Hi [[ session.user.profile.firstName ]]

Getting Your Bearings in a DevSecOps World

Development and operations teams have already come a long way by aligning around the shared goal of delivering stable, high-quality software—quickly. By automating manual processes and building tools into the continuous integration and continuous delivery (CI/CD) pipeline, they’ve increased trust between groups, which is essential as these once-disparate teams tackle critical issues together. In this webinar, you’ll learn how to build a DevSecOps culture in your organization with automated and integrated application security tools and the right training for each team.
Recorded Jul 12 2018 48 mins
Your place is confirmed,
we'll send you email reminders
Presented by
Apoorva Phadke, Associate Principal Consultant, Synopsys
Presentation preview: Getting Your Bearings in a DevSecOps World

Network with like-minded attendees

  • [[ session.user.profile.displayName ]]
    Add a photo
    • [[ session.user.profile.displayName ]]
    • [[ session.user.profile.jobTitle ]]
    • [[ session.user.profile.companyName ]]
    • [[ userProfileTemplateHelper.getLocation(session.user.profile) ]]
  • [[ card.displayName ]]
    • [[ card.displayName ]]
    • [[ card.jobTitle ]]
    • [[ card.companyName ]]
    • [[ userProfileTemplateHelper.getLocation(card) ]]
  • Channel
  • Channel profile
  • BSIMM9: Here’s What’s New! Recorded: Oct 25 2018 47 mins
    Mike Ware, Managing Principal, Synopsys
    In early October, we released the latest version of the BSIMM report, BSIMM9. While many things about the report haven’t changed much, it’s the new things that make it really exciting. Mike Ware will give a quick recap of the BSIMM and how organizations can use it before diving into the changes observed in BSIMM9, including these:
    - The incorporation of three new cloud-related activities and what that says about AppSec
    - The addition of retail as a stand-alone vertical
    - The growth in the number of security and developer resources
  • Securing Enterprise-Level Cloud Deployments Recorded: Oct 23 2018 54 mins
    Kinnaird McQuade, Senior Consultant, Synopsys Software Integrity Group
    When you’re operating in a cloud environment, access expands, responsibilities change, control shifts, and the speed of provisioning resources and applications increases—significantly affecting all aspects of IT security. Security must keep up with these demands without compromising on auditability, least privilege, and secure development practices while receiving the benefits of automation. In cloud environments, security must be built in with configuration management and infrastructure as code. This talk aims to piece all of it together while providing practical guidance (and examples) that will help your organization operate safely in this age of cloud computing.

    Topics will include:
    - Building security in with infrastructure as code
    - Pipeline-friendly OS hardening
    - Vulnerability scanning considerations for building cloud applications
    - Migrating to the cloud with rapid deployments in mind
  • Static Analysis Helps DevOps Teams Maintain Velocity Securely Recorded: Oct 11 2018 61 mins
    Meera Rao, Senior Principal Consultant, Synopsys
    Static application security testing (SAST) is the process of examining source code for security defects. SAST is one of many checks in an application security assurance program designed to identify and mitigate security vulnerabilities early in the DevOps process. Integrating SAST tools into DevOps processes is critical to building a sustainable program. And automating these tools is also an important part of adoption, as it drives efficiency, consistency, and early detection.

    But DevOps practitioners looking to integrate SAST tools into the DevOps pipeline often have questions:

    - How do I manage false positives?
    - How do I triage the results?
    - What happens to new issues identified?
    - How can I use a tool in my DevOps pipeline?

    If you have questions like these, and you’re concerned about integrating SAST tooling into your DevOps process, this session will offer actionable advice to automate security testing that supports DevOps velocity.
  • The Future of Application Security: Enable DevSecOps with IAST Recorded: Oct 4 2018 57 mins
    Amy DeMartine, Forrester Principal Analyst and Ofer Maor, Director, Solutions Management at Synopsys
    IAST, or Interactive Application Security Testing, is an emerging technology that is transforming the way organizations secure their web apps at the speed of DevOps. IAST automatically and continuously scans apps during QA testing to detect security vulnerabilities earlier in the SDLC than traditional DAST or pen testing solutions—when it’s easier, faster, and cheaper to fix them. Using a combination of static and dynamic testing techniques, IAST produces highly accurate and actionable results that can be interpreted directly by the developers responsible for fixing the code.

    Join guest speaker and Forrester Principal Analyst, Amy DeMartine and Ofer Maor, Director of Solutions Management at Synopsys, as they unpack the promise of IAST from the perspective of an analyst and a technology provider. Learn about the unique benefits and use cases for IAST, as well as the technology’s limitations and which types of organizations stand to gain the most from it.
  • Container Security – What you need to know! Recorded: Oct 4 2018 45 mins
    Olli Jarva, Managing Consultant, Synopsys
    Containers are revolutionizing application packaging and distribution. They’re lightweight and easy to build, deploy, and manage. But what about security? Your containers include more than the applications your team builds. They also bundle all the third-party software and open source components those apps depend on. In our webinar “Container Security – What you need to know!”, Olli Jarva, Managing Consultant & Security Architect, outline how you can prevent vulnerable code hiding in your containers from compromising your applications and sensitive data and how you can take control in the event when a new vulnerability breaks out for open source component present in your containers.
  • Using Security Champions to Build a DevSecOps Culture Within Your Organization Recorded: Sep 13 2018 42 mins
    Brendan Sheairs, Managing Consultant, Synopsys Software Integrity Group (SIG)
    The security industry has made great strides developing tools and technology to integrate software security into the application development life cycle. However, it’s important not to ignore the people and process aspects of DevSecOps. Building security into application teams’ culture is necessary for DevSecOps to be successful.

    Outside the software security group, Security Champions are the leaders of this cultural change. Embedding knowledgeable champions within development teams to assist with security activities and vulnerability remediation will help your organization see this cultural shift. As a result, you’ll build new features not only faster but also more securely. In this webinar, you’ll learn the foundations of a successful Security Champions program and the challenges you’ll face implementing such a program.
  • Open Source Supply Chains and Consumption Risk - Governance, Containers & Trust Recorded: Sep 4 2018 58 mins
    Tim Mackey, Technology Evangelist
    Organisations increasingly rely on open source software from their supply chain partners and outsourcers to power the products and technology they deliver to the marketplace.
    Whether you’re an automotive company or a medical device manufacturer, use of open source software accelerates development schedules, and reduces costs, but how do you minimise security risks?

    One way some DevOps organisations are facing this challenge is by deploying their applications in containers.

    In this webinar, Tim Mackey explores this new era of large scale container deployments and how to manage and secure them.

    Our webinar will arm you with the information to:
    •Explain the importance of open source security to your organisation
    •Why container environments present new application security challenges
    •Best practices and methodologies for deploying secure containers with trust
  • Enterprise Security at Scale With IAST Recorded: Aug 28 2018 50 mins
    Asma Zubair, Sr. Product Manager, Synopsys and Tamir Shavro, Sr. Engineering Manager, Synopsys
    With all the different application security testing tools available, you may be wondering whether interactive application security testing (IAST) makes sense for you. If you want to equip your developers with everything they need to fix vulnerabilities quickly and accurately in CI/CD workflows, then the answer is yes.

    In this webinar, Asma Zubair, Sr. Product Manager for Seeker, our IAST solution and Tamir Shavro, Sr. Engineering Manager at Synopsys, will show you how to gain unparalleled visibility into the security posture of your web applications and how to identify vulnerability trends against compliance standards (e.g., OWASP Top 10, PCI DSS, and CWE/SANS). You’ll also learn how IAST can:

    - Be deployed in existing environments with ease
    - Give you real-time, accurate results
    - Integrate with software composition analysis
  • Security Champions: Only YOU Can Prevent File Forgery Recorded: Aug 22 2018 57 mins
    Marisa Fagan, Product Security Lead, Synopsys
    If you’re a developer, there will come a time when you realize that you have the power not only to ship awesome features but also to protect them so that no one else can tamper with all your hard work. Every developer is responsible for coding securely, but a brave few among us will take this duty one step further by wearing the mantle of a Security Champion.

    This webinar is your guide to becoming the Security Champion you always wanted to be, in just five easy steps. We’ll also talk about what benefits you’ll get out of it, besides saving the world, and what to do if your company doesn’t have a Security Champions program or even a product security program.
  • AppSec in Financial Services through the BSIMM Lens Recorded: Aug 14 2018 39 mins
    Nabil Hannan, Managing Principal, Synopsys Software Integrity Group (SIG)
    Do you ever wonder whether your software security program is the correct one for your organization? You spend time and money on processes, technology, and people. But how do you know whether the security efforts you’ve put in place even make sense? The Building Security In Maturity Model, or BSIMM, is a metrics-driven study of existing security initiatives at other organizations. BSIMM results help you assess the current state of your software security initiative and determine which areas need improvement.

    During the webinar, we’ll use a BSIMM broken down by the financial services industry to see what other companies are doing. We’ll also:

    · Use real data to help drive your software security initiative
    · Learn how organizations use the BSIMM to measure the maturity of their software security initiatives
    · Look at the aggregate data of the FSI vertical in the BSIMM
    · Discuss some of the most common activities that we observe with FSI companies and the drivers of those activities
  • DevSecOps: Security at the Speed of DevOps with Comcast Recorded: Aug 3 2018 50 mins
    Larry Maccherone, Sr. Director DevSecOps Transformation, Comcast
    Security specialists, especially at large organizations, believe that better security comes from robust independent gating. On the other hand, DevOps has proven that you can safely deploy orders of magnitude faster than human gating can achieve.

    What’s needed to add security to DevOps are tools that work well with rapid-cycle CI/CD pipelines and an approach that reinforces the DevOps culture and process changes. This requires that security specialists become self-service toolsmiths and advisors and stop thinking of themselves as gatekeepers.

    This webinar includes guidance on the characteristics of security tools compatible with DevOps, but it focuses primarily on the harder part: the people. This talk introduces the DevSecOps manifesto and provides you with a process model, based on agile transformation techniques, to accomplish the necessary mindset shift and achieve an effective DevSecOps culture transformation. It has been successfully used in a large DevSecOps transformation at Comcast and has gained recognition in DevSecOps circles as a leading framework.
  • Reviewing Spectre 6 Months Later Recorded: Jul 25 2018 30 mins
    Taylor Armerding, Senior Security Strategist for Synopsys
    It’s been more than six months since the major design flaw in computer chips labeled Spectre became public. And, as predicted, it is still haunting the world of information technology. The CPU (central processing unit) is, after all, the “brain” of any computer, phone, tablet, modern TV, or other “smart” device.
    Since then, we’ve all learned a bit about terms some of us had never heard before—“speculative execution,” anyone? We’ve also been told that you can’t just patch a chip the way you can patch bugs in software. But you can create work-arounds with software patches.
    In this webinar, Taylor Armerding, senior security strategist for Synopsys Software Integrity Group, will address some of the questions that “regular”—i.e., nontechnical—users may have about Spectre:
    - What is it?
    - How does it work?
    - Why does it work?
    - Why didn’t chip makers catch a flaw of this magnitude during the design phase?
    - Why is a tool called static analysis the best way to work around Spectre without causing intolerable performance slowdowns?
  • Trends in Security: How to Create a Scalable Threat-modeling Practice Recorded: Jul 17 2018 45 mins
    Chandu Ketkar, Principal Consultant, Synopsys
    For most organizations, performing threat-modeling is a difficult and an expensive undertaking. There are good reasons why this is the case. Threat modeling traditionally requires an experienced security architect with knowhow in architecture patterns, design patterns, a breadth of technologies, and above all deep security knowledge.

    Join this webinar and learn:

    - Consistency/Reliability: Use of patterns allows us to identify recurring problems/patterns and provide consistently the same solution. In security this means that identifying patterns during threat modeling will allow us to create consistent design, development, testing, and risk guidance.

    - Efficiency: Use of patterns allows us to automate some part of a problem while leaving the more complex concerns to be tackled by experts. This creates efficiencies.

    - Commonly understood taxonomy: Patterns create a common taxonomy for organizing knowledge, training users/practitioners, communicating with stakeholders (developers, testers, architects, security analysts, etc.)
  • How can static analysis help DevOps teams maintain velocity securely? Recorded: Jul 17 2018 46 mins
    Meera Rao, senior principal consultant and director of the secure development practice - Synopsys Software
    Static application security testing (SAST) is the process of examining source code for security defects. SAST is one of many checks in an application security assurance program designed to identify and mitigate security vulnerabilities early in the DevOps process. Integrating SAST tools into DevOps processes is critical to building a sustainable program. And automating these tools is also an important part of adoption, as it drives efficiency, consistency, and early detection.

    If you have questions like these, and you’re concerned about integrating SAST tooling into your DevOps process, this session will offer actionable advice to automate security testing that supports DevOps velocity.

    But DevOps practitioners looking to integrate SAST tools into the DevOps pipeline often have questions:

    How do I manage false positives?
    How do I triage the results?
    What happens to new issues identified?
    How can I use a tool in my DevOps pipeline?
  • *AST in CI/CD - How to Make it Work Recorded: Jul 17 2018 58 mins
    Ofer Maor, Director, Solutions Management at Synopsys
    SAST, IAST, DAST, MAST, *AST – There are plenty of technologies and ways to test your software, but how do we do that without slowing us down in a rapid development environment. In this session we will give practical advice on how to integrate software security testing into your CI/CD and your development process so it works. The session will review the pros and cons of each of the testing technologies, how to adapt it to rapid development, and how to make testing work as organizations are moving to A/B testing. Finally, this session will guide on how to manage the balance between risk and speed to build the right process, so that real threats will become blockers, but other issues will be handled in a parallel, slower cycle, without slowing down the main delivery.
  • Getting Your Bearings in a DevSecOps World Recorded: Jul 12 2018 48 mins
    Apoorva Phadke, Associate Principal Consultant, Synopsys
    Development and operations teams have already come a long way by aligning around the shared goal of delivering stable, high-quality software—quickly. By automating manual processes and building tools into the continuous integration and continuous delivery (CI/CD) pipeline, they’ve increased trust between groups, which is essential as these once-disparate teams tackle critical issues together. In this webinar, you’ll learn how to build a DevSecOps culture in your organization with automated and integrated application security tools and the right training for each team.
  • Building Your Application Security Toolkit: A Holistic Approach Recorded: Jun 22 2018 59 mins
    Stephen Giguere, Solution Engineer, Synopsys
    Open source management is a key part of any application security toolkit. But with so many different tools and techniques on the market, how can you decide what other tools you need to fully address the security risks of your applications? In this webinar, you’ll learn the benefits and limitations of several application security tools, including SAST, SCA, DAST, IAST, and fuzzing, as well as how they differ, so you can make informed decisions as you build your AppSec toolkit.
  • Do We Trust Software? Recorded: Jun 20 2018 46 mins
    Chris Clark, Principal Security Engineer – Strategic Initiatives, Synopsys
    Trying to keep pace in a highly connected world and increasingly hostile environment is a challenge for any developer, let alone an entire industry. To protect the software they write, developers turn to technologies and processes such as audits, reverse engineering, application firewalls, sandboxing, and many others to provide a level of protection. But these technologies also have the potential to become entry points for vulnerabilities. So do we really trust software?

    See how Synopsys started the software security journey and is taking an active role in providing industry expertise to help organizations deliver robust software security solutions. We will focus on how the cyber supply chain can have a direct and meaningful impact on the overall design and deployment of software. See how known vulnerability management, mitigation, and training can affect the known risk profile of overall software design. Learn about what we are working on and how you can participate in improving standards and programs that reduce cyber risk.
  • Ultimate Guide to Building Security into CI/CD Recorded: Jun 20 2018 45 mins
    Olli Jarva, Managing Consultant and Solution Architect, Synopsys Asia Pacific
    Security leaders must choose appropriate tools and build a culture that does not inhibit the development pipeline but supports it. In this webinar, Ultimate Guide to Building Security into CI/CD, Olli Jarva, Managing Consultant and Solution Architect, Synopsys Asia Pacific, outlines how security teams can work within a Continuous Delivery or Continuous Deployment model by building security into operational processes and an integrated, Continuous Integration toolchain. This integrated software security strategy is known as “Continuous Security.”
  • 2018 Open Source Audit Findings: How Do You Stack Up? Recorded: May 24 2018 28 mins
    Evan Klein, Head of Product Marketing for Software Composition Analysis, Synopsys
    Open source components are the foundation of modern applications, but ineffective management around open source can lead to serious risks and unwanted media attention when security flaws lead to data breaches. The Black Duck by Synopsys 2018 Open Source Security and Risk Analysis (OSSRA) examines the previous year’s open source and security news and analyzes trends based on the audits of more than 1,100 codebases.
    Not surprisingly, 96% of the audited codebases contained open source components, and nearly 78% of the codebases contained at least one vulnerability. As the percentage of open source in codebases continues to grow, it’s clear that open source management practices need to improve.
    In this webinar, open source expert Evan Klein will walk through the report’s findings in depth and discuss strategies companies can use to minimize open source security risk while maximizing the benefits open source provides.
Application security is a journey.
We go beyond traditional application testing to empower you to build security into your software at every stage of your development process. We offer application testing and remediation expertise, guidance for structuring a software security initiative, training, and professional services for a proactive approach to application security.

Embed in website or blog

Successfully added emails: 0
Remove all
  • Title: Getting Your Bearings in a DevSecOps World
  • Live at: Jul 12 2018 4:00 pm
  • Presented by: Apoorva Phadke, Associate Principal Consultant, Synopsys
  • From:
Your email has been sent.
or close