
What Our Data Tells Us About Open Source Risk: And How to Address It

Our research for this year’s State of Software Security v11 report found that almost a third of applications have more security findings in their third-party libraries than in their first-party code. Bottom line: If you are only assessing the security of your first-party code, your attack surface is much bigger than you think. But how can you realistically address the security of so much code you didn’t write in-house? Attend this session with Brittany O’Shea, Veracode senior product marketing manager, to hear more about our data on open source risk, and how to address it.

You’ll learn:
• What our new data reveals about the extent and the security of third-party code in modern applications
• Best practices surrounding identifying security vulnerabilities in open source libraries
• Realistic and practical ways to address the problem of open source risk
Recorded Jun 16 2021 21 mins
Presented by
Brittany O’Shea, Veracode Senior Product Marketing Manager

  • VeraTalks: Raising Good Software: Is It Nature or Nurture? Nov 9 2021 11:00 am UTC 31 mins
    Anne Nielsen, Veracode Product Management
    We know most software is insecure. We also know that organizations are struggling to remediate these flaws in a timely fashion.

    How did we get to this state of software security, and what’s the best way to address it? Are some apps by their very nature simply less secure? Or are we just not nurturing the security of apps correctly? We investigated this question when analyzing our scanning data from 130,000 apps for our annual State of Software Security report.

    During this month’s VeraTalk, we will highlight the findings and examine:
    • What’s more important in application security – nature or nurture?
    • Is software security related to the attributes of the app that the developer inherits – its security debt, its size?
    • Or is software security dependent on the actions of developers – how frequently they are scanning for security or how security is integrated into their processes?
    • And if it is indeed the “nature” of apps that affects security more, is there anything developers or security pros can do to improve security outcomes?

    Join us for an insightful talk on software security today, and practical steps you can take to reduce your risk of breach.
  • Five Key Ingredients for Unified AppSec Oct 27 2021 3:00 pm UTC 45 mins
    Speaker to be Announced
    Join this keynote as we kick off our Virtual Summit and learn which ingredients are vital for that perfect slice of pie-in-the-sky AppSec. Get ready to dive into these key ingredients over the next two days.
    You will learn:
    • The all-in-one, integrated platform in the cloud with every scan type you need in the SDLC
    • Enablement programs to improve communication between sec and dev
    • Developer training that works through muscle memory
    • Clear top-down policies and transparency that helps with hitting business goals
    • An eye on industry trends, especially directives that come from the government
  • VeraTalks - Mitigating Open Source Risk in your Organization Oct 26 2021 10:00 am UTC 19 mins
    Chris Eng, Chief Research Officer at Veracode
    The data speaks for itself. In our analysis of over 85,000 applications, more than 500,000 open source libraries were in use. This trend is clearly here to stay and only growing, but what does it mean for your organization? In this discussion, Chris tells us what open source is, the risks involved with some real-life examples, and how you can keep your organization secure while also empowering your development teams.
  • Speed vs. Risk: Effective Software Security Doesn’t Choose Sep 30 2021 9:00 am UTC 39 mins
    Julian Totzek-Hallhuber: Principal Solutions Architect
    What makes software security effective? Do you have to sacrifice software security speed to truly reduce risk? What if you quickly find a lot of security flaws, but they aren't accurate, or you don't know how to fix them? Ultimately, effective software security needs to integrate and automate both accurate testing and remediation into developer workflows, and train developers to avoid security flaws in the first place – otherwise, you are choosing between speed and risk. Join Rey to get details on what good looks like in software security, including:

    • Automated, integrated, and accurate security testing
    • Prescriptive vs. descriptive security findings
    • Engaging and relevant security training
  • The Lifetime and Use of Open Source Libraries Sep 29 2021 9:00 am UTC 60 mins
    Julian Totzek-Hallhuber, Principal Solutions Architect
    Software today rarely consists entirely of self-written code and is frequently “assembled” from other sources. This reusable code and functionality, on which developers rely more and more, also brings reusable vulnerabilities with it. The open-source foundation on which most apps are now built does not behave like a solid concrete foundation, but more like a shifting pile of gravel and sand. These libraries are in a constant state of flux, including their security status. Listen to this talk on the facts and analysis in our latest report on the state of software security for freely available libraries. For this report we analysed over 301,000 open-source libraries.

    Join this webinar to learn more about:
    - The most popular libraries with security vulnerabilities
    - How developers choose libraries for their applications
    - How often open-source libraries are updated, and why that matters
    - What is holding developers back from fixing security vulnerabilities in open-source code
    - The scope of the fixes required to address vulnerabilities in open-source code
    - Best practices for managing open-source libraries
  • Innovations Driving the Future of Software Security Recorded: Sep 23 2021 59 mins
    Sandy Carielli, Forrester Research Principal Analyst and Chris Wysopal, Veracode CTO
    From communication and education to commerce and healthcare — every organization, institution, agency, and corporation is transforming digitally — and the transformation continues to accelerate. With more than 50 percent of people worldwide now online, software has become the backbone of modern business and society — and one of its biggest sources of risk. Our own data illustrates both the growth and the risk. In Veracode’s State of Software Security Volume 11 report, we analyzed 130,000 apps and found that 76 percent of applications have at least one vulnerability. As companies transform through software, the digital attack surface is growing exponentially, and fixing defects in software must keep pace with this reality.

    Watch Veracode founder and Chief Technology Officer, Chris Wysopal and guest speaker Forrester Research Principal Analyst, Sandy Carielli in a live webinar as they discuss the trends and innovations shaping software security, and how companies must strategize for this future and prepare their developers to integrate security into their workflows.
  • Application Development in the Era of Open Source Libraries Recorded: Sep 21 2021 48 mins
    Nabil Bousselham, Sr. Principal Solution Architect at Veracode
    Today’s software is rarely made entirely of proprietary code and is more often “assembled” from other sources, including frameworks and open source libraries.

    Our research and this year’s State of Software Security v11 report found that almost a third of applications have more vulnerabilities in third-party open source libraries than in their proprietary code. Bottom line: if you only assess the security of your proprietary code, your attack surface is much bigger than you think. But how can you realistically address the security of so much code you didn’t write in-house? Attend this session with Nabil Bousselham, Sr. Principal Solution Architect at Veracode, to learn more about our data on open source risk and best practices for managing it.

    Join this session to learn:
    - The most popular vulnerable libraries
    - How developers choose libraries for their applications
    - How often open source libraries are updated, and why that matters
    - What is holding developers back from fixing security flaws in open source code
    - The scope of the fixes required to address vulnerabilities in open source code
    - Best practices for managing open source libraries
  • How OneLogin is Empowering Developers with Secure Code Training Recorded: Sep 16 2021 61 mins
    Jim Hebert, OneLogin AppSec Engineer; Jason Lane, Veracode Product Marketing; Rey Bango, Veracode Developer Relations
    35% of organizations say less than half of their development teams participate in formal security training. But if developers are the backbone of creating secure software, why aren’t they getting the secure coding education they need in school and throughout their careers?
    That’s precisely the reason why OneLogin, a cloud-based identity and access management (IAM) provider, implemented a comprehensive developer security training program to proactively reduce code defects in development.
    Join us on September 16th at 12 PM EST as we sit down with Veracode customer Jim Hebert, Application Security Engineer, OneLogin to discuss how to craft a well-rounded security training program that ensures developers have the skills needed to write secure code and remediate vulnerabilities. OneLogin uses Veracode Security Labs, which offers hands-on training that enables developers to exploit and patch real apps in contained environments so that critical secure coding skills can be practically applied in the software development lifecycle.
    During this session, we’ll cover:
    • Common challenges with integrating security into the development cycle
    • How to build a comprehensive developer security program
    • Why effective security training is a keystone element of all application security
    • Bridging the gap between a theoretical understanding of secure software development to the actual practice with Veracode Security Labs
    • Evaluation process and other types of tools considered
  • Tuning the AppSec Engine, Part 3 Recorded: Sep 15 2021 53 mins
    John Smith, Director, Solution Architects, EMEA and APAC, Veracode and Amanda Lee, Sr Manager CSMs, Veracode
    Building your AppSec engine is only the beginning. You need to continue to improve and optimise the engine by leveraging metrics. Metrics can help you pinpoint where the engine is running smoothly and where it needs an adjustment.
    Metrics can also help you communicate the success of your AppSec programme to senior executives and stakeholders. For example, you can show reduced risk to the business by pointing out a reduction in flaws and vulnerabilities, improved time to remediation, or decreased security debt.
    Join Amanda Lee, EMEA and APJ Services Manager and John Smith, Manager, Solution Architects, who will discuss:
    • Different types of metrics your organisation can track
    • Using metrics to guide your programme
    • How our customers have optimised their approach
    • Communicating with senior executives with data that matters
  • Speed vs. Risk: Effective Software Security Doesn’t Choose Recorded: Sep 9 2021 39 mins
    Julian Totzek-Hallhuber: Principal Solutions Architect
    What makes software security effective? Do you have to sacrifice software security speed to truly reduce risk? What if you quickly find a lot of security flaws, but they aren't accurate, or you don't know how to fix them? Ultimately, effective software security needs to integrate and automate both accurate testing and remediation into developer workflows, and train developers to avoid security flaws in the first place – otherwise, you are choosing between speed and risk. Join Rey to get details on what good looks like in software security, including:

    • Automated, integrated, and accurate security testing
    • Prescriptive vs. descriptive security findings
    • Engaging and relevant security training
  • The Right AppSec Partner Today Keeps the Regulator Away Recorded: Sep 8 2021 27 mins
    Julian Totzek-Hallhuber, Principal Solutions Architect
    Transactions across Europe are progressively changing to digital. Figures show in 2020, the value of transactions reached £703.3 bn with the UK estimated to be responsible for at least 25 percent of this figure. Needless to say, the software supporting these payment systems must be reliable and secure. Without secure payment platforms, payment transactions and data could be compromised.

    Join this Session to learn:

    • How static analysis maps against PCI requirements
    • How to determine which software security controls and features best serve your organisation’s specific business needs
    • The importance of automated AppSec as a means of keeping up with the faster and more iterative payment systems of today
    • Best practices in setting up an effective application security program with consideration for both traditional and modern payment platforms and evolving development practices
  • Building the AppSec Engine, Part 2 Recorded: Sep 2 2021 39 mins
    Tom Smith, Sr Solution Architect, Veracode
    The most successful AppSec Engines don’t operate independently; they are integrated into the existing tools and processes of developers and security teams. AppSec tooling and automation is important but is not the complete picture – security assurance, mindset, and culture are also key to the success of an effective AppSec programme.

    The various AppSec analysis types have different strengths in finding security issues, and they lend themselves to different stages of the SDLC. Therefore, understanding these strengths and limitations and blending the approach with people, processes, and technology is critical to build a holistic approach to application security.

    Join Tom Smith, Solution Architect (Veracode), who will discuss:
    * Where each analysis type best fits in the SDLC
    * Why pipeline integrations are critical
    * How tooling is not the complete picture
    * Advice on where to start when first testing your applications for security vulnerabilities
  • Security Labs - The Ultimate in Shift Left Recorded: Aug 26 2021 59 mins
    Tim Jarrett, Sr. Director of Product Management; Dave Ferguson, Solution Architect; Jason Lane, Product Marketing Manager
    One of the biggest challenges in producing secure software is helping developers become more skilled and confident at writing secure code. It's not something that is normally taught in Computer Science programs today. You can offer video-based training, but when it comes to learning there’s no substitute for hands-on practice – and making it fun! Come learn how organizations are using Veracode Security Labs to teach developers secure coding techniques using live applications - by exploiting real vulnerabilities then fixing the code and seeing the results. You’ll also hear stories of successful rollouts and learn what’s coming next in Security Labs.
  • Putting People Back at the Heart of Application Security Recorded: Aug 25 2021 20 mins
    John Smith, Director, Solution Architect, EMEA and APAC for Veracode
    In application security, there is no single set-it-and-forget-it solution that will ensure the health and fortitude of your code. John Smith, Director, Solution Architect, EMEA and APAC for Veracode, will discuss the critical role that humans play in the successes (or failures) of modern technology, and demonstrate that software can’t operate to its fullest potential without the right brainpower behind it.
    Key Learning Outcomes:
    - Learn what makes a successful collaboration between Security and Development teams, including eliminating waste, minimising bottlenecks and understanding both pain points and priorities
    - Understand how to operate security at scale while reducing costs and removing the need for expensive headcount
    - Come away with insight into augmenting security best practices with a human touch
    - Get to know the differences in vulnerabilities found by hackers versus automated tools
    - Learn when to choose between automation and human-powered security
  • How Much Open Source Code Is in Your Software? It’s More Than You Think Recorded: Aug 19 2021 42 mins
    Brittany O'Shea, Product Marketing Manager at Veracode
    Developers are being asked to push out more software —and in shorter periods of time —than ever before. In turn, they are increasingly relying on open source libraries, which allow them to add functionality to their code without having to build it from scratch. As a result, software today is rarely completely made of first-party code, and is more often “assembled” from other sources. In fact, our most recent State of Software Security report found that a typical Java application is made up of 97 percent open source code. And that open source code is leaving organizations vulnerable to cyberattacks. Our State of Software Security: Open Source Edition report found that 70 percent of applications have a security flaw in an open source library. However, simply using open source libraries isn’t a security threat to the business. The real problem is not knowing that what you’re using contains vulnerabilities and that they’re exploitable in your application. Software composition analysis solutions can help, but many are coming up short. The main challenges with current solutions are that they are based on the NVD database, which is frequently not up to date, they are hard to manage and scale, and developers are not empowered to fix security issues.

    Join this session to find out:

    • Trends in open source library use
    • Best practices in software composition analysis
    • How to continue using open source libraries without getting bogged down with security tests
  • Components of the AppSec Engine, Part 1 Recorded: Aug 19 2021 61 mins
    Fulya Sengil, Sr Solution Architect, Veracode
    If you're planning to build a car engine, you'd probably start by researching instructions, collecting the necessary parts, and establishing a process to ensure that the build goes smoothly. The same goes for building an application security (AppSec) program. You'd need to figure out what AppSec tests you want to include, how you're going to incorporate them into the software development lifecycle (SDLC), and what process you're going to use – waterfall, agile, or DevOps.

    But you don't have to figure out how to build a car engine, or AppSec program, by yourself. Join us for part one of our three-part webinar series for tips on building, maturing, and maintaining an AppSec program. We will examine the various AppSec testing types – static analysis, software composition analysis, dynamic analysis, interactive application security testing, and penetration testing – determine which tests you should start with, and where they should go in the SDLC. We will then explore the various methodology types and modern application architecture.
  • Secure Coding's Impact on an Organisation – Panel Discussion Recorded: Aug 10 2021 62 mins
    John Smith Veracode, Michael Man, Srimant Achayra TCS, Adam Casey i3Secure
    Software security is about more than avoiding costly breaches. It’s about giving your organization the confidence to create, innovate, and bring solutions to market … before the competition. And the key to software security today? Education.

    When it comes to software, developers are really the only ones in an organisation who can fix the vulnerabilities in their code. Yet most developers don’t have the training they need to identify or remediate vulnerabilities, and security teams don't have the bandwidth to train them. This leaves the development team with ineffective training content that is too long, irrelevant to an organization's tech stack, or not engaging.

    Join us for a panel discussion hosted by Director of Solution Architects at Veracode John Smith, joined by DevSecOps practitioner Michael Mann, Srimant Achayra, Global Head Enterprise Vulnerability Management CoE, TCS Cyber Security and Adam Casey, ex-CISO, now Director Cyber Security and Data Protection at consultancy i3Secure.
    We will be discussing:

    - Why developers need training on secure coding
    - Why the best approach in an AppSec strategy in addition to scanning includes avoiding creating flaws in the first place
    - How shifting left in the development process is a route to competitive advantage
    - Best practice in designing customized AppSec education based on organization’s unique tech stack and business objectives
  • The Value of Application Security - Getting AppSec Executive Buy In Recorded: Aug 3 2021 43 mins
    John Smith, Director, Solution Architects EMEA & APJ, Veracode
    How can you demonstrate the value of adopting or expanding your organisation’s AppSec program when there’s a growing need for all types of cybersecurity, as well as intense competition for your critical tech budget? Simply put, you must convince decision-makers that your program — and their money — will lead to better business outcomes, a higher level of efficiency, lower costs, and improved return on investment (ROI).

    Key takeaways:
    - Learn how to make the case for AppSec in a way that resonates with executives
    - Understand which AppSec metrics executives will care about
    - Find out how to tie AppSec to corporate goals and priorities

    Attend this session to get tips and best practices on making the case for AppSec to the board.
  • The Life and Times of Open Source Libraries Recorded: Jul 29 2021 33 mins
    Tom Smith / Sr Solution Architect
    Software today is rarely completely made of first-party code, and is more often “assembled” from other sources. This reusable code and functionality that developers have become more reliant on also comes with reusable vulnerabilities, and the open-source foundation most apps are now built upon is not like a solid, cement house foundation, but more like a shifting pile of gravel and sand. These libraries are in a constant state of flux, including their security status. Join this talk to get the data and analysis from our latest State of Software Security report, for which we analysed over 301,000 open-source libraries.

    Join this session to learn:
    - The most popular vulnerable libraries
    - How developers choose libraries for their applications
    - How often open-source libraries are updated, and why that matters
    - What is holding developers back from addressing security vulnerabilities in open-source code
    - The scope of the fixes required to address vulnerabilities in open-source code
    - Best practices for managing open-source libraries
  • VeraTalks: The Future of Cybersecurity Regulations Recorded: Jul 29 2021 31 mins
    Chris Wysopal, Veracode Founder and CTO
    In 1998, Veracode founder Chris Wysopal testified before Congress on the dangers of vulnerable software, famously reporting that he and his hacker friends could “take down the entire Internet in 30 minutes.” And, it took 23 years, but the government is finally responding.

    The Biden administration just released an executive order on cybersecurity that includes new security requirements for software vendors selling software to the U.S. government. There are also indications that these practices will make their way into the private sector. The order requires the development of pilot programs to develop ratings and labeling for the security of consumer software, including IoT devices. It also mandates the development of a Cyber Safety Review Board that will operate like an NTSB for cyber, investigating attacks and sharing information on how and why they happened.

    Just as we originally built cars without thinking about safety, we started building software years ago without thinking about security. In both cases, the risk eventually became very evident, and the government got involved with regulations. Where do we go from here? This executive order is more far-reaching and prescriptive than any cybersecurity legislation we’ve seen – how will this affect cybersecurity regulations of the future? Join our new VeraTalk with Chris Wysopal as he explores the future of cybersecurity regulations.
Cloud-Based Application Security
Veracode delivers the most widely used cloud-based platform for securing web, mobile, legacy and third-party enterprise applications. By identifying critical application-layer threats before cyber-attackers can find and exploit them, Veracode helps enterprises deliver innovation to market faster — without sacrificing security.

  • Title: What Our Data Tells Us About Open Source Risk: And How to Address It
  • Live at: Jun 16 2021 10:00 am
  • Presented by: Brittany O’Shea, Veracode Senior Product Marketing Manager