Risk-Ranking Open Source Vulnerabilities

Increase security effectiveness and maintain dev agility

Three certainties in 2017: organizations worldwide will continue to increase their use of open source software; new open source security vulnerabilities will be discovered; exploits of open source vulnerabilities will occur.

With dev teams under constant pressure to accelerate application delivery and with security resources often scarce, organizations need more effective ways to determine which open source vulnerabilities to fix first and the options available to reduce risk during remediation.

Join Black Duck VP of Security Strategy Mike Pittenger as he discusses strategies and emerging best practices for risk-ranking open source vulnerabilities. He will cover:
- the most important considerations in prioritizing open source security issues
- ways to determine the risk associated with a discovered open source vulnerability
- options for dealing with open source security vulnerabilities beyond simply replacing the component
Recorded Jan 19 2017 43 mins
Presented by
Mike Pittenger, VP Security Strategy, Black Duck
  • Why SAST and SCA Together Are Better, Faster, Stronger Jan 28 2021 2:00 pm UTC 42 mins
    Utsav Sanghani, Senior Product Manager, Staff, Synopsys
    Static application security testing (SAST) is critical for uncovering and eliminating issues in proprietary code. However, over 60% of the code in an average application today is composed of open source components. SAST isn’t designed to find open source vulnerabilities (CVEs) or identify open source licenses. And manually maintaining a repository of approved open source components for developers is inefficient and time consuming. That’s where software composition analysis (SCA) comes in.

    Join Utsav Sanghani, product manager, as he explores the benefits of bringing SAST and SCA together. He’ll explain why using an SCA tool to scan open source dependencies is as imperative to a software development strategy as using SAST to test proprietary code. He’ll also demonstrate how developers, by combining SAST and SCA analysis in the IDE, can address issues holistically as they code, saving time and increasing productivity so they can deliver secure, high-quality software faster.
  • Managed Penetration Testing - An integral part of your risk management approach Jan 26 2021 9:00 am UTC 46 mins
    Aravind Venkataraman, Senior Principal Consultant and David Johansson, Principal Consultant, Synopsys
    Managed penetration testing is an integral part of an organization’s risk management strategy. It serves as a complementary security testing approach to identify and validate findings alongside existing security testing tools. It also fills testing gaps that can appear as organizations determine which testing tools to integrate into their development workflows. In this webinar, we’ll discuss how managed penetration testing can help you optimize your risk management strategy.
  • The 2020 Open Source Year in Review Jan 21 2021 5:00 pm UTC 75 mins
    Mark Radcliffe, Partner at DLA Piper & Tony Decicco, Shareholder, GTC Law Group & Affiliates & Phil Odence, GM, Synopsys
    Gain insights into important legal developments from two of the leading open source legal experts, Mark Radcliffe, partner at DLA Piper and general counsel for the Open Source Initiative, and Tony Decicco, shareholder at GTC Law Group & Affiliates.

    This annual review will highlight the most significant legal developments related to open source software in 2020.
  • Under Pressure – Building Security into Application Development Jan 19 2021 9:00 am UTC 61 mins
    Patrick Carey, Director Product Marketing, Synopsys and Dave Gruber, Senior Analyst, Enterprise Strategy Group
    A recent study by Enterprise Strategy Group, commissioned by Synopsys, revealed that nearly half of the cybersecurity and development professionals surveyed indicate that their organization knowingly pushes vulnerable code into production due to time pressures. In every sector, development and security teams grapple with the competing demands of development velocity and application security.

    In this webinar, we speak with the study’s author, ESG Senior Analyst, Dave Gruber, about how organizations are working to build security into their development toolchains and processes. Highlights include:

    - Why many organizations’ AppSec programs aren’t as effective as they think.

    - Key attributes of the most successful AppSec programs.

    - Trends and challenges organizations are facing in implementing their AppSec programs.

    - How organizations are working to improve AppSec ROI while simplifying deployments.
  • See the Larger Security Picture - Enhancing the Tools You Already Have Jan 14 2021 2:00 pm UTC 43 mins
    Simon King, VP Solutions, Synopsys Software Integrity Group
    DevOps and Agile development teams work iteratively to deliver customer value faster. They accelerate productivity with external software such as open-source, and external infrastructure such as cloud and containers. But this increases the threat surface and potential security risk. This leads to using more security tools, and complexity associated with managing test results and governance.

    Join Simon King from Synopsys on this journey enabling teams to see the larger security picture – transparently – enhancing the tools you already use.

    In this session you’ll learn about:
    - The challenges associated with managing test execution with multiple tools.
    - The opportunities to streamline communication between teams when coordinating triage and issue remediation.
    - How to make app sec “invisible” to the development team inside your existing CI/CD toolchain.
    - How to manage continuous improvement in risk posture.
  • That's Not How This Works - All Development Should Be Secure Development Jan 7 2021 9:00 am UTC 51 mins
    Jonathan Knudsen, Technical Marketing Manager, Synopsys
    Development teams are pressured to push new software out quickly. But with speed comes risk. Anyone can write software, but if you want to create software that is safe, secure, and robust, you need the right process. Register for this webinar to learn:
    - Why traditional approaches to software development usually end in tears and heartburn
    - How a structured approach to secure software development lowers risk for you and your customers
    - Why automation and security testing tools are key components in the implementation of a secure development life cycle
  • What the Open Source Security & Risk Report Means for Your Security Team Dec 17 2020 2:00 pm UTC 36 mins
    Shandra Gemmiti, Product Marketing Manager at Synopsys and Mike McGuire, Product Marketing Manager at Synopsys
    Open source is a great foundation for modern software development, but when left unmanaged, it exposes you to security risks. In the upcoming webinar “What the 2020 OSSRA Report Means for Your Security Team,” we’ll explore the findings of our 2020 Open Source Security and Risk Analysis report and what that means to teams like yours. Specific topics include:

    · Why you need an accurate inventory of open source components

    · How to prioritize the vulnerabilities to fix

    · Where to integrate testing into your SDLC

    Join us and together we’ll harness the power of open source without sacrificing the security of your applications.
  • Open Source During an M&A Process: Buyer and Sellers Tips on How to Manage Risk Dec 16 2020 5:00 pm UTC 60 mins
    Ben Landry, Assistant General Counsel, Health Catalyst, Inc.
    Whether you sit on the buy-side or sell-side of an M&A transaction, open source use in the software development process introduces legal and security risks into the deal. There are a number of key considerations to be aware of to minimize risk through the M&A due diligence process.

    Join this live Synopsys webinar to get practical advice on preparing for tech due diligence from an in-house attorney with experience on both sides of the transaction. We’ll cover:

    • When and how to invest in open source diligence
    • How to manage open source and prepare for a sale
    • How Covid has impacted the due diligence process

    Don’t miss this informative webinar. Register today.
  • Maximizing the Impact of Static Analysis Dec 15 2020 5:00 pm UTC 60 mins
    Meera Rao, Senior Director – Product Management (DevOps Solutions)
    Static analysis, also known as white box testing, static application security testing (SAST), or secure code review, finds bugs in application code, back doors, and other code-based vulnerabilities so you can mitigate those risks. But no static analysis tool can effectively address threats to a development environment out of the box. And many users have the misconception that the cost of tool adoption depends primarily on getting the tool working in a build environment.

    Static analysis is the only way to enable developers to automatically identify vulnerabilities as they write code in their integrated development environment (IDE). With SAST, developers can:
    • Run scans in their IDE by using plugins that provide just-in-time security guidance.
    • Review source code before checking it into a version control repository.
    • Remediate identified vulnerabilities.
    • Adopt a preventative mindset.

    Automation is an important part of adopting a SAST tool, as it drives efficiency, consistency, and early detection, enabling organizations to shift left. For a static analysis implementation to be effective, several distinct activities must come together to establish and maximize its impact. This webinar covers some challenges of SAST implementation and provides real solutions to get the most value out of SAST tools.
  • BSIMM11: The Evolution of DevSecOps Dec 15 2020 2:00 pm UTC 58 mins
    Eli Erlikhman Managing Principal, Synopsys SIG and Chai Bhat Sr. Product Marketing Manager, Synopsys SIG
    With the emergence of COVID-19, the workforce is more dispersed and far from the secure enterprise environments that they were accustomed to working in. Malicious hackers are seizing the opportunity provided by a much larger and more vulnerable attack surface to launch even more sophisticated attacks. A solid foundation of software security initiatives (SSIs) derived from the best practices of best-of-breed organizations is more important now than ever before.

    The Building Security in Maturity Model (BSIMM) provides just that—it’s a study of existing SSIs. By quantifying the practices of many different organizations, the BSIMM describes the common ground shared by many, as well as the variations that make each unique.

    In this Synopsys webinar, you will learn:
    • Engineering-led vs. software security group-led SSIs
    • “Shift left” becoming “shift everywhere”
    • What leading organizations are doing to address application security
  • See the Larger Security Picture - Enhancing the Tools You Already Have Dec 10 2020 6:00 pm UTC 43 mins
    Simon King, VP Solutions, Synopsys Software Integrity Group
    DevOps and Agile development teams work iteratively to deliver customer value faster. They accelerate productivity with external software such as open-source, and external infrastructure such as cloud and containers. But this increases the threat surface and potential security risk. This leads to using more security tools, and complexity associated with managing test results and governance.

    Join Simon King from Synopsys on this journey enabling teams to see the larger security picture – transparently – enhancing the tools you already use.

    In this session you’ll learn about:
    - The challenges associated with managing test execution with multiple tools.
    - The opportunities to streamline communication between teams when coordinating triage and issue remediation.
    - How to make app sec “invisible” to the development team inside your existing CI/CD toolchain.
    - How to manage continuous improvement in risk posture.
  • Why Open Source Compliance Matters for SaaS: Truths, Myths, and Considerations Dec 3 2020 5:00 pm UTC 60 mins
    Anthony Decicco, Shareholder, GTC Law Group & Affiliates & Phil Odence, GM Black Duck Audits, Synopsys
    If you offer a product via a software-as-a-service (SaaS) model, you may have heard that some of the most common open source licenses, while being potentially quite problematic for distributed software, may give a "free pass" to SaaS applications. Are you required to adhere to open source license obligations in a SaaS model?

    Join us for this live Synopsys webinar to learn how to address open source software use in a SaaS model. We’ll cover:

    - The legal considerations around open source license compliance
    - How security impacts open source software in a SaaS application
    - The operational and strategic pitfalls to avoid
    - The impact on financing, M&A and IPO due diligence

    Don’t miss this informative webinar. Register today.
  • What the Open Source Security & Risk Report Means for Your Security Team Recorded: Nov 18 2020 36 mins
    Shandra Gemmiti, Product Marketing Manager at Synopsys and Mike McGuire, Product Marketing Manager at Synopsys
    Open source is a great foundation for modern software development, but when left unmanaged, it exposes you to security risks. In the upcoming webinar “What the 2020 OSSRA Report Means for Your Security Team,” we’ll explore the findings of our 2020 Open Source Security and Risk Analysis report and what that means to teams like yours. Specific topics include:

    · Why you need an accurate inventory of open source components

    · How to prioritize the vulnerabilities to fix

    · Where to integrate testing into your SDLC

    Join us and together we’ll harness the power of open source without sacrificing the security of your applications.
  • Binary Scanning 101: Pulling back the covers on binaries Recorded: Nov 17 2020 61 mins
    Lisa Bryngelson, Senior Product Manager at Synopsys
    Organizations across every industry increasingly rely on open source software to form the foundation of the products and technologies they deliver to the market. So you can assume that the third-party commercial software you depend on from supply chain partners and outsourcers also uses open source as its backbone. The challenge is deciding whether to trust that your vendors are managing potential open source security vulnerabilities proactively or to verify for yourself that the open source embedded in the software you procure remains up to date and secure. The latter, what we refer to as “trust but verify,” requires tools that can look inside compiled binaries to ensure the whole of your application is secure.

    Join Lisa Bryngelson, senior product manager at Synopsys, as she pulls back the covers on how Black Duck tackles binary scanning. In this webinar, she’ll discuss:

    · Binary scanning basics and best practices

    · How binary scanning works

    · The different types of binary scanning and identification techniques

    · The challenges in detecting specific components or versions

    · How developers can make it easier for scanners to produce accurate and precise results
  • Getting Developers to Upgrade Vulnerable Components With Black Duck & ThreadFix Recorded: Nov 12 2020 60 mins
    Gautam Baghel, Synopsys & Dan Cornell, ThreadFix
    ThreadFix is a leading solution for managing your application vulnerability data across static, dynamic, and interactive tests, and open source software. Black Duck®, a premier software composition analysis tool, provides insight into the vulnerabilities in your open source application portfolio. Together, Black Duck and ThreadFix create a unified view of your application security program.

    In this webinar, learn how ThreadFix can provide valuable remediation guidance for the open source vulnerabilities uncovered by Black Duck—and from static and dynamic tests as well. ThreadFix sends all that information automatically to your developers, so they can spend their time resolving issues, not trying to research how.
  • Implementing SAST into your SDLC: What to look for & what to consider Recorded: Nov 5 2020 50 mins
    Rob Haines, Senior Sales Engineer, Synopsys
    So you’ve decided (or been told) that you need to implement SAST in your software development process. But SAST is not a one-size-fits-all solution, and implementation often requires a compromise between technology, time, process, and people—especially people. In this webinar, we’ll look at common objections and pitfalls that you might encounter along the way.

    We'll cover:
    • What you should look for in a tool
    • Considerations for implementing SAST
    • Importance of the process (getting a good return on your investment)
    • High-quality and more secure software
  • Are You Acquiring the Next Big Breach? Security Vulnerabilities & M&A Recorded: Oct 22 2020 57 mins
    Hal Hearst, Synopsys
    Software contains vulnerabilities and if you’re acquiring a company where software is a big part of the deal, you should understand if there is anything in that software that can be exploited.

    Join this live webinar to learn why security is a key piece of tech due diligence and the way your audit vendor manages their security data matters. We’ll cover:

    • Why due diligence has moved beyond license compliance
    • How you (and your vendor) can get a more in-depth view of your vulnerabilities
    • Strategies for understanding your security risks

    Don’t miss this informative webinar. Register today.
  • BSIMM11: The Evolution of DevSecOps Recorded: Oct 15 2020 59 mins
    Eli Erlikhman Managing Principal, Synopsys SIG and Chai Bhat Sr. Product Marketing Manager, Synopsys SIG
    With the emergence of COVID-19, the workforce is more dispersed and far from the secure enterprise environments that they were accustomed to working in. Malicious hackers are seizing the opportunity provided by a much larger and more vulnerable attack surface to launch even more sophisticated attacks. A solid foundation of software security initiatives (SSIs) derived from the best practices of best-of-breed organizations is more important now than ever before.

    The Building Security in Maturity Model (BSIMM) provides just that—it’s a study of existing SSIs. By quantifying the practices of many different organizations, the BSIMM describes the common ground shared by many, as well as the variations that make each unique.

    In this Synopsys webinar, you will learn:
    • Engineering-led vs. software security group-led SSIs
    • “Shift left” becoming “shift everywhere”
    • What leading organizations are doing to address application security
  • Threat Modeling Program Maturity – Establish and Mature Threat Modeling Programs Recorded: Oct 14 2020 59 mins
    Chandu Ketkar, Director Security Architecture Practice at Synopsys and Himanshu Tiwari, Managing Consultant at Synopsys
    What differentiates a highly mature threat modeling program from a less mature program? How do companies get started with threat modeling? What does the journey to higher levels of maturity look like? What are the key anchors of building the threat modeling capability?

    Join our talk as we share what we've learned through the years working with clients. Find out how companies evolve their threat modeling programs and maturity.
  • The Importance of Fuzzing for Network Protocols Recorded: Oct 13 2020 57 mins
    Vishwas Sharma, Senior Sales Engineer, Synopsys
    Most security issues are triggered by misuse—and there are an infinite number of ways to misuse a system. Given that you don’t have an infinite amount of time to test for security issues, how will you know when a product is safe enough to ship or deploy? After you’ve analyzed the source code, the next step is to test its dynamic behavior using invalid input testing (fuzzing) that closely imitates what a hacker would do. Fuzzing provides a final test-run before rolling out to avoid costly bug fixes and product recalls.

    Network devices must be able to handle malicious inputs on their interfaces and protocols. Defensics is a model-based stateful protocol fuzzer that is based on popular specifications and has millions of malformed inputs to cover misuse cases that can trigger critical unknown vulnerabilities.

    Join us as we discuss the importance of fuzzing for network protocols and address its use cases:

    Development. Complement SAST methods by integrating fuzzing into CI/CD
    Quality assurance. Perform QA with enhanced test coverage in a manageable time
    Security. Uncover zero-day and unknown vulnerabilities before they turn costly
    Procurement. Ensure robustness, quality, and security of software and devices before introducing them into IT/lab environments
Build secure, high-quality software faster.
Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.

  • Title: Risk-Ranking Open Source Vulnerabilities
  • Live at: Jan 19 2017 4:00 pm
  • Presented by: Mike Pittenger, VP Security Strategy, Black Duck