What Our Data Tells Us About Open Source Risk: And How to Address It

Our research for this year’s State of Software Security v11 report found that almost a third of applications have more security findings in their third-party libraries than in their first-party code. Bottom line: If you are only assessing the security of your first-party code, your attack surface is much bigger than you think. But how can you realistically address the security of so much code you didn’t write in-house? Attend this session with Brittany O’Shea, Veracode senior product marketing manager, to hear more about our data on open source risk, and how to address it.

You’ll learn:
• What our new data reveals about the extent and the security of third-party code in modern applications
• Best practices surrounding identifying security vulnerabilities in open source libraries
• Realistic and practical ways to address the problem of open source risk

Interested in learning more about the findings from this year's SOSS report?
Tune into sessions from this year's Hot SOSS virtual summit: https://www.veracode.com/hot-soss-virtual-summit
Recorded Jan 12 2021 20 mins
Presented by
Brittany O’Shea, Veracode Senior Product Marketing Manager
  • German Webinar - State of Software Security v11: The Nature vs Nurture of AppSec Mar 10 2021 9:00 am UTC 60 mins
    Julian Totzek-Hallhuber, Solution Architect at Veracode
    Most applications have vulnerabilities. Our analysis for this year's annual State of Software Security report found that 76 percent of 130,000 apps had at least one security flaw. In addition, half of security findings are still open 6 months after discovery. Our research uncovered some surprising, and promising, data on ways to "nurture" the security of your applications even when their "nature" is less than ideal. Ultimately, we found that even in the most challenging environments, there are specific actions developers can take to improve the overall security of the application.

    This webinar will answer the following key questions:

    What leads to this state of software security? Is it nature or nurture?

    Is it the attributes of the app that the developer inherits (its security debt, its size) or the actions of the developers: how often they scan for security vulnerabilities, or how security is integrated into their processes?

    And if it is "nature", is there anything developers or security professionals can do to improve security outcomes?

    Don't miss out: register today!
  • So Many AppSec Testing Types, So Little Time Mar 9 2021 11:00 am UTC 60 mins
    Chris Campbell, Solution Architect at Veracode
    There is no AppSec silver bullet; effective AppSec requires leveraging the strengths of multiple testing types across the software lifecycle. Depending on one testing type would be like only checking your blood pressure and declaring yourself completely healthy. Each testing type (DAST, SAST, SCA, pen testing) has a role to play and detects different vulnerabilities. For instance, we recently reported that almost one-third of all our customers’ applications have more security findings in third-party libraries than in the native code base. Bottom line: relying only on static analysis and neglecting software composition analysis leaves you exposed. At the same time, juggling multiple vendors is a challenge. A recent ESG survey found that 72 percent of respondents are using more than 10 AppSec tools, leading to excessive time spent managing tools and a reduction in the effectiveness of the program.
    How can you most effectively manage a variety of AppSec testing types?

    Join this session to find out:

    • Why you need multiple AppSec testing types
    • The strengths of each testing type
    • The benefits of seeing results from all testing types in one place
  • How Are You Fixing the Security Flaws You Find? Mar 4 2021 2:00 pm UTC 60 mins
    Jason Lane, Product Marketing Manager at Veracode
    When it comes to software, developers are really the only ones in an organization who can fix the vulnerabilities in their code. Yet developers often don’t have the training they need to identify or remediate vulnerabilities and to code securely to reduce the number of vulnerabilities found in production. In addition, security teams often don't have the bandwidth or expertise to teach them. The result is an ever-growing mountain of security debt. Efforts to train developers to help solve this problem are often thwarted because content is too long, irrelevant to an organization's tech stack, or the learning approach is not engaging.
    Join this session to find out:
    • Why developers need training on secure coding
    • Best practices in secure coding training
    • How Veracode Security Labs works
  • State of Software Security v11: Nature vs Nurture in AppSec Feb 24 2021 10:00 am UTC 45 mins
    Antonio Reche, Solution Architect at Veracode
    Most applications have vulnerabilities. This year's annual State of Software Security report found that among 130,000 applications, 76 percent had at least one security flaw. In addition, half of security findings remain open 6 months after detection. Our research uncovered some surprising and promising data about the security of your applications, even if their "nature" is less than ideal. Ultimately, we found that even in the most challenging environments, there are specific actions developers can take to help improve the overall security of the application.

    During this session, the key questions we aim to answer will include:

    What leads to this state of software security? Is it nature or nurture?

    Is it the attributes of the application that the developer inherits (its security debt, its size) or the actions of the developers (how frequently they scan for security, or how security is integrated into their processes)?

    And if it is a matter of "nature", is there anything developers or security professionals can do to improve security outcomes?

    Don't miss the opportunity: register today!
  • How Much Open Source Code Is in Your Software? It’s More Than You Think Feb 4 2021 2:00 pm UTC 60 mins
    Brittany O'Shea, Product Marketing Manager at Veracode
    Developers are being asked to push out more software, and in shorter periods of time, than ever before. In turn, they are increasingly relying on open source libraries, which allow them to add functionality to their code without having to build it from scratch. As a result, software today is rarely completely made of first-party code, and is more often “assembled” from other sources. In fact, our most recent State of Software Security report found that a typical Java application is made up of 97 percent open source code. And that open source code is leaving organizations vulnerable to cyberattacks. Our State of Software Security: Open Source Edition report found that 70 percent of applications have a security flaw in an open source library. However, simply using open source libraries isn’t a security threat to the business. The real problem is not knowing that what you’re using contains vulnerabilities and that they’re exploitable in your application. Software composition analysis solutions can help, but many are coming up short. The main challenges with current solutions are that they are based on the NVD database, which is frequently not up to date, they are hard to manage and scale, and developers are not empowered to fix security issues.

    Join this session to find out:

    • Trends in open source library use
    • Best practices in software composition analysis
    • How to continue using open source libraries without getting bogged down with security tests
  • SaaS Solutions to Improve Application Security Jan 28 2021 10:00 am UTC 60 mins
    Antonio Reche, Solution Architect at Veracode
    Companies have been forced to digitally transform their business processes. For many, it is the only way to interact with their employees and customers. As they accelerate their transformation, many are moving applications to the cloud and redefining their development toolset. As we know, this rapid transformation creates a major opportunity for cybercriminals to attack.

    So, what is the best way to protect your online revenue streams without compromising security?

    SaaS AppSec solutions were purpose-built for this rapid transformation: helping to reduce costs, providing a lower TCO (total cost of ownership) than on-premise infrastructure, and helping developers fix vulnerabilities.

    Attend this session to learn more about:

    • Leveraging the cloud so you can start protecting your applications immediately
    • How cloud-based solutions can drive collaboration and productivity for remote teams
    • Making your AppSec program effective amid the challenges of working from home
    • Scaling up, scaling down and saving money with easy integration into your SDLC
    • The benefits of Veracode's SaaS products, including minimal or no installation
  • How Can the Gov. & Education Sector Improve Its Grades in Software Sec. Health? Recorded: Jan 13 2021 23 mins
    Eric Wassenaar, Veracode Sr. Account Executive, SLED / Jason Phillips, Veracode Sr. Solution Architect
    It’s been a challenging year for several industries, including the government and education sector. Government organizations had to pivot their operations to a digital model and schools were forced to decide between hybrid or remote learning programs for their students.
    These digital transformations have made application security (AppSec) more important than ever. But, in our recent State of Software Security v11 (SOSS) report, we found that compared to other industries, the government and education sector has the highest percentage of applications with security flaws, the second-slowest fix rate, and the second-longest median time to fix flaws.

    Join us as we further examine SOSS findings pertaining to the government and education sector. We will discuss:
    • Current AppSec trends that are impacting the government and education sector.
    • Common flaw types found in the sectors’ applications.
    • Steps that organizations can take to nurture their applications and improve their security health.
  • Closing Keynote: Putting SOSS Data to Work for You Recorded: Jan 13 2021 26 mins
    Chris Eng, Veracode Chief Research Officer
    We don’t want you to just read our State of Software Security report, we want you to use it. There are a lot of powerful data points in the report that you can and should use to guide the direction of and decision-making around your application security program. Tune in to Veracode Chief Research Officer Chris Eng’s keynote at the conclusion of our two-day Virtual Summit to get a recap of the summit’s sessions and highlights of the actionable advice shared. He will cover what SOSS v11 tells us about:
    • Open source risk
    • Language’s effect on security
    • “Nurturing” the security of code with a less than ideal “nature”
    • How the choice of testing type affects security outcomes

    Interested in learning more about the findings from this year's SOSS report?
    Tune into sessions from this year's Hot SOSS virtual summit: https://www.veracode.com/hot-soss-virtual-summit
  • How Does Your Industry Compare to Others When it Comes to Software Security? Recorded: Jan 13 2021 23 mins
    Brittany O’Shea, Veracode Senior Product Marketing Manager
    Whether you’re in healthcare, retail and hospitality, financial services, manufacturing, technology, or government and education, our recent analysis for the State of Software Security (SOSS) report uncovered key differences in software security between industries and found that these differences affect how quickly flaws are addressed. For example, we found that industries with a higher scan frequency remediate flaws faster.

    Join us as we explore the software security of various industries and discuss:
    • Key factors that impact software security health.
    • Common flaw types affecting industries.
    • Proven methods to improve software security.

    Interested in learning more about the findings from this year's SOSS report?
    Tune into sessions from this year's Hot SOSS virtual summit: https://www.veracode.com/hot-soss-virtual-summit
  • Vulnerabilities Hall of Fame Recorded: Jan 13 2021 32 mins
    Tim Jarrett, Veracode Director of Product Management
    99 problems – and a bug is always one. Each year for our State of Software Security (SOSS) report we take a look at the most prominent (and problematic) flaws to see which ones are topping the charts. But we don’t just do it for the thrill; we rely on that data to understand the trends in application security, including which exploits developers like you should keep an eye on, such as:
    • Cross-Site Scripting: 75% of PHP applications have a Cross-Site Scripting flaw
    • CRLF Injections: 65% of applications are vulnerable to CRLF injection exploits
    • Code Quality: 54% of apps written in Java and .Net have code quality flaws
    In order to write more secure code and safeguard your applications against problematic threats, it’s critical that you keep a pulse on trends like these. Join this session to see the flaws that made it into our Vulnerability Hall of Fame and learn which languages they tend to impact the most so you can stay one step ahead.

    Interested in learning more about the findings from this year's SOSS report?
    Tune into sessions from this year's Hot SOSS virtual summit: https://www.veracode.com/hot-soss-virtual-summit
  • Keynote: 2020: The Year Software Took Center Stage Recorded: Jan 13 2021 26 mins
    John Smith, Director Solution Architects EMEA & APAC
    From communication and education, to commerce and healthcare — every organization, institution, agency, and corporation is transforming digitally — and the transformation has been kicked into high gear by Covid-19. With more than 50 percent of people worldwide now online, software has become the backbone of modern business and society — and one of its biggest sources of risk. This year’s version of our annual State of Software Security (SOSS) report found that the vast majority of applications have at least one security flaw. With software’s increased importance, how do you ensure it’s not increasing your risk of breach? What can we learn from our analysis of 130,000 applications for this year’s SOSS report to inform the direction of application security programs? Tune in to Veracode’s Director of Solution Architects John Smith’s keynote address to hear more about how to apply the lessons of 2020 to keep your organization secure.

    Interested in learning more about the findings from this year's SOSS report?
    Tune into sessions from this year's Hot SOSS virtual summit: https://www.veracode.com/hot-soss-virtual-summit
  • SAST, DAST, SCA … is this really necessary? Recorded: Jan 12 2021 29 mins
    Julian Totzek-Hallhuber, Senior Principal Solution Architect
    In a word, yes. Would you consider yourself 100 percent healthy after one blood pressure check? No, you’d need to see more test results! Similarly, you can’t call your software secure after one static analysis test, or one pen test. Each testing type looks for different vulnerabilities, meaning multiple testing types are required for effective application security. And we now have some new data to back up that claim.

    Join this session to find out:
    • Our data on the fix rates of organizations that employ multiple testing types vs. those that use just one
    • Why you need multiple testing types
    • How and when the different testing types work together throughout the software lifecycle.

    Interested in learning more about the findings from this year's SOSS report?
    Tune into sessions from this year's Hot SOSS virtual summit: https://www.veracode.com/hot-soss-virtual-summit
  • Raising Good Software: Is It Nature or Nurture? Recorded: Jan 12 2021 30 mins
    Anne Nielsen, Veracode Product Management
    We know most software is insecure. We also know that organizations are struggling to remediate these flaws in a timely fashion.

    How did we get to this state of software security, and what’s the best way to address it? Are some apps by their very nature simply less secure? Or are we just not nurturing the security of apps correctly? We investigated this question when analyzing our scanning data from 130,000 apps for our annual State of Software Security report.

    During this breakout session, we will highlight the findings and examine:
    • What’s more important in application security – nature or nurture?
    • Is software security related to the attributes of the app that the developer inherits – its security debt, its size?
    • Or is software security dependent on the actions of developers – how frequently they are scanning for security or how security is integrated into their processes?
    • And if it is indeed the “nature” of apps that affects security more, is there anything developers or security pros can do to improve security outcomes?

    Join us for an insightful talk on software security today, and practical steps you can take to reduce your risk of breach.

    Interested in learning more about the findings from this year's SOSS report?
    Tune into sessions from this year's Hot SOSS virtual summit: https://www.veracode.com/hot-soss-virtual-summit
  • Fireside Chat: Real-World Perspective: The Effect of Decentralized Security Recorded: Jan 12 2021 46 mins
    George Garza, Director of Security & Risk at Manhattan Assoc. & Emily Iarocci, Veracode Team Lead, Security Program Management
    As security increasingly becomes decentralized out to individual developers, what are the implications? Do developers have the right training and tools to own security testing and decision-making? Our research for the State of Software Security v11 report revealed that organizations scanning for security via API fixed security flaws 17.5 days faster than those not scanning via API. Is automation the key to developer-first security? We sit down with Emily Iarocci, Veracode Security Program Management Team Lead, and Veracode customer George Garza, Director of Security and Risk at Manhattan Associates, to discuss these trends, the implications for their organizations, and their take on the keys to success.

    Interested in learning more about the findings from this year's SOSS report?
    Tune into sessions from this year's Hot SOSS virtual summit: https://www.veracode.com/hot-soss-virtual-summit
  • The Effect of Language Choice on Software Security Recorded: Jan 12 2021 18 mins
    Ryan O'Boyle, Veracode Strategic Research Manager
    All languages are not created equal. Some are higher-level and allow fewer flaws, while others like C++ and PHP are riddled with risky vulnerabilities that can cause expensive (and time consuming) roadblocks in your development process. And because developers have to work fast to hit tight deadlines, slowing down to figure out the why’s and the how’s isn’t always an option. It’s critical for developers to stay one step ahead of the riskiest languages and the flaws they carry by examining flaw frequency trends and understanding how they affect the security of an application.

    Join this session to learn:
    • Which languages carry the most risk to your code
    • Which flaws impact languages most frequently
    • The ways language choice can influence security

    Don’t miss out as we dig into data from 130,000 application scans and discuss the latest trends in software security, including which languages can affect the security of your code.

    Interested in learning more about the findings from this year's SOSS report?
    Tune into sessions from this year's Hot SOSS virtual summit: https://www.veracode.com/hot-soss-virtual-summit
  • What Our Data Tells Us About Open Source Risk: And How to Address It Recorded: Jan 12 2021 20 mins
    Brittany O’Shea, Veracode Senior Product Marketing Manager
    Our research for this year’s State of Software Security v11 report found that almost a third of applications have more security findings in their third-party libraries than in their first-party code. Bottom line: If you are only assessing the security of your first-party code, your attack surface is much bigger than you think. But how can you realistically address the security of so much code you didn’t write in-house? Attend this session with Brittany O’Shea, Veracode senior product marketing manager, to hear more about our data on open source risk, and how to address it.

    You’ll learn:
    • What our new data reveals about the extent and the security of third-party code in modern applications
    • Best practices surrounding identifying security vulnerabilities in open source libraries
    • Realistic and practical ways to address the problem of open source risk

    Interested in learning more about the findings from this year's SOSS report?
    Tune into sessions from this year's Hot SOSS virtual summit: https://www.veracode.com/hot-soss-virtual-summit
  • Keynote: Software Security: The Stats and the Acts Recorded: Jan 12 2021 31 mins
    Chris Eng, Veracode Chief Research Officer
    Seventy-six percent of applications have at least one security flaw. And half of security findings are still open 6 months after discovery. Those are just two of the data highlights from the recently released 11th version of our annual State of Software Security (SOSS report). But it’s not all doom and gloom. This year, we also uncovered some compelling evidence about how to improve those slow fix rates. Turns out there are actions that developers and security professionals can take to shorten the time to fix security findings, even under less ideal circumstances. Tune in to Veracode Chief Research Officer Chris Eng’s keynote to get an overview of the state of software security this year, and how you can use the data to improve your own application security program.

    Interested in learning more about the findings from this year's SOSS report?
    Tune into sessions from this year's Hot SOSS virtual summit: https://www.veracode.com/hot-soss-virtual-summit
  • How to Identify Your Internet Attack Surface and the Associated Risk Recorded: Dec 10 2020 54 mins
    Nabil Bousselham, Solution Architect at Veracode
    Web applications continue to be the main attack vector for cyber-attackers seeking to break into organizations' IT systems. Using a discovery technique together with dynamic application security testing (DAST) of websites gives SOC teams the assurance that applications will operate securely in the real world.

    Dynamic analysis is an important part of a mature application security program, because this form of testing makes it easier to discover different types of vulnerabilities, including information leakage, cryptographic issues and cross-site scripting. You know it is important to secure all of your organization's web applications, including those you don't even know you own, while ensuring a fast time to market to meet customer demands and expectations. That is where Veracode comes in. Watch this webinar to learn how to implement a dynamic analysis program that meets these four key criteria:

    - Discovery: Discover every web application associated with your organization, even if you did not build it in-house, in order to compile a comprehensive inventory.
    - Scalability: The ability to scan several applications at once, whether authenticated or not, so that security does not become a bottleneck.
    - Speed: Deliver high-quality results quickly and intelligently, saving time.
    - Automation and integration: Scans that run automatically and integrate with existing processes and tools allow your security and development teams to move fast.
  • VeraTalks: Raising Good Software: Is It Nature or Nurture? Recorded: Dec 8 2020 31 mins
    Anne Nielsen, Veracode Product Management
    We know most software is insecure. We also know that organizations are struggling to remediate these flaws in a timely fashion.

    How did we get to this state of software security, and what’s the best way to address it? Are some apps by their very nature simply less secure? Or are we just not nurturing the security of apps correctly? We investigated this question when analyzing our scanning data from 130,000 apps for our annual State of Software Security report.

    During this month’s VeraTalk, we will highlight the findings and examine:
    • What’s more important in application security – nature or nurture?
    • Is software security related to the attributes of the app that the developer inherits – its security debt, its size?
    • Or is software security dependent on the actions of developers – how frequently they are scanning for security or how security is integrated into their processes?
    • And if it is indeed the “nature” of apps that affects security more, is there anything developers or security pros can do to improve security outcomes?

    Join us for an insightful talk on software security today, and practical steps you can take to reduce your risk of breach.
  • How to Keep Business Continuity and Control AppSec Costs in Turbulent Times Recorded: Dec 3 2020 55 mins
    Chris Kirsch, Director, Product Strategy, Veracode
    Companies have been forced into moving their business processes online. For many it’s the only way to interact with their employees and customers. As they are accelerating their digital transformation, many are moving applications to the cloud and redesigning the development toolchain – but keeping an eye on spend. As we know, this fast-moving transformation creates a ripe opportunity for cybercriminals to pounce.

    So, what’s the best way to protect your online revenue streams without compromising security?

    SaaS AppSec solutions were purpose-built for this rapid transformation: helping to reduce costs, providing a lower TCO than on-premise infrastructure and helping developers remediate vulnerabilities.

    Watch this webinar to learn how to:

    • Protect your online revenue streams by reducing application security risks
    • Make your AppSec program resilient to work-from-home challenges
    • Drastically reduce the cost of your AppSec program
Cloud-Based Application Security
Veracode delivers the most widely used cloud-based platform for securing web, mobile, legacy and third-party enterprise applications. By identifying critical application-layer threats before cyber-attackers can find and exploit them, Veracode helps enterprises deliver innovation to market faster — without sacrificing security.
