
GDPR and Open Source: Best Practices for Security and Data Protection

Legislators in Europe continue to expand the scope of the laws governing information security and personal data protection. As a result, organizations serving consumers and businesses in the region need to understand the implications these laws will have on their use of open source to build software applications.

During this educational webinar led by Dan Hedley, Partner, IT and Commercial from Irwin Mitchell, we’ll provide guidance on the General Data Protection Regulation (GDPR) and why a comprehensive approach to open source security management is essential for GDPR observance. In addition, we’ll review open source management best practices in context of other industry-specific developments like the Network and Information Services Directive and the Electronic Identification Regulation.
Recorded Jul 25 2017 60 mins
Presented by
Daniel Hedley, Partner, Irwin Mitchell; Matt Jacobs, VP and General Counsel, Black Duck Software
  • The State of Open Source in M&A Transactions Dec 12 2019 5:00 pm UTC 60 mins
    Chris Stafford, Senior Manager, M&A Advisory West Monroe Partners, Paul Cotter, Senior Architect West Monroe Partners
    With extensive experience in M&A, West Monroe Partners is on the front line of tech due diligence, and they’ve seen a few trends emerge when it comes to open source and M&A deals. Buyers and sellers alike need to understand these trends to get the most value out of any transaction.

    Join us for this live webinar to learn what buyers and sellers need to know and how they operate during a transaction. We’ll cover:

    • Why OSS management should fit into a broader security program
    • How (and when) sellers need to prepare for a transaction
    • How buyers are becoming more sophisticated in transactions

    Don’t miss this informative webinar. Register today.
  • Vulnerabilities in Containerized Production Environments Dec 10 2019 6:00 pm UTC 58 mins
    Tim Mackey, Principal Security Strategist, Synopsys
    With each new technology cycle, we seek to improve both business efficiency and security. Unfortunately, our legacy practices can severely hold us back from achieving the full potential of our new technology stack. When this occurs, organizations with the most valuable data come under attack first.
    In the webinar, Tim Mackey discusses how this paradigm is playing out within financial services organizations moving from a virtual world to a containerized world. He covers how modern applications differ from those of only a few years ago - and how containerization changes our security paradigms.
  • Static Analysis Security Testing (SAST) in CI/CD – why and how Dec 5 2019 6:00 pm UTC 37 mins
    Shi Chao, Senior Sales Engineering Manager, Synopsys Software Integrity Group
    Traditionally, and often unfortunately, security has been treated as a secondary and isolated process considered only at the end of the software development lifecycle (SDLC). Noble as their intentions are, it can be frustrating to discover security vulnerabilities at such a late stage.

    With the proliferation of agile development methodology and CI/CD, is it possible to leverage a Static Application Security Testing (SAST) tool to continuously verify code changes and improve application integrity throughout the SDLC?

    In our webinar, we will provide insights into the following:
    - What is SAST? Are SAST tools glorified grep?
    - What can SAST help with?
    - Touch points: where and how do we apply SAST in a CI/CD pipeline?
    - Considerations in choosing a SAST tool
  • Implementing DevSecOps With Synopsys and CloudBees Nov 28 2019 9:00 am UTC 57 mins
    Meera Rao, Synopsys & Jeff Fry, CloudBees
    As many organizations have learned, sometimes the hard way, DevOps transformation is as much about creating a process and adopting a mindset as it is about acquiring the right tools. But organizations creating a DevOps process shouldn’t neglect to implement security into their pipelines. Synopsys and CloudBees aim to deliver the best of both worlds to customers adopting DevOps: CI/CD optimization and application security testing automation.

    Join experts from Synopsys and CloudBees as we discuss:

    • How CloudBees Core™, built on Jenkins®, helps organizations scale CI/CD to a multitude of teams without increasing the administrative burden

    • How to add Synopsys tools Coverity, Black Duck, and Seeker to your pipelines

    • How to leverage the power of Kubernetes with the management of CloudBees Core to orchestrate the use of these tools as part of your SDLC
  • OWASP Top 10 For JavaScript Developers Nov 27 2019 10:00 am UTC 66 mins
    Lewis Ardern, Senior Security Consultant, Synopsys
    With the release of the OWASP Top 10 2017, we saw new contenders for the most critical security issues in the web application landscape. Much of the OWASP documentation concerning issues, remediation advice, and code samples focuses on Java, C++, and C#. However, it doesn’t give much attention to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the growing use of Node.js and its libraries and frameworks. This talk will introduce you to the OWASP Top 10 by explaining JavaScript client and server-side vulnerabilities.
  • You’ve Got Your Open Source Audit Report - Now What? Recorded: Nov 14 2019 61 mins
    Tony Decicco & Leon Schwartz, GTC Law, Phil Odence, Synopsys
    Companies’ use of open source software has surpassed the occasional and solidified itself as mainstream. Effectively identifying and managing the compliance and security risks associated with open source software can be a difficult task. Whether you’re acquiring another company, preparing for acquisition or simply wanting to manage the use of open source, the universal first step is to figure out the composition of the code, often via an audit. But what do you do once you have the audit report?

    Join us for this live webinar to learn best practices before and after an open source audit. We’ll cover how to:

    • Select and prepare the code base
    • Get the most out of an audit
    • Implement a third-party software policy
    • And more

    Don’t miss this informative webinar. Register today.
  • Implementing DevSecOps With Synopsys and CloudBees Recorded: Nov 12 2019 62 mins
    Meera Rao, Synopsys & Jeff Fry, CloudBees
    As many organizations have learned, sometimes the hard way, DevOps transformation is as much about creating a process and adopting a mindset as it is about acquiring the right tools. But organizations creating a DevOps process shouldn’t neglect to implement security into their pipelines. Synopsys and CloudBees aim to deliver the best of both worlds to customers adopting DevOps: CI/CD optimization and application security testing automation.

    Join experts from Synopsys and CloudBees as we discuss:
    • How CloudBees Core™, built on Jenkins®, helps organizations scale CI/CD to a multitude of teams without increasing the administrative burden
    • How to add Synopsys tools Coverity, Black Duck, and Seeker to your pipelines
    • How to leverage the power of Kubernetes with the management of CloudBees Core to orchestrate the use of these tools as part of your SDLC
  • BSIMM10: A Decade of Software Security Science Recorded: Nov 7 2019 43 mins
    Drew Kilbourne, Managing Director, Synopsys
    The Building Security In Maturity Model (BSIMM) is a data-driven model developed through the analysis of software security initiatives (SSIs), also known as application/product security programs. Register for this webinar to learn what 122 organizations in eight industry verticals are doing to improve their software security efforts. We’ll discuss:
    - How organizations are building their software security initiatives
    - How DevOps is affecting the way organizations perform software security
    - How emerging engineering-driven security cultures are changing approaches to software security
  • 5 Ways to Risk Ranking Your Vulnerabilities Recorded: Nov 6 2019 26 mins
    Nivedita Murthy, Security Consultant, Synopsys Software Integrity Group
    Vulnerabilities are an inevitable part of software development and management. Whether they’re in open source or custom code, new vulnerabilities will be discovered as a codebase ages. As stated in the 2019 Open Source Security and Risk Analysis report, 60% of the codebases audited in 2018 contained at least one known vulnerability. As the number of disclosures, patches, and updates grows, security professionals must decide which critical items to address immediately and which items to defer.
    Register for this webinar to learn best practices in vulnerability management. You’ll learn:
    - Methods for determining which applications are most attractive to attackers and which pose the greatest risk
    - Ways to assess the risk associated with a disclosed open source vulnerability
    - Strategies to minimize the impact of open source security vulnerabilities when you can’t fix them immediately
  • Do Design Quality and Code Quality Matter in M&A Tech Due Diligence? Recorded: Oct 24 2019 47 mins
    Phil Odence, GM, Synopsys & Daniel Sturtevant, CEO and Co-founder, Silverthread
    (Spoiler alert: Yes.)

    In an acquisition where a software asset is a core part of the deal valuation, it’s important to understand the overall quality of the software before doing the deal. Buggy software is problematic and needs to be cleaned up, so assessing code quality is important. But also, with poorly designed software, every fix is costly, laborious, and risky. The cost of fixes can significantly affect the long-term technical and economic viability of the application, and maintaining the software can seriously degrade ROI. That’s why understanding a software system’s design and architectural health and the likely “cost of ownership” is key.

    Join us for this live webinar to learn how to paint a complete picture of the technical quality of software to avoid buyer’s remorse post-close. We’ll cover:

    • The dimensions of technical due diligence
    • The difference between design quality and code quality
    • How software architecture can have a long-term impact
    • What to look for in software design and code quality audits

    Don’t miss this informative webinar. Register today.
  • Using Evidence-Based Security in Your Secure Development Life Cycle Recorded: Oct 23 2019 60 mins
    Andrew van der Stock, Senior Principal Consultant, Managed Services SIG Consulting​, Synopsys
    All too often, security is stuck in the 1960s doing slow desk checks, the results of which are out of date before the PDF report lands on an auditor’s desk. If developers see this report, they’ll find it’s full of hot garbage. Security folks must become agile, thinking like developers and helping build secure applications, not criticizing and using recommendations from the last century. In this talk, you’ll learn how you can contribute data, offer better remediation advice, and use modern evidence-based standards such as the forthcoming OWASP Top 10 2020 and the OWASP Application Security Verification Standard 4.0 in your development pipeline. Security professionals have heard this all before, but we persist in doing the wrong things. Let’s not do security like it’s 1998; let’s build assurance in from the get-go, with each and every build.
  • Delivering Next Generation Vulnerability Feed Recorded: Oct 17 2019 46 mins
    Siobhan Hunter, Security Research Team Lead, Synopsys
    The Synopsys Cybersecurity Research Center (CyRC) has a dedicated team of security analysts who specialize in sourcing, curating, and analyzing open source software vulnerabilities. The team delivers a customer-focused vulnerability feed comprising open source vulnerability reports called BDSAs (Black Duck Security Advisories). These reports are timely, accurate, and packed with relevant actionable information.

    In this webinar, Siobhan Hunter, security research lead, reveals why the high-quality content of the BDSA feed is best in class, with examples of how our BDSA feed compares with the NVD and insights into how we discover and deliver valuable vulnerability information for our customers every day.
  • Fuzzing Infotainment Systems and Telematics Units With Agent Instrumentation Recorded: Oct 8 2019 58 mins
    Dennis Kengo Oka, Senior Solutions Architect, Synopsys & Rikke Kuipers, Product Manager, Synopsys
    In the past few years, cybersecurity has become more intertwined with each step of the automotive development process. In particular, fuzz testing has proven to be a powerful approach to detecting unknown vulnerabilities in automotive systems. However, with limited instrumentation, especially on systems such as in-vehicle infotainment (IVI) systems and telematics units, several types of issues go undetected, such as memory leaks and cases where the application crashes but restarts quickly. Since these systems are typically based on operating systems providing more functionality, such as Linux and Android, it is possible to use appropriate tools to collect additional information from the system under test (SUT) to determine whether any exceptions were detected during the fuzz testing. Furthermore, it is possible to gather more details about the detected exceptions on the SUT, which helps developers better understand and identify the root cause of the issues and fix the problems more efficiently. To this end, we introduce the Agent Instrumentation Framework and explain how it can be used to improve fuzz testing of IVIs and telematics units. We show how additional information can be collected from the target system and used to identify whether there are exceptions on the SUT, and additionally to help developers identify the underlying cause of any issues detected. Finally, to showcase the effectiveness of the agent instrumentation framework, we built a test bench based on this approach and performed fuzz testing on multiple SUTs. Based on our findings, we highlight several examples of issues that would not have been detected had we not used agent instrumentation.
  • Financial Services Study Shows Why Investing in AppSec Matters Recorded: Oct 8 2019 34 mins
    Drew Kilbourne and Larry Ponemon
    If you’re a provider of financial services, then client trust, privacy, and risk management are critical to your success. Therefore, you must protect your organization’s sensitive data from cyber attacks and data breaches. A recent survey of current software security practices in the financial services industry explores the industry’s software security posture and its ability to address security-related issues.

    In this webinar, Drew Kilbourne, managing director, Synopsys, and Larry Ponemon, chairman, Ponemon Institute, will review findings from the report and discuss what they mean for the industry at large. Here’s a preview of some key findings:

    - 56% of organizations had experienced an attack resulting in system failure and downtime.
    - 74% were concerned about security vulnerabilities introduced by third-party suppliers, but less than 43% said they require third parties to adhere to cyber security requirements.
    - Only 34% of financial applications are tested for vulnerabilities, and only 25% of respondents were confident in their ability to detect vulnerabilities before going to market.
  • A Serial Seller’s Perspective on M&A Tech Due Diligence Recorded: Sep 26 2019 57 mins
    Irad Deutsch, CTO, Belong.Life and Phil Odence, GM, Synopsys
    On the buy side of a tech deal and want to better understand sellers? Selling a company and want to benefit from the experience of someone who’s been there (and been there and been there)?

    Building a successful software company takes a lot of blood, sweat, and tears. When a liquidity opportunity presents itself, sellers want to make sure they get the best deal they can, and quickly. During due diligence, the potential acquirer will delve into all facets of the technology. The more prepared the sell side is, the fewer issues will arise, and the smoother the transaction will be.

    What do buyers need, and what can prepared sellers do to streamline the process? Security, quality, and the intellectual property rights of the software are critical. Buyers, sellers, and their legal advisors need to be comfortable that no big technical issues will crop up post-close. Plus, they want to know that they have absolute and uncontested rights to the software assets—in particular, that there are no issues with open source licenses.

    Irad Deutsch, CTO of Belong.Life, has successfully made it through the process with two companies and has it down to a science for his third. Join Irad and Synopsys’ Phil Odence as they discuss the seller’s perspective, lessons learned on the seller’s side, and how to prepare for the M&A tech due diligence process.

    Don’t miss this informative webinar. Register today.
  • Financial Services Study Shows Why Investing in AppSec Matters Recorded: Sep 12 2019 35 mins
    Drew Kilbourne and Larry Ponemon
    If you’re a provider of financial services, then client trust, privacy, and risk management are critical to your success. Therefore, you must protect your organization’s sensitive data from cyber attacks and data breaches. A recent survey of current software security practices in the financial services industry explores the industry’s software security posture and its ability to address security-related issues.

    In this webinar, Drew Kilbourne, managing director, Synopsys, and Larry Ponemon, chairman, Ponemon Institute, will review findings from the report and discuss what they mean for the industry at large. Here’s a preview of some key findings:

    - 56% of organizations had experienced an attack resulting in system failure and downtime.
    - 74% were concerned about security vulnerabilities introduced by third-party suppliers, but less than 43% said they require third parties to adhere to cyber security requirements.
    - Only 34% of financial applications are tested for vulnerabilities, and only 25% of respondents were confident in their ability to detect vulnerabilities before going to market.
  • Automating Pipeline Security with Synopsys and Azure DevOps Recorded: Sep 12 2019 59 mins
    Sasha Rosenbaum, Sr. Program Manager, Microsoft and Tomas Gonzalez, Alliance Technical Engineer, Synopsys
    Microsoft Azure DevOps is a collection of modern dev services designed to help development teams plan smarter, collaborate better, and ship faster. Azure CI/CD Pipelines, where applications are built, tested, and deployed, benefit from additional functionality provided by third-party extensions.
    Synopsys Detect, an extension for Azure DevOps, simplifies the addition of static code analysis and open source composition analysis to your pipelines. Tune in to learn how to plug Synopsys into your Azure Pipelines to fix potential leaks before they burst.

    In this webinar, Synopsys and Microsoft will explain how to:
    • Add static code analysis to your build pipelines with Coverity on Polaris
    • Integrate Black Duck open source compliance and security checks into your delivery pipelines
    • Perform Seeker interactive testing on apps deployed to Azure App Service

    This site is jointly operated by Microsoft and Synopsys, and both companies are committed to protecting your privacy. Any personal information we collect from you on this site may be shared between Microsoft and Synopsys. For complete information on the data collection and use practices of each company, please read the full privacy statements by clicking on the links in the attachments.
  • Improving Fuzz Testing of Infotainment Systems and Telematics Units using Agent Recorded: Sep 5 2019 59 mins
    Dennis Kengo Oka, Senior Solutions Architect, Synopsys & Rikke Kuipers, Product Manager, Synopsys
    In the past few years, cybersecurity has become more intertwined with each step of the automotive development process. In particular, fuzz testing has proven to be a powerful approach to detecting unknown vulnerabilities in automotive systems. However, with limited instrumentation, especially on systems such as in-vehicle infotainment (IVI) systems and telematics units, several types of issues go undetected, such as memory leaks and cases where the application crashes but restarts quickly. Since these systems are typically based on operating systems providing more functionality, such as Linux and Android, it is possible to use appropriate tools to collect additional information from the system under test (SUT) to determine whether any exceptions were detected during the fuzz testing. Furthermore, it is possible to gather more details about the detected exceptions on the SUT, which helps developers better understand and identify the root cause of the issues and fix the problems more efficiently. To this end, we introduce the Agent Instrumentation Framework and explain how it can be used to improve fuzz testing of IVIs and telematics units. We show how additional information can be collected from the target system and used to identify whether there are exceptions on the SUT, and additionally to help developers identify the underlying cause of any issues detected. Finally, to showcase the effectiveness of the agent instrumentation framework, we built a test bench based on this approach and performed fuzz testing on multiple SUTs. Based on our findings, we highlight several examples of issues that would not have been detected had we not used agent instrumentation.
  • Security Tool Misconfiguration and Abuse Recorded: Aug 20 2019 40 mins
    Thomas Richards, Network and Red Team Practice Director
    As any security program matures, it will use tools and techniques to automate processes to improve the security posture of the organization. This includes asset management and discovery, patch management, deploying software, and vulnerability discovery. However, if these tools are improperly configured, they can lead to a total compromise of your network by an attacker. In this talk we will go over a few case studies of abusing these tools while on penetration tests as well as remediation methods to prevent these attacks from occurring.
  • Shift Left, Shift Right, or Run Security Right Through The Middle? Recorded: Aug 20 2019 57 mins
    Meera Rao, Senior Principal Consultant, Synopsys, Brandon Dunlap, Moderator, (ISC)²
    Demands for more secure software and more rapid application development have led to the emergence of DevSecOps. DevSecOps maturity requires a risk-based approach to adding security activities, increasing depth, and improving testing governance. The best strategy is to shift from a reactive to a proactive security approach that injects security at the right time and place with automated continuous testing. This presentation covers these aspects of automated continuous testing:

    1. Practices to avoid
    2. Drawbacks
    3. Prerequisites
    4. When and where to use automated testing
    5. Best practices for implementing and improving continuous testing throughout the development life cycle
Build secure, high-quality software faster.
Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.

  • Title: GDPR and Open Source: Best Practices for Security and Data Protection
  • Live at: Jul 25 2017 2:00 pm
  • Presented by: Daniel Hedley, Partner, Irwin Mitchell; Matt Jacobs, VP and General Counsel, Black Duck Software