Hi [[ session.user.profile.firstName ]]

Risk-Ranking Open Source Vulnerabilities

Increase security effectiveness and maintain dev agility

Three certainties in 2017: organizations worldwide will continue to increase their use of open source software; new open source security vulnerabilities will be discovered; exploits of open source vulnerabilities will occur.

With dev teams under constant pressure to accelerate application delivery and with security resources often scarce, organizations need more effective ways to determine which open source vulnerabilities to fix first and the options available to reduce risk during remediation.

Join Black Duck VP of Security Strategy Mike Pittenger as he discusses strategies and emerging best practices for risk-ranking open source vulnerabilities. He will cover:
- the most important considerations in prioritizing open source security issues
- ways to determine the risk associated with a discovered open source vulnerability
- options for dealing with open source security vulnerabilities beyond simply replacing the component
Recorded Jan 19 2017 43 mins
Your place is confirmed,
we'll send you email reminders
Presented by
Mike Pittenger, VP Security Strategy, Black Duck
Presentation preview: Risk-Ranking Open Source Vulnerabilities
  • Channel
  • Channel profile
  • Lessons from Equifax: Open Source Security & Data Privacy Compliance Nov 16 2017 4:00 pm UTC 60 mins
    Patrick Carey, VP Product Marketing, Black Duck; Mike Pittenger, VP Security Strategy, Black Duck
    The Equifax breach provided a unique look into “how” many breaches occur. In Equifax’s case, hackers exploited an unpatched Apache Struts component, resulting in the exposure of over 140 million consumer records. The exploit of this vulnerability highlights the need for visibility to open source in custom applications and just how ineffective traditional security solutions are when it comes to open source vulnerabilities.
     
    Further, while class action lawsuits have already begun, Equifax faces other regulatory challenges as well. The US Federal Trade Commission started investigations into the company’s security policies and controls that will likely result in financial penalties. Since the exposed data included non-US citizens, foreign data protection and data privacy regulations also come into play.
     
    Join Mike Pittenger and Patrick Carey as they discuss how organizations can more effectively manage open source, the strengths and weaknesses of testing methodologies in identifying vulnerable open source components, and how data privacy standards such as PCI, Section 5 of the FTC Act, and GDPR necessitate a change in how organizations address vulnerabilities in their code.
  • The Basics of Open Source Security Oct 31 2017 3:00 pm UTC 60 mins
    Mike Pittenger, VP of Security Strategy, Black Duck
    Recent news stories have attributed a major security breach to an exploit of a vulnerability in an open source framework widely used by Fortune 100 companies in education, government, financial services, retail and media.

    The incident shines a light on the need for organizations to carefully manage the open source they use to protect themselves—and their customers—from the consequences of catastrophic security breaches.

    “The Basics of Open Source Security” will arm you with the information and statistics needed to:

    -Explain the importance of open source security to your organization
    -Define a clear roadmap for identifying, managing, and securing the open source you have in use
    -Take the steps to help your company avoid becoming the next security breach media story
  • Successfully Navigating Open Source Software Issues in M&A Oct 26 2017 3:00 pm UTC 60 mins
    Anthony Decicco, Member of GTC Law Group PC & Affiliates
    Cybersecurity has become one of the areas where substantive diligence should be conducted not as an afterthought but as an integral part of the M&A process for any deal, particularly those that involve targets with any kind of online presence. The continued growth in the use of open source software underscores the importance of thorough software due diligence. This webinar examines key open source software-related issues and deal points in M&A, licensing and other transactions. Understanding these key legal and technical risks, as well as strategies for mitigating them, will help you speed and smooth negotiations, avoid protracted due diligence and get better deal terms.
  • Micro Focus Fortify & Black Duck Present: End to End Security in a DevOps World Recorded: Oct 19 2017 49 mins
    Erdem Menges, Sr. Product Marketing Manager, Micro Focus Fortify and Dave Meurer, Technical Director, Black Duck
    DevOps teams are building applications faster than ever before, and utilizing large amounts of open-source software to increase agility. However, that introduces the possibility of open-source security risk. The landscape of attacks has changed in recent years, with cyber-attacks increasingly happening on the application layer. This means DevOps teams need to be involved in the security process.

    This task is made more daunting as modern applications are a mix of custom code and open source in their applications. How do you protect your DevOps? Register for this webinar where security experts from Micro Focus Fortify and Black Duck discuss:
    - Understanding the mindset of an attacker
    - Ways to automate the process of risk identification
    - The ability to gate builds when finding risk elements
  • Behind the Equifax Breach: A Deep Dive Into Apache Struts CVE-2017-5638 Recorded: Oct 5 2017 55 mins
    Patrick Carey, VP Product Marketing; Chris Fearon, Research Director; Pat Durante, Sr. Director Education Services
    Equifax confirmed that their high profile, high impact data breach was due to an exploit of a vulnerability in an open source component, Apache Struts CVE-2017-5638. Apache Struts is a mainstream web framework, widely used by Fortune 100 companies in education, government, financial services, retail and media.

    This breach highlights the need for visibility and control into the open source in use at organizations of all sizes. As the Equifax incident shows, open source security breaches can have devastating impacts for your users as well as your brand reputation, legal exposure, and revenue.

    In this webinar, Black Duck open source security experts share their analysis of what happened at Equifax and provide you with guidance to help your company avoid being the next front page news story:

    - Why should organizations prioritize open source vulnerability management?
    - How could a known vulnerability like this go undetected for so long?
    - What is CVE-2017-5638 in depth and how can hackers exploit it?
    - How can you win the race against hackers and avoid risks from future vulnerabilities?
  • Blockchain & Open Source: Hype or Potential Game Changer? Recorded: Sep 28 2017 58 mins
    Karen Copenhaver, Partner, Choate Hall & Stewart/Counsel, Linux Foundation; Mark Radcliffe Partner, DLA Piper/Counsel OSI
    There’s a lot of buzz about blockchain technology, with the revolutionary possibilities of blockchain being compared to the early days of the Internet, promising to transform the ways in which people and businesses cooperate. The second generation of open source blockchain projects such as Openchain, Ethereum and the Hyperledger Project illustrate how open source platforms are evolving in different directions to support distributed transactions and contracts of all types.

    With an eye to keeping the hype factor to a minimum, this webinar will explore the promise and potential of blockchain and look at some of the many exciting open source blockchain projects being implemented today.
  • Black Duck MasterClass - Open Source Security for Containers and Applications Recorded: Sep 19 2017 56 mins
    Tim Mackey, Senior Technology Evangelist, Black Duck
    Managing container infrastructure in a production environment is challenged by problems of scale. One of the biggest problems is trust—specifically trust of the application. To put it another way, can you trust that all containers in your Kubernetes or OpenShift cluster are performing the tasks you expect of them? We know that containerization has increased the pace of deployment, but has trust kept pace? If a container becomes compromised in some fashion, how many other containers are at risk and how far has trust been broken?

    Tim Mackey explores the nature of data center threats, why threat models fail, how malicious attackers design their attacks, when the threat risk increases prior to attack and why information flow matters, and how traditional defenses are inadequate for container workloads. Tim then shares measures you can take to proactively identify risks, including OpenShift integrated tooling to identify container images with increased risk.
  • Black Duck Hub 4.0: Ready for the Enterprise Recorded: Aug 10 2017 58 mins
    Pat Durante, Senior Director Education Services; John Beaudoin, Senior Instructional Designer
    Join our upcoming Black Duck Customer Webinar exploring the new functionalities in Hub 4.0. Learn how the Hub is delivering additional value to enterprise customers who want to run the Hub at scale and within their existing IT infrastructure. We’ll demo new features including an improved user experience, more comprehensive reporting, security and license risk management and recent updates to our Hub integrations.

    Explore These Hub 4.0 UX Advancements:
    Executive Dashboard
    Report Database
    Enterprise Improvements
    Security Risk Management
    License Compliance Management
    Cloud Platform and Docker Inspector Integrations
  • Healthcare and Open Source – Balancing Innovation Against Risk Recorded: Aug 8 2017 59 mins
    Jim DeGraw, Partner, Ropes & Gray; Mike Pittenger, VP Security Strategy, Black Duck
    More and more innovation in the healthcare industry is powered by open source software, whether it’s for a new pacemaker or the latest Electronic Medical Records (EMR) platform.

    A recent study of more than 1,000 commercial software applications found that open source components comprised 46% of the code in commercial applications for healthcare-related industries. But with innovation comes risk. The same research uncovered high-risk open source security vulnerabilities in 47% of the healthcare applications studied.

    A focused approach to managing open source risk is essential as HIPAA and the European Union’s General Data Protection Regulation (GDPR) put new pressures on healthcare providers and technology companies to protect patient data privacy and security.

    If you're concerned with healthcare application security, learn why open source management is essential for your overall security strategy.
  • GDPR and Open Source: Best Practices for Security and Data Protection Recorded: Jul 25 2017 60 mins
    Daniel Hedley, Partner, Irwin Mitchell; Matt Jacobs, VP and General Counsel, Black Duck Software
    Legislators in Europe continue to expand the scope of the laws governing information security and personal data protection. As a result, organizations serving consumers and businesses in the region need to understand the implications these laws will have on their use of open source to build software applications.

    During this educational webinar led by Dan Hedley, Partner, IT and Commercial from Irwin Mitchell, we’ll provide guidance on the General Data Protection Regulation (GDPR) and why a comprehensive approach to open source security management is essential for GDPR observance. In addition, we’ll review open source management best practices in context of other industry-specific developments like the Network and Information Services Directive and the Electronic Identification Regulation.
  • Container Security – Best Practices for Government Agencies Recorded: Jul 13 2017 64 mins
    Jamie Duncan, Cloud Solutions Architect, Red Hat; Tim Mackey, Sr. Technology Evangelist, Black Duck
    Local and Federal government agencies are increasingly turning to container environments to meet the demand for faster, more agile software development. However, containers present a new array of security challenges, including how to properly manage open source security risk.

    Join experts from Red Hat and Black Duck for an educational webinar on securing open source in your containers.

    · Why container environments present new application security challenges, including those posed by open source
    · How to scan applications running in containers to identify open source and map against known vulnerabilities
    · Best practices and methodologies for deploying secure containers
  • 3 Pro Tips for Black Duck Hub & Ask the Experts Recorded: Jun 27 2017 46 mins
    Black Duck Product and Implementation Team
    Join our next customer webinar where YOU are the star of the show! Our Ask the Experts panel features Hal Hearst, Principal Product Manager; Utsav Sanghani, Product Manager; and Don Mulrenan, Manager Implementation Services. They’ll present their top three tips for scanning your code, helping you use Black Duck Hub’s features most effectively. We’ll leave plenty of time for Q&A with the panel. Submit your questions now by emailing jenny@blackducksoftware.com, or ask them during the webinar. We’re excited to have this opportunity to answer your questions and hear your feedback about Black Duck Hub. Register today.
  • The Results Are In: Open Source 360 Survey Recorded: Jun 22 2017 60 mins
    Tim Mackey, Sr. Technology Evangelist, Black Duck; Bob Canaway, CMO, Black Duck
    Today, open source drives technology and development, and its worldwide adoption ranges from companies with a single employee to large corporations like Microsoft and Apple. All of these organizations rely on open source to innovate, reduce development costs, and speed time to market. Recent research reports point out that open source comprises 80% to 90% of the code in a typical application. Our Open Source 360° survey provides an update on the rapid evolution of open source development, use and management.

    The 2017 Open Source 360° survey was conducted through Black Duck’s Center for Open Source Research & Innovation (COSRI), focusing on four important areas of open source – usage, risk, contributions and governance/policies. Our respondents include input from new players, established leaders, and influencers across vertical markets and communities. This range of respondents drives broad industry awareness and discussions of these key issues.

    Please join Technology Evangelist Tim Mackey (@timintech) and CMO Bob Canaway (@bobcanaway) to review the results from the Open Source 360 Survey. Please bring your questions! 

    Follow the conversation on Twitter, using the hashtag #OSS360.
  • Prepping for Tech M&A – What Buyers and Sellers Need to Know Recorded: Jun 13 2017 58 mins
    Steven S. Fang Sr. Counsel Kastner Huggins Reddien Gravelle LLP; Phil Odence VP & General Manager Black Duck Software
    In potential tech M&A transactions, both buyers and sellers are focused on the IP quality and security of the most valuable asset – software. Both are extremely important to the sellers, who are looking for the best price, and to acquirers, who want to ensure a future return on their investment.

    During this webinar, open source experts from Black Duck and the Austin legal firm KHRG will discuss best practices as well as pitfalls to avoid to protect IP quality and security. The session will include:

    - Security and license compliance issues to consider when using open source
    - Best practices for ensuring ongoing management of open source licenses and security
    - Latest trends in open source software use by developers
    - Examples of how improper code management has impacted software acquisitions
    - Anatomy of the M&A technical due diligence process and how best to prepare
  • Why Software Composition Analysis is Critical to Secure DevOps Recorded: May 16 2017 37 mins
    Amy DeMartine, Forrester Principal Analyst; Patrick Carey, Black Duck
    Open source software is the lifeblood of today’s enterprise applications, comprising 80%-90% of the code. However, open source use comes with significant security and IP risks that both enterprise and smaller organizations are ill-prepared to address.

    As development teams increasingly automate the software development lifecycle (SDLC) through the use of agile DevOps tools and practices, the need to mitigate these risks through integration of Software Composition Analysis (SCA) into the DevOps tool chain has become critical.

    In this 60-minute webinar, guest speaker, Forrester Principal Analyst Amy DeMartine, and Black Duck Director of Product Marketing Patrick Carey, will discuss findings from the recent report: The Forrester Wave™: Software Composition Analysis, Q1 2017 and why SCA should be a key part of your Secure DevOps strategy.

    The discussion topics will include:
    - Why you need a software composition analysis (SCA) solution
    - How SCA solutions help you manage open source vulnerability, compliance, and component quality risks
    - Criteria to consider when selecting an SCA solution
    - Why it's important to integrate SCA into your automated DevOps environment
  • Leveraging Reporting Improvements and Docker Scanning using Hub 3.6 Recorded: May 11 2017 54 mins
    Pat Durante, Senior Director Education Services; John Beaudoin, Senior Instructional Designer
    Please join us for the next Black Duck Customer Success Webinar and learn about the features and enhancements in the latest Hub release – version 3.6. It includes new usability and project management improvements as well as administration and integration enhancements.

    We’ll discuss:

    - Leveraging the new Hub Reporting Database to programmatically access project, project version, component version, and component license data for custom data reporting and analysis.
    - Taking advantage of the new Print View option which displays the Bill of Materials in a format suitable for easy printing or exporting.
    - Adding subprojects to your Bill of Materials. For example, if you have projects used by other applications, you can add them to a BOM so that the BOM accurately reflects the elements in your application.
    - Using the updated Hub 3.6 Scan Client to scan Docker Images. We’ve introduced a new script, bundled with the Hub Scanner, to scan your Docker images for open source.
  • Audits of 1000 Apps: The Good, the Bad and the Ugly of Open Source Use Recorded: May 4 2017 49 mins
    Mike Pittenger, VP Security Strategy, Black Duck Software
    Open source components are the foundation of today’s applications. Ineffective security and management of open source is pervasive.
    That stark contrast marks Black Duck’s recently released 2017 Open Source Security and Risk Analysis (OSSRA), which is based on code audits of more than 1000 applications. Not surprisingly, 97% of the audited applications contained open source. Disturbingly, 67% of the applications contained known open source vulnerabilities.
    In this webinar, Black Duck VP of Security Strategy Mike Pittenger will review the audit findings in depth and discuss strategies companies can use to minimize open source security risk while maximizing the economic and productivity value open source provides.
  • Assessing Open Source Risk: An Imperative for M&A Professionals Recorded: Apr 19 2017 59 mins
    Phil Odence, Vice President & General Manager On-Demand Audits; Mike Pittenger, VP Security Strategy
    Open source software use is ubiquitous worldwide, increasing the importance that M&A professionals understand the potential security, license compliance, and operational risks open source represents in today’s transactions.

    This webinar will detail findings in a recent report issued by Black Duck’s Center for Open Source Research and Innovation (COSRI) showing that most M&A target organizations are not effective in securing and managing their open source.

    Black Duck On-Demand audits hundreds of commercial code bases each year. The Open Source Security and Risk Analysis (OSSRA) will provide insight and results from over 1000 audits performed in 2016, including:

    - The number, age and severity of vulnerabilities in the open source components
    - The gap between the number of open source components used versus what the target company thought it was using
    - The prevalence of open source components using licenses that could put IP at risk
  • Before You Outsource, Protect Your IP & Mitigate Open Source Risks Recorded: Apr 18 2017 60 mins
    Jim Markwith, Managing Partner at Symons Markwith LLP
    Today’s rapidly changing technologies, including the proliferation of open source and the accelerating shift to the cloud, are increasing the use of outside experts for both application development and IT solutions. At the same time, IP security is top of mind worldwide. This presentation will look at ways organizations can outsource to meet their development needs and also address open source security and management risks before giving contractors access to their valuable technologies.


    Jim's bio:

    Jim Markwith is an experienced technology and corporate transactions attorney with over 20 years of experience. His clients range from start-ups to fortune 50 technology leaders, including computer software, on-line retail, and Healthcare IT product and service developers. Prior to private practice, Jim held Executive and Senior in-house legal positions with Microsoft, Adobe Systems, and Allscripts Healthcare. Jim received his J.D. degree from Santa Clara University School of Law, and is a member of the California, Washington, DC, and Washington State Bar Associations.

    For more information on Jim, please click http://symonsmarkwith.com/jim-markwith. For questions about this presentation, or for more information on available legal support, please contact Jim at jim@symonsmarkwith.com.
  • Comprehensive Toolkit Required for Application Security Recorded: Apr 13 2017 47 mins
    Mike Pittenger, VP Security Strategy, Black Duck
    Applications are the primary target for hackers with a staggering 84% of cybersecurity attacks focused on the application layer. Without effective tools to find and fix application security vulnerabilities, your organization is at risk. However, with lots of available tools – from Dynamic Analysis Security Testing (DAST) and Static Analysis Security Testing (SAST) to Open Source Security Vulnerability Management – selecting the right ones to ensure effective application security is a challenge.

    This webinar will provide an overview of application security risks, the types of solutions available, and where each excels or falls short. You will learn how to assemble a comprehensive application security toolkit to help you stay secure throughout the software application development and management lifecycle.
Webcasts around application security and open source.
Organizations worldwide use Black Duck products to secure and manage open source software, eliminating pain related to open source security vulnerabilities and open source license compliance.You’ll learn:

• New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices.
• Best practices for designing and incorporating an automated approach to application security into your existing development environment.
• Future development and application security challenges organizations will face and what they can do to prepare.

Embed in website or blog

Successfully added emails: 0
Remove all
  • Title: Risk-Ranking Open Source Vulnerabilities
  • Live at: Jan 19 2017 4:00 pm
  • Presented by: Mike Pittenger, VP Security Strategy, Black Duck
  • From:
Your email has been sent.
or close