
Black Duck Container Security MasterClass - Security Response Process

Container usage in production environments is becoming commonplace, increasing the need to design for security and develop security response processes. Doing so starts with a clear understanding of what software is running in the datacenter.

This Container Security Master Class looks at how datacenter operations trends are combining to promote secure container deployments. These trends have the potential to reduce risk, but without a clear understanding of the applications and their dependencies, a successful attack can inadvertently end up with a wider scope of compromise than it needed to.
Recorded: Oct 27 2016 88 mins
Presented by
Tim Mackey, Sr. Technology Evangelist; John Beaudoin, Sr. Instructional Design
  • 5 Steps to Integrate SAST into the DevSecOps Pipeline Apr 23 2020 5:00 pm UTC 60 mins
    Meera Rao, Senior Principal Consultant, Synopsys
    Even software with a solid architecture and design can harbor vulnerabilities, whether due to mistakes or shortcuts. But limited security staff don’t have the resources to perform code reviews and provide remediation guidance on the entire application portfolio. Static analysis, also known as static application security testing (SAST), is an automated way to find bugs, back doors, and other code-based vulnerabilities so the team can mitigate those risks.

    First, though, you must choose a static analysis model that fits your needs. You might have questions such as these:
    - How do I manage false positives?
    - How do I triage the results?
    - What happens to new issues identified?
    - My scan takes hours to complete. How can I use this tool in my DevSecOps pipeline?
    - What is a “baseline scan”?

    Join us as we walk you through the challenges and benefits of integrating a SAST tool into your DevSecOps pipeline and how we’ve helped other organizations with this process.
  • Two Models of Application Security: The DMV and the Fishing Teacher Apr 21 2020 3:30 pm UTC 60 mins
    Jonathan Knudsen, Technical Marketing Manager, Synopsys
    What if application security testing were like a trip to the DMV? The security and development teams wouldn’t really understand each other, security testing would create long waits for product releases, and the relationship would quickly become antagonistic. Unfortunately, many organizations’ first attempts follow this model.

    A better model is the fishing teacher. At too many organizations, the security team is trying to catch enough fish for everyone else in the organization. Instead, the security team should teach everyone how to fish for themselves by spreading the automation and integration of proactive security throughout the rest of the organization, unifying a security-first culture that drives down organizational risk.

    A recent report from 451 Research, Designing a Modern Application Security Program, emphasizes the importance of automating and integrating security in your application development processes. This webinar shares best practices from the report and teaches you how to lower your risk without losing your mind.
  • Modernizing Your SSI for DevOps and CI/CD Apr 21 2020 6:00 am UTC 60 mins
    Kevin Nassery, Senior Principal Consultant, Synopsys
    What’s the most pressing issue in software security from the last 20 years?

    We think it’s how to evolve your software security initiative (SSI) to support a modern DevOps practice and CI/CD pipeline while still meeting your security objectives.

    In this talk, Kevin will discuss the key challenges of DevOps and CI/CD and arm you with a simple but effective method to optimize software security efforts. He’ll also highlight the inherent benefits of DevOps and CI/CD for secure software development to ensure nothing is left on the table as your SSI transforms.

    Key learning points:

    • Defining core CI/CD and DevOps SSI capabilities for your organization
    • Dimensions of maturity for SSDL gates in modern lifecycles
    • Software security culture, DevSecOps, and your SSI
    • Key performance indicators and critical SSI telemetry
  • Are You Acquiring the Next Big Breach? Security Vulnerabilities & M&A Apr 16 2020 4:00 pm UTC 60 mins
    Hal Hearst, Synopsys; Phil Odence, Synopsys
    Software contains vulnerabilities and if you’re acquiring a company where software is a big part of the deal, you should understand if there is anything in that software that can be exploited.

    Join this live webinar to learn why security is a key piece of tech due diligence and the way your audit vendor manages their security data matters. We’ll cover:

    • Why due diligence has moved beyond license compliance
    • How you (and your vendor) can get a more in-depth view of your vulnerabilities
    • Strategies for understanding your security risks

    Don’t miss this informative webinar. Register today.
  • How Open Source Made Me a Better Manager Apr 7 2020 3:00 pm UTC 55 mins
    Allon Mureinik, Senior Manager, Synopsys
    Management seems like a simple job - you tell people what to do, they do it, rinse, repeat. For bad managers, it really is this simple.

    Good managers do things differently. They let team members affect, if not drive, the team's direction. They allow the best ideas to guide the team's activity, no matter who brings them up. They are not intimidated by non-managers displaying leadership qualities, they encourage them.

    While these sentiments aren't unique to open source, they are the core of open source communities - allowing individuals to exert influence without any official authority. That's why I think working in open source is the best way to learn how to be a good manager, and I'll try to share this concept in my talk.
  • Secure Automotive Software Development in the Age of ISO/SAE 21434 Apr 2 2020 7:00 am UTC 75 mins
    Per-Olof Persson, Security Advisor, Synopsys and Dr. Dennis Kengo Oka, Principal Automotive Security Strategist, Synopsys
    Modern vehicles run on software containing more than 150 million lines of code. With more advanced safety-relevant functionality such as ADAS and autonomous driving, and with new communication interfaces, mobile apps, and backend servers being introduced for connected car use cases, the need to develop secure systems in the automotive industry is higher than ever. A draft of the new cybersecurity standard ISO/SAE 21434 was recently released to help automotive companies address cybersecurity across the entire vehicle lifecycle.

    This talk presents cybersecurity activities in the software development process based on ISO/SAE 21434 to help automotive companies develop more secure systems. We will discuss practical implementation examples for the cybersecurity steps added in the development process. Specifically, we will provide some examples on what is required from a resources and tools perspective to ensure an efficient and practical implementation of the various steps in the development process.
  • Managed Penetration Testing - An integral part of your risk management approach Recorded: Mar 25 2020 47 mins
    Aravind Venkataraman, Senior Principal Consultant and David Johansson, Principal Consultant, Synopsys
    Managed penetration testing is an integral part of an organization’s risk management strategy. It serves as a complementary security testing approach to identify and validate findings alongside existing security testing tools. It also fills testing gaps that can appear as organizations determine which testing tools to integrate into their development workflows. In this webinar, we’ll discuss how managed penetration testing can help you optimize your risk management strategy.
  • Why SAST and SCA Together Are Better, Faster, Stronger Recorded: Mar 25 2020 43 mins
    Utsav Sanghani, Senior Product Manager, Staff, Synopsys
    Static application security testing (SAST) is critical for uncovering and eliminating issues in proprietary code. However, over 60% of the code in an average application today is composed of open source components. SAST isn’t designed to find open source vulnerabilities (CVEs) or identify open source licenses. And manually maintaining a repository of approved open source components for developers is inefficient and time consuming. That’s where software composition analysis (SCA) comes in.

    Join Utsav Sanghani, product manager, as he explores the benefits of bringing SAST and SCA together. He’ll explain why using an SCA tool to scan open source dependencies is as imperative to a software development strategy as using SAST to test proprietary code. He’ll also demonstrate how developers, by combining SAST and SCA analysis in the IDE, can address issues holistically as they code, saving time and increasing productivity so they can deliver secure, high-quality software faster.
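    The two points above, knowing which open source components are in each container image (the Container Security MasterClass) and matching those components against vulnerability records (SCA), come together in a small inventory-to-advisory matcher. This is an added example written for this page, not Black Duck code or data: the package names, versions, image references, workloads and advisory IDs below are all constructed, and versions are compared as plain dotted integers, which is enough for the sample but not for real package ecosystems.

```python
"""Map open source components in running container images to advisories.

Added example; all identifiers, package names, versions and advisory IDs are
constructed for illustration and are not real advisories or Black Duck data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    introduced: str          # first affected version, inclusive
    fixed: Optional[str]     # first fixed version, exclusive; None = no fix yet
    severity: str


def parse_version(version: str) -> tuple:
    """Turn a plain dotted numeric version into a comparable tuple.

    Padded so that "1.2" == "1.2.0". Deliberately minimal: real ecosystems
    need their own comparators (PEP 440, semver, dpkg/rpm epochs).
    """
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version falls in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def find_affected(images: Dict[str, Dict[str, str]],
                  deployments: Dict[str, str],
                  advisories: List[Advisory]) -> List[dict]:
    """One finding per (workload, package, advisory) that is actually running.

    images:      image reference -> {package: version}, e.g. from an image SBOM
    deployments: workload name   -> image reference it currently runs
    """
    by_package: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_package.setdefault(adv.package, []).append(adv)
    findings = []
    for workload, image in deployments.items():
        for package, version in images.get(image, {}).items():
            for adv in by_package.get(package, []):
                if is_affected(version, adv):
                    findings.append({
                        "workload": workload, "image": image,
                        "package": package, "version": version,
                        "advisory": adv.advisory_id, "severity": adv.severity,
                        "fixed_in": adv.fixed,
                    })
    return findings


def blast_radius(findings: List[dict]) -> Dict[str, List[str]]:
    """Advisory -> sorted workloads it reaches: the scope a responder must contain."""
    scope: Dict[str, set] = {}
    for f in findings:
        scope.setdefault(f["advisory"], set()).add(f["workload"])
    return {adv: sorted(ws) for adv, ws in scope.items()}


# Constructed sample inventory (hypothetical packages, images and advisories).
ADVISORIES = [
    Advisory("ADV-2020-0001", "libimage", "2.0", "2.3.1", "critical"),
    Advisory("ADV-2020-0002", "jsonparse", "1.0", None, "high"),
    Advisory("ADV-2020-0003", "libimage", "1.0", "1.9", "medium"),
]
IMAGES = {
    "registry.example/web:3.1": {"libimage": "2.3.0", "jsonparse": "1.4"},
    "registry.example/worker:7": {"libimage": "2.3.1", "jsonparse": "0.9"},
    "registry.example/batch:2": {"libimage": "1.8.2"},
}
DEPLOYMENTS = {
    "prod/frontend": "registry.example/web:3.1",
    "prod/frontend-canary": "registry.example/web:3.1",
    "prod/queue-worker": "registry.example/worker:7",
    "analytics/nightly": "registry.example/batch:2",
}

if __name__ == "__main__":
    found = find_affected(IMAGES, DEPLOYMENTS, ADVISORIES)
    for f in found:
        print(f"{f['workload']:22} {f['package']}=={f['version']:8} "
              f"{f['advisory']} ({f['severity']}) fixed in: {f['fixed_in']}")
    for adv, workloads in blast_radius(found).items():
        print(f"{adv}: {len(workloads)} workload(s) -> {', '.join(workloads)}")
```

    The inventory is keyed by image reference and then by workload so that the same vulnerable image running in two places shows up as two affected workloads; that count, not the number of distinct images, is what bounds the scope of compromise during a response.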
  • Landscape of Application Security for Cloud-Based Apps Recorded: Mar 19 2020 58 mins
    Ashwath Krishna Reddy, Managing Consultant & Sandesh Mysore Anand, Managing Consultant at Synopsys
    Large enterprises moving to the cloud do so in a phased manner. Consequently, at least for a while, they have a mix of on-premises and cloud environments (and very often, multiple cloud environments). These environments, combined with the many ways you can move an application to the cloud, create new considerations for application security:

    • Rehost (lift and shift): threat landscape increased because of network exposure

    • Replatform (lift and reshape): new attack vectors via buckets, databases, message queues

    • Repurchase (drop and shop): third-party data exposure, noisy neighbor attacks, data retention

    • Rearchitect (rewriting and decoupling apps): serverless, container based, container orchestration

    How can your internal resources keep pace in this dynamic environment? Managed application security testing can be just the relief valve your organization needs. In this webinar, we’ll discuss the need for managed application security testing, the sweet spots where it offers maximum value, what you should look for in a managed application security testing provider, and highlights from Synopsys’ Managed Services offering.
  • Why Lawyers Should Care About Open Source Security in M&A Due Diligence Recorded: Mar 18 2020 48 mins
    Matt Jacobs, Synopsys, Jacob Ewers, Synopsys
    As part of the M&A due diligence process, lawyers seek to understand the license compliance risks that come with the use of open source. But what about open source security vulnerabilities that could be lurking in the code being acquired? Minimizing risk and exposure is the name of the game.

    Join this live webinar to learn why an open source security review should be part of every due diligence transaction. We’ll cover:

    • How the audit landscape has shifted to include security
    • The types of security vulnerabilities that can keep you up at night
    • How a security audit can minimize risk

    Don’t miss this informative webinar. Register today.
  • Effective Vulnerability Remediation Requires More than One Data Point Recorded: Mar 12 2020 41 mins
    Jeff Michael, Senior Product Manager, Synopsys and Chris Fearon, Director Research Engineering, Synopsys
    The Synopsys Cybersecurity Research Center (CyRC) has a dedicated team of security analysts who specialize in sourcing, curating, and analyzing open source software vulnerabilities. Their vulnerability feed contains timely, accurate vulnerability reports (Black Duck Security Advisories, or BDSAs) with all the relevant, actionable information customers need to optimize remediation efforts.

    BDSAs provide multiple data points that are important to consider when triaging vulnerabilities. Now, Black Duck customers can use this data to automatically prioritize vulnerabilities for remediation. With Black Duck’s advanced policy management and best-in-class vulnerability reports, developers can focus on fixing the most critical vulnerabilities quickly and effectively.

    In this webinar, Chris Fearon, director of research engineering, and Jeff Michael, head of Black Duck product management, will take you through Black Duck’s approach to vulnerability prioritization and explain why informed, focused remediation is the preferred approach to open source security management.
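    The argument above is that remediation order should come from several data points, not the CVSS score alone. The following is an added example of such a policy, written for this page; it is not Black Duck's policy engine and the field names (cvss, exploit_available, fix_available, internet_facing), the rule set and the sample findings are this example's own assumptions, not a BDSA schema.

```python
"""Triage open source findings on several data points, not CVSS alone.

Added example. The field names and policy rules are this example's own
assumptions, not a Black Duck or BDSA schema.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Finding:
    component: str
    advisory_id: str
    cvss: float               # base score, 0.0-10.0
    exploit_available: bool   # public exploit code or known exploitation
    fix_available: bool       # an upgrade that removes the vulnerability exists
    internet_facing: bool     # the consuming service is reachable from the internet


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Finding], bool]
    action: str               # "block" (fail the build), "ticket", or "monitor"


# Evaluated top to bottom; the first matching rule wins (assumed policy).
POLICY: List[Rule] = [
    Rule("critical-exploitable",
         lambda f: f.cvss >= 9.0 and f.exploit_available, "block"),
    Rule("exposed-high-fixable",
         lambda f: f.cvss >= 7.0 and f.internet_facing and f.fix_available, "block"),
    Rule("high-or-exploitable",
         lambda f: f.cvss >= 7.0 or f.exploit_available, "ticket"),
    Rule("medium-fixable",
         lambda f: f.cvss >= 4.0 and f.fix_available, "ticket"),
]
DEFAULT_ACTION = "monitor"


def evaluate(finding: Finding, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (rule name, action) for the first rule that matches."""
    for rule in policy:
        if rule.matches(finding):
            return rule.name, rule.action
    return "default", DEFAULT_ACTION


def priority_key(f: Finding) -> tuple:
    """Sort key: known exploit first, then exposure, then CVSS, then fixable first.

    Python sorts False before True, so the negations put the riskiest first.
    """
    return (not f.exploit_available, not f.internet_facing, -f.cvss, not f.fix_available)


def triage(findings: List[Finding], policy: List[Rule] = POLICY) -> List[Tuple[str, str, str]]:
    """Findings in remediation order as (advisory, rule that fired, action)."""
    return [(f.advisory_id, *evaluate(f, policy))
            for f in sorted(findings, key=priority_key)]


def should_fail_build(findings: List[Finding], policy: List[Rule] = POLICY) -> bool:
    """Gate for a CI step: any finding whose action is "block" fails the build."""
    return any(evaluate(f, policy)[1] == "block" for f in findings)


def cvss_only_order(findings: List[Finding]) -> List[str]:
    """What a single-data-point policy would do, for comparison."""
    return [f.advisory_id for f in sorted(findings, key=lambda f: -f.cvss)]


# Constructed sample findings (hypothetical components and advisories).
SAMPLE = [
    Finding("libnet", "ADV-A", 9.8, exploit_available=True, fix_available=True, internet_facing=True),
    Finding("jsonparse", "ADV-B", 7.5, exploit_available=False, fix_available=True, internet_facing=True),
    Finding("imagelib", "ADV-C", 7.5, exploit_available=False, fix_available=False, internet_facing=False),
    Finding("cachelib", "ADV-D", 5.3, exploit_available=False, fix_available=True, internet_facing=False),
    Finding("loglib", "ADV-E", 3.1, exploit_available=False, fix_available=False, internet_facing=False),
    Finding("xmllib", "ADV-F", 9.1, exploit_available=False, fix_available=False, internet_facing=False),
    Finding("authlib", "ADV-G", 6.5, exploit_available=True, fix_available=True, internet_facing=False),
]

if __name__ == "__main__":
    for advisory, rule, action in triage(SAMPLE):
        print(f"{advisory}  {action:8} ({rule})")
    print("CVSS-only order:", cvss_only_order(SAMPLE))
    print("fail build:", should_fail_build(SAMPLE))
```

    With the sample data, ADV-G (CVSS 6.5 with a public exploit and a fix) is worked second, ahead of ADV-F (CVSS 9.1 with neither), which is the difference the multi-data-point approach makes; a CVSS-only sort would put ADV-F second.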
  • Open Source - Fluch oder Segen? (Open Source: Curse or Blessing?) Recorded: Feb 27 2020 42 mins
    Boris Cipot, Senior Security Consultant, Synopsys
    Times are changing and demand ever more attention. This is especially true in the area of open source software. The complexity, particularly in the technology industry, is enormous, especially where security plays an important role.

    Boris Cipot, Senior Security Engineer at Synopsys, presents the results of the Open Source Monitor, an independent study conducted by the digital industry association Bitkom e.V., in which more than 800 companies with 100 or more employees were surveyed about their use, integration, and further development of OSS.
  • Why All Open Source Scans Aren’t Created Equal Recorded: Feb 20 2020 58 mins
    Phil Odence & Emmanuel Tournier at Synopsys
    Understanding the risks associated with open source software has become the norm in tech due diligence but not all approaches are created equal. Are you approaching open source diligence in the most efficient and effective way possible? Do you understand the difference between a point in time open source analysis for M&A and ongoing open source management?

    Join us for this live webinar and learn how a purpose-built M&A open source audit differs from open source management tools and why it matters in tech due diligence. We’ll cover:

    • The types of risk around open source software
    • Why depth of analysis matters, and what it results in during M&A diligence
    • Why accuracy, reporting and expert human analysis are keys to thorough diligence

    Don’t miss this informative webinar. Register today.
  • Synopsys Black Duck is now on the VMware Cloud Marketplace Recorded: Feb 18 2020 52 mins
    Tomas Gonzalez, Alliances Engineer, Synopsys & Neeharika Palaka, Cloud Services Business Operations Manager, VMware
    The use of open source software is free, but that doesn’t mean it won’t cost you. Many customers have felt the pain of managing open source software due to security, license, and operational risk concerns. Luckily, Black Duck exists to help you automatically identify the open source software in your applications and easily manage these risks early in your development life cycle. Now the question becomes how and where to deploy Black Duck. If you want the world’s most trusted enterprise cloud, VMware is the place for you. We are proud to announce that Synopsys Black Duck is now published on VMware Cloud Marketplace.

    Join experts from Synopsys and VMware as we discuss:
    • The key capabilities of the VMware Cloud Marketplace
    • How Synopsys customers can leverage Black Duck on Marketplace
    • A Black Duck demo, showing the ability to identify and manage all open source software in your applications
  • That's Not How This Works Recorded: Feb 11 2020 52 mins
    Jonathan Knudsen, Technical Marketing Manager, Synopsys
    All Development Should Be Secure Development
    Development teams are pressured to push new software out quickly. But with speed comes risk. Anyone can write software, but if you want to create software that is safe, secure, and robust, you need the right process. Register for this webinar to learn:
    - Why traditional approaches to software development usually end in tears and heartburn
    - How a structured approach to secure software development lowers risk for you and your customers
    - Why automation and security testing tools are key components in the implementation of a secure development life cycle
  • How Open Source Made Me a Better Manager Recorded: Feb 11 2020 56 mins
    Allon Mureinik, Senior Manager
    Management seems like a simple job - you tell people what to do, they do it, rinse, repeat. For bad managers, it really is this simple.

    Good managers do things differently. They let team members affect, if not drive, the team's direction. They allow the best ideas to guide the team's activity, no matter who brings them up. They are not intimidated by non-managers displaying leadership qualities, they encourage them.

    While these sentiments aren't unique to open source, they are the core of open source communities - allowing individuals to exert influence without any official authority. That's why I think working in open source is the best way to learn how to be a good manager, and I'll try to share this concept in my talk.
  • The 2019 Open Source Year in Review Recorded: Jan 23 2020 61 mins
    Mark Radcliffe, Partner at DLA Piper & Tony Decicco, Shareholder, GTC Law Group & Affiliates & Phil Odence, GM, Synopsys
    Gain insights into important legal developments from two of the leading open source legal experts, Mark Radcliffe, partner at DLA Piper and general counsel for the Open Source Initiative, and Tony Decicco, shareholder at GTC Law Group & Affiliates.

    This annual review will highlight the most significant legal developments related to open source software in 2019, including:

    •Evolution of open source: control, sustainability, and politics
    •Litigation update: Cambium and Artifex cases
    •Patents and the open source community
    •Impacts of government sanctions
    •The shift left for compliance and rise of bug bounty programs
    •And much, much more

    Live attendees will earn CLE credit for this webinar. Don’t miss out—register today.

    CLE:
    DLA Piper LLP (US) has been certified by the State Bar of California, the Board on Continuing Legal Education of the Supreme Court of New Jersey, and the New York State Continuing Legal Education Board as an accredited CLE provider.
    The following CLE credit is being sought:
    •California: 1.0 Credit (1.0 General, 0.0 Ethics)
    •New Jersey: 1.2 Credits (1.2 General, 0.0 Professional Responsibility)
    •New York: 1.0 Transitional & Non-Transitional Credit (1.0 Professional Practice, 0.0 Ethics and Professionalism)
    CLE credit will be applied for in other states where DLA Piper has an office with the exception of Minnesota, North Carolina, Pennsylvania, and Puerto Rico.
  • Guide to Application Security: What to Look For and Why Recorded: Jan 22 2020 34 mins
    Utsav Sanghani, Senior Product Manager, Staff, Synopsys; Anna Chiang, Product Marketing Manager, Senior Staff, Synopsys
    If your organization does software development in-house, there are many development workflows and processes to choose from. With all the different AppSec tools available (e.g., SAST, DAST, IAST), how do developers stay productive while ensuring that their code is secure?
    Register for this webinar to learn more about application security and how to leverage it in enterprise application development. You’ll learn:
    - About development workflows and the tools developers need to stay productive
    - How to evaluate different AppSec tools
    - What features to look for in an AppSec tool
  • Best Practices for DevSecOps at Scale Recorded: Jan 21 2020 53 mins
    Andrew van der Stock, Senior Principal Consultant, Managed Services SIG Consulting, Synopsys
    Today’s security professionals and software developers not only have to do more in less time; they have to do it securely. This means mitigating risk and addressing compliance requirements in an environment where:
    - The threat landscape continues to evolve.
    - Application portfolios and their risk profiles continue to shift.
    - Security tools are difficult to deploy, configure, and integrate into workflows.
    - Consumption models continue to change.
    How can your internal resources keep pace in this dynamic environment? Managed application security testing can be just the relief valve your organization needs. In this webinar, we’ll discuss the need for managed application security testing, the sweet spots where it offers maximum value, what you should look for in a managed application security testing provider, and highlights from Synopsys’ Managed Services offering.
  • Mobile Application Hardening: Protecting Business Critical Apps Recorded: Jan 14 2020 63 mins
    Grant Douglas, Mobile Practice Director, Synopsys and Nikola Cucakovic, Senior Security Consultant, Synopsys
    Mobile application security isn’t always super exciting or challenging. But when it comes to application hardening, things get more interesting. These days, some types of applications go out of their way to defend themselves at runtime, including:

    • Financial apps
    • Multiplayer games
    • Apps that feature DRM-protected content
    • Apps with intellectual property

    Such applications often attempt to protect themselves via internally developed controls, as well as commercial products.
    During this talk, we’ll look at some of the typical controls that Android/iOS applications exhibit, how they work, how to spot them, and how to sidestep them. We’ll demonstrate analysis and techniques using free open source tooling such as Radare and Frida, and for some parts, we’ll use IDA Pro. And since “automation” is the buzzword of the year, we’ll discuss how to automate some of these activities, which typically take up most of the assessment window.
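    "How to spot them" is the step that can be automated first: before any Frida hook is written, the strings in a decompiled app usually reveal which self-protection controls are present and where. The following is an added example for this page, not tooling from the talk or from Synopsys. The indicator patterns are commonly known markers of root, emulator, debugger and hook detection and of certificate pinning, but the list is an assumption and not exhaustive; the sample strings are constructed to resemble what `strings` returns over a classes.dex, and the class names and package names in them are hypothetical.

```python
"""Spot runtime self-protection controls in a mobile app from its strings.

Added example, not from the webinar or its tooling. The indicator patterns are
commonly known markers of root/emulator/debugger/hook detection and pinning
(assumed, not exhaustive); the sample strings are constructed.
"""
import re
import sys
from typing import Dict, Iterable, List

# Category -> regexes, matched case-insensitively against each string.
INDICATORS: Dict[str, List[str]] = {
    "root_detection": [r"/xbin/su", r"/bin/su", r"Superuser\.apk", r"test-keys",
                       r"magisk", r"supersu", r"RootBeer", r"isRooted", r"RootCheck"],
    "debugger_detection": [r"isDebuggerConnected", r"TracerPid", r"waitingForDebugger"],
    "emulator_detection": [r"ro\.kernel\.qemu", r"goldfish", r"generic_x86", r"ro\.hardware"],
    "hooking_detection": [r"frida", r"\b27042\b", r"gum-js-loop", r"xposed", r"substrate"],
    "certificate_pinning": [r"CertificatePinner", r"checkServerTrusted",
                            r"X509TrustManager", r"sha256/"],
    "integrity_check": [r"GET_SIGNATURES", r"getPackageInfo", r"signingInfo"],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in INDICATORS.items()}


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def classify(strings: Iterable[str]) -> Dict[str, List[str]]:
    """Category -> sorted matching strings; categories with no hits are omitted.

    The matched strings are the starting point for the next step: each one
    points at a class or method worth opening in the disassembler or hooking.
    """
    hits: Dict[str, set] = {cat: set() for cat in COMPILED}
    for s in strings:
        for cat, patterns in COMPILED.items():
            if any(p.search(s) for p in patterns):
                hits[cat].add(s)
    return {cat: sorted(v) for cat, v in hits.items() if v}


def controls_present(strings: Iterable[str]) -> List[str]:
    """Just the control categories found, for a one-line assessment summary."""
    return sorted(classify(strings))


# Constructed sample: what `strings` might return over a hardened app's dex
# (hypothetical class and package names).
SAMPLE_STRINGS = [
    "Lcom/example/app/security/RootCheck;",
    "/system/xbin/su",
    "/system/app/Superuser.apk",
    "test-keys",
    "com.topjohnwu.magisk",
    "Landroid/os/Debug;->isDebuggerConnected()Z",
    "TracerPid:",
    "ro.kernel.qemu",
    "frida-server",
    "LIBFRIDA",
    "27042",
    "de.robv.android.xposed.XposedBridge",
    "Lokhttp3/CertificatePinner;",
    "checkServerTrusted",
    "Welcome back",
    "application/json",
]

if __name__ == "__main__":
    strings = SAMPLE_STRINGS
    if len(sys.argv) > 1:                      # optionally scan a real file
        with open(sys.argv[1], "rb") as fh:
            strings = extract_strings(fh.read())
    for category, matched in classify(strings).items():
        print(f"[{category}]")
        for s in matched:
            print("   ", s)
```

    Run with a path to a classes.dex or a native library to scan real input; with no argument it scans the constructed sample. Absence of a category only means no plain-text indicator survived: apps that obfuscate or encrypt their strings need the dynamic techniques the talk covers.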
Build secure, high-quality software faster.
Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.
