Behind the Equifax Breach: A Deep Dive Into Apache Struts CVE-2017-5638
Equifax confirmed that their high profile, high impact data breach was due to an exploit of a vulnerability in an open source component, Apache Struts CVE-2017-5638. Apache Struts is a mainstream web framework, widely used by Fortune 100 companies in education, government, financial services, retail and media.
This breach highlights the need for visibility and control into the open source in use at organizations of all sizes. As the Equifax incident shows, open source security breaches can have devastating impacts for your users as well as your brand reputation, legal exposure, and revenue.
In this webinar, Black Duck open source security experts share their analysis of what happened at Equifax and provide you with guidance to help your company avoid being the next front page news story:
- Why should organizations prioritize open source vulnerability management?
- How could a known vulnerability like this go undetected for so long?
- What is CVE-2017-5638 in depth and how can hackers exploit it?
- How can you win the race against hackers and avoid risks from future vulnerabilities?
RecordedOct 5 201755 mins
Your place is confirmed, we'll send you email reminders
Daniel Kennedy, Research Director - Information Security, 451 Research; Phil Odence, GM – Black Duck On-Demand
Modern applications are constructed using open source components. Most organizations understand they’re using open source. What they likely underestimate is its prevalence in their homegrown applications and the potential security and license compliance risks they assume if they’re not continuously monitoring those libraries. When companies merge or are acquired, that unknown risk is transferred, potentially to organizations with greater regulatory exposure. Join Daniel Kennedy, Research Director, Information Security, and Phil Odence, GM, Black Duck On-Demand, for a discussion of these risks and how to address them.
Brendan Sheairs, Associate Managing Consultant, Synopsys Software Integrity Group (SIG)
The security industry has made great strides developing tools and technology to integrate software security into the application development life cycle. However, it’s important not to ignore the people and process aspects of DevSecOps. Building security into application teams’ culture is necessary for DevSecOps to be successful.
Outside the software security group, Security Champions are the leaders of this cultural change. Embedding knowledgeable champions within development teams to assist with security activities and vulnerability remediation will help your organization see this cultural shift. As a result, you’ll build new features not only faster but also more securely. In this webinar, you’ll learn the foundations of a successful Security Champions program and the challenges you’ll face implementing such a program.
Organisations increasingly rely on open source software from their supply chain partners and outsourcers to power the products and technology they deliver to the marketplace.
Whether you’re an automotive company or a medical device manufacturer, use of open source software accelerates development schedules, and reduces costs, but how do you minimise security risks?
One way some DevOps organisations are facing this challenge is by deploying their applications in containers.
In this webinar, Tim Mackey explores this new era of large scale container deployments and how to manage and secure them.
Our webinar will arm you with the information to:
•Explain the importance of open source security to your organisation
•Why container environments present new application security challenges
•Best practices and methodologies for deploying secure containers with trust
If you’re a developer, there will come a time when you realize that you have the power not only to ship awesome features but also to protect them so that no one else can tamper with all your hard work. Every developer is responsible for coding securely, but a brave few among us will take this duty one step further by wearing the mantle of a Security Champion.
This webinar is your guide to becoming the Security Champion you always wanted to be, in just five easy steps. We’ll also talk about what benefits you’ll get out of it, besides saving the world, and what to do if your company doesn’t have a Security Champions program or even a product security program.
Dave Meurer, Alliances Technical Manager at Black Duck by Synopsys, Kamala Dasika, Pivotal
Almost every major company uses or builds software containing open-source components today—96% of them, according to a report from Black Duck by Synopsis. The same report revealed that 78% of the apps that were audited had at least one vulnerability, including several that were reported nearly six years ago! Needless to say, not having solid open-source use policies and procedures in place for your developers poses a significant risk to any enterprise.
Black Duck and Pivotal collaborated to deliver a secure and simple user experience for rapidly building and deploying applications so that developers can benefit from the many advantages of using open source in their apps with confidence.
Join Dave Meurer from Black Duck and Kamala Dasika from Pivotal as they discuss:
- Key security concepts you need to know pertaining to cloud-native application development
- How to simplify and automate open-source security management for your applications and reduce license, operational risk, or policy violations
Dave Meurer, Alliances Technical Manager at Black Duck by Synopsys, leads solution development, enablement, and evangelism for Synopsys Software Integrity Group.
Kamala leads GTM with Pivotal Cloud Foundry Technology partners. She has been working at Pivotal since 2013 and has previously held various product or engineering positions at VMware, Tibco, SAP, and Applied Biosystems.
Larry Maccherone, Sr. Director DevSecOps Transformation, Comcast
Security specialists, especially at large organizations, believe that better security comes from robust independent gating. On the other hand, DevOps has proven that you can safely deploy orders of magnitude faster than human gating can achieve.
What’s needed to add security to DevOps are tools that work well with rapid-cycle CI/CD pipelines and an approach that reinforces the DevOps culture and process changes. This requires that security specialists become self-service toolsmiths and advisors and stop thinking of themselves as gatekeepers.
This webinar includes guidance on the characteristics of security tools compatible with DevOps, but it focuses primarily on the harder part: the people. This talk introduces the DevSecOps manifesto and provides you with a process model, based on agile transformation techniques, to accomplish the necessary mindset shift and achieve an effective DevSecOps culture transformation. It has been successfully used in a large DevSecOps transformation at Comcast and has gained recognition in DevSecOps circles as a leading framework.
Taylor Armerding, Senior Security Strategist for Synopsys
It’s been more than six months since the major design flaw in computer chips labeled Spectre became public. And, as predicted, it is still haunting the world of information technology. The CPU (central processing unit) is, after all, the “brain” of any computer, phone, tablet, modern TV, or other “smart” device.
Since then, we’ve all learned a bit about terms some of us had never heard before—“speculative execution,” anyone? We’ve also been told that you can’t just patch a chip the way you can patch bugs in software. But you can create work-arounds with software patches.
In this webinar, Taylor Armerding, senior security strategist for Synopsys Software Integrity Group, will address some of the questions that “regular”—i.e., nontechnical—users may have about Spectre:
- What is it?
- How does it work?
- Why does it work?
- Why didn’t chip makers catch a flaw of this magnitude during the design phase?
- Why is a tool called static analysis the best way to work around Spectre without causing intolerable performance slowdowns?
Mark Radcliffe, Partner, DLA Piper/General Counsel OSI; Anthony Decicco, Shareholder, GTC Law Group & Affiliates
The use of open source has surpassed the occasional and solidified itself as the standard. In fact, the Black Duck by Synopsys 2018 Open Source Security and Risk Analysis found that 96% of the applications we scanned last year contained open source components.
It’s increasingly difficult to properly manage open source in an organization to ensure compliance with the over 2,000 different licenses in use today and defend against new vulnerabilities, which surface frequently.
Join this webinar with top open source legal experts Mark Radcliffe (partner at DLA Piper and general counsel for the Open Source Initiative) and Tony Decicco (shareholder, GTC Law Group & Affiliates) as they discuss best practices for managing open source in an organization and throughout an M&A transaction:
- How do you conduct an open source / third-party software audit?
- How do you get the most out of your Black Duck code scan?
i.e. Handling license compliance issues and managing security vulnerabilities
- What are key aspects of an effective open source / third-party software policy for both inbound use and outbound contributions?
- What are key success factors for effectively releasing code as open source?
Ofer Maor, Director, Solutions Management at Synopsys
SAST, IAST, DAST, MAST, *AST – There are plenty of technologies and ways to test your software, but how do we do that without slowing us down in a rapid development environment. In this session we will give practical advice on how to integrate software security testing into your CI/CD and your development process so it works. The session will review the pros and cons of each of the testing technologies, how to adapt it to rapid development, and how to make testing work as organizations are moving to A/B testing. Finally, this session will guide on how to manage the balance between risk and speed to build the right process, so that real threats will become blockers, but other issues will be handled in a parallel, slower cycle, without slowing down the main delivery.
Apoorva Phadke, Associate Principal Consultant, Synopsys
Development and operations teams have already come a long way by aligning around the shared goal of delivering stable, high-quality software—quickly. By automating manual processes and building tools into the continuous integration and continuous delivery (CI/CD) pipeline, they’ve increased trust between groups, which is essential as these once-disparate teams tackle critical issues together. In this webinar, you’ll learn how to build a DevSecOps culture in your organization with automated and integrated application security tools and the right training for each team.
Open source management is a key part of any application security toolkit. But with so many different tools and techniques on the market, how can you decide what other tools you need to fully address the security risks of your applications? In this webinar, you’ll learn the benefits and limitations of several application security tools, including SAST, SCA, DAST, IAST, and fuzzing, as well as how they differ, so you can make informed decisions as you build your AppSec toolkit.
Jeff Michael, Senior Product Manager and Hal Hearst, Principle Product Manager for Black Duck by Synopsys
Once again, our newest Hub release is packed with features requested by you – our customer! Lead Product Managers for Hub, Hal Hearst and Jeff Michael, will share all the new features. We will dive into:
-Bulk snippet confirmation
-BoM hierarchy tree display
-BoM policy violation comments
-Cross-project BoM difference comparison
-Ability to map Hub projects to external application IDs
Chris Clark, Principal Security Engineer – Strategic Initiatives, Synopsys
Trying to keep pace in a highly connected world and increasingly hostile environment is a challenge for any developer, let alone an entire industry. To protect the software they write, developers turn to technologies and processes such as audits, reverse engineering, application firewalls, sandboxing, and many others to provide a level of protection. But these technologies also have the potential to become entry points for vulnerabilities. So do we really trust software?
See how Synopsys started the software security journey and is taking an active role in providing industry expertise to help organizations deliver robust software security solutions. We will focus on how the cyber supply chain can have a direct and meaningful impact on the overall design and deployment of software. See how known vulnerability management, mitigation, and training can affect the known risk profile of overall software design. Learn about what we are working on and how you can participate in improving standards and programs that reduce cyber risk.
Glen Kosaka, VP Marketing & Product Management, Neuvector; Dave Meurer, Alliances Technical Mgr, Black Duck by Synopsys
With the extensive use of open source software in containers, it’s critical to prevent vulnerable software from being deployed into production. But even with protections in place, unknown and new vulnerabilities can be exploited during runtime, compromising sensitive data, revealing secrets, and damaging infrastructure.
In this webinar, Black Duck by Synopsys and NeuVector will explain:
- How to protect containers starting from the build
- How to develop container security policies and procedures around threats
- Best practices for deploying secure container
Phil Odence, GM of Black Duck On-Demand; Evan Klein, Head of Product Marketing for Software Composition Analysis, Synopsys
Open source components are the foundation of modern applications, but ineffective management of open source can lead to serious risks and unwanted media attention when security flaws lead to data breaches. The Black Duck by Synopsys 2018 Open Source Security and Risk Analysis (OSSRA) examines the previous year’s open source and security news and analyzes trends based on the audits of more than 1,100 codebases.
This webinar will detail the findings in the OSSRA report, showing that M&A target organizations are not always effective in securing and managing their open source. Not surprisingly, 96% of audited codebases contained open source components, and nearly 78% contained at least one vulnerability. We’ll discuss these findings and the risk associated with not understanding them before making investment decisions.
Evan Klein, Head of Product Marketing for Software Composition Analysis, Synopsys
Open source components are the foundation of modern applications, but ineffective management around open source can lead to serious risks and unwanted media attention when security flaws lead to data breaches. The Black Duck by Synopsys 2018 Open Source Security and Risk Analysis (OSSRA) examines the previous year’s open source and security news and analyzes trends based on the audits of more than 1,100 codebases.
Not surprisingly, 96% of the audited codebases contained open source components, and nearly 78% of the codebases contained at least one vulnerability. As the percentage of open source in codebases continues to grow, it’s clear that open source management practices need to improve.
In this webinar, open source expert Evan Klein will walk through the report’s findings in depth and discuss strategies companies can use to minimize open source security risk while maximizing the benefits open source provides.
Patrick Carey, Director of Product Marketing, Synopsys
Can one tool do it all?
Applications are the #1 attack target of hackers, so application security should be an integral part of your software development tools and processes. At the same time, it's more difficult than ever before to pick an AppSec solution. It's easy to find yourself lost in sea of confusing 3 and four-letter acronyms. SAST, DAST, SCA, IAST, PEN, RASP - How do you know which one or ones to choose? In this webinar, we'll try to help simplify things to help you understand the strengths, weaknesses, and applicability of each of these approaches so you can build out your AppSec toolbox with confidence.
Jay Lyman, Principal Analyst, Cloud Management and Containers, 451 Research; Meera Rao, Senior Principal Consultant, Synopsys
To learn more about the realities of DevSecOps today and the real degree to which security is or is not being included in enterprise continuous integration/continuous delivery workflows, we surveyed 350 decision-makers at large enterprises across a variety of industries.
What we found is that only about half of enterprise CI/CD workflows include any security elements at all, highlighting ample room for improvement. Enterprises did seem to show an awareness of the importance of adding security elements into DevOps releases, but they are not necessarily injecting security early in the process -- ideally at code commit and in pre-implementation. This webinar will cover these and other results of our survey, and offer guidance on how enterprise organizations can effectively integrate security tools, thinking and people into their CI/CD workflows to reduce rework and risk without sacrificing velocity.
Mark Radcliffe, Partner, DLA Piper/Counsel OSI; Anthony Decicco, Shareholder, GTC Law Group & Affiliates
Open source software is an important part of mainstream software development organizations. Active open source use in development can drive down costs, speed time to market and increase software functionality, all without adding to the bottom line.
And yet, even as it has become mainstream, open source is often misunderstood by legal professionals. With over two thousand different licenses in use today, it can be difficult to properly manage open source and ensure compliance.
In this webinar, top open source legal experts Mark Radcliffe (Partner at DLA Piper and General Counsel for the Open Source Initiative) and Tony Decicco (Shareholder, GTC Law Group) will cover:
- Brief history and definition of open source
- The most popular open source licenses and their obligations
- Permissive licenses vs. Restrictive licenses
James Croall, Director of SAST Product Management at Synopsys
The recently discovered Spectre security vulnerability has taken the tech industry and security world by storm. By exploiting security vulnerabilities inherent in the design of many modern microprocessors, Spectre attacks can cause damaging leakage of personal information and data.
There are several proposed workarounds to protect applications affected by Spectre. However, they can adversely affect performance and be time consuming for developers.
A novel solution to mitigate Spectre is to use a static analysis tool that quickly identifies vulnerable code patterns that are likely to be exploited and reduces potential app performance degradation. In this webinar, James Croall, director of SAST product management at Synopsys, will detail how this works and cover the following:
-What is Spectre and how is the attack carried out?
-What are the various ways to mitigate the effects of this attack?
-What can software development organizations do to help secure their apps against Spectre?
-What are some best practices and examples of how to use Synopsys Static Analysis (Coverity) to better secure your apps against Spectre attacks?
Webcasts around application security and container security.
Black Duck by Synopsys provides automated solutions for securing and managing open source software. With the rapid, widespread adoption of open source software, Black Duck is a key component of Synopsys’ Software Integrity Platform, the most comprehensive solution for integrating security into the SDLC and software supply chain.
Behind the Equifax Breach: A Deep Dive Into Apache Struts CVE-2017-5638Patrick Carey, VP Product Marketing; Chris Fearon, Research Director; Pat Durante, Sr. Director Education Services[[ webcastStartDate * 1000 | amDateFormat: 'MMM D YYYY h:mm a' ]]54 mins