
Managing Open Source in Application Security and Software Development Lifecycle

Today, open source comprises a critical component of software code in the average application, yet most organizations lack the visibility into and control of the open source they’re using. A 2016 analysis of 200 commercial applications showed that 67% contained known open source vulnerabilities. Whether it’s a SaaS solution you deliver to millions of customers, or an internal application developed for employees, addressing the open source visibility and control challenges is vital to ensuring proper software security.
Open source use is ubiquitous worldwide. It powers your mobile phone and your company’s most important cloud application. Securing mission critical applications must evolve to address open source as part of software security, complementing and extending the testing of in-house written code.
In this webinar by Cigital and Black Duck security experts, you’ll learn:
- The current state of application security management within the Software Development Lifecycle (SDLC)
- New security considerations organizations face in testing applications that combine open source and in-house written software.
- Steps you can take to automate and manage open source security as part of application development
Recorded Sep 15 2016 55 mins
Presented by
John Steven, CTO, Cigital; Mike Pittenger, VP Security Strategy, Black Duck
  • Security Tool Misconfiguration and Abuse Aug 20 2019 5:00 pm UTC 40 mins
    Thomas Richards, Network and Red Team Practice Director
    As any security program matures, it will use tools and techniques to automate processes to improve the security posture of the organization. This includes asset management and discovery, patch management, deploying software, and vulnerability discovery. However, if these tools are improperly configured, they can lead to a total compromise of your network by an attacker. In this talk we will go over a few case studies of abusing these tools while on penetration tests as well as remediation methods to prevent these attacks from occurring.
  • What You Need to Know About Open Source Licensing Aug 15 2019 4:00 pm UTC 60 mins
    Mark Radcliffe, DLA Piper, Tony Decicco, GTC Law Group, Phil Odence, Synopsys
    Virtually every organization uses open source software, and lots of it, to create efficiencies in software development. But left unmanaged, open source can introduce legal, IP, compliance, and other risks for the business. With over 2,500 different licenses in use, legal professionals and technical managers need to understand the license obligations associated with open source and how to mitigate risks.

    Join top open source legal experts Mark Radcliffe from DLA Piper and Tony Decicco from GTC Law Group for a webinar as they do a deep dive into the types of open source licenses that could present challenges. They’ll cover:

    • The history and risk of open source software
    • Intellectual property law for software licensing
    • The most popular licenses and their obligations
    • Practical advice for helping your organizations or clients

    Don’t miss this informative webinar. Register today.


    DLA Piper LLP (US) has been certified by the State Bar of California, the Board on Continuing Legal Education of the Supreme Court of New Jersey, the New York State Continuing Legal Education Board, and the Pennsylvania Continuing Legal Education Board as an Accredited Provider. The following CLE credit is being sought:
    • California: 1.0 Credit (1.0 General, 0.0 Ethics)
    • New Jersey: 1.2 Credits (1.2 General, 0.0 Professional Responsibility)
    • New York: 1.0 Transitional & Non-Transitional Credit (1.0 Professional Practice, 0.0 Ethics and Professionalism)
    • Pennsylvania: 1.0 Credit (1.0 General, 0.0 Ethics)
    CLE credit will be applied for in other states where DLA Piper has an office with the exception of Minnesota, North Carolina, and Puerto Rico.
  • Achieving Security Outcomes in a Cloud-Native World Aug 14 2019 4:00 pm UTC 60 mins
    Steve White, Field CISO, Pivotal Software & Dave Meurer, Senior Technical Alliances Manager, Synopsys
    Modern enterprises are moving to hybrid cloud solutions, containers, microservices, and functions for their core applications. At the same time, technology teams are implementing agile and DevOps models for software development, deployment, and operations. These changes provide the business with measurable benefits in terms of agility and execution, but they also create the need for a shift in traditional approaches to cyber security. To respond, security leaders need to adopt a cloud-native model for security. In this webinar, we’ll examine how solutions from Pivotal and Synopsys enable this move, allowing security teams to achieve their target outcomes while acting as a key enabler, helping the business with their application transformation efforts.
  • Reviewing Modern JavaScript Applications Jul 31 2019 6:00 pm UTC 60 mins
    Lewis Ardern, Senior Security Consultant, Synopsys
    Many penetration testers approach modern JavaScript applications from an “outside-in” perspective. But this approach often misses security issues in plain sight. In this webinar, we’ll demystify common JavaScript issues that should be better understood/identified during security reviews. We’ll discuss how to review applications in a code-centric manner by using freely available tools to help start identifying security issues through processes such as linting and dependency auditing.
  • Defuse Your Release Anxiety by Fusing DevOps and Security Jul 30 2019 5:00 pm UTC 60 mins
    Vincent Lussenburg, XebiaLabs & Tomas Gonzalez, Synopsys
    In these times of DevSecOps, many companies claim that they’re “doing it.” But a false sense of security is worse than no security at all.
    In this webinar, Synopsys and XebiaLabs will explore how to embed multiple security perspectives on software vulnerability detection and prevention into your automated development release pipelines. The goal: To prevent your organization from being the next case study on how failure to cover an essential perspective resulted in an embarrassing data breach.

    By registering for this webinar you are agreeing to receive communications from both Synopsys and XebiaLabs.
  • Securing Vehicles after Production: Vulnerability Management & Security updates Jul 30 2019 9:00 am UTC 75 mins
    Dennis Kengo Oka, Senior Solutions Architect, Synopsys
    As the automotive software development life cycle puts greater focus on cyber security, we’ll see safer, more secure cars on the roads. OEMs and suppliers use static code analysis, software composition analysis, and fuzz testing to identify and remediate vulnerabilities in automotive components during development and testing. But even with the right tools and processes, it’s impossible to eliminate every software vulnerability in a vehicle’s 100 million lines of code before releasing it into the field.

    Therefore, it’s important to continue finding and fixing bugs in vehicles after production. During operations and maintenance, detecting and managing new vulnerabilities in automotive components is a high priority. Patching these vulnerabilities means performing secure over-the-air (OTA) updates—and ensuring those updates don’t introduce new vulnerabilities.

    This talk will present the current challenges and suggest solutions to securing vehicles during the operations phase.
  • Is Your Software Supply Chain a Security Blind Spot? Jul 25 2019 4:00 pm UTC 60 mins
    Lisa Bryngelson, Senior Product Manager at Synopsys
    One of the biggest challenges companies face with third-party software is lack of visibility into the open source libraries used in the software they embed in their products. Over the last year, major security breaches have been attributed to exploits of vulnerabilities in open source frameworks used by Fortune 100 companies in education, government, financial services, retail, and media.

    These incidents shine a light on the need for organizations to carefully manage the open source used in the third-party software they consume. The goal is to protect themselves—and their customers—from the consequences of catastrophic security breaches.

    This session will:

    • Cover the key differences between identifying open source in source code versus binaries
    • Outline key use cases for binary analysis as part of a comprehensive approach to open source
    • Explain the next step toward making sure you avoid potentially costly security breaches

    Don’t miss this informative webinar. Register today.
  • Why All Open Source Scans Aren’t Created Equal Jul 24 2019 3:00 pm UTC 60 mins
    Phil Odence & Emmanuel Tournier at Synopsys
    Understanding the risks associated with open source software has become the norm in tech due diligence but not all approaches are created equal. Are you approaching open source diligence in the most efficient and effective way possible? Do you understand the difference between a point in time open source analysis for M&A and ongoing open source management?

    Join us for this live webinar and learn how a purpose-built M&A open source audit differs from open source management tools and why it matters in tech due diligence. We’ll cover:

    • The types of risk around open source software
    • Why depth of analysis matters, and what it results in during M&A diligence
    • Why accuracy, reporting and expert human analysis are keys to thorough diligence

    Don’t miss this informative webinar. Register today.
  • Building a Culture of Secure Programming in your Organisation Recorded: Jul 18 2019 69 mins
    Amanvir Sangha, Consultant, Synopsys
    We all know that fixing defects early in the SDLC is the right approach to building secure software. Security needs to be in every part of the pipeline but it’s often hard to get everybody onboard with software security initiatives.

    Come join us on this webinar to explore how to build a culture of proactive secure programming in your technical organization and how to implement security as an enabler without disrupting the velocity of projects in modern development teams. See how Synopsys tools and services can allow you to build secure, reliable and quality software.
  • Application Security and DevSecOps in an Agile World Recorded: Jul 8 2019 50 mins
    Cem Nisanoglu, Managing Consultant, Synopsys
    While adopting DevOps was a natural transition for Agile organizations, the move to DevSecOps has introduced new challenges. DevSecOps requires a significant shift in mindset and company culture to integrate new tools and new security activities. This is why keeping pace with Agile and the DevOps culture while introducing security into the software development life cycle (SDLC) is a challenge for many companies.
    In this webinar, Cem Nisanoglu explores the DevSecOps operating model and highlights the importance of change management, automation, and security metrics in a transition to DevSecOps, as well as how these activities can contribute to security training, faster release cycles, and the optimization of security budgets within the enterprise.
  • Static Analysis Security Testing (SAST) in CI/CD – why and how Recorded: Jul 4 2019 38 mins
    Shi Chao, Senior Sales Engineering Manager, Synopsys Software Integrity Group
    Traditionally, and often unfortunately, security has been treated as a secondary and isolated process considered only at the end of the software development life cycle (SDLC). Noble as the intentions are, it can be frustrating to discover security vulnerabilities at such a late stage.

    With the proliferation of agile development methodology and CI/CD, is it possible to leverage a Static Application Security Testing (SAST) tool to constantly verify code changes and improve application integrity throughout the SDLC? In our 4th July 2019 webinar, Shi Chao, Senior Sales Engineering Manager, Synopsys Software Integrity Group, will provide insights into the following:
    • What is SAST? Are SAST tools glorified grep?
    • What can SAST help with?
    • Touch points: where and how do we apply SAST in the CI/CD pipeline?
    • Considerations in choosing a SAST tool
  • Streamlining Your Tech Due Diligence Process for Software Assets Recorded: Jun 27 2019 53 mins
    Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Center
    Open source, legal, compliance, security, and code quality risks all come into play when you’re acquiring a company where the technology is a large part of the deal valuation. And if you’re making multiple acquisitions a year, how do you ensure that your tech due diligence process addresses each of these potential risks, all while moving at the speed of the deal?

    Join us for this webinar to learn how you can streamline your tech due diligence process without sacrificing quality assessments. We’ll cover:

    • Understanding open source, its license obligations, and its security vulnerabilities
    • Testing the overall security of code assets, including proprietary code
    • Understanding potential points of data leakage via third-party web API integrations
    • Steps for creating a repeatable software asset audit process

    Don’t miss this informative webinar. Register today.
  • Developers are your greatest AppSec Resource – Here’s How to Activate Them Recorded: Jun 25 2019 50 mins
    Amy DeMartine, Forrester Principal Analyst and Utsav Sanghani, Senior Product Manager, Synopsys
    Application vulnerabilities are a prime target for attackers, and the critical task of identifying and remediating these flaws before they’re exploited can be daunting, especially for organizations adopting DevOps and CI/CD practices. Security teams don’t have the time or resources to find and fix every vulnerability, and developers prefer to do what they do best – build and deploy features quickly. Fortunately, developers can be good at their jobs and be your most effective application security resources if you enable them with the low-friction tools and training at the precise time they need them.

    Join guest speaker Amy DeMartine, principal analyst at Forrester Research, and Utsav Sanghani, senior product manager at Synopsys, as they explore tools and techniques that can transform your developers into AppSec rock stars:
    - Rapid and continuous in-IDE security testing can help your developers find and fix issues before they ever get committed to your codebase.
    - Delivering short, contextualized AppSec training modules to developers in real time when they introduce vulnerabilities.
    - Most modern applications contain more open source code than proprietary code. Help your developers identify and avoid risky OSS components.
  • The State of Open Source and Security: What It Means for You Recorded: Jun 19 2019 61 mins
    Gordon Haff, Red Hat & Dave Meurer, Synopsys
    Development organizations view open source software as not just important but also strategic. That’s just one of the topics we’ll investigate in this joint webinar from Red Hat and Synopsys. Drawing from Red Hat’s “The State of Enterprise Open Source” report, technology evangelist Gordon Haff will explain why IT decision makers value open source so highly.

    At the same time, changing development practices and escalating threats mean that security remains a concern with respect to open source software, as it is for IT more broadly. Dave Meurer of the Synopsys Software Integrity Group will explain findings from the Synopsys “2019 Open Source Security and Risk Analysis” report to offer an in-depth look at the state of open source security, compliance, and code quality risk in commercial software.

    We’ll close with some practical advice about getting the most value from open source software while keeping your organization safe.
  • Using Metrics to Drive Your Software Security Initiative Recorded: Jun 18 2019 48 mins
    Kevin Nassery, Senior Principal Consultant, Synopsys
    Intuition can take you quite far at the beginning of your application security journey. But even the most experienced leaders will eventually need data to guide them through a decision or justify their investments. Well-designed software security metrics provide that compass.

    This webinar will arm software security group leadership with the knowledge necessary to design key metrics that drive thoughtful investment and enhancement of their software security initiative (SSI).

    We’ll pay special attention to must-have application security metrics, common missteps, and executive visibility across the Software Security Development Lifecycle (SSDL) and SSI.
  • Risk-Based Adaptive DevSecOps Recorded: Jun 13 2019 60 mins
    Meera Rao, Secure Development Practice Director, Synopsys Software Integrity Group
    Building security automation into the DevOps pipeline is a key pain point for many organizations. Some firms deploy to production as frequently as every five minutes—a velocity that security struggles to match. Implementing intelligence within the DevOps pipeline supports security activities by matching the team’s velocity, providing intelligent feedback, and supporting organizations as they scale their security testing activities.

    A risk-based adaptive pipeline can close the gap between DevOps and security teams, helping DevOps teams accelerate deployment to production without compromising security.

    In this webinar, you’ll learn:

    - How the adaptive pipeline can help you rank risks, identify changes, and improve responsiveness.
    - How to accelerate deployment to production without compromising security.
    - Four models you can implement to help align your people, process, and technology.
  • Vulnerabilities in Containerised Production Environments Recorded: Jun 6 2019 59 mins
    Tim Mackey, Senior Technical Evangelist, Synopsys
    With each new technology cycle, we seek to improve both business efficiency and security. Unfortunately, our legacy practices can severely hold us back from achieving the full potential of our new technology stack. When this occurs, organisations with the most valuable data come under attack first.
  • Growth of Web Services & APIs and the Risks in M&A Recorded: May 22 2019 61 mins
    Tony Decicco, GTC Law Group & Phil Odence, Synopsys
    Just like most software assets contain open source, modern software applications commonly link to external web services via APIs. By using web services, developers may be inadvertently signing their companies up to terms of service or using a web service without a suitable agreement. And using these services can expose a company to security, data privacy, and operational risks that could disrupt or severely affect the business. As part of the tech M&A due diligence process, you should be aware of these web services-related risks so that you can make informed decisions about deal valuation and remediation.

    Join Tony Decicco, shareholder at GTC Law Group and Affiliates, and Phil Odence, GM of Black Duck Audits, as they discuss the types of risk associated with web services and how they can affect an M&A transaction. They’ll cover:

    • Typical terms of service and common pitfalls
    • The legal compliance, data privacy, security, and business risks that come with web services
    • Real-world examples of these risks
    • How a buyer can get a better understanding of these risks in a target’s codebase or a seller can prepare for diligence to avoid risks in this area

    Don’t miss this informative webinar. Register today.
  • AppSec Hype or Reality? Demystifying IAST Recorded: May 22 2019 61 mins
    Asma Zubair, Product Mgmt Mgr, Sr Staff, Synopsys and Kimm Yeo, Product Marketing Mgr, Staff, Synopsys
    Are you struggling with application security testing? Do you wish it was easier, faster, and better? Join us to learn more about IAST, a next-generation AppSec tool that provides highly accurate, real-time vulnerability results without the need for application or source code scans. Learn how this nondisruptive tool can:
    - Run in the background and report vulnerabilities during functional testing, CI/CD, and QA activities.
    - Prioritize and triage vulnerability findings in real time with 100% confidence.
    - Fully automate secure code delivery and deployment, without the need for extra security scans or processes.
    - Free up development and security resources to focus on strategic or mission-critical tasks and contributions.
  • Mitigating Software Risks for DoD and Government Agencies Recorded: May 21 2019 49 mins
    Joe Jarzombek, Director for Government, Aerospace & Defense Programs, Synopsys
    As the cyber threat landscape evolves and external dependencies grow more complex, managing risks to enterprise and connected embedded systems requires more than reactive measures. Many organizations proactively reduce attack surfaces in their cyber supply chain and assets targeted for exploitation. IT asset management should leverage automated means to detect weaknesses and vulnerabilities in software. Addressing cyber supply chain dependencies enables the hardening of attack surfaces by comprehensively identifying exploit targets, understanding how assets are attacked, and providing responsive mitigation. Automation tools and services, testing and certification programs now provide means to reduce risk attributable to exploitable software. This presentation addresses means of using information to prioritize mitigation efforts focused on reducing exploitable attack vectors; enabling organizations to proactively harden their attack surface and become more resilient in the face of growing threats and asymmetric attacks.

    Lt. Col. Joe Jarzombek (USAF, ret.) is Director, Government, Aerospace & Defense Programs at Synopsys. He previously served as Deputy Director, Information Assurance in the Office of the CIO Dept. of Defense. He later served as Director, Software and Supply Chain Assurance in the Dept. of Homeland Security. Today, Joe guides Synopsys’ global leadership to address needs of public sector, aerospace and defense communities. He participates in consortia, public-private collaboration and standards groups, and R&D projects to accelerate technology adoption. Joe has 30+ years in software security, safety and quality in embedded and networked systems and enterprise IT. Joe is a Certified Secure Software Lifecycle Professional (CSSLP) and project management professional with an MS in Computer Information Systems, a BA in Computer Science and a BBA in Data Processing and Analysis.
Build secure, high-quality software faster.
Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.

  • Title: Managing Open Source in Application Security and Software Development Lifecycle
  • Live at: Sep 15 2016 3:00 pm
  • Presented by: John Steven, CTO, Cigital; Mike Pittenger, VP Security Strategy, Black Duck