Hi [[ session.user.profile.firstName ]]

4 Steps to Risk Ranking Your Vulnerabilities

Vulnerabilities are an inevitable part of software development and management. Whether it’s open source or custom code, new vulnerabilities will be discovered as a code base ages. A 2017 Black Duck analysis of code audits conducted on 1,071 applications found that 97% contained open source, but 67% of the applications had open source vulnerabilities, half of which were categorized as severe. As the number of disclosures, patches, and updates grows, security professionals must decide which items are critical and must be addressed immediately and which items can be deferred.
Join Black Duck’s VP of Security Strategy, Mike Pittenger, for a 30-minute discussion of best practices in open source security and vulnerability management. You’ll learn:
- Methods for determining which applications are most attractive to attackers, and which pose the greatest risk
- Ways to assess the risk associated with a disclosed open source vulnerability
- Strategies to minimize the impact of open source security vulnerabilities when immediate fixes can’t be made
Recorded Dec 19 2017 29 mins
Your place is confirmed,
we'll send you email reminders
Presented by
Mike Pittenger, VP Security Strategy, Black Duck Software
Presentation preview: 4 Steps to Risk Ranking Your Vulnerabilities
  • Channel
  • Channel profile
  • Do We Trust Software? Jun 20 2018 5:00 pm UTC 60 mins
    Chris Clark, Principal Security Engineer – Strategic Initiatives, Synopsys
    Trying to keep pace in a highly connected world and increasingly hostile environment is a challenge for any developer, let alone an entire industry. To protect the software they write, developers turn to technologies and processes such as audits, reverse engineering, application firewalls, sandboxing, and many others to provide a level of protection. But these technologies also have the potential to become entry points for vulnerabilities. So do we really trust software?

    See how Synopsys started the software security journey and is taking an active role in providing industry expertise to help organizations deliver robust software security solutions. We will focus on how the cyber supply chain can have a direct and meaningful impact on the overall design and deployment of software. See how known vulnerability management, mitigation, and training can affect the known risk profile of overall software design. Learn about what we are working on and how you can participate in improving standards and programs that reduce cyber risk.
  • 2018 Open Source Audit Findings: Assessing Open Source Risk in M&A May 31 2018 3:00 pm UTC 60 mins
    Phil Odence, GM of Black Duck On-Demand; Evan Klein, Head of Product Marketing for Software Composition Analysis, Synopsys
    Open source components are the foundation of modern applications, but ineffective management of open source can lead to serious risks and unwanted media attention when security flaws lead to data breaches. The Black Duck by Synopsys 2018 Open Source Security and Risk Analysis (OSSRA) examines the previous year’s open source and security news and analyzes trends based on the audits of more than 1,100 codebases.
    This webinar will detail the findings in the OSSRA report, showing that M&A target organizations are not always effective in securing and managing their open source. Not surprisingly, 96% of audited codebases contained open source components, and nearly 78% contained at least one vulnerability. We’ll discuss these findings and the risk associated with not understanding them before making investment decisions.
  • 2018 Open Source Audit Findings: How Do You Stack Up? May 24 2018 3:00 pm UTC 60 mins
    Tim Mackey, Sr. Technology Evangelist at Black Duck by Synopsys
    Open source components are the foundation of modern applications, but ineffective management around open source can lead to serious risks and unwanted media attention when security flaws lead to data breaches. The Black Duck by Synopsys 2018 Open Source Security and Risk Analysis (OSSRA) examines the previous year’s open source and security news and analyzes trends based on the audits of more than 1,100 codebases.
    Not surprisingly, 96% of the audited codebases contained open source components, and nearly 78% of the codebases contained at least one vulnerability. As the percentage of open source in codebases continues to grow, it’s clear that open source management practices need to improve.
    In this webinar, open source expert Tim Mackey will walk through the report’s findings in depth and discuss strategies companies can use to minimize open source security risk while maximizing the benefits open source provides.
  • Digging into DevSecOps: Realities and Opportunities Recorded: May 15 2018 62 mins
    Jay Lyman, Principal Analyst, Cloud Management and Containers, 451 Research; Meera Rao, Senior Principal Consultant, Synopsys
    To learn more about the realities of DevSecOps today and the real degree to which security is or is not being included in enterprise continuous integration/continuous delivery workflows, we surveyed 350 decision-makers at large enterprises across a variety of industries.

    What we found is that only about half of enterprise CI/CD workflows include any security elements at all, highlighting ample room for improvement. Enterprises did seem to show an awareness of the importance of adding security elements into DevOps releases, but they are not necessarily injecting security early in the process -- ideally at code commit and in pre-implementation. This webinar will cover these and other results of our survey, and offer guidance on how enterprise organizations can effectively integrate security tools, thinking and people into their CI/CD workflows to reduce rework and risk without sacrificing velocity.
  • Introduction to Open Source Software and Licensing Recorded: May 9 2018 62 mins
    Mark Radcliffe, Partner, DLA Piper/Counsel OSI; Tony Decicco, Shareholder, GTC Law Group
    Open source software is an important part of mainstream software development organizations. Active open source use in development can drive down costs, speed time to market and increase software functionality, all without adding to the bottom line.

    And yet, even as it has become mainstream, open source is often misunderstood by legal professionals. With over two thousand different licenses in use today, it can be difficult to properly manage open source and ensure compliance.

    In this webinar, top open source legal experts Mark Radcliffe (Partner at DLA Piper and General Counsel for the Open Source Initiative) and Tony Decicco (Shareholder, GTC Law Group) will cover:

    - Brief history and definition of open source
    - The most popular open source licenses and their obligations
    - Permissive licenses vs. Restrictive licenses
  • Securing Your Applications Against Spectre Recorded: May 3 2018 31 mins
    James Croall, Director of SAST Product Management at Synopsys
    The recently discovered Spectre security vulnerability has taken the tech industry and security world by storm. By exploiting security vulnerabilities inherent in the design of many modern microprocessors, Spectre attacks can cause damaging leakage of personal information and data.

    There are several proposed workarounds to protect applications affected by Spectre. However, they can adversely affect performance and be time consuming for developers.

    A novel solution to mitigate Spectre is to use a static analysis tool that quickly identifies vulnerable code patterns that are likely to be exploited and reduces potential app performance degradation. In this webinar, James Croall, director of SAST product management at Synopsys, will detail how this works and cover the following:

    -What is Spectre and how is the attack carried out?
    -What are the various ways to mitigate the effects of this attack?
    -What can software development organizations do to help secure their apps against Spectre?
    -What are some best practices and examples of how to use Synopsys Static Analysis (Coverity) to better secure your apps against Spectre attacks?
  • Winning the Cage-Match: Successfully Navigate Open Source Software Issues in M&A Recorded: Apr 26 2018 62 mins
    Tony Decicco, Shareholder, GTC Law Group; Leon Schwartz, Associate, GTC Law Group
    Join Tony Decicco and Leon Schwartz of GTC Law Group for a blow-by-blow discussion of key open source software-related issues and deal points from the perspective of buyer/investor vs. seller/investee. Understanding the key legal and technical risks, as well as strategies for mitigating them, will help you to speed and smooth negotiations, avoid protracted due diligence and get better deal terms, increasing overall value. Tony and Leon will dive into what both sides of an M&A transaction are looking for, and how to stay ahead of the game when it comes to open source software.
  • DevSecOps Best Practices with Synopsys and GitHub Recorded: Apr 24 2018 50 mins
    Bryan Cross, Sr. Solutions Engineer, GitHub; Dave Meurer, Alliances Technical Mgr, Black Duck by Synopsys
    It's time to add “Sec” into DevOps! But while moving towards newer processes and technologies like agile methodologies, cloud and containers can help you build faster and deliver continuously, there's always the fear that adding security can severely slow things down. By using GitHub with Black Duck by Synopsys, you can automate your secure development workflows, shift security left, and avoid software rot.

    Whether you are an open source developer or enterprise software engineer, GitHub and Synopsys have solutions to help you put “Sec” into the center of DevOps without sacrificing speed and agility. In this live webinar, the experts from Synopsys and GitHub will demonstrate solutions for both open source and enterprise developers. Some highlights will include:

    - The real life of a vulnerability in 2017: Apache Struts
    - Black Duck CoPilot: It’s Free!
    - Black Duck your Pull Requests
  • Securing the Software Supply Chain – Binary Analysis and Open Source Security Recorded: Apr 11 2018 35 mins
    Lisa Bryngelson, Sr. Product Manager, Black Duck by Synopsys
    Organizations of all kinds increasingly rely on third-party software from their supply chain partners and outsourcers to power the products and technology they deliver to the marketplace. Whether you’re an automotive company or a medical device manufacturer, use of third-party software libraries is now commonplace and essential to success in the competitive global marketplace.

    One of the biggest challenges companies face with third-party software is they often have no visibility into the open source libraries being used in the software they embed in their products. Over the last year, a continuous stream of news stories has attributed major security breaches to exploits of vulnerabilities in open source frameworks used by Fortune 100 companies in education, government, financial services, retail and media.

    These incidents shine a light on the need for organizations to carefully manage the open source used in the third-party libraries they consumer in order to protect themselves—and their customers—from the consequences of catastrophic security breaches.

    Our webinar will arm you with the information and statistics needed to:

    -Explain the importance of open source security to your organization
    -Understand the key differences between identifying open source in source code vs. binaries
    -Define a clear road map for unearthing, managing, and securing the open source hiding in your software supply chain
    -Take the steps to help your company avoid becoming the next security breach media story
  • Hub 4.5: Customer Driven Features around License and Compliance Recorded: Apr 5 2018 60 mins
    Jeff Michael, Senior Product Manager and Hal Hearst, Principle Product Manager for Black Duck by Synopsys
    The latest Hub release – Hub 4.5 – has some exciting new, customer-driven features. Join our senior product management team as they walk you through some of the latest features and answer your questions, including:
    -Snippets scanning: Customers with the Compliance module or Professional Edition now have the ability to find OSS code fragments in their proprietary code.
    -License compliance review and approval improvements: Customers with the Compliance Module or Professional Edition will be able to globally review and approve licenses and specify policy rules to manage their use.
    -Enterprise user roles: Enhanced and extended Hub user roles allow customers more control and flexibility in distributing access and privileges in the Hub.
    -Improvements to the performance of the scan client: Stability and scalability improvements to Hub scan services as well as the scan client allows customers to consistently scan larger code bases.
  • Securing the Modern Automobile from Software Security Threats Recorded: Mar 29 2018 43 mins
    Art Dahnert, Managing Consultant, Synopsys
    Today’s automobiles are advanced, complex machines relying on dozens of computers and millions of lines of software code. They are also increasingly targets for sophisticated hackers. In fact, the software running on your car could contain multiple flaws that allow an attacker to take over control of the vehicle – either in your driveway or on the freeway. What steps are manufacturers taking to secure all of that code?

    Register for our webinar to learn about these topics and more:
    - The kinds of security flaws that are possible and how were they're exploited
    - How vulnerabilities can be mitigated
    - Ways to build security in from the beginning of the software/system development process
    - Unique approaches manufacturers are taking to deal with some of these issues and what that means to you
  • DevOps Security in the Cloud with Black Duck by Synopsys and AWS Recorded: Mar 28 2018 59 mins
    Erin McGill, Partner Solutions Architect, Amazon Web Services; Dave Meurer, Alliances Technical Mgr, Black Duck by Synopsys
    Automation and containerization can help you build faster and deliver continuously, but can also make managing security challenging. By integrating Black Duck Hub with the development tools you use in AWS, you can scan images in your container registry, automate build scans in your CI pipeline, and stay notified on any security vulnerabilities or policy violations found in your open source code.

    Join experts from Black Duck by Synopsys and Amazon Web Services as we explore how to build applications and containers safely in the cloud without sacrificing agility, visibility, or control. In this hands-on webinar we’ll demonstrate how to:

    -Get started with Black Duck Hub and AWS
    -Build better solutions through Open Source Intelligence
    -Use open source management automation and integration with AWS

    Plus, we'll feature a real-world example using Apache Struts, as well as the resources you can put to use today to gain the security you need without sacrificing the agility you want.
  • Application Security: What to Know for 2018 Recorded: Mar 27 2018 55 mins
    Mike Pittenger, Security Strategist
    Application security is quickly becoming a "must have" for security teams. High profile breaches, including Equifax and a multitude of ransomware attacks, have the attention of senior management of company Boards. Knowing where to start can be difficult.

    Not every company has the same needs or organizational maturity to manage a full-blown application security program. This webinar will cover some of the tools and exercises deployed by application security teams to build security into their processes, including:

    - Tools and security tips for each phase of the development lifecycle
    - Which tools to use for different types of code
    - In-house and 3rd party options for starting an application security program
  • Open Source Projects That Break Boundaries Recorded: Mar 22 2018 60 mins
    Steven Zimmerman, Product Marketing Manager, Black Duck by Synopsys
    Over the last decade, Black Duck by Synopsys has recognized some of the most innovative and influential open source projects launched during the previous year, as recognition to the success and momentum of these projects, and affirmation of their prospects going forward.
    In this webinar, we'll explore the origins and evolution of this year's most outstanding Open Source Rookies, who are investing their efforts in everything from Autonomous Driving, through Scalable Blockchain, and VNF Orchestration, to Personal Security and Relationship Management.
  • Software Development with Open Source: Securing Applications and IP Recorded: Mar 21 2018 59 mins
    Tim Mackey, Sr. Technology Evangelist at Black Duck by Synopsys
    Open source software is embraced by developers, enterprises, and governments at every level, and with it comes many strong opinions and few facts. How much open source is really being used in the applications you buy? Does the "many eyes" theory make open source more secure? Does traditional security testing address vulnerabilities in open source?

    With organizations becoming more agile but facing increasing regulatory governance, understanding how open source software development works, and how to secure open source, is increasingly important. In this session we’ll cover:
    - Code contribution and IP management
    - Fork management
    - Release process
    - Security response processes
    - Realities of IP risk and open source
    - Pass through security risk and responsibility
    - Keeping up with scope of impact changes within a single disclosure
    - Automating awareness of security risk from development through integration and delivery to deployment
  • M&A Checklist in a Post-Equifax World Recorded: Mar 14 2018 57 mins
    Hal Hearst, Senior Product Manager and Phil Odence, Sr. Director & GM of Black Duck On-Demand
    How has the massive security breach of 2017, caused by an unpatched open source vulnerability, impacted the way your company thinks about diligence for acquisitions? Whether you are on the buy-side and tightening your checklist to ensure ROI on an asset, or a seller looking to secure the best possible price, making sure there are no diligence surprises is key.
    Undoubtedly your company has a list of items that it examines during diligence, and maybe open source license compliance is one. But has open source security risk made it onto the list yet? What are the implications of acquiring an Equifax level issue? The continued growth of the use of open source software underscores the importance of software diligence, and the increasing regulations and potential risks associated with data privacy magnify the point. Join Hal Hearst, Senior Product Manager and Phil Odence, Sr. Director & GM of Black Duck On-Demand for this webinar to examine how the Equifax breach impacted the world of open source, and what that means for your M&A diligence checklist.
  • Breaking Down DevSecOps: Build AppSec Into Your CI/CD Pipeline with SAST and SCA Recorded: Mar 1 2018 60 mins
    Amy DeMartine, Forrester Principal Analyst and Patrick Carey, Synopsys
    While software grows more complex and the pace of development accelerates, the stakes for building secure software have never been higher. If you’re like most teams embracing a DevOps culture, you’re focused on breaking down silos, streamlining workflows, and cranking out functional software at a nearly continuous clip. Amid all these fundamental changes, how do you ensure your software is secure without clogging up the pipeline?

    Listen as guest Forrester Principal Analyst, Amy DeMartine and Black Duck Open Source Security Expert, Patrick Carey come together to discuss how to automate and distribute application security testing across the SDLC. In this webinar, we’ll discuss

    - Why it's important to build application security into your development and operations toolchains and processes
    - Best practices for integration application security throughout the application lifecycle
    - How to use SAST and SCA together to maximize the security of the software your teams deliver
  • Container Security at Scale - Best Practices for Secure Container Deployments Recorded: Feb 15 2018 59 mins
    Jay Dobies, Partner Technical Marketing Engineer, Red Hat; Tim Mackey, Sr. Technology Evangelist, Black Duck by Synopsys
    DevOps organizations are increasing turning to container environments to meet the demand for faster, more agile software delivery. Container orchestration presents the most effective way to manage the operational challenges as these production environments scale. However, large-scale container deployments present a new array of security challenges, including how to properly manage open source security risk. A 2017 451 research report recently identified security as the single biggest hurdle to container adoption.

    The challenges of managing security risk increase in scope and complexity with the size of your deployment and the number of open source software components that are a part of your application code base. In 2017, dozens of new CVEs were reported every day, making it essential to have good visibility into and control over the open source in use in order to understand if any known vulnerabilities are present.

    Join experts from Red Hat and Black Duck as they share the latest insights and recommendations for securing open source in your containers. You’ll learn:

    - The role of containers in addressing some of the problems faced by teams moving to DevOps
    - How OpenShift enhances that solution by answering questions of networking, image registries, deployment automation, application lifecycle, etc.
    - Why container environments present new application security challenges, including those posed by open source
    - How to scan applications running in containers to identify open source and map against known vulnerabilities
    - Best practices and methodologies for deploying secure containers with trust
  • Vulnerability Triage, Prioritization & Remediation Best Practices with Hub Recorded: Feb 8 2018 40 mins
    Jeff Michael, Senior Product Manager and Chris Fearon, Senior Manager, Research Engineering
    As development teams automate the software development lifecycle through the use of agile DevOps tools and practices, the need to mitigate open source risk throughout the DevOps tool chain has become critical.

    Learn how to extract maximum value from your investment in Black Duck Hub through this in-depth webinar focused on:

    - Vulnerability Triage—Ranking vulnerabilities in open source components by the risk of a successful attack and the potential impact on your business.
    - Prioritization—Using Hub policy management to categorize development projects by security priority and to flag high-risk open source components.
    - Remediation—Tracking the remediation status of all open source vulnerabilities in any given development project.
  • Understanding SaaS Solutions: Security and Compliance Risks from Web Services Recorded: Jan 31 2018 39 mins
    Lisa Bryngelson, Sr. Product Manager, Black Duck; Niles Madison, Manager, Code Quality Audits - Black Duck On-Demand
    Data related web services are becoming important for enterprises for achieving their businesses goals. Web services create tremendous business value for them, but the improper use of web services could pose legal and security risks. At Black Duck, we have devised a technology that detects the usage of APIs in the source codes. Our technology automatically detects the legal agreements applicable to the usage of web services and quantify the legal and security risk associated with them. In this webinar, we will share the insights we gained by analyzing 300 real SaaS projects. In particular, we will discuss the relationship between legal documents, privacy, compliance and security risks that come with the usage of web services.
Webcasts around application security and container security.
Black Duck by Synopsys provides automated solutions for securing and managing open source software. With the rapid, widespread adoption of open source software, Black Duck is a key component of Synopsys’ Software Integrity Platform, the most comprehensive solution for integrating security into the SDLC and software supply chain.

Embed in website or blog

Successfully added emails: 0
Remove all
  • Title: 4 Steps to Risk Ranking Your Vulnerabilities
  • Live at: Dec 19 2017 4:00 pm
  • Presented by: Mike Pittenger, VP Security Strategy, Black Duck Software
  • From:
Your email has been sent.
or close