Hi [[ session.user.profile.firstName ]]

Digging into DevSecOps: Realities and Opportunities

To learn more about the realities of DevSecOps today and the real degree to which security is or is not being included in enterprise continuous integration/continuous delivery workflows, we surveyed 350 decision-makers at large enterprises across a variety of industries.

What we found is that only about half of enterprise CI/CD workflows include any security elements at all, highlighting ample room for improvement. Enterprises did seem to show an awareness of the importance of adding security elements into DevOps releases, but they are not necessarily injecting security early in the process -- ideally at code commit and in pre-implementation. This webinar will cover these and other results of our survey, and offer guidance on how enterprise organizations can effectively integrate security tools, thinking and people into their CI/CD workflows to reduce rework and risk without sacrificing velocity.
Recorded May 15 2018 62 mins
Your place is confirmed,
we'll send you email reminders
Presented by
Jay Lyman, Principal Analyst, Cloud Management and Containers, 451 Research; Meera Rao, Senior Principal Consultant, Synopsys
Presentation preview: Digging into DevSecOps: Realities and Opportunities
  • Channel
  • Channel profile
  • The 2020 Open Source Year in Review Jan 21 2021 5:00 pm UTC 75 mins
    Mark Radcliffe, Partner at DLA Piper & Tony Decicco, Shareholder, GTC Law Group & Affiliates & Phil Odence, GM, Synopsys
    Gain insights into important legal developments from two of the leading open source legal experts, Mark Radcliffe, partner at DLA Piper and general counsel for the Open Source Initiative, and Tony Decicco, shareholder at GTC Law Group & Affiliates.

    This annual review will highlight the most significant legal developments related to open source software in 2020.
  • Open Source During an M&A Process: Buyer and Sellers Tips on How to Manage Risk Dec 16 2020 5:00 pm UTC 60 mins
    Ben Landry, Assistant General Counsel, Health Catalyst, Inc.
    Whether you sit on the buy-side or sell-side of an M&A transaction, open source use in the software development process introduces legal and security risks into the deal. There are a number of key considerations to be aware of to minimize risk through the M&A due diligence process.

    Join this live Synopsys webinar to get a practical advice on preparing for tech due diligence from an in-house attorney with experience on both sides of the transaction. We’ll cover:

    •When and how to invest in open source diligence
    •How to manage open source and prepare for a sale
    •How Covid has impacted the due diligence process

    Don’t miss this informative webinar. Register today.
  • Why Open Source Compliance Matters for SaaS: Truths, Myths, and Considerations Nov 19 2020 5:00 pm UTC 60 mins
    Anthony Decicco, Shareholder, GTC Law Group & Affiliates
    If you offer a product via a software-as-a-service (SaaS) model, you may have heard that some of the most common open source licenses, while being potentially quite problematic for distributed software, may give a "free pass” to SaaS applications. Are you required to adhere to open source license obligations in a SaaS model? 

    Join us for this live Synopsys webinar to learn how to address open source software use in a SaaS model. We’ll cover:

    - The legal considerations around open source license compliance 
    - How security impacts open source software in a SaaS application
    - The operational and strategic pitfalls to avoid
    - The impact on financing, M&A and IPO due diligence

    Don’t miss the informative webinar. Register today.
  • Binary Scanning 101: Pulling back the covers on binaries Nov 17 2020 8:00 am UTC 61 mins
    Lisa Bryngelson, Senior Product Manager at Synopsys
    Organizations across every industry increasingly rely on open source software to form the foundation of the products and technologies they deliver to the market. So you can assume that the third-party commercial software you depend on from supply chain partners and outsourcers also uses open source as its backbone. The challenge is deciding whether to trust that your vendors are managing potential open source security vulnerabilities proactively or to verify for yourself that the open source embedded in the software you procure remains up to date and secure. The latter, what we refer to as “trust but verify,” requires tools that can look inside compiled binaries to ensure the whole of your application is secure.

    Join Lisa Bryngelson, senior product manager at Synopsys, as she pulls back the covers on how Black Duck tackles binary scanning. In this webinar, she’ll discuss:

    · Binary scanning basics and best practices

    · How binary scanning works

    · The different types of binary scanning and identification techniques

    · The challenges in detecting specific components or versions

    · How developers can make it easier for scanners to produce accurate and precise results
  • Implementing SAST into your SDLC: What to look for & what to consider Nov 5 2020 5:00 pm UTC 50 mins
    Rob Haines, Senior Sales Engineer, Synopsys
    So you’ve decided (or been told) that you need to implement SAST in your software development process. But SAST is not a one-size-fits-all solution, and implementation often requires a compromise between technology, time, process, and people—especially people. In this webinar, we’ll look at common objections and pitfalls that you might encounter along the way.

    We'll cover:
    • What you should look for in a tool
    • Considerations for implementing SAST
    • Importance of the process (getting a good return on your investment)
    • High-quality and more secure software
  • Are You Acquiring the Next Big Breach? Security Vulnerabilities & M&A Oct 22 2020 4:00 pm UTC 57 mins
    Hal Hearst, Synopsys
    Software contains vulnerabilities and if you’re acquiring a company where software is a big part of the deal, you should understand if there is anything in that software that can be exploited.

    Join this live webinar to learn why security is a key piece of tech due diligence and the way your audit vendor manages their security data matters. We’ll cover:

    •Why due diligence has moved beyond license compliance
    •How you (and your vendor) can get a more in-depth view of your vulnerabilities
    •Strategies for understanding your security risks

    Don’t miss this informative webinar. Register today.
  • BSIMM11: The Evolution of DevSecOps Recorded: Oct 15 2020 59 mins
    Eli Erlikhman Managing Principal, Synopsys SIG and Chai Bhat Sr. Product Marketing Manager, Synopsys SIG
    With the emergence of COVID-19, the workforce is more dispersed and far from the secure enterprise environments that they were accustomed to working in. Malicious hackers are seizing the opportunity provided by a much larger and more vulnerable attack surface to launch even more sophisticated attacks. A solid foundation of software security initiatives (SSIs) derived from the best practices of best-of-breed organizations is more important now than ever before.

    The Building Security in Maturity Model (BSIMM) provides just that—it’s a study of existing SSIs. By quantifying the practices of many different organizations, the BSIMM describes the common ground shared by many, as well as the variations that make each unique.

    In this Synopsys webinar, you will learn:
    • Engineering-led vs. software security group-led SSIs
    • “Shift left” becoming “shift everywhere”
    • What leading organizations are doing to address application security
  • Threat Modeling Program Maturity – Establish and Mature Threat Modeling Programs Recorded: Oct 14 2020 59 mins
    Chandu Ketkar, Director Security Architecture Practice at Synopsys and Himanshu Tiwari, Managing Consultant at Synopsys
    What differentiates a highly mature threat modeling program from a less mature program? How do companies get started with threat modeling? What does the journey to higher levels of maturity look like? What are the key anchors of building the threat modeling capability?

    Join our talk as we share what we've learned through the years working with clients. Find out how companies evolve their threat modeling programs and maturity.
  • The Importance of Fuzzing for Network Protocols Recorded: Oct 13 2020 57 mins
    Vishwas Sharma, Senior Sales Engineer, Synopsys
    Most security issues are triggered by misuse - and there are an infinite number of ways to misuse a system. Given that you don’t have an infinite amount of time to test for security issues, how will you know when a product is safe enough to ship or deploy?

    Description (paragraph):

    Most security issues are triggered by misuse—and there are an infinite number of ways to misuse a system. Given that you don’t have an infinite amount of time to test for security issues, how will you know when a product is safe enough to ship or deploy? After you’ve analyzed the source code, the next step is to test its dynamic behavior using invalid input testing (fuzzing) that closely imitates what a hacker would do. Fuzzing provides a final test-run before rolling out to avoid costly bug fixes and product recalls.

    Network devices must be able to handle malicious inputs on their interfaces and protocols. Defensics is a model-based stateful protocol fuzzer that is based on popular specifications and has millions of malformed inputs to cover misuse cases that can trigger critical unknown vulnerabilities.

    Join us as we discuss the importance of fuzzing for network protocols and address its use cases:

    Development. Complement SAST methods by integrating fuzzing into CI/CD
    Quality assurance. Perform QA with enhanced test coverage in a manageable time
    Security. Uncover zero day and unknown vulnerabilities before they turn costly Procurement. Ensure robustness, quality, and security of software and devices before introducing them into IT/lab environment
  • Application Security within a Diverse World Recorded: Oct 8 2020 40 mins
    Meera Rao, Senior Director Product Management and Ainsley Braun, Product Director, Synopsys
    The challenges the industry faces and how we can help support them.

    Diversity is an ongoing priority - and challenge - for many organisations, especially in the technology space. Research has proven that diversity on a team brings unique benefits, including new perspectives and innovative solutions. These, in turn, contribute to a stronger overall company.

    And yet, in many companies around the world, achieving a diverse workforce is still more aspiration than reality. For instance, despite having International Women’s Day and conversations around gender and sexual-orientation diversity, women and LGBTQ+ individuals remain underrepresented in most companies.

    This webinar focuses on the challenges of diversity within the cybersecurity industry, and what steps companies can take to overcome them. This boils down to recruiting more women, LGBTQ+ individuals, and minorities in terms of race, religion, ethnicity, and even age. Level pay, investing in diverse talent, and empowering voices within a company’s culture all play important roles, as well.

    Join us for this vital webinar to learn how you can promote opportunity for all in your organisation.
  • Give Developers Earlier Feedback to Identify Security Issues Recorded: Oct 6 2020 45 mins
    Ashutosh Kumar, Product Marketing Manager, Staff, Synopsys; James Croall, Director, Technical Product Management at Synopsys
    As part of your DevSecOps strategy, it’s important to implement security tools that help your developers and don’t slow them down. Coverity static application security testing (SAST) provides a developer-centric approach to security testing that aids adoption and helps your development teams write high-quality secure code, without having to be security experts. With SAST tools such as Coverity, developers can get early feedback and identify security issues as they code within their IDE. Coverity can also be seamlessly integrated into different stages of your CI/CD pipelines, which can help automate SAST scans for your needs.
    In this webinar, we’ll cover:
    - Evolving developer needs and best practices for AppSec integration into development workflows
    - How Coverity helps developers get early feedback on security and quality issues in their code with our Code Sight IDE plugin and integrated eLearning courses
    - How Coverity can be seamlessly integrated into your CI/CD pipeline to automatically trigger scans with every pull request, serve as a security gate on the build server, create issue tickets, and more
  • Under Pressure – Building Security into Application Development Recorded: Sep 30 2020 62 mins
    Patrick Carey, Director Product Marketing, Synopsys and Dave Gruber, Senior Analyst, Enterprise Strategy Group
    A recent study by Enterprise Strategy Group, commissioned by Synopsys, revealed that nearly half of the cybersecurity and development professionals surveyed indicate that their organization knowingly pushes vulnerable code into production due to time pressures. In every sector, development and security teams grapple with the competing demands of development velocity and application security.

    In this webinar, we speak with the study’s author, ESG Senior Analyst, Dave Gruber, about how organizations are working to build security into their development toolchains and processes. Highlights include:

    - Why many organizations’ AppSec programs aren’t as effective as they think.

    - Key attributes of the most successful AppSec programs.

    - Trends and challenges organizations are facing in implementing their AppSec programs.

    - How organizations are working to improve AppSec ROI while simplifying deployments.
  • Free and Open Source License Enforcement and Compliance Recorded: Sep 30 2020 60 mins
    Miriam Ballhausen, Bird & Bird & Matt Jacobs, Synopsys
    Free and Open Source software is meant to be used and shared but you must comply with the license obligations. If licensees fail to do so, there may be legal consequences including license enforcement actions. But what does open source license enforcement mean in practice?

    Join this live webinar to get an overview of the risks and enforcement of Free and Open Source Licenses We’ll cover:

    •Understanding the Free and Open Source License landscape
    •What companies should look out for (and how tools may help)
    •Strategies for protecting against enforcement

    Don’t miss this informative webinar. Register today.
  • Accelerating your SDLC Securely using SAST Recorded: Sep 29 2020 24 mins
    Nivedita Murthy, Senior Security Consultant, Synopsys
    In today’s fast-paced world, everything needs to move quickly—including development. But organizations can’t compromise on security while delivering products in rapid succession. Modern static application security testing (SAST) tools address this urgent need to identify and secure applications while not impacting production timelines. In this session learn how you can integrate SAST tools in the SDLC and discover the options available to customize and optimize for time-sensitive results. You also learn about some common pitfalls and mistakes that are made while trying to integrate SAST tools into an automation process and DevSecOps. You’ll come away with a better understanding of how to reach a mature and secure software development life cycle and how to use SAST tools effectively in such environments.
  • Fuzz Anything with the Defensics SDK Recorded: Sep 17 2020 57 mins
    Jonathan Knudsen, Technical Marketing Manager, Synopsys
    One challenge of fuzzing is figuring out which malformed inputs (test cases) to use. Generational (or model-based) fuzzing tools use a detailed data model to generate high quality test cases. Because test cases are mostly correct, they traverse a variety of control paths and can drive the target software into a variety of states before “detonating” with a carefully placed anomaly.

    Defensics is a generational fuzzer with over 250 test suites for a wide variety of network protocols and file formats. But what if you need to fuzz something with no corresponding test suite? For proprietary protocols and other specialized fuzzing needs, the Defensics SDK enables you to apply the power of Defensics to any data model you wish.

    This presentation outlines the capabilities of the Defensics SDK and shows how data models and semantics can be defined in code, allowing you to fuzz any type of software in any context.
  • See the Larger Security Picture - Enhancing the Tools You Already Have Recorded: Sep 15 2020 44 mins
    Simon King, VP Solutions, Synopsys Software Integrity Group
    DevOps and Agile development teams work iteratively to deliver customer value faster. They accelerate productivity with external software such as open-source, and external infrastructure such as cloud and containers. But this increases the threat surface and potential security risk. This leads to using more security tools, and complexity associated with managing test results and governance.

    Join Simon King from Synopsys on this journey enabling teams to see the larger security picture – transparently – enhancing the tools you already use.

    In this session you’ll learn about:
    - The challenges associated with managing test execution with multiple tools.
    - The opportunities to streamline communication between teams when coordinating triage and issue remediation.
    - How to make app sec “invisible” to the development team inside your existing CI/CD toolchain.
    - How to manage continuous improvement in risk posture
  • How your Chat application is leaking your .... sensitive pictures Recorded: Sep 15 2020 24 mins
    Tobias Mccurry, Senior Security Consultant, Synopsys Software Integrity Group
    We all put a lot of trust in the applications we use chat with other people. Have you ever wondered what your chat application is doing in the background? How is it storing the message or pictures you send? You are required to login to send and receive messages....or are you? Come see how some of the most popular chat clients send data and if anyone else could see this data.

    We'll begin with the underlining vulnerability of Cross Object Resource Sharing (CORS) and if misconfigured data could be leaked without the user knowing. I’ll cover in details how each client handles messages between clients. Three of the most popular clients were tested to see how well they handle the data transactions.
  • Reduce DevSecOps Friction with Synopsys, CloudBees and Google Cloud Recorded: Aug 27 2020 79 mins
    Meera Rao at Synopsys, Cojan Van Ballegooijen at CloudBees & Rania Mohamed at Google Cloud
    DevOps enables you to release features and bug fixes faster than ever. But, can security keep up? Instead of waiting to fix security vulnerabilities, treat them like any other bug within your DevOps process. This allows you to reduce DevSecOps friction, increase release velocity, improve quality and facilitate collaborative change - just to name a few.

    This webinar will cover how your DevOps strategy can best include security with Synopsys, CloudBees and Google. You’ll learn more about:
    •Integrating the right tools in your DevOps pipeline
    •How Google Cloud Platform (GCP) improves your security posture
    •Beginning your DevSecOps journey with CloudBees CI and easy procurement through the GCP Marketplace
    •The field point of view from Synopsys on CloudBees CI + GCP = secure pipelines
  • What the Open Source Security & Risk Report Means for Your Security Team Recorded: Aug 25 2020 37 mins
    Shandra Gemmiti, Product Marketing Manager at Synopsys and Mike McGuire, Product Marketing Manager at Synopsys
    Open source is a great foundation for modern software development, but when left unmanaged, it exposes you to security risks. In the upcoming webinar “What the 2020 OSSRA Report Means for Your Security Team,” we’ll explore the findings of our 2020 Open Source Security and Risk Analysis report and what that means to teams like yours. Specific topics include:

    · Why you need an accurate inventory of open source components

    · How to prioritize the vulnerabilities to fix

    · Where to integrate testing into your SDLC

    Join us and together we’ll harness the power of open source without sacrificing the security of your applications.
  • Why SAST and SCA Together Are Better, Faster, Stronger Recorded: Aug 25 2020 42 mins
    Utsav Sanghani, Senior Product Manager, Staff, Synopsys
    Static application security testing (SAST) is critical for uncovering and eliminating issues in proprietary code. However, over 60% of the code in an average application today is composed of open source components. SAST isn’t designed to find open source vulnerabilities (CVEs) or identify open source licenses. And manually maintaining a repository of approved open source components for developers is inefficient and time consuming. That’s where software composition analysis (SCA) comes in.

    Join Utsav Sanghani, product manager, as he explores the benefits of bringing SAST and SCA together. He’ll explain why using an SCA tool to scan open source dependencies is as imperative to a software development strategy as using SAST to test proprietary code. He’ll also demonstrate how developers, by combining SAST and SCA analysis in the IDE, can address issues holistically as they code, saving time and increasing productivity so they can deliver secure, high-quality software faster.
Build secure, high-quality software faster.
Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.

Embed in website or blog

Successfully added emails: 0
Remove all
  • Title: Digging into DevSecOps: Realities and Opportunities
  • Live at: May 15 2018 5:00 pm
  • Presented by: Jay Lyman, Principal Analyst, Cloud Management and Containers, 451 Research; Meera Rao, Senior Principal Consultant, Synopsys
  • From:
Your email has been sent.
or close