Hi [[ session.user.profile.firstName ]]

Managing Security in IoT: Vulnerabilities in the Cyber Supply Chain

Modern software development practices dominated by component-based engineering and short development cycles have largely been a catalyst for rapid advancements in technology. These practices, however, have also resulted in an epidemic of known vulnerabilities baked into third-party software components of IoT applications and devices. These widespread security flaws, many of which are critical in nature, often remain unnoticed or unaddressed throughout the software or device lifecycle, posing significant risks to the people and organizations that rely on them.

As software continues to permeate the ever-expanding Internet of Things, software vulnerabilities represent a greater and greater threat. IoT devices, like traditional computers, run on software that is susceptible to malicious attacks. As more devices become connected, understanding how to identify and manage security vulnerabilities within widely used third-party software components is critical for all stakeholders, including manufacturers and end-users.

In this webinar, our diverse panel of security experts will:
•Propose an expanded definition and understanding of IoT and the stakeholders at risk
•Present research highlighting the pervasiveness of vulnerabilities in third-party software components of IoT devices
•Draw some conclusions about the state of software security in IoT today
•Discuss some simple approaches to addressing these problems
Recorded Mar 24 2015 61 mins
Your place is confirmed,
we'll send you email reminders
Presented by
Mikko Varpiola (Co-Founder, Codenomicon), Tyler Shields (Sr Analyst, Forrester), Todd Carpenter (Chief Engineer, Adventium)
Presentation preview: Managing Security in IoT: Vulnerabilities in the Cyber Supply Chain

Network with like-minded attendees

  • [[ session.user.profile.displayName ]]
    Add a photo
    • [[ session.user.profile.displayName ]]
    • [[ session.user.profile.jobTitle ]]
    • [[ session.user.profile.companyName ]]
    • [[ userProfileTemplateHelper.getLocation(session.user.profile) ]]
  • [[ card.displayName ]]
    • [[ card.displayName ]]
    • [[ card.jobTitle ]]
    • [[ card.companyName ]]
    • [[ userProfileTemplateHelper.getLocation(card) ]]
  • Channel
  • Channel profile
  • Breaking Down DevSecOps: Build AppSec Into Your CI/CD Pipeline with SAST and SCA Mar 1 2018 5:00 pm UTC 60 mins
    Amy DeMartine, Forrester Principal Analyst; Mel Llaguno, Synopsys; Patrick Carey, Synopsys
    While software grows more complex and the pace of development accelerates, the stakes for building secure software have never been higher. If you’re like most teams embracing a DevOps culture, you’re focused on breaking down silos, streamlining workflows, and cranking out functional software at a nearly continuous clip. Amid all these fundamental changes, how do you ensure your software is secure without clogging up the pipeline?

    Listen as guest Forrester Principal Analyst, Amy DeMartine, Black Duck Open Source Security Expert, Patrick Carey, and Synopsys Open Source Solution Manager, Mel Llaguno come together to discuss how to automate and distribute application security testing across the SDLC. In this webinar, we’ll discuss

    - Why it's important to build application security into your development and operations toolchains and processes
    - Best practices for integration application security throughout the application lifecycle
    - How to use SAST and SCA together to maximize the security of the software your teams deliver
  • GDPR’s Influence on Security: Best Practices to Support GDPR Feb 22 2018 12:00 pm UTC 60 mins
    Adam Brown, Manager, Security Solutions at Synopsys, Daniel Hedley, Partner at Irwin Mitchell LLP
    If your organisation competes in the global market, you should expect GDPR to have a critical influence on the software that powers your business. Having a disciplined software security approach will help you not only identify, remediate, and prevent weaknesses in your software but also avoid violating GDPR.

    Listen as experts Adam Brown of Synopsys and legal expert Dan Hedley of Irwin Mitchell, LLP provide insights into what GDPR requirements mean for your security initiative, how your existing security activities can support compliance, and best practices to keep in mind as you look to mature your software security program.

    About the Presenters:

    Adam Brown is Associate Managing Consultant at Synopsys in the software security consulting division. His background is in software security testing focusing on data centric web application security. Currently he specialises in helping organisations set up their software security initiatives, delivers training in software security and takes a keen interest in the GDPR from both data security and data privacy threat perspectives.

    Dan Hedley is a partner at UK law firm Irwin Mitchell LLP. He is a specialist IT lawyer, focusing in particular on software licensing and development, IT service contracts, outsourcing and cloud services. He also advises on open source compliance, data protection, software IP issues and the IT aspects of M&A and IPO transactions. He regularly acts for both established corporates and early-stage and fast growth businesses.”
  • *AST in CI/CD - How to Make it Work Recorded: Feb 13 2018 55 mins
    Ofer Maor
    SAST, IAST, DAST, MAST, *AST – There are plenty of technologies and ways to test your software, but how do we do that without slowing us down in a rapid development environment. In this talk we will give practical advice on how to integrate software security testing into your CI/CD and your development process so it works. The talk will review the pros and cons of each of the testing technologies, and how to adapt it to rapid development, and how to manage the balance between risk and speed to build a proper signoff process, so that real threats will become blockers, but other issues will be handled in a parallel slower cycle, without slowing down the main delivery.
  • Going Tribal With CISOs Recorded: Jan 31 2018 67 mins
    Gary McGraw, VP Security Technology, Synopsys Scott Crawford & Dan Kennedy, Research Director, 451 Research
    CISOs play an important role in our software-driven world, but what they do on a daily basis—and why—have largely remained a mystery—at least until we studied them in the wild and created the CISO Report.

    Join us as Gary McGraw, CISO Report author and VP of security technology at Synopsys, along with analysts Scott Crawford and Dan Kennedy from 451 Research discuss the evolving role of the CISO and what this novel study reveals:

    - What are the four newly identified CISO tribes, and which characteristics distinguish them?
    - How can knowing your tribe advance your organization’s security initiatives and spur career development?
    -Why does your CISO’s tribe reflect the priorities and dynamics within your organization?
  • Silver Bullet Podcast #142 with Craig Froelich Recorded: Jan 17 2018 31 mins
    Gary McGraw
    Craig Froelich is the chief information security officer (CISO) for Bank of America. He leads the Global Information Security team responsible for security strategy, policy, and programs. Before moving to Bank of America through acquisition, he was responsible for Countrywide’s cyber security technology, networks, crisis management, and security operations. Craig has over a decade of experience in product management and application development for software and hardware companies. He also serves on the board of FS-ISAC and the executive committee of BITS. On Twitter, he describes himself as “a SoCal dude learning to be a southern gentleman” as a Los Angeles transplant to Charlotte, North Carolina, where he lives with his family.

    Listen as Gary and Craig discuss the role of the CISO in the financial services ecosystem and the newly released 2018 CISO Report.
  • The 2017 Open Source Year in Review Recorded: Jan 17 2018 60 mins
    Mark Radcliffe, Partner, DLA Piper/Counsel OSI; Phil Odence, Sr. Director / GM at Black Duck Software by Synopsys
    Gain insights into these important legal developments from two of the leading open source legal experts, Mark Radcliffe, Partner at DLA Piper and General Counsel for the Open Source Initiative and Phil Odence, Sr. Director and General Manager at Black Duck Software by Synopsys. This annual review will highlight the most significant legal developments related to open source software in 2017, including:
    - Current litigation
    - An open source security update
    - Blockchain and its forks
    - Software Package Data Exchange (SPDX) and OpenChain
    - GDPR
    - And more
    Live attendees will be receiving a CLE credit for this webinar.
  • Silver Bullet Podcast #141 with Bruce Potter Recorded: Dec 28 2017 34 mins
    Gary McGraw
    Bruce Potter is CISO at Expel, where he is responsible for cyber risk and ensuring the secure operation of Expel’s services. Previously, Bruce co-founded Ponte Technologies (sold to KeyW Corporation). He then served as CTO at KeyW for 2 years. Before that, Bruce was a security consultant at Cigital. In a seemingly previous life, Bruce founded the Shmoo Group. To this day, he helps run the annual hacker conference ShmooCon. He has co-authored several books, including “802.11 Security,” “Aggressive Network Self-Defense,” and “Host Integrity Monitoring.” Bruce regularly speaks at DEF CON, Black Hat, and O’Reilly Security conferences. He lives in Maryland with his family.

    Listen as Gary and Bruce discuss ShmooCon, the state of software security books, network security trends, hacking back, the relationship between preventative security engineering and operational security, DevOps, the CISO role, and more.
  • 4 Steps to Risk Ranking Your Vulnerabilities Recorded: Dec 19 2017 29 mins
    Mike Pittenger, VP Security Strategy, Black Duck Software
    Vulnerabilities are an inevitable part of software development and management. Whether it’s open source or custom code, new vulnerabilities will be discovered as a code base ages. A 2017 Black Duck analysis of code audits conducted on 1,071 applications found that 97% contained open source, but 67% of the applications had open source vulnerabilities, half of which were categorized as severe. As the number of disclosures, patches, and updates grows, security professionals must decide which items are critical and must be addressed immediately and which items can be deferred.
    Join Black Duck’s VP of Security Strategy, Mike Pittenger, for a 30-minute discussion of best practices in open source security and vulnerability management. You’ll learn:
    - Methods for determining which applications are most attractive to attackers, and which pose the greatest risk
    - Ways to assess the risk associated with a disclosed open source vulnerability
    - Strategies to minimize the impact of open source security vulnerabilities when immediate fixes can’t be made
  • Black Duck Container Security MasterClass - Deploying Containers at Scale Recorded: Dec 14 2017 58 mins
    Tim Mackey, Sr. Technology Evangelist, Black Duck
    IT operations teams are now deploying and running hundreds or even thousands of containers at any given time. This rapid deployment surfaces challenges in validating the contents and security of container images being deployed. In this session, Black Duck container and virtualization expert Tim Mackey will provide an overview of technologies and solutions such as Red Hat OpenShift that enable organizations to deploy containers at scale securely.

    In this webinar, Tim Mackey explores this new era of large scale container deployments and how to manage and secure them.

    Attend and you'll learn:

    - How to maintain visibility and control for the open source deployed in hundreds of containers
    - How to help your development and operations teams work together to maintain the security of containers in production
    - How to build security into your deployment of container orchestration platforms
    - Measures you can take to proactively identify risks and remediate risks on containers in production
    - How you can use Black Duck OpsSight to scan containers being created, updated or deployed through their container orchestration platforms
  • Balancing Speed & Security in a DevOps World Recorded: Dec 12 2017 49 mins
    Stephen Elliott, Product Manager Google Container Registry and Dave Meurer, Director Technical Alliances
    DevOps teams are using cloud platforms and containers to build, deploy, and manage applications faster than ever, and utilizing large amounts of open-source software to increase agility. Google Cloud platform makes building and shipping containers even easier with Google Container Builder, Google Container Engine (GKE), and Google Container Registry (GCR). But when you deploy a container or cloud-native application, it’s hard to know exactly what contents are inside, and that can make managing security painful.
    Secure DevOps means having full visibility and control of your software supply chain to implement security and governance policies. How do you protect your DevOps without slowing down? Join experts from Google and Black Duck to discuss how to secure the software supply chain including:
    - Understanding the modern attack landscape
    - How to select safe and healthy open source software in development
    - How you can automate open source control and visibility in containers with Black Duck and both Google Container Builder and GCR
    - The Grafeas and Kritis projects, and the work Google and Black Duck are doing to enhance security visibility and provide policy enforcement for containers.
  • Buyer and Seller Perspectives on Open Source in Tech Contracts Recorded: Nov 30 2017 59 mins
    Phil Odence, Black Duck Software and David Tollen, Tech Contracts Academy
    Join Black Duck and Tech Contracts Academy as they discuss the implications of open source software in tech contracts. The topic of open source has been at the forefront of the technology industry for many years, but as the use of open source in commercial applications explodes, so do concerns about addressing license and ownership issues in contract negotiations.

    David Tollen is the founder of Tech Contracts Academy (www.TechContracts.com) and of Sycamore Legal P.C., in San Francisco. He’s the author of The Tech Contracts Handbook: Cloud Computing Agreements, Software Licenses, and Other IT Contracts for Lawyers and Businesspeople. He will dive into these topics from the perspective of both buyers and sellers and will aim to educate participants on Intellectual Property (IP) protection and other terms and how they should work during contract negotiations.
  • Lessons from Equifax: Open Source Security & Data Privacy Compliance Recorded: Nov 16 2017 46 mins
    Bob Canaway, CMO, Black Duck; Mike Pittenger, VP Security Strategy, Black Duck
    The Equifax breach provided a unique look into “how” many breaches occur. In Equifax’s case, hackers exploited an unpatched Apache Struts component, resulting in the exposure of over 140 million consumer records. The exploit of this vulnerability highlights the need for visibility to open source in custom applications and just how ineffective traditional security solutions are when it comes to open source vulnerabilities.
    Further, while class action lawsuits have already begun, Equifax faces other regulatory challenges as well. The US Federal Trade Commission started investigations into the company’s security policies and controls that will likely result in financial penalties. Since the exposed data included non-US citizens, foreign data protection and data privacy regulations also come into play.
    Join Mike Pittenger and Bob Canaway as they discuss how organizations can more effectively manage open source, the strengths and weaknesses of testing methodologies in identifying vulnerable open source components, and how data privacy standards such as PCI, Section 5 of the FTC Act, and GDPR necessitate a change in how organizations address vulnerabilities in their code.
  • Fuzz Testing From Synopsys Recorded: Nov 2 2017 2 mins
    What if you could test software for unknowns? You can with fuzz testing. Fuzz testing manipulates input data to send until the malformed input causes the software to crash. Our fuzzing solution provides pre-built test suites that eases the burden of manual black box test creation. And our fuzz testing solution runs on any VM or Windows or Linux computer to produce a detailed remediation package that helps identify and fix software issues fast.
  • Software Composition Analysis from Synopsys Recorded: Nov 2 2017 2 mins
    Wouldn’t it be great to minimize the risks of 3rd party code? Introducing software composition analysis – or SCA -- from Synopsys. Our SCA solution quickly and accurately scans virtually any software package. It produces a bill of materials listing third-party components, their versions, and their location. And our SCA solution runs on either source code or binary, either as a managed service, or as an on premise virtual appliance, so that you always know for certain what’s in your software.
  • Synopsys is Software Security Recorded: Nov 2 2017 2 mins
    As the world's 16th largest software company, Synopsys has a history of being a global leader and was recognized by Gartner as a leader in software quality and security solutions. At Synopsys, we offer the most comprehensive solution for integrating security and quality into your SDLC and supply chain and work with over 1,500 industry-leading companies across all sectors including: 17 of the top 20 commercial banks 9 of the top 10 software companies 4 of top 5 managed healthcare firms 3 of top 4 US wireless providers By injecting software quality and security at the right time, at the right depth within your development environment, our software integrity platform promotes productivity and efficiency that empowers customers to develop secure, high-quality software. Our testing solutions improve the accuracy of findings, speeds up the delivery of results, and reduces the level of noise faced by developers.
  • Software Architecture & Design from Synopsys Recorded: Nov 2 2017 2 mins
    How well do your security controls align with industry best practices? Software design flaws account for up to 50 percent of security vulnerabilities. If you are only checking for bugs in your code or running fuzz tests against your system you might still miss up to half of the security vulnerabilities in your software. Auditing controls, authorizations, and component updates are essential strategies to help reduce security flaws and lower your risk of a breach. But how do you know whether they are implemented correctly? Introducing Software Architecture and Design from Synopsys. Our experts evaluate the design of your key security controls against industry best practices to determine if any are misconfigured, weak, misused, or missing.
  • Red Teaming from Synopsys Recorded: Nov 2 2017 2 mins
    Do you know how well your organization's people, processes, and technologies can withstand a real-life cyberattack? What level of access and information that an attacker might gain? Personal Identifying Information, Personal Account Number, or corporate intellectual property. What damage might a severe data breach cause? What harm such an attack might bring to the organization’s brand and reputation? Introducing Red Teaming from Synopsys. Red Teaming simulates an attack on the client’s organization to measure how well their people, process, and technologies can withstand a real-life attack situation.
  • Building Security In Maturity Model or BSIMM from Synopsys Recorded: Nov 2 2017 2 mins
    Your company spends a certain amount of money and time on its software security initiative but serious security initiative questions remain. Are we spending enough in Processes? Technology? People? Do the security efforts we have in place today even make sense? And, more critically, what are the other guys doing? Wouldn't it be great if you could compare your security model to others? You can. Introducing Building Security In Maturity Model or BSIMM from Synopsys. It's an analytical process that compares observations of your own software security initiative with that of others.
  • Managed Services from Synopsys Recorded: Nov 2 2017 2 mins
    Really good security experts are difficult to find and expensive to hire. On top of that, you may not have a consistent need for their skill set. Wouldn't it be great to pay only for what you need, only when you need it? Introducing Managed Services from Synopsys, a security-as-a-service (SaaS) for all your software security needs.
  • Silver Bullet Podcast #139 with Matias Madou Recorded: Oct 31 2017 26 mins
    Gary McGraw
    Matias Madou is a co-founder and the CTO of Secure Code Warrior, where he provides the company’s technology vision and oversees the engineering team. He has over 15 years of hands-on software security experience. Matias was a researcher at HP Fortify and a founder of Sensei Security. He also holds 10 patents and has been very active in technology transfer from the lab to commercial products. He’s a sought-after speaker as well, and we’re proud of his presence at the 2017 BSIMM Community Conference. Matias holds a Ph.D. in computer engineering from Ghent University and currently lives in Belgium with his family.

    Listen as Gary and Matias talk about effective software security testing methods, security research, secure development training, and more.
Application security is a journey.
We go beyond traditional application testing to empower you to build security into your software at every stage of your development process. We offer application testing and remediation expertise, guidance for structuring a software security initiative, training, and professional services for a proactive approach to application security.

Embed in website or blog

Successfully added emails: 0
Remove all
  • Title: Managing Security in IoT: Vulnerabilities in the Cyber Supply Chain
  • Live at: Mar 24 2015 6:00 pm
  • Presented by: Mikko Varpiola (Co-Founder, Codenomicon), Tyler Shields (Sr Analyst, Forrester), Todd Carpenter (Chief Engineer, Adventium)
  • From:
Your email has been sent.
or close