Vulnerabilities are an inevitable part of software development and management. Whether it’s open source or custom code, new vulnerabilities will be discovered as a code base ages. A 2017 Black Duck analysis of code audits conducted on 1,071 applications found that 97% contained open source, but 67% of the applications had open source vulnerabilities, half of which were categorized as severe. As the number of disclosures, patches, and updates grows, security professionals must decide which items are critical and must be addressed immediately and which items can be deferred.
Join Black Duck’s VP of Security Strategy, Mike Pittenger, for a 30-minute discussion of best practices in open source security and vulnerability management. You’ll learn:
- Methods for determining which applications are most attractive to attackers, and which pose the greatest risk
- Ways to assess the risk associated with a disclosed open source vulnerability
- Strategies to minimize the impact of open source security vulnerabilities when immediate fixes can’t be made
Recorded Dec 19 2017, 29 mins
Mark Radcliffe, Partner at DLA Piper & Tony Decicco, Shareholder, GTC Law Group & Affiliates & Phil Odence, GM, Synopsys
Gain insights into important legal developments from two of the leading open source legal experts: Mark Radcliffe, Partner at DLA Piper and General Counsel for the Open Source Initiative, and Tony Decicco, Shareholder at GTC Law Group & Affiliates.
This annual review will highlight the most significant legal developments related to open source software in 2018, including:
• The rising importance of data and licensing considerations
• Business model problems and the proposed solutions (RedisLabs and MongoDB)
• Dangerous legal theories: core developers as fiduciaries
• OSS vs. SSO: clash of models
• Return of the Linux patent troll: McHardy
• The need to extend the scope of an audit to cover web services/APIs
• The changing tide in open source license adoption
• Big open source transactions
Live attendees will earn CLE credit for this webinar. Don’t miss out – register today.
As organizations come to rely heavily on software to perform critical business functions and deliver customer value, cyberattacks have unfortunately become common. Web application attacks were responsible for 38% of data breaches in 2018. Securing these applications is critical to promote customer trust and to protect business-critical information and the company’s reputation. Fixing vulnerabilities before applications are deployed isn’t just smart; it saves downstream costs too.
Modern web applications are increasingly reliant on frameworks that simplify the application code but can introduce their own vulnerabilities. In this webinar we discuss how the Coverity 2018.12 release enables organizations to build secure web applications faster. The latest release addresses three increasingly important needs for enterprise application security teams: scalability, broad language and framework support, and comprehensive vulnerability analysis. Building upon its historic advantages in deep, accurate code analysis, Coverity 2018.12 greatly expands upon its coverage of web languages and popular frameworks and makes it fast and easy to analyze applications. The result is applications that are inherently more secure before they are deployed into production.
In this webinar Yatin Patil, Senior Product Manager for Coverity will cover:
• Importance of application security testing
• Enterprise application security best practices
• What a SAST solution needs to provide
• Newest features of Coverity 2018.12
Scott Crawford, Research Director for Information Security, 451 Research & Phil Odence, GM, Black Duck by Synopsys
It’s no secret that “software is eating the world,” as Marc Andreessen once described—and it’s taking entire development communities to support it. Recently, open source has become a primary contributor to software found in the enterprise. According to a 2018 report from the Synopsys Center for Open Source Research & Innovation, the average percentage of open source in codebases examined in Black Duck audits has increased to 57% from only 36% from the previous year. But open source isn’t risk-free—and the implications can have a direct impact on the business.
Join Scott Crawford, research director for information security with 451 Research, and Phil Odence, general manager of Black Duck On-Demand with Synopsys, to take a closer look at open source risks and the ways that businesses can better evaluate and mitigate them. They’ll cover the following points and more:
• One of the highest-profile breaches of 2017 was the result of a widely exposed vulnerability in a popular open source application component, exposing millions of personal financial records—and costing business leaders their jobs.
• In just the last few weeks, the implicit trust on which the open source ecosystem is based has been exploited to steal tangible assets.
• What’s the real cost of a data breach? In at least one highly visible case, a breach reduced the dollar value of an acquisition by hundreds of millions. As business dependence on open source grows, so too does business exposure.
• And of course, compliance with open source licenses remains a concern.
Taming these threats to the business requires an approach that fits the central role open source plays in the fast-moving world of continuous innovation.
See how Synopsys started the software security journey and is taking an active role in providing industry expertise to help organizations deliver robust software security solutions. We will focus on identifying cyber risks and equip you with solutions to overcome security issues. If you want more than our Q&A at the end of the webinar, visit us in Copenhagen, Denmark: Synopsys will be hosting the Copenhagen Security Symposium at the Carlsberg Museum on 6th February 2019.
Olli Jarva, APAC Managing Consultant, Synopsys Software Integrity Group
The Building Security In Maturity Model (BSIMM) is a study of existing software security initiatives (SSIs). It provides a way to assess the current state of your software security initiative, identify gaps, prioritize change, and determine how and where to apply resources for immediate improvement. In this webinar, Olli Jarva, Managing Consultant, Synopsys Software Integrity Group, will give an introduction to BSIMM and explain how organizations can use it before diving into the changes observed in the latest version, BSIMM9.
Jeff Michael, Senior Product Manager for Black Duck by Synopsys
Black Duck Security Advisories (BDSA) have been receiving great reviews from customers. Come learn about the advantages of BDSA and migrating to BDSA, and have all your questions answered by Jeff Michael.
Emmanuel Tournier, Sr. Manager, Black Duck On-Demand and Phil Odence, GM – Black Duck On-Demand at Synopsys
If you have received Black Duck audit reports and anticipate more in the future, you won’t want to miss this webinar.
Black Duck by Synopsys constantly strives to improve our offerings and reporting capabilities. We’ve expanded the range of our audit offerings, and by the first of the year, we’ll be rolling out a new set of reports and a new process for sharing them. Join us for a preview of the new reports and process. Black Duck On-Demand’s Phil Odence and Emmanuel Tournier will demonstrate how we have combined customers’ ideas with the best elements of our reporting to develop new reporting technology and processes designed to make reviewing audit results easier, more insightful, and more productive.
The headline of a Wall Street Journal article from March read “Due Diligence on Cybersecurity Becomes Bigger Factor in M&A.” In April, Gartner reported, “Cybersecurity is Critical to the M&A Due Diligence Process.” Companies that invest in open source license compliance as part of diligence are starting to dive more deeply into security issues.
A first step in assessing the security of software assets is looking at known vulnerabilities in open source components. But now, as part of the Synopsys Software Integrity Group, Black Duck can bring much broader capabilities to bear to analyze the overall security of code assets, including proprietary code.
This webinar will discuss application security issues at a high level and the security services that you can include with a due diligence audit.
Bryan Cross, Sr. Solutions Engineer, GitHub; Dave Meurer, Partner Solution Architect, Black Duck by Synopsys
In April, Synopsys and GitHub spoke about adding “Sec” to DevOps by using solutions that don’t sacrifice speed or agility. Most of the discussion focused on software composition analysis for applications. But DevOps organizations are increasingly adopting container technologies. Do our solutions have what it takes to properly secure the code found in every layer of a container image?
The answer is yes. With GitHub and Synopsys solutions, you can ensure the code in your containers is secure—from the code you write, to the open source you depend on, and to the operating system components that come with the container. In this live webinar, experts from Synopsys and GitHub will demonstrate solutions that can help keep your container contents secure. Some highlights:
- The application security tool landscape, and when and where to run these tools
- Linux component vulnerabilities vs. application component vulnerabilities
- Demo: GitHub repo to a running container
- Black Duck CoPilot: It’s free!
In early October, we released the latest version of the BSIMM report, BSIMM9. While many things about the report haven’t changed much, it’s the new things that make it really exciting. Mike Ware will give a quick recap of the BSIMM and how organizations can use it before diving into the changes observed in BSIMM9, including these:
- The incorporation of three new cloud-related activities and what that says about AppSec
- The addition of retail as a stand-alone vertical
- The growth in the number of security and developer resources
Jeff Michael, Hal Hearst, and Lisa Bryngelson, Senior Product Managers for Black Duck by Synopsys
Join us to hear about the exciting new features and functionality in 5.0, features requested by you, our customers! Our senior product management team, Jeff Michael, Hal Hearst, and Lisa Bryngelson, will cover the latest features and leave plenty of time to answer your questions. In this webinar, we will discuss:
Kinnaird McQuade, Senior Consultant, Synopsys Software Integrity Group
When you’re operating in a cloud environment, access expands, responsibilities change, control shifts, and the speed of provisioning resources and applications increases—significantly affecting all aspects of IT security. Security must keep up with these demands without compromising on auditability, least privilege, and secure development practices while receiving the benefits of automation. In cloud environments, security must be built in with configuration management and infrastructure as code. This talk aims to piece all of it together while providing practical guidance (and examples) that will help your organization operate safely in this age of cloud computing.
Topics will include:
- Building security in with infrastructure as code
- Pipeline-friendly OS hardening
- Vulnerability scanning considerations for building cloud applications
- Migrating to the cloud with rapid deployments in mind
Binoy Das, Partner Solution Architect, Amazon Web Services; Dave Meurer, Partner Solution Architect, Black Duck by Synopsys
Automation in the cloud can help you build faster and deliver continuously, but it can also make managing security a challenge. By integrating Black Duck by Synopsys with the development tools you use in Amazon Web Services, you can scan images in your container registry, automate build scans in your CI pipeline, and stay notified of any security vulnerabilities or policy violations found in your open source code.
Join experts from Synopsys and AWS as we explore how to build applications and containers safely in the cloud without sacrificing agility, visibility, or control. In this hands-on webinar, we’ll demonstrate how to:
- Get started with Black Duck and AWS
- Build better solutions through open source intelligence
- Use open source management automation and integration with AWS
Mark Radcliffe, Partner, DLA Piper/General Counsel OSI; Anthony Decicco, Shareholder, GTC Law Group & Affiliates
Once you get a handle on what open source your organization has in house and you're through remediating any issues that came up during your code scan, then what? How do you ensure you avoid surprises the next time around and fully leverage your investment?
Join this webinar with top open source legal experts Mark Radcliffe (partner at DLA Piper and General Counsel for the Open Source Initiative) and Tony Decicco (shareholder, GTC Law Group & Affiliates) as they discuss effective policies for managing and releasing open source in your company:
- What are key aspects of an effective open source / third-party software policy for both inbound use and outbound contributions?
- What are key success factors for effectively releasing code as open source?
- How does this play out in transaction due diligence and integration following an acquisition?
Static application security testing (SAST) is the process of examining source code for security defects. SAST is one of many checks in an application security assurance program designed to identify and mitigate security vulnerabilities early in the DevOps process. Integrating SAST tools into DevOps processes is critical to building a sustainable program. And automating these tools is also an important part of adoption, as it drives efficiency, consistency, and early detection.
But DevOps practitioners looking to integrate SAST tools into the DevOps pipeline often have questions:
- How do I manage false positives?
- How do I triage the results?
- What happens to new issues identified?
- How can I use a tool in my DevOps pipeline?
If you have questions like these, and you’re concerned about integrating SAST tooling into your DevOps process, this session will offer actionable advice to automate security testing that supports DevOps velocity.
Amy DeMartine, Forrester Principal Analyst and Ofer Maor, Director, Solutions Management at Synopsys
IAST, or Interactive Application Security Testing, is an emerging technology that is transforming the way organizations secure their web apps at the speed of DevOps. IAST automatically and continuously scans apps during QA testing to detect security vulnerabilities earlier in the SDLC than traditional DAST or pen testing solutions—when it’s easier, faster, and cheaper to fix them. Using a combination of static and dynamic testing techniques, IAST produces highly accurate and actionable results that can be interpreted directly by the developers responsible for fixing the code.
Join guest speaker and Forrester Principal Analyst Amy DeMartine and Ofer Maor, Director of Solutions Management at Synopsys, as they unpack the promise of IAST from the perspectives of an analyst and a technology provider. Learn about the unique benefits and use cases for IAST, as well as the technology’s limitations and which types of organizations stand to gain the most from it.
Daniel Kennedy, Research Director - Information Security, 451 Research; Phil Odence, GM – Black Duck On-Demand
Modern applications are constructed using open source components. Most organizations understand they’re using open source. What they likely underestimate is its prevalence in their homegrown applications and the potential security and license compliance risks they assume if they’re not continuously monitoring those libraries. When companies merge or are acquired, that unknown risk is transferred, potentially to organizations with greater regulatory exposure. Join Daniel Kennedy, Research Director, Information Security, and Phil Odence, GM, Black Duck On-Demand, for a discussion of these risks and how to address them.
Brendan Sheairs, Managing Consultant, Synopsys Software Integrity Group (SIG)
The security industry has made great strides developing tools and technology to integrate software security into the application development life cycle. However, it’s important not to ignore the people and process aspects of DevSecOps. Building security into application teams’ culture is necessary for DevSecOps to be successful.
Outside the software security group, Security Champions are the leaders of this cultural change. Embedding knowledgeable champions within development teams to assist with security activities and vulnerability remediation will help your organization see this cultural shift. As a result, you’ll build new features not only faster but also more securely. In this webinar, you’ll learn the foundations of a successful Security Champions program and the challenges you’ll face implementing such a program.
Organisations increasingly rely on open source software from their supply chain partners and outsourcers to power the products and technology they deliver to the marketplace.
Whether you’re an automotive company or a medical device manufacturer, use of open source software accelerates development schedules and reduces costs. But how do you minimise security risks?
One way some DevOps organisations are facing this challenge is by deploying their applications in containers.
In this webinar, Tim Mackey explores this new era of large scale container deployments and how to manage and secure them.
Our webinar will arm you with the information to:
• Explain the importance of open source security to your organisation
• Understand why container environments present new application security challenges
• Apply best practices and methodologies for deploying secure containers with trust
With all the different application security testing tools available, you may be wondering whether interactive application security testing (IAST) makes sense for you. If you want to equip your developers with everything they need to fix vulnerabilities quickly and accurately in CI/CD workflows, then the answer is yes.
In this webinar, Asma Zubair, Sr. Product Manager for Seeker, our IAST solution, and Tamir Shavro, Sr. Engineering Manager at Synopsys, will show you how to gain unparalleled visibility into the security posture of your web applications and how to identify vulnerability trends against compliance standards (e.g., OWASP Top 10, PCI DSS, and CWE/SANS). You’ll also learn how IAST can:
- Be deployed in existing environments with ease
- Give you real-time, accurate results
- Integrate with software composition analysis
Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.