
Container Security – Best Practices for Government Agencies

Local and federal government agencies are increasingly turning to container environments to meet the demand for faster, more agile software development. Containers, however, bring a new set of security challenges, including how to manage the open source risk that ships inside every image.

Join experts from Red Hat and Black Duck for an educational webinar on securing open source in your containers.

· Why container environments present new application security challenges, including those posed by open source
· How to scan applications running in containers to identify open source and map against known vulnerabilities
· Best practices and methodologies for deploying secure containers
Recorded Jul 13 2017, 3:00 pm (64 mins)
Presented by
Jamie Duncan, Cloud Solutions Architect, Red Hat; Tim Mackey, Sr. Technology Evangelist, Black Duck
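The scanning step in the second bullet above, as an added example that is not part of the webinar or any Black Duck or Red Hat code: a small Python script that reads a container image's package inventory (constructed `dpkg -l` output of the kind you would collect with `docker run --rm <image> dpkg -l`), compares each installed version against a constructed advisory list, and fails the build if anything unfixed remains. The advisory IDs, package versions and the simplified version-ordering logic are assumptions for illustration; a real scanner uses full dpkg version semantics and a live vulnerability feed.

```python
"""Added example, not part of the webinar: turn a container image's package
inventory into findings by matching installed versions against advisories
with a known fixed version, then fail the build if anything unfixed is found.

The dpkg listing and the advisory list are constructed sample data; the
advisory IDs are placeholders, not real CVEs."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str      # first version carrying the fix; anything older is affected
    advisory_id: str


# Constructed advisories (placeholder IDs, not real vulnerabilities).
ADVISORIES = [
    Advisory("libssl1.1", "1.1.0h-1", "EXAMPLE-0001"),
    Advisory("curl", "7.58.0-2", "EXAMPLE-0002"),   # image already carries the fix
    Advisory("bash", "4.3-1", "EXAMPLE-0003"),      # image is far newer than the fix
]

# Constructed `dpkg -l` output from a Debian/Ubuntu based image.
SAMPLE_DPKG = """\
Desired=Unknown/Install/Remove/Purge/Hold
||/ Name           Version        Architecture Description
+++-==============-==============-============-=================================
ii  bash           4.4.18-2       amd64        GNU Bourne Again SHell
ii  curl           7.58.0-2       amd64        command line tool for transferring data
ii  libssl1.1      1.1.0g-2       amd64        Secure Sockets Layer toolkit
rc  old-lib        0.1-1          amd64        removed, config files remain
"""


def parse_dpkg(text):
    """Return {package: version} for packages actually installed ('ii' rows).
    Rows in other states (e.g. 'rc' = removed, config remains) are skipped."""
    inventory = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii":
            inventory[fields[1]] = fields[2]
    return inventory


def version_key(version):
    """Comparable key for Debian-style versions such as '1:2.3.4-5ubuntu1'.
    The epoch (before ':') is compared first; the rest is split on '.', '-',
    '+' and '~', and numeric parts compare numerically. This is a simplified
    model of dpkg ordering (e.g. '~' pre-release semantics are not handled),
    adequate for demonstration only."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    key = [(0, int(epoch), "")]
    for part in re.split(r"[.\-+~]", rest):
        if part:
            key.append((0, int(part), "") if part.isdigit() else (1, 0, part))
    return tuple(key)


def find_vulnerable(inventory, advisories):
    """Return [(package, installed_version, advisory_id)] for every installed
    package whose version is older than the advisory's fixed_in version."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.package)
        if installed is None:
            continue
        if version_key(installed) < version_key(adv.fixed_in):
            findings.append((adv.package, installed, adv.advisory_id))
    return findings


def build_should_fail(findings):
    """CI gate: any unfixed finding blocks the image from being shipped."""
    return len(findings) > 0


if __name__ == "__main__":
    inv = parse_dpkg(SAMPLE_DPKG)
    found = find_vulnerable(inv, ADVISORIES)
    for pkg, ver, adv_id in found:
        print(f"{pkg} {ver}: affected by {adv_id}")
    raise SystemExit(1 if build_should_fail(found) else 0)
```

Run against the constructed inventory it reports only libssl1.1 (1.1.0g-2 is older than the fixed 1.1.0h-1) and exits non-zero, which is the signal a CI step needs to stop the image from being pushed. Matching on exact package name and comparing against the fixed version, rather than matching on an upstream version string alone, matters on Debian-family images because distributions backport fixes without changing the upstream version number.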
Other webinars from this channel
  • Why All Open Source Scans Aren’t Created Equal Jul 24 2019 4:00 pm UTC 60 mins
    Phil Odence & Emmanuel Tournier at Synopsys
    Understanding the risks associated with open source software has become the norm in tech due diligence but not all approaches are created equal. Are you approaching open source diligence in the most efficient and effective way possible? Do you understand the difference between a point in time open source analysis for M&A and ongoing open source management?

    Join us for this live webinar and learn how a purpose-built M&A open source audit differs from open source management tools and why it matters in tech due diligence. We’ll cover:

    •The types of risk around open source software
    •Why depth of analysis matters, and what it results in during M&A diligence
    •Why accuracy, reporting and expert human analysis are keys to thorough diligence

    Don’t miss this informative webinar. Register today.
  • Static Analysis Security Testing (SAST) in CI/CD – why and how Jul 4 2019 5:30 am UTC 75 mins
    Shi Chao, Senior Sales Engineering Manager, Synopsys Software Integrity Group
    Traditionally, and often unfortunately, security has been treated as a secondary, isolated process considered only at the end of the software development lifecycle (SDLC). However noble the intentions, discovering security vulnerabilities at such a late stage is frustrating and expensive.

    With the proliferation of agile development and CI/CD, can a Static Application Security Testing (SAST) tool be used to verify every code change continuously and improve application integrity throughout the SDLC? In our 4th July 2019 webinar, Shi Chao, Senior Sales Engineering Manager, Synopsys Software Integrity Group, will provide insights into the following:
    •What is SAST? Are SAST tools glorified grep?
    •What can SAST help with?
    •Touch points: where and how do we apply SAST in a CI/CD pipeline?
    •Considerations in choosing a SAST tool
  • Streamlining Your Tech Due Diligence Process for Software Assets Jun 27 2019 4:00 pm UTC 60 mins
    Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Center
    Open source, legal, compliance, security, and code quality risks all come into play when you’re acquiring a company where the technology is a large part of the deal valuation. And if you’re making multiple acquisitions a year, how do you ensure that your tech due diligence process addresses each of these potential risks, all while moving at the speed of the deal?

    Join us for this webinar to learn how you can streamline your tech due diligence process without sacrificing quality assessments. We’ll cover:

    • Understanding open source, its license obligations, and its security vulnerabilities
    • Testing the overall security of code assets, including proprietary code
    • Understanding potential points of data leakage via third-party web API integrations
    • Steps for creating a repeatable software asset audit process

    Don’t miss this informative webinar. Register today.
  • Developers are your greatest AppSec Resource – Here’s How to Activate Them Jun 25 2019 6:00 pm UTC 50 mins
    Amy DeMartine, Forrester Principal Analyst and Utsav Sanghani, Senior Product Manager, Synopsys
    Application vulnerabilities are a prime target for attackers, and the critical task of identifying and remediating these flaws before they’re exploited can be daunting, especially for organizations adopting DevOps and CI/CD practices. Security teams don’t have the time or resources to find and fix every vulnerability, and developers prefer to do what they do best – build and deploy features quickly. Fortunately, developers can be good at their jobs and be your most effective application security resources if you enable them with the low-friction tools and training at the precise time they need them.

    Join guest speaker Amy DeMartine, principal analyst at Forrester Research, and Utsav Sanghani, senior product manager at Synopsys, as they explore tools and techniques that can transform your developers into AppSec rock stars:
    - Rapid and continuous in-IDE security testing can help your developers find and fix issues before they ever get committed to your codebase.
    - Delivering short, contextualized AppSec training modules to developers in real time when they introduce vulnerabilities.
    - Most modern applications contain more open source code than proprietary code. Help your developers identify and avoid risky OSS components.
  • The State of Open Source and Security: What It Means for You Jun 19 2019 4:00 pm UTC 60 mins
    Gordon Haff, Red Hat & Dave Meurer, Synopsys
    Development organizations view open source software as not just important but also strategic. That’s just one of the topics we’ll investigate in this joint webinar from Red Hat and Synopsys. Drawing from Red Hat’s “The State of Enterprise Open Source” report, technology evangelist Gordon Haff will explain why IT decision makers value open source so highly.

    At the same time, changing development practices and escalating threats mean that security remains a concern with respect to open source software, as it is for IT more broadly. Dave Meurer of the Synopsys Software Integrity Group will explain findings from the Synopsys “2019 Open Source Security and Risk Analysis” report to offer an in-depth look at the state of open source security, compliance, and code quality risk in commercial software.

    We’ll close with some practical advice about getting the most value from open source software while keeping your organization safe.
  • Using Metrics to Drive Your Software Security Initiative Recorded: Jun 18 2019 48 mins
    Kevin Nassery, Senior Principal Consultant, Synopsys
    Intuition can take you quite far at the beginning of your application security journey. But even the most experienced leaders will eventually need data to guide them through a decision or justify their investments. Well-designed software security metrics provide that compass.

    This webinar will arm software security group leadership with the knowledge necessary to design key metrics that drive thoughtful investment and enhancement of their software security initiative (SSI).

    We’ll pay special attention to must-have application security metrics, common missteps, and executive visibility across the Software Security Development Lifecycle (SSDL) and SSI.
  • Risk-Based Adaptive DevSecOps Recorded: Jun 13 2019 60 mins
    Meera Rao, Secure Development Practice Director, Synopsys Software Integrity Group
    Building security automation into the DevOps pipeline is a key pain point for many organizations. Some firms deploy to production as frequently as every five minutes—a velocity that security struggles to match. Implementing intelligence within the DevOps pipeline supports security activities by matching the team’s velocity, providing intelligent feedback, and supporting organizations as they scale their security testing activities.

    A risk-based adaptive pipeline can close the gap between DevOps and security teams, helping DevOps teams accelerate deployment to production without compromising security.

    In this webinar, you’ll learn:

    - How the adaptive pipeline can help you rank risks, identify changes, and improve responsiveness.
    - How to accelerate deployment to production without compromising security.
    - Four models you can implement to help align your people, process, and technology.
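How a change-driven pipeline might rank a commit's risk and choose which security activities to run, as an added example that is not from the webinar or any Synopsys tool. The path rules, scores and activity thresholds are a constructed policy; a real implementation would take the changed file list from the VCS or CI system and would tune the rules to its own codebase.

```python
"""Added example, not from the webinar: risk-based selection of security
activities driven by what a change actually touches. A commit that only
edits documentation gets nothing; one that touches authentication code gets
the full set. Rules, scores and thresholds are a constructed policy."""
from fnmatch import fnmatchcase

# First matching rule wins, so specific paths come before broad ones.
# (glob, risk score, reason). fnmatch's '*' also matches '/', so 'src/*'
# covers every file below src/.
RISK_RULES = [
    ("src/auth/*",         5, "authentication or session code"),
    ("src/payments/*",     5, "payment handling"),
    ("*Dockerfile",        3, "runtime image definition"),
    ("requirements*.txt",  3, "third-party dependency manifest"),
    ("package-lock.json",  3, "third-party dependency manifest"),
    ("src/*",              2, "application code"),
    ("tests/*",            1, "test code"),
    ("docs/*",             0, "documentation"),
]
UNKNOWN_PATH_SCORE = 2   # anything unmatched is treated as ordinary code

# An activity runs when the change's risk score reaches its threshold.
ACTIVITIES = [
    (1, "secret-scan"),
    (2, "sast-incremental"),
    (3, "sca-dependency-scan"),
    (3, "container-image-scan"),
    (5, "sast-full"),
    (5, "dast-authenticated"),
    (5, "manual-security-review"),
]


def score_path(path):
    """Return (score, reason) for one changed file."""
    for pattern, score, reason in RISK_RULES:
        if fnmatchcase(path, pattern):
            return score, reason
    return UNKNOWN_PATH_SCORE, "unclassified path"


def assess_change(changed_paths):
    """Return (overall score, {path: reason}). The overall score is the
    maximum across files: one risky file escalates the whole change."""
    overall, reasons = 0, {}
    for path in changed_paths:
        score, reason = score_path(path)
        reasons[path] = f"{reason} (risk {score})"
        overall = max(overall, score)
    return overall, reasons


def select_activities(score):
    """Activities whose threshold the score meets, in pipeline order."""
    return [name for threshold, name in ACTIVITIES if score >= threshold]


def plan(changed_paths):
    """Full decision for a change: score, per-file reasons, activities to run."""
    score, reasons = assess_change(changed_paths)
    return {"score": score, "reasons": reasons,
            "activities": select_activities(score)}


if __name__ == "__main__":
    for change in (["docs/intro.md"],
                   ["src/util/strings.py", "tests/test_strings.py"],
                   ["src/auth/login.py", "docs/intro.md"]):
        print(change, "->", plan(change)["activities"])
```

The per-file reasons are kept alongside the decision so the pipeline can tell the developer why a given check ran; that feedback is what makes the gating acceptable at high deployment frequency rather than a silent slowdown.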
  • Vulnerabilities in Containerised Production Environments Recorded: Jun 6 2019 59 mins
    Tim Mackey, Senior Technical Evangelist, Synopsys
    With each new technology cycle, we seek to improve both business efficiency and security. Unfortunately, our legacy practices can severely hold us back from achieving the full potential of our new technology stack. When this occurs, organisations with the most valuable data come under attack first.
  • Growth of Web Services & APIs and the Risks in M&A Recorded: May 22 2019 61 mins
    Tony Decicco, GTC Law Group & Phil Odence, Synopsys
    Just like most software assets contain open source, modern software applications commonly link to external web services via APIs. By using web services, developers may be inadvertently signing their companies up to terms of service or using a web service without a suitable agreement. And using these services can expose a company to security, data privacy, and operational risks that could disrupt or severely affect the business. As part of the tech M&A due diligence process, you should be aware of these web services-related risks so that you can make informed decisions about deal valuation and remediation.

    Join Tony Decicco, shareholder at GTC Law Group and Affiliates, and Phil Odence, GM of Black Duck Audits, as they discuss the types of risk associated with web services and how they can affect an M&A transaction. They’ll cover:

    • Typical terms of service and common pitfalls
    • The legal compliance, data privacy, security, and business risks that come with web services
    • Real-world examples of these risks
    • How a buyer can get a better understanding of these risks in a target’s codebase or a seller can prepare for diligence to avoid risks in this area

    Don’t miss this informative webinar. Register today.
  • AppSec Hype or Reality? Demystifying IAST Recorded: May 22 2019 61 mins
    Asma Zubair, Product Mgmt Mgr, Sr Staff, Synopsys and Kimm Yeo, Product Marketing Mgr, Staff, Synopsys
    Are you struggling with application security testing? Do you wish it was easier, faster, and better? Join us to learn more about IAST, a next-generation AppSec tool that provides highly accurate, real-time vulnerability results without the need for application or source code scans. Learn how this nondisruptive tool can:
    - Run in the background and report vulnerabilities during functional testing, CI/CD, and QA activities.
    - Prioritize and triage vulnerability findings in real time with 100% confidence.
    - Fully automate secure code delivery and deployment, without the need for extra security scans or processes.
    - Free up development and security resources to focus on strategic or mission-critical tasks and contributions.
  • Mitigating Software Risks for DoD and Government Agencies Recorded: May 21 2019 49 mins
    Joe Jarzombek, Director for Government, Aerospace & Defense Programs, Synopsys
    As the cyber threat landscape evolves and external dependencies grow more complex, managing risks to enterprise and connected embedded systems requires more than reactive measures. Many organizations proactively reduce attack surfaces in their cyber supply chain and assets targeted for exploitation. IT asset management should leverage automated means to detect weaknesses and vulnerabilities in software. Addressing cyber supply chain dependencies enables the hardening of attack surfaces by comprehensively identifying exploit targets, understanding how assets are attacked, and providing responsive mitigation. Automation tools and services, testing and certification programs now provide means to reduce risk attributable to exploitable software. This presentation addresses means of using information to prioritize mitigation efforts focused on reducing exploitable attack vectors; enabling organizations to proactively harden their attack surface and become more resilient in the face of growing threats and asymmetric attacks.

    Lt. Col. Joe Jarzombek (USAF, ret.) is Director, Government, Aerospace & Defense Programs at Synopsys. He previously served as Deputy Director, Information Assurance in the Office of the CIO Dept. of Defense. He later served as Director, Software and Supply Chain Assurance in the Dept. of Homeland Security. Today, Joe guides Synopsys’ global leadership to address needs of public sector, aerospace and defense communities. He participates in consortia, public-private collaboration and standards groups, and R&D projects to accelerate technology adoption. Joe has 30+ years in software security, safety and quality in embedded and networked systems and enterprise IT. Joe is a Certified Secure Software Lifecycle Professional (CSSLP) and project management professional with an MS in Computer Information Systems, a BA in Computer Science and a BBA in Data Processing and Analysis.
  • Deploy Containers Confidently With Synopsys and Google Cloud Recorded: May 16 2019 54 mins
    Sandra Guo, Google & Tomas Gonzalez, Synopsys
    Containers and Kubernetes have changed the way organizations develop and deploy applications. But with increased agility comes increased risk. The last thing any company wants is to deploy software from unknown sources or with known vulnerabilities. Binary Authorization together with GKE allows you to “sign” software as it moves through the software supply chain, so that no software reaches production until you approve it. In this webinar, we’ll discuss the role Black Duck plays in this signing process. We’ll also demonstrate how Black Duck, as part of a Cloud Build workflow, can attest to the security and license compliance of a software offering, so you can deploy with confidence.
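The admission decision described above, as an added illustration rather than Google's or Synopsys' code: a policy in the shape of a Binary Authorization policy (whitelist name patterns plus required attestors), attestations bound to an image digest, and a check that refuses tag-only references and any image lacking a valid attestation from every required attestor. Attestor names, the project, image names and keys are constructed. Real attestations are PKIX or PGP signatures verified with the attestor's public key; HMAC-SHA256 with a per-attestor secret stands in here so the example runs with the standard library alone.

```python
"""Added example, not from the webinar and not Google's or Synopsys' code:
an admission check in the style of a Binary Authorization policy. Only a
digest-pinned image with a valid attestation from every required attestor
is admitted. HMAC-SHA256 stands in for the asymmetric signatures used by
the real system; policy, attestors, images and keys are constructed."""
import hashlib
import hmac
import re
from fnmatch import fnmatchcase

# Accepts 'repo@sha256:<hex>' and 'repo:tag@sha256:<hex>'; the digest wins.
DIGEST_REF = re.compile(r"^(?P<name>[^@]+)@sha256:(?P<hex>[0-9a-f]{64})$")

# Constructed policy, loosely following Binary Authorization policy fields:
# whitelisted name patterns bypass the rule, everything else must carry an
# attestation from each listed attestor.
POLICY = {
    "admission_whitelist_patterns": ["gcr.io/google-containers/*"],
    "require_attestations_by": [
        "projects/example-proj/attestors/sca-scan-passed",
        "projects/example-proj/attestors/qa-signoff",
    ],
}

# Stand-in for each attestor's key pair (constructed secrets).
ATTESTOR_KEYS = {
    "projects/example-proj/attestors/sca-scan-passed": b"constructed-secret-1",
    "projects/example-proj/attestors/qa-signoff": b"constructed-secret-2",
}


def sample_digest(content):
    """Digest of constructed image bytes, used to build a pinned reference."""
    return hashlib.sha256(content).hexdigest()


def _mac(attestor, digest_hex, key):
    return hmac.new(key, f"{attestor}:{digest_hex}".encode(), hashlib.sha256).hexdigest()


def attest(attestor, digest_hex, key):
    """Produce an attestation: the attestor vouches for exactly this digest.
    In the real pipeline this happens after the scan or sign-off step."""
    return {"attestor": attestor, "digest": digest_hex,
            "signature": _mac(attestor, digest_hex, key)}


def attestation_valid(att, digest_hex, keys):
    """True only if the attestation names this digest and verifies under the
    named attestor's key. compare_digest keeps the check constant-time."""
    key = keys.get(att["attestor"])
    if key is None or att["digest"] != digest_hex:
        return False
    return hmac.compare_digest(_mac(att["attestor"], digest_hex, key), att["signature"])


def admit(image_ref, attestations, policy=POLICY, keys=ATTESTOR_KEYS):
    """Return (admitted, reason). Tag-only references are refused: a tag can
    be re-pointed after the attestation was made, while a digest identifies
    the exact bytes that were scanned and approved."""
    name = image_ref.split("@", 1)[0]
    if any(fnmatchcase(name, p) for p in policy["admission_whitelist_patterns"]):
        return True, "whitelisted by name pattern"
    m = DIGEST_REF.match(image_ref)
    if not m:
        return False, "image must be referenced by sha256 digest, not by tag"
    digest_hex = m.group("hex")
    for attestor in policy["require_attestations_by"]:
        if not any(a["attestor"] == attestor and attestation_valid(a, digest_hex, keys)
                   for a in attestations):
            return False, f"missing or invalid attestation from {attestor}"
    return True, "all required attestations verified"


if __name__ == "__main__":
    digest = sample_digest(b"constructed image bytes")
    ref = f"gcr.io/example-proj/api@sha256:{digest}"
    atts = [attest(a, digest, k) for a, k in ATTESTOR_KEYS.items()]
    print(admit(ref, atts))
    print(admit("gcr.io/example-proj/api:latest", atts))
    print(admit(ref, atts[:1]))
```

The check binds each attestation to the digest, not to the image name, so an attestation produced for one build cannot be reused for a later push under the same tag, and a missing scan attestation is treated the same as a forged one: the image does not run.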
  • Differentiating open source from commercial SAST capabilities Recorded: May 15 2019 53 mins
    Stephen Giguere, Solution Architect, Synopsys
    Software development can learn from other industries that have understood their testing capabilities and placed each one at the right point in their pipeline. Drawing on his experience, Stephen Giguere, Solution Architect at Synopsys, compares open source and commercial SAST tools and applies that cross-industry perspective to software development. See how Synopsys tools and services can help you build secure, reliable, quality software.
  • 2019 Open Source Security Report: Persistent Challenges and Forward Progress Recorded: May 9 2019 49 mins
    Tim Mackey, Senior Technical Evangelist, Synopsys
    Open source components form the foundation of modern applications, but ineffective open source risk management can lead to security breaches that negatively affect your business and damage your brand. The Open Source Security and Risk Analysis (OSSRA) report examines trends in open source usage and risk management practices based on the audits of more than 1,200 codebases.
    Listen in as we explore how the open source landscape has changed—and improved, in some cases—but more importantly, how development, security, and legal teams can improve their open source risk posture.
    - 96% of codebases scanned in 2018 contain open source
    - The average codebase contains 298 open source components, up from 257 in 2017
    - 60% of codebases contained at least one open source vulnerability—still significant, but much better than 78% in 2017
  • Open Source Risk in M&A by the Numbers Recorded: May 2 2019 51 mins
    Phil Odence, General Manager, Black Duck On-Demand
    In over 1,000 codebases audited in 2018, Black Duck Audits found that nearly every one contained open source components. Not only that, but a significant percentage of “proprietary code” overall was open source. Virtually every company building software now depends on open source, and with great reason. However, left unmanaged, open source can lead to license compliance issues plus security and code quality risks. Whether you’re on the buy side or sell side, these risks could negatively affect valuation in an M&A transaction.

    Many acquirers have come to understand all this in concept; the Black Duck audit services group has the data. Join us for this webinar as we answer questions about the code of tech companies being acquired today. We’ll cover:

    • Open source license and security risks by the numbers
    • Why audits have become the norm in M&A tech due diligence
    • How you can get a complete picture of open source risks

    Don’t miss this informational webinar – register today.
  • Reviewing Modern JavaScript Applications Recorded: Apr 30 2019 61 mins
    Lewis Ardern, Senior Security Consultant, Synopsys
    When dealing with modern JavaScript applications, many penetration testers work from an ‘outside-in’ perspective, an approach that often misses security issues hiding in plain sight. This talk will demystify common JavaScript issues that should be better understood and identified during security reviews. We will discuss reviewing applications in a code-centric manner, using freely available tools to start identifying security issues through processes such as linting and dependency auditing.
  • Reviewing Modern JavaScript Applications Recorded: Apr 29 2019
    Lewis Ardern, Senior Security Consultant, Synopsys
    When dealing with modern JavaScript applications, many penetration testers work from an ‘outside-in’ perspective, an approach that often misses security issues hiding in plain sight. This talk will demystify common JavaScript issues that should be better understood and identified during security reviews. We will discuss reviewing applications in a code-centric manner, using freely available tools to start identifying security issues through processes such as linting and dependency auditing.
  • How to Automate Container Security Into your CI/CD Pipeline Recorded: Apr 18 2019 60 mins
    Glen Kosaka, VP of Product Management, NeuVector and Tim Mackey, Senior Technical Evangelist, Synopsys
    The promise of containers and cloud-based microservices is fast time to market for applications. But there are security requirements that, if not handled properly, can slow down the pipeline and lengthen time to market. Automation is critical to a CI/CD pipeline, and it is also critical to secure deployment of containers. Join Synopsys and NeuVector to explore the key automation integration points in the pipeline and learn how to build security into your process, culture, and toolchain, from build to ship to run.

    Who should attend?
    •Security architects
    •Application architects
    •DevSecOps and DevOps practitioners
    •Network and application security engineers
  • Understanding Open Source – Strengths and Challenges for Enterprise users Recorded: Apr 11 2019 53 mins
    Balaji Bhardwaj, Senior Security Engineer, Synopsys Software Integrity Group
    Open source usage has increased steadily over the years, and the volume of open source being released has grown even faster. The strength of open source lies in its growing adoption in enterprise applications.

    In our 11th April 2019 webinar, Balaji Bhardwaj, Senior Security Engineer, Synopsys Software Integrity Group, will provide insights into the following:
    •Usage trends of open source
    •How large enterprise users understand the risks associated with using open source
    •Methodologies for mitigating open source risks and issues
    •Is open source an enabler or a liability?
  • Introducing the Polaris Software Integrity Platform Recorded: Apr 3 2019 37 mins
    Utsav Sanghani, Senior Product Manager, Synopsys; Neal Goldman, Senior Product Manager, Synopsys
    The Product Team at Synopsys is excited to introduce the Polaris Software Integrity Platform™, which brings the power of Synopsys Software Integrity products and services together into an integrated solution that enables security and development teams to build secure, high-quality software faster. Polaris uses a SaaS delivery model and provides a centralized web-based user interface for Synopsys products and services—ensuring quick deployment and a unified user experience across Synopsys solutions.

    Polaris includes Code Sight™, our new IDE plugin that automatically and continuously analyzes code as it’s being written—allowing developers to focus on their tasks at hand without needing to initiate scans or leave the IDE for security information.

    By unifying our market-leading solutions on a single platform, Polaris simplifies the deployment and operation of application security tools, so teams can quickly prioritize and remove exploitable software vulnerabilities across their application portfolio. In this webinar, you’ll learn:

    - How Polaris empowers DevOps managers with easy-to-use, automated CI/CD integrations
    - How Code Sight provides the real-time feedback developers need to fix their code quickly, as they write it
    - How Polaris’ extensible, cross-product reporting capabilities help security practitioners prioritize security issues and measure compliance across their application portfolio
Build secure, high-quality software faster.
Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.
