differences between identifying open source in source code vs. binaries
-Define a clear road map for unearthing, managing, and securing the open source hiding in your software supply chain
-Take the steps to help your company avoid becoming the next security breach media story
Today’s automobiles are advanced, complex machines relying on dozens of computers and millions of lines of software code. They are also increasingly targets for sophisticated hackers. In fact, the software running on your car could contain multiple flaws that allow an attacker to take over control of the vehicle – either in your driveway or on the freeway. What steps are manufacturers taking to secure all of that code?
Register for our webinar to learn about these topics and more:
- The kinds of security flaws that are possible and how were they're exploited
- How vulnerabilities can be mitigated
- Ways to build security in from the beginning of the software/system development process
- Unique approaches manufacturers are taking to deal with some of these issues and what that means to you
Application security is quickly becoming a "must have" for security teams. High profile breaches, including Equifax and a multitude of ransomware attacks, have the attention of senior management of company Boards. Knowing where to start can be difficult.
Not every company has the same needs or organizational maturity to manage a full-blown application security program. This webinar will cover some of the tools and exercises deployed by application security teams to build security into their processes, including:
- Tools and security tips for each phase of the development lifecycle
- Which tools to use for different types of code
- In-house and 3rd party options for starting an application security program
Tim Mackey, Sr. Technology Evangelist at Black Duck by Synopsys
Open source software is embraced by developers, enterprises, and governments at every level, and with it comes many strong opinions and few facts. How much open source is really being used in the applications you buy? Does the "many eyes" theory make open source more secure? Does traditional security testing address vulnerabilities in open source?
With organizations becoming more agile but facing increasing regulatory governance, understanding how open source software development works, and how to secure open source, is increasingly important. In this session we’ll cover:
- Code contribution and IP management
- Fork management
- Release process
- Security response processes
- Realities of IP risk and open source
- Pass through security risk and responsibility
- Keeping up with scope of impact changes within a single disclosure
- Automating awareness of security risk from development through integration and delivery to deployment
Amy DeMartine, Forrester Principal Analyst and Patrick Carey, Synopsys
While software grows more complex and the pace of development accelerates, the stakes for building secure software have never been higher. If you’re like most teams embracing a DevOps culture, you’re focused on breaking down silos, streamlining workflows, and cranking out functional software at a nearly continuous clip. Amid all these fundamental changes, how do you ensure your software is secure without clogging up the pipeline?
Listen as guest Forrester Principal Analyst, Amy DeMartine and Black Duck Open Source Security Expert, Patrick Carey come together to discuss how to automate and distribute application security testing across the SDLC. In this webinar, we’ll discuss
- Why it's important to build application security into your development and operations toolchains and processes
- Best practices for integration application security throughout the application lifecycle
- How to use SAST and SCA together to maximize the security of the software your teams deliver
Elena Kvochko is the CIO for the Group Security Function within a leading financial services organization. Previously she was an information technology manager at World Economic Forum, where she led global partnership programs on cyber resilience and the Internet of Things. She was also responsible for building relationships with information technology industry partners. Elena is the author of numerous articles and has contributed to Forbes, the New York Times, Harvard Business Review, and other media outlets. She is also a member of the Wall Street Journal CIO Network. She holds full CISSP and CEH certifications and has a master’s degree in technology policy from the University of Massachusetts, as well as executive certificates from MIT and Yale. She lives in New York City.
Listen as Gary and Elena discuss security policy, security technology, the role of a CIO, holistic security tactics, the economics of a security breach, and more.
Adam Brown, Manager, Security Solutions at Synopsys, Daniel Hedley, Partner at Irwin Mitchell LLP
If your organisation competes in the global market, you should expect GDPR to have a critical influence on the software that powers your business. Having a disciplined software security approach will help you not only identify, remediate, and prevent weaknesses in your software but also avoid violating GDPR.
Listen as experts Adam Brown of Synopsys and legal expert Dan Hedley of Irwin Mitchell, LLP provide insights into what GDPR requirements mean for your security initiative, how your existing security activities can support compliance, and best practices to keep in mind as you look to mature your software security program.
About the Presenters:
Adam Brown is Associate Managing Consultant at Synopsys in the software security consulting division. His background is in software security testing focusing on data centric web application security. Currently he specialises in helping organisations set up their software security initiatives, delivers training in software security and takes a keen interest in the GDPR from both data security and data privacy threat perspectives.
Dan Hedley is a partner at UK law firm Irwin Mitchell LLP. He is a specialist IT lawyer, focusing in particular on software licensing and development, IT service contracts, outsourcing and cloud services. He also advises on open source compliance, data protection, software IP issues and the IT aspects of M&A and IPO transactions. He regularly acts for both established corporates and early-stage and fast growth businesses.”
SAST, IAST, DAST, MAST, *AST – There are plenty of technologies and ways to test your software, but how do we do that without slowing us down in a rapid development environment. In this talk we will give practical advice on how to integrate software security testing into your CI/CD and your development process so it works. The talk will review the pros and cons of each of the testing technologies, and how to adapt it to rapid development, and how to manage the balance between risk and speed to build a proper signoff process, so that real threats will become blockers, but other issues will be handled in a parallel slower cycle, without slowing down the main delivery.
Gary McGraw, VP Security Technology, Synopsys Scott Crawford & Dan Kennedy, Research Director, 451 Research
CISOs play an important role in our software-driven world, but what they do on a daily basis—and why—have largely remained a mystery—at least until we studied them in the wild and created the CISO Report.
Join us as Gary McGraw, CISO Report author and VP of security technology at Synopsys, along with analysts Scott Crawford and Dan Kennedy from 451 Research discuss the evolving role of the CISO and what this novel study reveals:
- What are the four newly identified CISO tribes, and which characteristics distinguish them?
- How can knowing your tribe advance your organization’s security initiatives and spur career development?
-Why does your CISO’s tribe reflect the priorities and dynamics within your organization?
We go beyond traditional application testing to empower you to build security into your software at every stage of your development process. We offer application testing and remediation expertise, guidance for structuring a software security initiative, training, and professional services for a proactive approach to application security.