Although there are a variety of application security technologies, there is no silver bullet. You need to combine the strengths of multiple analysis techniques along the entire application lifetime — from development to testing to production — to drive down application risk. Each testing type, from static to dynamic to software composition analysis and manual pen testing, has different strengths and weaknesses and is better suited to different scenarios, but you won’t be effective without taking advantage of them all.
Join this session to understand the strengths and weaknesses of the different AppSec testing types, how they work together, and how to get started.
About the speaker:
Chris Kirsch works on the products team at Veracode and has 22 years of experience in security, particularly in the areas of application security testing, security assessments, incident response, and cryptography. Previously, he managed Metasploit and incident response solutions at Rapid7 and held similar positions at Thales e-Security and PGP Corporation. He is the winner of the Social Engineering CTF Black Badge competition at DEF CON 25.
This session is part of Veracode's "Your AppSec Game Plan" Summit.
Recorded Jul 17 2019, 43 mins
Paul Farrington, EMEA CTO at Veracode | Calvin Mills, Software Engineer | Jamie Keegan, QA Test Lead
What if I told you that you could improve the rate at which you fix your security issues up to 88% faster, without spending money on expensive consultants or blinky lights. 'Security Champions' could be the answer.
Gartner predicts 3.4 million unfilled security roles by 2022 - simply because there is not enough expertise. DevOps teams in particular are leading the way in identifying Security Champions to help promote secure coding and reduce friction within teams. Rather than relying exclusively on a centralised security team, which can’t scale, we can go faster by nurturing security advocates in each development team. We talk about how to harness the existing talent in your teams and provide insights into how you can force-multiply the effect of security across your organisation, in a way that is likely to be received positively by your development teams.
Metrics — or perhaps more accurately, the right metrics — are crucial for understanding what’s really happening in your AppSec program. They serve a dual purpose: They demonstrate where your organization is at but also show what progress it’s making in achieving its objectives.
Join this session to get our advice on what to measure in your AppSec program, and how to measure it. We’ll cover measuring your compliance against your own internal AppSec policy, your scan activity, flaw prevalence, and time to resolve.
We consistently come across organizations that think they can check the AppSec box if they’re scanning their code, or who are quantifying success by how many scans they can run a day, rather than by how many flaws they were able to fix. Unfortunately, you can’t scan your way to secure code.
This session will walk you through three critical steps an organization must take beyond scanning to develop more secure code: educating your developers so they learn secure coding skills, fixing the vulnerable code that’s found, and scaling the AppSec program to cover your entire application landscape.
Tim Jarrett, Senior Director of Product Management, Veracode
Development teams’ biggest fear when they hear their organization will enact an application security assessment program is that their development efforts will be slowed down. This team can be the biggest barrier to the success of the program because if they don’t follow the protocol set forth by the program plan, the security team will be unable to demonstrate the value of the plan.
Join this session to get our tips on getting developer buy-in for your AppSec program, including implementing the right tools, establishing training on secure coding, and developing a security champions program.
Brad Smith, Senior Principal Security Program Manager, Veracode
A mature application security program might seem intimidating to some organizations. But it’s important to remember that there are an established series of steps most organizations take when developing an application security program. The keys are to start small, have clear goals, keep things simple, prove the value, and then mature the program over time.
We’ve worked with numerous companies on their path from zero AppSec to a mature, comprehensive program. To shed light on how to get started with application security, and on what good looks like, this session will outline the first steps most of our customers take to develop a mature application security program.
How can you demonstrate the value of adopting or expanding your organization’s AppSec program when there’s a growing need for all types of cybersecurity, as well as intense competition for your critical tech budget? Simply put, you must convince decision-makers that your program — and their money — will lead to better business outcomes, a higher level of efficiency, lower costs, and improved return on investment (ROI).
Attend this session to get tips and best practices on making the case for AppSec to your senior leadership team.
Julian Totzek-Hallhuber, Solution Architect at Veracode & Andy Powell, Partner Solution Architect at AWS
If you’re leveraging AWS, there’s a very good chance that you are considering how to embrace AWS’s breadth of services designed to enable developers and IT operations professionals practicing DevOps to rapidly and safely deliver software. We provide examples of how to accelerate your development in AWS, whilst offering insights into how you can make your code secure with Veracode. Automation all the way.
Julian Totzek-Hallhuber, Solution Architect at Veracode
Although there are many different AppSec testing methods, there is no single “right” one. Rather, it is about combining the strengths of the various analysis techniques across the entire application lifecycle, from development through to production, to minimize risk. Each method, whether static analysis, dynamic analysis, software composition analysis or manual penetration testing, has its own strengths and weaknesses, suits different scenarios, and is most effective in combination with all the other methods.
Join this webinar to learn the strengths and weaknesses of the different AppSec testing methods, how they work together best, and how you can get started with AppSec testing.
Web applications remain hackers’ primary attack vector. That is why many companies are adopting dynamic application security testing (DAST) solutions to validate the security of their applications, whether they are still in development or already in production.
Dynamic analysis is an important component of a mature application security program, because this technique makes it easier to detect various types of vulnerabilities, notably information leakage, cryptographic issues and cross-site scripting vulnerabilities.
In this webinar, we will show you how Veracode WAS (Web Application Security) helps you address four major challenges in this area and secure your web perimeter at scale:
Discovery: Discover all the web applications associated with your organization, even those you did not build in-house, to create a complete inventory of your web perimeter.
Scalability: Analyze tens, hundreds or thousands of your organization’s websites at once, whether authenticated or unauthenticated.
Speed: Get high-quality results quickly and intelligently.
Automation and integration: Scans that run automatically and integrate with existing processes and tools let your security and development teams build DAST testing into their SDLC.
Application security is more than breach avoidance - it can be your competitive differentiator. The sobering threat of data breaches has raised concern within organizations around the software running in their environments and touching their businesses. Software vendors who can prove that their applications will not leave their customers open to attack can claim a competitive advantage.
Attend this upcoming webinar, and hear Veracode experts share insights into how enterprises are using security to drive business growth from within. Specifically you will learn how security can drive revenue growth through:
Tom Eston, Manager, Penetration Testing at Veracode & Jamie Rougvie, Principal Penetration Tester, Veracode
DevOps can be challenging for many organizations when thinking about all the different areas of the DevOps process that require security testing. Organizations that begin to “shift left” often find significant gaps in the security of infrastructure and operational components that are now integrated into the development process. Many of the technologies being used in DevOps are also very new to most organizations and are only recently starting to become “mainstream”. Containers like Docker, orchestration technology like Kubernetes, cloud storage like Amazon S3 and MongoDB instances, not to mention existing cloud infrastructure, can all be misconfigured or have vulnerabilities, and such issues have led to countless data leaks and breaches in the news. But we can’t forget about the developers either. What can be found being discussed on GitHub, Stack Overflow or other online sources about your applications through Open Source Intelligence (OSINT)? While there is no question that automating security testing in your DevOps process is a requirement, there is still a need for penetration testing, which provides more than just finding and exploiting vulnerabilities, but also a look into the attacker perspective.
In this webinar you’ll learn about:
• The challenges organizations face when “shifting left” from a security testing perspective
• How vulnerabilities in DevOps infrastructure, operations, and the developers themselves are leveraged by attackers to compromise applications
• How Veracode’s DevOps Penetration Testing offering can be part of your DevOps process for security testing and compliance
Fulya Sengil, Solution Architect & Adam Reyland, Regional Marketing Specialist at Veracode
Serverless code is dramatically changing how teams think about deploying software. The economics of Serverless has transformed how functionality can be leveraged to serve the customer. Of course, whilst code survives at run time, it needs to be secure - especially when dealing with user input from the outside world. We discuss how you can keep your Lambdas absolutely mint, free from vulnerabilities with Veracode.
Join this webinar to...
- Understand the security challenges in building and deploying serverless architecture in production.
- Learn how to use and secure a python/nodejs based project
- See the impact of uncovering new, previously unreported security issues in 1st and 3rd party components.
Javier Perez, Director, Product Management, Veracode
Open source code is everywhere, helping developers deliver code quickly and efficiently. All software innovations are happening in open source, from Artificial Intelligence to Augmented Reality and Cryptocurrencies. But, if those open source components are insecure, the result can be a catastrophic data breach. To prevent this from happening, companies are turning to Software Composition Analysis (SCA) solutions to identify vulnerabilities in the open source libraries they’re using.
Join Veracode to learn how your development teams can easily identify open source libraries in use, their vulnerabilities, licenses, and risks to their applications – helping you protect both your applications and customer data. Want to learn more about the new Veracode product? Register today!
Chris Wysopal, Chief Technology Officer and Co-Founder at Veracode
With the financial industry issuing regulations addressing cybersecurity and information security controls, companies are increasingly holding their software vendors accountable for meeting standard application security policies. However, many of these organizations are still dealing with manual processes and arduous penetration testing. This results in minimal documentation against these regulations - putting them and their suppliers at risk of noncompliance, and worse, of breach.
Hear Chris Wysopal, Chief Technology Officer and Co-Founder at Veracode provide tips on how to navigate key financial compliance requirements and regulations through application security and secure development. Some of his discussion points will include:
• The impact of recent major regulations – the EU General Data Protection Regulation (EU GDPR) and NY State Department of Financial Services (NY DFS) Cybersecurity Regulations – on application security standards and secure development practices
• How to get started with secure development practices in order to effectively navigate these requirements
• How to build a software development process that has continuous security, is measurable, and is transparent
Metrics are critical for measuring and expanding an application security program. However, executives don't always want to see a slew of complicated charts and graphs - they want one simple number that answers, in a nutshell, is this program working?
Join us for a webinar with Anne Nielsen, Sr. Product Manager, Reporting & Strategy at Veracode, as we discuss our metric recommendation and dive into reporting best practices and tips for success.
Brad Smith, Sr. Principal Security Program Manager, Veracode
The path to a secure software development environment may seem like an intimidating one, but there’s no reason to fret. There’s no shame in starting small and simple – after all, you need to prove value before you can mature your program over time. But what concrete steps can you take to get to a mature state of software security?
Join Veracode Senior Principal Security Program expert Brad Smith to learn a 30 - 60 - 90 day approach to getting your secure development initiatives into shape.
Hear DevSecOps experts with first-hand knowledge and experience in building and expanding enterprise-wide application security programs. During the session we will show how to engage with your company’s managers and executives to expand your application security program. Specifically, we will share best practices for gaining stakeholder buy-in, tips for identifying measurable indicators/KPIs, and examples of how other companies have successfully made the transition from basic application security to a fully mature, integrated and automated program.
Bipin Mistry, Director Product Management at Veracode & Adam Reyland, Regional Marketing Specialist at Veracode
Picture the scene - your CEO observes the latest headlines about a competitor being breached. A single text message comes into the inbox of the person most likely to be able to answer the question: ‘Tell me, Joe, this couldn’t happen to us, are all our sites secure?’ Learn how any team could look an Exec in the eye, knowing that they’ve scanned multiple websites in parallel, without breaking their stride.
Join this live webinar to learn...
- How to discover your external facing inventory
- How to take that information and determine a risk assessment
- Why scale, speed and automation are key
Nabil Bousselham, Solution Architect at Veracode and Mauro Verderosa, Founder & CEO of PSYND
As organisations demand better, faster, and more efficient software, developers are scrambling to keep up and are often turning towards vulnerable open source code components – a practical solution, but one that can put your company at risk to cyber-attacks.
Open source software risks revolve around three key areas: visibility, security, and governance. In this session we will help you understand these factors and how to formulate a stronger cybersecurity strategy that protects you from open source risk.
Join us for this live webinar where we will be joined by Swiss technology partner PSYND to learn how Veracode can help you gain visibility of open source risk and formulate a stronger cybersecurity strategy that protects you from related cyber attacks. PSYND will present real-life examples and use cases which illustrate just how important it is for organisations to secure their code.
Pejman Pourmousa, Vice President, Services, Veracode and Amy DeMartine, Research Director, Forrester Research
The most important function of an application security program is effectively fixing flaws once they’re discovered. But the speed of that fix rate matters — the time it takes for attackers to come up with exploits for newly discovered vulnerabilities is measured in days, and sometimes hours. Yet our most recent State of Software Security report found that one in four high and very high severity flaws aren’t addressed within 290 days of discovery.
Improving your fix rate is critical, but the sheer volume of vulnerabilities present in most organizations’ application portfolios makes it necessary for them to make daily tradeoffs between security, practicality, and speed.
This might seem like an insurmountable problem, but our data also presents hopeful glimpses at potential prioritization and software development methods that could help organizations reduce risk more quickly. In this session, we’ll share some steps and best practices that will start improving your fix rate.
This session is part of Veracode's "Your AppSec Game Plan" Summit.
Veracode delivers the most widely used cloud-based platform for securing web, mobile, legacy and third-party enterprise applications. By identifying critical application-layer threats before cyber-attackers can find and exploit them, Veracode helps enterprises deliver innovation to market faster — without sacrificing security.