Buyer and Seller Perspectives on Open Source in Tech Contracts

Join Black Duck and Tech Contracts Academy as they discuss the implications of open source software in tech contracts. The topic of open source has been at the forefront of the technology industry for many years, but as the use of open source in commercial applications explodes, so do concerns about addressing license and ownership issues in contract negotiations.

David Tollen is the founder of Tech Contracts Academy (www.TechContracts.com) and of Sycamore Legal P.C., in San Francisco. He’s the author of The Tech Contracts Handbook: Cloud Computing Agreements, Software Licenses, and Other IT Contracts for Lawyers and Businesspeople. He will dive into these topics from the perspective of both buyers and sellers and will aim to educate participants on Intellectual Property (IP) protection and other terms and how they should work during contract negotiations.
Recorded Nov 30 2017 59 mins
Presented by
Phil Odence, Black Duck Software and David Tollen, Tech Contracts Academy
  • Building Security In Maturity Model (BSIMM9): Here’s What’s New! Jan 10 2019 5:30 am UTC 60 mins
    Olli Jarva, APAC Managing Consultant, Synopsys Software Integrity Group
    The Building Security In Maturity Model (BSIMM) is a study of existing software security initiatives (SSIs) and provides a way to assess the current state of your software security initiative, identify gaps, prioritize change, and determine how and where to apply resources for immediate improvement. In this webinar, Olli Jarva, Managing Consultant, Synopsys Software Integrity Group, will give an introduction to BSIMM and how organizations can use it before diving into the changes observed in the latest version 9.
  • Beyond Open Source Compliance: Security in M&A Due Diligence Dec 12 2018 5:00 pm UTC 60 mins
    Nabil Hannan, Managing Principal, Synopsys
    The headline of a Wall Street Journal article from March read “Due Diligence on Cybersecurity Becomes Bigger Factor in M&A.” In April, Gartner reported, “Cybersecurity is Critical to the M&A Due Diligence Process.” Companies that invest in open source license compliance as part of diligence are starting to dive more deeply into security issues.
     
    A first step in assessing the security of software assets is looking at known vulnerabilities in open source components. But now, as part of the Synopsys Software Integrity Group, Black Duck can bring much broader capabilities to bear to analyze the overall security of code assets, including proprietary code.
     
    This webinar will discuss application security issues at a high level and the security services that you can include with a due diligence audit.
  • Secure Your Containers With GitHub and Synopsys Recorded: Nov 6 2018 52 mins
    Bryan Cross, Sr. Solutions Engineer, GitHub; Dave Meurer, Partner Solution Architect, Black Duck by Synopsys
    In April, Synopsys and GitHub spoke about adding “Sec” to DevOps by using solutions that don’t sacrifice speed or agility. Most of the discussion focused on software composition analysis for applications. But DevOps organizations are increasingly adopting container technologies. Do our solutions have what it takes to properly secure the code found in every layer of a container image?

    The answer is yes. With GitHub and Synopsys solutions, you can ensure the code in your containers is secure—from the code you write, to the open source you depend on, and to the operating system components that come with the container. In this live webinar, experts from Synopsys and GitHub will demonstrate solutions that can help keep your container contents secure. Some highlights:

    - The application security tool landscape, and when and where to run these tools
    - Linux component vulnerabilities vs. application component vulnerabilities
    - Demo: GitHub repo to a running container
    - Black Duck CoPilot: It’s free!
  • BSIMM9: Here’s What’s New! Recorded: Oct 25 2018 47 mins
    Mike Ware, Managing Principal, Synopsys
    In early October, we released the latest version of the BSIMM report, BSIMM9. While many things about the report haven’t changed much, it’s the new things that make it really exciting. Mike Ware will give a quick recap of the BSIMM and how organizations can use it before diving into the changes observed in BSIMM9, including these:
    - The incorporation of three new cloud-related activities and what that says about AppSec
    - The addition of retail as a stand-alone vertical
    - The growth in the number of security and developer resources
  • Black Duck 5.0 - Newest Customer Driven Features Recorded: Oct 24 2018 54 mins
    Jeff Michael, Hal Hearst, and Lisa Bryngelson, Senior Product Managers for Black Duck by Synopsys
    Join us to hear about our exciting new features and functionalities in 5.0. Features requested by you, our customers! Our senior project management team, Jeff Michael, Hal Hearst, and Lisa Bryngelson, will cover the latest features and leave plenty of time to answer your questions. In this webinar, we will discuss:

    - Black Duck Binary Analysis
    - Enhanced component management
    - Operational risk policy rules
    - API improvements
    - Infrastructure improvements
  • Securing Enterprise-Level Cloud Deployments Recorded: Oct 23 2018 54 mins
    Kinnaird McQuade, Senior Consultant, Synopsys Software Integrity Group
    When you’re operating in a cloud environment, access expands, responsibilities change, control shifts, and the speed of provisioning resources and applications increases—significantly affecting all aspects of IT security. Security must keep up with these demands without compromising on auditability, least privilege, and secure development practices while receiving the benefits of automation. In cloud environments, security must be built in with configuration management and infrastructure as code. This talk aims to piece all of it together while providing practical guidance (and examples) that will help your organization operate safely in this age of cloud computing.

    Topics will include:
    - Building security in with infrastructure as code
    - Pipeline-friendly OS hardening
    - Vulnerability scanning considerations for building cloud applications
    - Migrating to the cloud with rapid deployments in mind
  • Cloud DevSecOps With Synopsys and AWS Recorded: Oct 18 2018 55 mins
    Binoy Das, Partner Solution Architect, Amazon Web Services; Dave Meurer, Partner Solution Architect, Black Duck by Synopsys
    Automation in the cloud can help you build faster and deliver continuously, but it can also make managing security a challenge. By integrating Black Duck by Synopsys with the development tools you use in Amazon Web Services, you can scan images in your container registry, automate build scans in your CI pipeline, and stay notified of any security vulnerabilities or policy violations found in your open source code.

    Join experts from Synopsys and AWS as we explore how to build applications and containers safely in the cloud without sacrificing agility, visibility, or control. In this hands-on webinar, we’ll demonstrate how to:

    - Get started with Black Duck and AWS
    - Build better solutions through open source intelligence
    - Use open source management automation and integration with AWS
  • Effective Policies for Managing and Releasing Open Source Software Recorded: Oct 17 2018 60 mins
    Mark Radcliffe, Partner, DLA Piper/General Counsel OSI; Anthony Decicco, Shareholder, GTC Law Group & Affiliates
    Once you get a handle on what open source your organization has in house and you're through remediating any issues that came up during your code scan, then what? How do you ensure you avoid surprises the next time around and fully leverage your investment?

    Join this webinar with top open source legal experts Mark Radcliffe (partner at DLA Piper and General Counsel for the Open Source Initiative) and Tony Decicco (shareholder, GTC Law Group & Affiliates) as they discuss effective policies for managing and releasing open source in your company:

    - What are key aspects of an effective open source / third-party software policy for both inbound use and outbound contributions?
    - What are key success factors for effectively releasing code as open source?
    - How does this play out in transaction due diligence and integration following an acquisition?
  • Static Analysis Helps DevOps Teams Maintain Velocity Securely Recorded: Oct 11 2018 61 mins
    Meera Rao, Senior Principal Consultant, Synopsys
    Static application security testing (SAST) is the process of examining source code for security defects. SAST is one of many checks in an application security assurance program designed to identify and mitigate security vulnerabilities early in the DevOps process. Integrating SAST tools into DevOps processes is critical to building a sustainable program. And automating these tools is also an important part of adoption, as it drives efficiency, consistency, and early detection.

    But DevOps practitioners looking to integrate SAST tools into the DevOps pipeline often have questions:

    - How do I manage false positives?
    - How do I triage the results?
    - What happens to new issues identified?
    - How can I use a tool in my DevOps pipeline?

    If you have questions like these, and you’re concerned about integrating SAST tooling into your DevOps process, this session will offer actionable advice to automate security testing that supports DevOps velocity.
  • The Future of Application Security: Enable DevSecOps with IAST Recorded: Oct 4 2018 57 mins
    Amy DeMartine, Forrester Principal Analyst and Ofer Maor, Director, Solutions Management at Synopsys
    IAST, or Interactive Application Security Testing, is an emerging technology that is transforming the way organizations secure their web apps at the speed of DevOps. IAST automatically and continuously scans apps during QA testing to detect security vulnerabilities earlier in the SDLC than traditional DAST or pen testing solutions—when it’s easier, faster, and cheaper to fix them. Using a combination of static and dynamic testing techniques, IAST produces highly accurate and actionable results that can be interpreted directly by the developers responsible for fixing the code.

    Join guest speaker and Forrester Principal Analyst, Amy DeMartine and Ofer Maor, Director of Solutions Management at Synopsys, as they unpack the promise of IAST from the perspective of an analyst and a technology provider. Learn about the unique benefits and use cases for IAST, as well as the technology’s limitations and which types of organizations stand to gain the most from it.
  • Don't Acquire Open Source Risks You're Not Aware Of Recorded: Sep 19 2018 49 mins
    Daniel Kennedy, Research Director - Information Security, 451 Research; Phil Odence, GM – Black Duck On-Demand
    Modern applications are constructed using open source components. Most organizations understand they’re using open source. What they likely underestimate is its prevalence in their homegrown applications and the potential security and license compliance risks they assume if they’re not continuously monitoring those libraries. When companies merge or are acquired, that unknown risk is transferred, potentially to organizations with greater regulatory exposure. Join Daniel Kennedy, Research Director, Information Security, and Phil Odence, GM, Black Duck On-Demand, for a discussion of these risks and how to address them.
  • Using Security Champions to Build a DevSecOps Culture Within Your Organization Recorded: Sep 13 2018 42 mins
    Brendan Sheairs, Managing Consultant, Synopsys Software Integrity Group (SIG)
    The security industry has made great strides developing tools and technology to integrate software security into the application development life cycle. However, it’s important not to ignore the people and process aspects of DevSecOps. Building security into application teams’ culture is necessary for DevSecOps to be successful.

    Outside the software security group, Security Champions are the leaders of this cultural change. Embedding knowledgeable champions within development teams to assist with security activities and vulnerability remediation will help your organization see this cultural shift. As a result, you’ll build new features not only faster but also more securely. In this webinar, you’ll learn the foundations of a successful Security Champions program and the challenges you’ll face implementing such a program.
  • Open Source Supply Chains and Consumption Risk - Governance, Containers & Trust Recorded: Sep 4 2018 58 mins
    Tim Mackey, Technology Evangelist
    Organisations increasingly rely on open source software from their supply chain partners and outsourcers to power the products and technology they deliver to the marketplace.
    Whether you’re an automotive company or a medical device manufacturer, use of open source software accelerates development schedules, and reduces costs, but how do you minimise security risks?

    One way some DevOps organisations are facing this challenge is by deploying their applications in containers.

    In this webinar, Tim Mackey explores this new era of large scale container deployments and how to manage and secure them.

    Our webinar will arm you with the information to:
    - Explain the importance of open source security to your organisation
    - Why container environments present new application security challenges
    - Best practices and methodologies for deploying secure containers with trust
  • Enterprise Security at Scale With IAST Recorded: Aug 28 2018 50 mins
    Asma Zubair, Sr. Product Manager, Synopsys and Tamir Shavro, Sr. Engineering Manager, Synopsys
    With all the different application security testing tools available, you may be wondering whether interactive application security testing (IAST) makes sense for you. If you want to equip your developers with everything they need to fix vulnerabilities quickly and accurately in CI/CD workflows, then the answer is yes.

    In this webinar, Asma Zubair, Sr. Product Manager for Seeker, our IAST solution, and Tamir Shavro, Sr. Engineering Manager at Synopsys, will show you how to gain unparalleled visibility into the security posture of your web applications and how to identify vulnerability trends against compliance standards (e.g., OWASP Top 10, PCI DSS, and CWE/SANS). You’ll also learn how IAST can:

    - Be deployed in existing environments with ease
    - Give you real-time, accurate results
    - Integrate with software composition analysis
  • Security Champions: Only YOU Can Prevent File Forgery Recorded: Aug 22 2018 57 mins
    Marisa Fagan, Product Security Lead, Synopsys
    If you’re a developer, there will come a time when you realize that you have the power not only to ship awesome features but also to protect them so that no one else can tamper with all your hard work. Every developer is responsible for coding securely, but a brave few among us will take this duty one step further by wearing the mantle of a Security Champion.

    This webinar is your guide to becoming the Security Champion you always wanted to be, in just five easy steps. We’ll also talk about what benefits you’ll get out of it, besides saving the world, and what to do if your company doesn’t have a Security Champions program or even a product security program.
  • Enhance Application Security with Automated, Open-Source Security Management Recorded: Aug 15 2018 60 mins
    Dave Meurer, Alliances Technical Manager at Black Duck by Synopsys, Kamala Dasika, Pivotal
    Almost every major company uses or builds software containing open-source components today—96% of them, according to a report from Black Duck by Synopsys. The same report revealed that 78% of the apps that were audited had at least one vulnerability, including several that were reported nearly six years ago! Needless to say, not having solid open-source use policies and procedures in place for your developers poses a significant risk to any enterprise.

    Black Duck and Pivotal collaborated to deliver a secure and simple user experience for rapidly building and deploying applications so that developers can benefit from the many advantages of using open source in their apps with confidence.
    Join Dave Meurer from Black Duck and Kamala Dasika from Pivotal as they discuss:

    - Key security concepts you need to know pertaining to cloud-native application development
    - How to simplify and automate open-source security management for your applications and reduce license, operational risk, or policy violations

    Dave Meurer, Alliances Technical Manager at Black Duck by Synopsys, leads solution development, enablement, and evangelism for Synopsys Software Integrity Group.

    Kamala leads GTM with Pivotal Cloud Foundry Technology partners. She has been working at Pivotal since 2013 and has previously held various product or engineering positions at VMware, Tibco, SAP, and Applied Biosystems.

    Pivotal Privacy Statement:
    https://pivotal.io/privacy-policy

    BlackDuck Privacy Statement:
    https://www.blackducksoftware.com/legal/privacy

    This webinar:
    https://content.pivotal.io/webinars/aug-15-enhance-application-security-with-automated-open-source-security-management-webinar
  • AppSec in Financial Services through the BSIMM Lens Recorded: Aug 14 2018 39 mins
    Nabil Hannan, Managing Principal, Synopsys Software Integrity Group (SIG)
    Do you ever wonder whether your software security program is the correct one for your organization? You spend time and money on processes, technology, and people. But how do you know whether the security efforts you’ve put in place even make sense? The Building Security In Maturity Model, or BSIMM, is a metrics-driven study of existing security initiatives at other organizations. BSIMM results help you assess the current state of your software security initiative and determine which areas need improvement.

    During the webinar, we’ll use a BSIMM broken down by the financial services industry to see what other companies are doing. We’ll also:

    · Use real data to help drive your software security initiative
    · Learn how organizations use the BSIMM to measure the maturity of their software security initiatives
    · Look at the aggregate data of the FSI vertical in the BSIMM
    · Discuss some of the most common activities that we observe with FSI companies and the drivers of those activities
  • DevSecOps: Security at the Speed of DevOps with Comcast Recorded: Aug 3 2018 50 mins
    Larry Maccherone, Sr. Director DevSecOps Transformation, Comcast
    Security specialists, especially at large organizations, believe that better security comes from robust independent gating. On the other hand, DevOps has proven that you can safely deploy orders of magnitude faster than human gating can achieve.

    What’s needed to add security to DevOps are tools that work well with rapid-cycle CI/CD pipelines and an approach that reinforces the DevOps culture and process changes. This requires that security specialists become self-service toolsmiths and advisors and stop thinking of themselves as gatekeepers.

    This webinar includes guidance on the characteristics of security tools compatible with DevOps, but it focuses primarily on the harder part: the people. This talk introduces the DevSecOps manifesto and provides you with a process model, based on agile transformation techniques, to accomplish the necessary mindset shift and achieve an effective DevSecOps culture transformation. It has been successfully used in a large DevSecOps transformation at Comcast and has gained recognition in DevSecOps circles as a leading framework.
  • Reviewing Spectre 6 Months Later Recorded: Jul 25 2018 30 mins
    Taylor Armerding, Senior Security Strategist for Synopsys
    It’s been more than six months since the major design flaw in computer chips labeled Spectre became public. And, as predicted, it is still haunting the world of information technology. The CPU (central processing unit) is, after all, the “brain” of any computer, phone, tablet, modern TV, or other “smart” device.
    Since then, we’ve all learned a bit about terms some of us had never heard before—“speculative execution,” anyone? We’ve also been told that you can’t just patch a chip the way you can patch bugs in software. But you can create work-arounds with software patches.
    In this webinar, Taylor Armerding, senior security strategist for Synopsys Software Integrity Group, will address some of the questions that “regular”—i.e., nontechnical—users may have about Spectre:
    - What is it?
    - How does it work?
    - Why does it work?
    - Why didn’t chip makers catch a flaw of this magnitude during the design phase?
    - Why is a tool called static analysis the best way to work around Spectre without causing intolerable performance slowdowns?
  • Best Practices for Managing Open Source in an Organization and Throughout M&A Recorded: Jul 18 2018 58 mins
    Mark Radcliffe, Partner, DLA Piper/General Counsel OSI; Anthony Decicco, Shareholder, GTC Law Group & Affiliates
    The use of open source has surpassed the occasional and solidified itself as the standard. In fact, the Black Duck by Synopsys 2018 Open Source Security and Risk Analysis found that 96% of the applications we scanned last year contained open source components.

    It’s increasingly difficult to properly manage open source in an organization to ensure compliance with the over 2,000 different licenses in use today and defend against new vulnerabilities, which surface frequently.

    Join this webinar with top open source legal experts Mark Radcliffe (partner at DLA Piper and general counsel for the Open Source Initiative) and Tony Decicco (shareholder, GTC Law Group & Affiliates) as they discuss best practices for managing open source in an organization and throughout an M&A transaction:

    - How do you conduct an open source / third-party software audit?
    - How do you get the most out of your Black Duck code scan (i.e., handling license compliance issues and managing security vulnerabilities)?
    - What are key aspects of an effective open source / third-party software policy for both inbound use and outbound contributions?
    - What are key success factors for effectively releasing code as open source?
Build secure, high-quality software faster.
Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.

  • Title: Buyer and Seller Perspectives on Open Source in Tech Contracts
  • Live at: Nov 30 2017 8:00 pm
  • Presented by: Phil Odence, Black Duck Software and David Tollen, Tech Contracts Academy