Hi [[ session.user.profile.firstName ]]

Introducing Veracode DevOps Penetration Testing

DevOps can be challenging for many organizations when thinking about all the different areas of the DevOps process that require security testing. Organizations that begin to “shift left” often find significant gaps in the security of infrastructure and operational components that are now integrated into the development process. Many of the technologies being used in DevOps are also very new to most organizations and are more recently starting to become “mainstream”. Containers like Docker, orchestration technology like Kubernetes, cloud storage like Amazon S3 and MongoDB instances, not to mention existing cloud infrastructure which can all be misconfigured or have vulnerabilities that have led to countless data leaks and breaches in the news. But we also can’t forget about the developers either. What can be found being discussed on GitHub, Stack Overflow or other online sources about your applications through Open Source Intelligence (OSINT)? While there is no question that automating security testing in your DevOps process is a requirement, there still is a need for penetration testing, which provides more than just finding and exploiting vulnerabilities, but also a look into the attacker perspective.

In this webinar you’ll learn about:

•The challenges organizations face when “shifting left” from a security testing perspective
•How vulnerabilities in DevOps infrastructure, operations, and the developers themselves are leveraged by attackers to compromise applications
•How Veracode’s DevOps Penetration Testing offering can be part of your DevOps process for security testing and compliance
Recorded Jun 5 2019 32 mins
Your place is confirmed,
we'll send you email reminders
Presented by
Tom Eston, Manager, Penetration Testing at Veracode
Presentation preview: Introducing Veracode DevOps Penetration Testing

Network with like-minded attendees

  • [[ session.user.profile.displayName ]]
    Add a photo
    • [[ session.user.profile.displayName ]]
    • [[ session.user.profile.jobTitle ]]
    • [[ session.user.profile.companyName ]]
    • [[ userProfileTemplateHelper.getLocation(session.user.profile) ]]
  • [[ card.displayName ]]
    • [[ card.displayName ]]
    • [[ card.jobTitle ]]
    • [[ card.companyName ]]
    • [[ userProfileTemplateHelper.getLocation(card) ]]
  • Channel
  • Channel profile
  • Speed Matters in AppSec: How to Start Improving Your Fix Rate Jul 17 2019 8:00 pm UTC 45 mins
    Pejman Pourmousa, Vice President, Services, Veracode and Amy DeMartine, Research Director, Forrester Research
    The most important function of an application security program is effectively fixing flaws once they’re discovered. But the speed of that fix rate matters — the time it takes for attackers to come up with exploits for newly discovered vulnerabilities is measured in days, and sometimes hours. Yet our most recent State of Software Security report found that one in four high and very high severity flaws aren’t addressed within 290 days of discovery.

    Improving your fix rate is critical, but the sheer volume of vulnerabilities present in most organizations’ application portfolios makes it necessary for them to make daily tradeoffs between security, practicality, and speed.

    This might seem like an insurmountable problem, but our data also presents hopeful glimpses at potential prioritization and software development methods that could help organizations reduce risk more quickly. In this session, we’ll share some steps and best practices that will start lowering your fix rate.

    This webinar is part of the "Your AppSec Game Plan" Veracode Summit.

    About the speakers:
    Pejman Pourmousa is Vice President of Services at Veracode, where he is responsible for the successful adoption of Veracode’s solutions by its customers. He has spent the last seven years building cohesive teams that help customers develop, deploy and mature their App Sec programs. Using his depth of experience, he guides top leaders of organizations on how to realize the potential of their application security programs. Pejman has spent the entirety of his career in the area of services management and delivery specifically around Compliance, Risk and Security.

    Amy DeMartine is the Research Director at Forrester Research and helps security, risk professionals transform their current software, and application security practices to support continuous delivery and improvement, focusing on strong partnerships with application development, operations, and business teams.
  • Shifting Security Right: Know What You Own Jul 17 2019 7:00 pm UTC 45 mins
    Bipin Mistry, Director of Product Management, Veracode
    It’s more common that you would imagine that organizations and brands have more web apps than they realize. In fact, our customers often find roughly 30 percent more applications than they knew about. With one project we worked on for a high street bank in the UK, we discovered 1,800 website that had yet to be logged.

    There are a number of reasons unknown or unlogged web applications continue to live in your portfolio. For example, through M&A activity, more than just a company or brand is acquired – you also acquire their web assets. Further, the digital landscape is decorated with marketing promotional sites meant to attract attention. And the very thing meant to draw attention to your brand and boost your bottom line is the same target attackers go after to infiltrate your organization.

    Join this session, part of the "Your AppSec Game Plan" Veracode Summit, to learn how to uncover unknown web applications in your portfolio to ensure their security from cyberattackers.

    About the speaker:
    Bipin Mistry is Director of Product Management for WAS product line. Prior to joining CA/Veracode he was VP Product Management for NEC/Netcracker in their SDN/NFV and Security business unit. At NEC/Netcracker Bipin’s primary focus is to develop solutions and architectures specifically mapped to NFV/SDN and Orchestration. He has over 28 years expertise in Security, Software Architectures, Mobile and Core Networking Technologies, Product Management, Marketing, Engineering and Sales. Prior to joining NEC/Netcracker Bipin was VP President of Product Management for a security startup in the field of DDoS analysis and mitigation. Bipin has also held architectural and management roles at both Juniper Networks (Chief Mobile Architect) and Cisco Systems (Sr. Director of SP Architecture).

    Bipin lives Shrewsbury MA with his wife and 2 children. In his spare time, Bipin is a keen runner and is currently attempting to learn Spanish.
  • Practical Steps to Start Using Open Source Code More Securely Jul 17 2019 6:00 pm UTC 45 mins
    Javier Perez, Director of Product Management, Veracode
    Open source frameworks have changed the business world in profound ways. They’ve ushered in a level of speed, innovation, and convenience that significantly alters the IT equation. With large numbers of developers and others contributing to a project, it’s possible to advance and evolve software in ways that wouldn’t have been imaginable in the past. What’s more, this form of open collaboration benefits everyone by making software available at a lower cost point — and sometimes even at no cost.

    Make no mistake, open source software libraries are here to stay – and they can introduce new and sometimes dangerous risks to an enterprise. The use of open source code increases the number of users affected as well as the number of exposure points. It’s vital to have a strategy and framework in place to manage open source libraries and components. Otherwise, the road to digital transformation will likely be paved with frustrations, problems, and even failures.
    Open source software risks revolve around three key areas: visibility, security, and governance.

    In this session, part of the overall "Your AppSec Game Plan" Veracode Summit, we will help you understand these factors and how to formulate a stronger cybersecurity strategy that protects you from open source risk.
  • Steps to Creating Security Champions on your Development Team Jul 17 2019 5:00 pm UTC 45 mins
    Ryan O'Boyle, Manager, Product Security, Veracode
    One of the most powerful things an organization can do to improve its security posture is to cultivate security-mindedness in its developers. Security and development teams often feel at odds with one another and yet they share a common goal: to put quality code into production. Bringing these teams into closer contact gives them a deeper understanding of each other’s pressures, priorities, and processes.

    Developers are well-positioned to address application security. By designing applications with security in mind, and finding and fixing flaws early in the software development lifecycle, developers shift security left. In doing so they both lighten the burden on the security team and reduce unplanned work for themselves down the road.

    An interested developer—given the right direction, encouragement, and tools—can become an effective security champion.

    Join this session to learn how to identify the right developers for this role and how to best train and support them over time. Your security champions will advocate for security as a non-negotiable component of code quality and in turn foster security-mindedness in their peers, amplifying security knowledge across the organization.

    This session is part of the "Your AppSec Game Plan" Veracode Summit

    About the speaker:
    Ryan O’Boyle is a Principal Security Researcher at Veracode, and a certified ScrumMaster. Prior to joining Veracode, he helped create the internal penetration testing team at Fidelity Investments, where he was focused not only on finding vulnerabilities but helping engineers fix them and avoid them altogether.
  • Which AppSec Testing Type is Right for You? Jul 17 2019 4:00 pm UTC 45 mins
    Chris Kirsch, Director Product Marketing, Veracode
    Although there are a variety of application security technologies, there is no silver bullet. You need to gather the strengths of multiple analysis techniques along the entire application lifetime — from development to testing to production — to drive down application risk. Each testing type, from static to dynamic to software composition analysis and manual pen testing, has different strengths and weaknesses and are better in different scenarios, but you won’t be effective without taking advantage of them all.

    Join this session, part of the "Your AppSec Game Plan" Veracode Summit, to understand the strengths and weaknesses of the different AppSec testing types, how they work together, and how to get started.

    About the speaker:
    Chris Kirsch works on the products team at Veracode and has 22 years of experience in security, particularly in the areas of application security testing, security assessments, incident response, and cryptography. Previously, he managed Metasploit and incident response solutions at Rapid7 and held similar positions at Thales e-Security and PGP Corporation. He is the winner of the Social Engineering CTF Black Badge competition at DEF CON 25.
  • Shifting Security Left: Where to Start Jul 17 2019 3:00 pm UTC 45 mins
    Chris Wysopal, CTO, Veracode
    The demands of modern software development and the rise of DevOps are shifting security left into the early phases of the development lifecycle. Companies that navigate this significant cultural, organizational, and technological change well are outpacing their competitors. But where to begin?

    In this session, we will describe five essential steps for shifting security left:

    1) Make security autonomous from day one.
    2) Integrate as you code.
    3) Avoid false alarms.
    4) Create security champions.
    5) Maintain operational visibility.

    Equipped with this guidance you can begin to make the changes that will transform application security into a responsibility that is shared by development and security and that continues once applications are in production and operation. By shifting security left, you unburden your security team, empower your developers to write better code from the start, and deliver stronger, better applications than your competitors.

    This is part of the "Your AppSec Game Plan" Summit

    About the speaker:
    Chris Wysopal is Chief Technology Officer at Veracode. He oversees technology strategy and information security. Prior to co-founding Veracode in 2006 Veracode, Chris was vice president of research and development at security consultancy @stake, which was acquired by Symantec.

    In the 1990’s, Chris was one of the original vulnerability researchers at The L0pht, a hacker think tank, where he was one of the first to publicize the risks of insecure software. He has testified to the US Congress on the subjects of government security and how vulnerabilities are discovered in software.

    Chris received a BS in computer and systems engineering from Rensselaer Polytechnic Institute. He is the author of The Art of Software Security Testing.

    Chris is often called upon to download the latest Minecraft mods for his 6-year-old son. An avid photographer and nature-lover, Chris spends his free time hiking the many conservation trails near his home outside Boston.
  • Sécurisation des applications et des conteneurs Docker avec Veracode Jun 27 2019 9:00 am UTC 45 mins
    Nabil Bousselham, Solution Architect at Veracode
    La conteneurisation des logiciels aide les entreprises à modifier complètement la manière dont les applications sont déployées pour répondre aux exigences des clients. La technologie a le potentiel de réduire radicalement le coût de possession des capacités et confère un pouvoir énorme aux ingénieurs de DevOps.

    Ces avantages changent également la nature de la manière dont le risque doit être traité dans le cycle de développement. L’application logicielle doit non seulement respecter les normes de sécurité de l’organisation dans le conteneur Docker, mais également l’image de base doit être exempte de vulnérabilités exploitables.

    Dans ce webinaire, je voudrais bien vous montrer les challenges de sécurité liées á l’utilisation des librairies tierces open source dans les applications et les conteneurs Docker. Je vais aussi vous présenter comment Veracode peut vous aider á les sécuriser.
  • Secure By Design: Internet of Things Jun 25 2019 10:00 am UTC 45 mins
    Fulya Sengil, Solution Architect & Adam Reyland, Regional Marketing Specialist at Veracode
    Many commentators observe that the IoT devices just aren’t up to scratch, when it comes to security. GDPR requires vendors to and service providers to design things with security as standard. In February 2019, the European Standards body ETSI published security guidelines for the consumer Internet of Things aligning with IOT Security Compliance Framework.

    IoT requires the best in all aspects of security — physical, operational technology, and cybersecurity. Thus, it makes sense to envisage IoT security as an ecosystem in itself. Unexpected challenges are likely to erupt because of the existence of several layers in the IoT ecosystem. This calls upon leaders to initiate regular automated risk assessments and simulations such that IoT specific breaches can be monitored closely. This helps businesses build reliable playbooks that enable organizations to respond to IoT security challenges.

    Software installed on these devices could be potentially vulnerable, if it has not an automated security assessment before deployment. We take a look at how it’s possible to make the software that drives these devices and the backend serverless technologies secure based on requirements in IOT Security Compliance Framework.
  • Integrating AppSec into Developer Tools and Processes Recorded: Jun 19 2019 51 mins
    Tim Jarrett, Product Management at Veracode
    Securing code during development increases speed to market and reduces cost – but developers can resist security testing if it’s disruptive to their workflow. That’s why planning your application security program with developer tools and processes in mind often means the difference between success and failure. This session will help you understand how, where, and when application security fits into a modern development organization.

    Key Takeaways:
    •Learn how to make security invisible, automate security checkpoints and integrate with popular tools like IDEs, ticketing, bug tracking, and build systems.
    •Scan as early as possible in the Software Lifecycle, as early as when code is written in an IDE.
    •How to proactively approach open source code your developers are using.
  • Securing the Sugar out of Azure DevOps Pipeline Recorded: Jun 19 2019 43 mins
    Colin Domoney DevSecOps Consultant at Veracode
    This webinar will provide a comprehensive look at the security features of the Azure DevOps CD/CD platform. The topics include built-in security features such as user access controls and branch policies; and an overview of best practice for the incorporation of various 3rd party security tooling such as Veracode Greenlight within your pipeline.

    Other topics include best practices for pipeline telemetry, reporting, pipeline protection and templates for security best practices. Whether you are a software developer using Azure DevOps, a security manager or a DevOps expert this webinar should further enhance your expertise in secure software delivery with Azure DevOps.

    Register for this live webinar where Colin Domoney - DevSecOps Consultant at Veracode - will leave you with a clear understanding of how to Secure your DevOps Pipeline.
  • If Developers Own Security Testing in DevOps - What is Security's Role? Recorded: Jun 19 2019 42 mins
    Chris Wysopal, CTO at Veracode
    Application security is “shifting left.” As the responsibility for ensuring the stability and security of software shifts to developers, what does this mean for security professionals? What does their job look like if developers are responsible for security testing?

    •What the security professional’s role and responsibilities look like in a DevSecOps shop
    •The DevSecOps cultural changes that will affect security
    •The attributes that security tools will need in this new landscape
    •Best practices for security professionals looking to not only survive, but thrive, in a DevSecOps world
  • The State of DevSecOps - Featuring Amy DeMartine of Forrester Research Recorded: Jun 19 2019 56 mins
    Chris Eng, Veracode Vice President of Research and guest, Forrester Research Principal Analyst Amy DeMartine
    In our recent State of Software Security Volume 9 report, Veracode examined fix rates across 2 trillion lines of code shows that the number of vulnerable applications remains staggeringly high. More than 85 percent of all applications contain at least one vulnerability following the first scan, and more than 13 percent of applications contain at least one very high severity flaw.

    One thing is certain: the sheer volume of vulnerabilities present in most organizations’ application portfolios makes it necessary for them to make daily tradeoffs between security, practicality, and speed.

    There are just too many vulnerabilities for organizations to tackle all at once, which means it requires smart prioritization to close the riskiest vulnerabilities first. For the first time, our report shows a very strong correlation between high rates of security scanning and lower long-term application risks, which we believe presents a significant piece of evidence for the efficacy of DevSecOps. In fact, the most active DevSecOps programs fix flaws more than 11.5 times faster than the typical organization, due to ongoing security checks during continuous delivery of software builds, largely the result of increased code scanning.

    Join guest presenter Amy DeMartine, Principal Analyst, Forrester Research Inc., and Veracode’s Chris Eng as they deliver valuable takeaways for business leaders, security practitioners and development teams seeking to secure their applications. Listeners will learn potential prioritizations and software development methods that could help their organizations reduce risk more quickly.
  • Panel: How Your Company Can Move From Understanding DevSecOps to Implementing It Recorded: Jun 18 2019 49 mins
    Chris Wysopal, Veracode | Paul Keim, Cox Communications | Pejman Pourmousa, Veracode
    All our preceding sessions have described the key elements of a shift to DevSecOps. Now get practical tips, best practices and next steps on migrating to DevSecOps from our panel of experts. During this session, we will continue the conversation in an open discussion format and break for audience Q&A.

    Bring your questions and get ready to contribute your thoughts and ideas during this “ask the experts” session.

    Chris Wysopal - Chief Technology Officer - Veracode
    Paul Keim - Senior Security Architect - Cox Communications
    Pejman Pourmousa - Vice President, Services - Veracode
  • Integrating App Security Policies into a DevOps World Recorded: Jun 18 2019 39 mins
    Pejman Pourmousa, VP, Services at Veracode
    Securing code during development increases speed to market and reduces cost – but developers can resist security testing if it’s disruptive to their workflow. That’s why planning your application security program with developer tools and processes in mind often means the difference between success and failure. This session will help you understand how, where, and when application security fits into a modern development organization.

    Key Takeaways:
    •Learn how to make security invisible, automate security checkpoints and integrate with popular tools like IDEs, ticketing, bug tracking, and build systems.
    •Scan as early as possible in the Software Lifecycle, as early as when code is written in an IDE.
    •How to proactively approach open source code your developers are using.
  • DevSecOps Beyond the Myths: Cutting Through the Hype and Doubt to Get Results Recorded: Jun 18 2019 34 mins
    Sam King, CEO at Veracode
    DevSecOps is moving beyond the buzzword stage and into the real world. But there are obstacles standing in the way of widespread adoption. Perhaps the biggest obstacle is a lack of understanding about what DevSecOps is, which can discourage IT leaders, developers, and security teams who fear that it is a bridge too far to cross from DevOps, let alone Waterfall and Agile methodologies. Despite these myths and doubts, DevSecOps is producing real results in organizations that embrace it. For example, Veracode’s analysis of thousands of application scans found that applications scanned for security flaws early in the development process had a 48% higher fix rate (reduction in flaws) than other applications.

    In this keynote address, Veracode General Manager Sam King will introduce the concepts of DevSecOps that will form the basis of this virtual summit. Sam will discuss:

    -A simple definition of what DevSecOps is, beyond the hype and the myths, and why it holds promise for bringing together the assurances of AppSec with the speed and agility of DevOps

    -Why the evidence says that DevSecOps is attainable in the real world – how Veracode scanning data shows that there is a genuine shift to DevOps and DevSecOps happening, one step at a time.

    -Overview of the challenges that stand in the way – cultural, process, and technological – and how best practices can break down barriers to change.

    -Welcome to speakers and setting the stage for what you should expect and come away with from the event.
  • Asegurar Aplicaciones y Contenedores Docker con Veracode Recorded: Jun 13 2019 42 mins
    Antonio Reche, Solution Architect at Veracode
    La contenedores de software están ayudando a las empresas a cambiar completamente la forma en que se implementan las aplicaciones para satisfacer las demandas del negocio. La tecnología tiene el potencial de reducir radicalmente costes, dando una enorme responsabilidad a los equipos e ingenieros DevOps.

    Estos beneficios también cambian la naturaleza de los riesgos y cómo deben abordarse en el ciclo de vida del desarrollo. Las aplicaciones no solo deben cumplir con los estándares de seguridad en el contenedor Docker, sino que además deben garantizar estar libres de vulnerabilidades explotables.

    Únase a Antonio Reche - Solution Architect en Veracode – en este seminario web en vivo en el que se tratarán diferentes enfoques en el uso seguro de contenedores.
  • Advancing and Maturing your Application Security Program with Veracode Recorded: Jun 12 2019 44 mins
    Brad Smith, Veracode Principal Security Program Manager
    A mature application security program might seem intimidating to some organizations. The good news is that you only need to start small, keep things simple, and prove value before you mature your program over time. Hear from one of our customer-facing Services experts who will outline a series of steps you can take when developing an application security program. Specifically you will learn how to:

    1.Define your program and communicate the mission internally
    2.Assess applications and start remediation efforts before moving on to advanced testing methods and metrics analysis
    3.Implement fully automated scanning earlier in the SDLC and implement metrics to measure program success

    Based on first-hand customer interactions, you will come away with tips on how to build security assessments into the development process – making the path to maturity less daunting.
  • Mit Veracode Anwendungen und Docker-Container Sicher Machen Recorded: Jun 11 2019 45 mins
    Julian Totzek Hallhuber, Solution Architect at Veracode
    Durch die Containerisierung von Software können Unternehmen die Art und Weise ändern, wie Anwendungen eingesetzt werden, um die Anforderungen des Unternehmens zu erfüllen. Die Technologie hat das Potenzial, die Betriebskosten radikal zu senken, und gibt dem DevOps-Ingenieur enorme Möglichkeiten.

    Diese Vorteile ändern auch die Art und Weise, wie Risiken im Entwicklungslebenszyklus angegangen werden müssen. Die Softwareanwendung muss nicht nur den Sicherheitsstandards der Organisation innerhalb des Docker-Containers erfüllen, sondern auch das Basis-Image muss frei von ausnutzbaren Schwachstellen sein.

    Nehmen Sie an diesem Live-Webinar mit Julian Totzek - Hallhuber - Solution Architect bei Veracode - teil, in welchem Sie Ansätze erklären, die die sichere Verwendung von Containern in Pipelines umfassen.
  • Ask the AppSec Expert: How to Secure the Applications you Build, Buy & Manage Recorded: Jun 6 2019 13 mins
    Paul Farrington, Veracode | Yotam Gutman, Cybersecurity Marketing Community
    Tomorrow's businesses need a simpler and more scalable way to increase the resiliency of global application infrastructure, without slowing innovation, today.

    Join this interactive 1-2-1 discussion where EMEA Chief Technology Officer, Paul Farrington (CISSP, MBCS) will share how leading businesses are;

    - Improving the level of security awareness and addressing the skills deficit
    - Enabling developers to fix flaws and prevent new ones
    - Prioritising and triaging the most exploitable flaws
    - Automating application security
    - Providing software development leaders with really useful security metrics
    - Incentivising secure development as part of their culture

    This session will show you how architects and developers are making smarter choices in designing secure software. You will also learn how to report success, and investment justification, to the board whilst setting realistic expectations throughout the software development lifecycle and not just at the destination.
  • Livestream Video - Application Security in a DevOps World Recorded: Jun 6 2019 37 mins
    Keith Batterham, DevSecOps Evangelist | Moshe Lerner, Checkmarx | Paul Farrington, Veracode | Yotam Gutman
    With today's enterprises leveraging around 1000 applications and multiple clouds, application security is becoming a key area of focus. Application security testing is being integrated into the DevOps process early on, while automation, speed and coverage and becoming critical to the success of DevSecOps programs.

    Join this interactive panel of industry experts to learn more about:
    - Why application security is critical
    - Key principles for building application security into DevOps
    - Best practices for leveraging automation
    - Speed vs Security: Where do you draw the line?
    - Recommendations for improving security in 2019

    Paul Farrington, EMEA CTO, Veracode
    Keith Batterham, CTO - CISO - DevSecOps Evangelist
    Moshe Lerner, SVP Product Strategy & Corporate Development, Checkmarx

    Moderated by Yotam Gutman, Founder & Community Manager, Cybersecurity Marketing Community
Cloud-Based Application Security
Veracode delivers the most widely used cloud-based platform for securing web, mobile, legacy and third-party enterprise applications. By identifying critical application-layer threats before cyber-attackers can find and exploit them, Veracode helps enterprises deliver innovation to market faster — without sacrificing security.

Embed in website or blog

Successfully added emails: 0
Remove all
  • Title: Introducing Veracode DevOps Penetration Testing
  • Live at: Jun 5 2019 3:00 pm
  • Presented by: Tom Eston, Manager, Penetration Testing at Veracode
  • From:
Your email has been sent.
or close