
2018 Open Source Audit Findings: How Do You Stack Up?

Open source components are the foundation of modern applications, but ineffective management around open source can lead to serious risks and unwanted media attention when security flaws lead to data breaches. The Black Duck by Synopsys 2018 Open Source Security and Risk Analysis (OSSRA) examines the previous year’s open source and security news and analyzes trends based on the audits of more than 1,100 codebases.
Not surprisingly, 96% of the audited codebases contained open source components, and nearly 78% of the codebases contained at least one vulnerability. As the percentage of open source in codebases continues to grow, it’s clear that open source management practices need to improve.
In this webinar, open source expert Evan Klein will walk through the report’s findings in depth and discuss strategies companies can use to minimize open source security risk while maximizing the benefits open source provides.
Recorded May 24 2018 28 mins
Presented by
Evan Klein, Head of Product Marketing for Software Composition Analysis, Synopsys
  • Growth of Web Services & APIs and the Risks in M&A May 23 2019 4:00 pm UTC 60 mins
    Tony Decicco, GTC Law Group & Phil Odence, Synopsys
    Just like most software assets contain open source, modern software applications commonly link to external web services via APIs. By using web services, developers may be inadvertently signing their companies up to terms of service or using a web service without a suitable agreement. And using these services can expose a company to security, data privacy, and operational risks that could disrupt or severely affect the business. As part of the tech M&A due diligence process, you should be aware of these web services-related risks so that you can make informed decisions about deal valuation and remediation.

    Join Tony Decicco, shareholder at GTC Law Group and Affiliates, and Phil Odence, GM of Black Duck Audits, as they discuss the types of risk associated with web services and how they can affect an M&A transaction. They’ll cover:

    • Typical terms of service and common pitfalls
    • The legal compliance, data privacy, security, and business risks that come with web services
    • Real-world examples of these risks
    • How a buyer can get a better understanding of these risks in a target’s codebase or a seller can prepare for diligence to avoid risks in this area

    Don’t miss this informative webinar. Register today.
  • Mitigating Software Risks for DoD and Government Agencies May 21 2019 4:00 pm UTC 60 mins
    Joe Jarzombek, Director for Government, Aerospace & Defense Programs, Synopsys
    As the cyber threat landscape evolves and external dependencies grow more complex, managing risks to enterprise and connected embedded systems requires more than reactive measures. Many organizations proactively reduce attack surfaces in their cyber supply chain and in the assets targeted for exploitation. IT asset management should use automated means to detect weaknesses and vulnerabilities in software. Addressing cyber supply chain dependencies enables the hardening of attack surfaces by comprehensively identifying exploit targets, understanding how assets are attacked, and providing responsive mitigation. Automation tools and services, together with testing and certification programs, now provide the means to reduce risk attributable to exploitable software. This presentation addresses ways of using that information to prioritize mitigation efforts focused on reducing exploitable attack vectors, enabling organizations to proactively harden their attack surface and become more resilient in the face of growing threats and asymmetric attacks.

    Lt. Col. Joe Jarzombek (USAF, ret.) is Director, Government, Aerospace & Defense Programs at Synopsys. He previously served as Deputy Director, Information Assurance in the Office of the CIO Dept. of Defense. He later served as Director, Software and Supply Chain Assurance in the Dept. of Homeland Security. Today, Joe guides Synopsys’ global leadership to address needs of public sector, aerospace and defense communities. He participates in consortia, public-private collaboration and standards groups, and R&D projects to accelerate technology adoption. Joe has 30+ years in software security, safety and quality in embedded and networked systems and enterprise IT. Joe is a Certified Secure Software Lifecycle Professional (CSSLP) and project management professional with an MS in Computer Information Systems, a BA in Computer Science and a BBA in Data Processing and Analysis.
  • 2019 Open Source Security Report: Challenges and Positive Trends May 9 2019 4:00 pm UTC 60 mins
    Tim Mackey, Senior Technical Evangelist, Synopsys
    Open source components are the foundation of modern applications, but ineffective open source risk management can lead to security breaches that negatively impact your business and damage your brand. The Open Source Security and Risk Analysis (OSSRA) report examines trends in open source usage and risk management practices based on the audits of more than 1,200 codebases.
    Listen in as we explore how the open source landscape has changed—and in some cases, improved—but more importantly, how development, security, and legal teams can improve their open source risk posture.
    - 96% of codebases scanned in 2018 contain open source
    - The average code base contains 298 open source components, up from 257 in 2017
    - 60% of codebases contained at least one open source vulnerability—still significant, but much better than 78% in 2017.
  • Open Source Risk in M&A by the Numbers May 2 2019 4:00 pm UTC 60 mins
    Phil Odence, General Manager, Black Duck On-Demand
    In over 1,000 codebases audited in 2018, Black Duck Audits found that nearly every one contained open source components. Not only that, but a significant percentage of “proprietary code” overall was open source. Virtually every company building software now depends on open source, and with great reason. However, left unmanaged, open source can lead to license compliance issues plus security and code quality risks. Whether you’re on the buy side or sell side, these risks could negatively affect valuation in an M&A transaction.

    Many acquirers have come to understand all this in concept; the Black Duck audit services group has the data. Join us for this webinar as we answer questions about the code of tech companies being acquired today. We’ll cover:

    • Open source license and security risks by the numbers
    • Why audits have become the norm in M&A tech due diligence
    • How you can get a complete picture of open source risks

    Don’t miss this informational webinar – register today.
  • Reviewing Modern JavaScript Applications Apr 29 2019 2:00 pm UTC 90 mins
    Lewis Ardern, Senior Security Consultant, Synopsys
    When dealing with modern JavaScript applications, many penetration testers approach from an ‘outside-in’ perspective; this approach often misses security issues hiding in plain sight. This talk will attempt to demystify common JavaScript issues that should be better understood and identified during security reviews. We will discuss reviewing applications in a code-centric manner, using freely available tools to start identifying security issues through processes such as linting and dependency auditing.
  • How to Automate Container Security Into your CI/CD Pipeline Recorded: Apr 18 2019 60 mins
    Glen Kosaka, VP of Product Management, NeuVector and Tim Mackey, Senior Technical Evangelist, Synopsys
    The promise of containers and cloud-based microservices is fast time to market for applications. But there are security requirements that, if not handled properly, can slow down the pipeline and lengthen time to market. Automation is critical to a CI/CD pipeline, and it is also critical to secure deployment of containers. Join Synopsys and NeuVector to explore the key automation integration points in the pipeline and learn how to build security into your process, culture, and toolchain, from build to ship to run.

    Who should attend?
    • Security architects
    • Application architects
    • DevSecOps and DevOps practitioners
    • Network and application security engineers
  • Understanding Open Source – Strengths and Challenges for Enterprise users Recorded: Apr 11 2019 53 mins
    Balaji Bhardwaj, Senior Security Engineer, Synopsys Software Integrity Group
    Open source usage has increased steadily over the years, and the volume of open source content released has grown exponentially. The strength of open source is reflected in its growing adoption in enterprise applications.

    In our 11th April 2019 webinar, Balaji Bhardwaj, Senior Security Engineer, Synopsys Software Integrity Group, will provide insights into the following:
    • Usage trends of open source
    • How large enterprise users understand the risks associated with using open source
    • Methodologies for mitigating open source risks and issues
    • Is open source an enabler or a liability?
  • Introducing the Polaris Software Integrity Platform Recorded: Apr 3 2019 37 mins
    Utsav Sanghani, Senior Product Manager, Synopsys; Neal Goldman, Senior Product Manager, Synopsys
    The Product Team at Synopsys is excited to introduce the Polaris Software Integrity Platform™, which brings the power of Synopsys Software Integrity products and services together into an integrated solution that enables security and development teams to build secure, high-quality software faster. Polaris uses a SaaS delivery model and provides a centralized web-based user interface for Synopsys products and services—ensuring quick deployment and a unified user experience across Synopsys solutions.

    Polaris includes Code Sight™, our new IDE plugin that automatically and continuously analyzes code as it’s being written—allowing developers to focus on their tasks at hand without needing to initiate scans or leave the IDE for security information.

    By unifying our market-leading solutions on a single platform, Polaris simplifies the deployment and operation of application security tools, so teams can quickly prioritize and remove exploitable software vulnerabilities across their application portfolio. In this webinar, you’ll learn:

    - How Polaris empowers DevOps managers with easy-to-use, automated CI/CD integrations
    - How Code Sight provides the real-time feedback developers need to fix their code quickly, as they write it
    - How Polaris’ extensible, cross-product reporting capabilities help security practitioners prioritize security issues and measure compliance across their application portfolio
  • Women in Tech: Get Inspired Recorded: Apr 2 2019 31 mins
    Ksenia Peguero, Sr. Research Lead, Synopsys; Apoorva Phadke, Associate Principal Consultant, Synopsys
    Stories of women in the modern workforce continue to seize our attention, not least because of the dedicated champions who work tirelessly to empower women to speak out about what they need, what they want, and what talents they bring to the table. But the tech industry lags far behind the overall U.S. workforce when it comes to closing the gender gap. In a sector that employs fewer women in any position—even fewer in technical positions—and is fed by an educational system with a stubborn gender imbalance, what can we do to encourage more women to work in tech?

    We can start by celebrating the women who are already here. In this panel, we invite some of the women of Synopsys to tell us about their experiences in the tech industry. We’ll discuss how they got started in tech and advice for other women who want to enter the field. Our panelists will dive into the unique challenges they’ve faced and how to balance priorities in a fast-paced, high-stress environment. And they’ll provide insight into what organizations are doing—and should be doing—to enrich their culture with employees that have a variety of experiences and perspectives.
  • Top Considerations for Software Audits in M&A Due Diligence Recorded: Mar 21 2019 61 mins
    Phil Odence, Synopsys
    There is risk in any M&A transaction but having the right tech due diligence approach can help mitigate that risk. If software is a large part of the deal valuation, you need to understand any potential legal and security risks in the target’s codebase that could affect the value of the IP, and the remediation required to address those risks.

    Join Phil Odence, General Manager of Black Duck On-Demand with Synopsys, to take a closer look at how you can identify and reduce risks in M&A tech due diligence. He’ll cover the following points and more:

    • Uncovering application risks: What’s in the code
    • Taking a comprehensive approach to security audits
    • Choosing the right partner for audits

    Don’t miss this informational webinar. Register today!
  • Software at the Heart of Any Vehicle Recorded: Mar 21 2019 63 mins
    Per-Olof Persson, Security Advisor, Synopsys | Dennis Kengo Oka, Application Engineer, Synopsys
    As vehicles get smarter, security in the automotive industry becomes ever more important. Cars are being turned into Wi-Fi hotspots and contain many millions of lines of code for autonomous driving. As a result, vehicles are more vulnerable than ever to bugs, hackers, and data breaches.

    At the core of tomorrow’s vehicles is software with artificial intelligence and powerful silicon chips, all working together. Learn how these technologies will transform the traditional supplier chain from a mechanically driven world to a digital one.
  • OpenShift 4 and Black Duck: New Runtime, Same Secure Containers Recorded: Mar 20 2019 59 mins
    Jay Dobies, Red Hat & Dave Meurer, Synopsys
    OpenShift 4 represents the culmination of a number of new technologies. One key feature of this release is CRI-O, the new container runtime that is optimized for OpenShift. But a new runtime doesn’t have to be scary. Black Duck OpsSight for OpenShift still provides the same security intelligence and visibility into all the third-party open source software that composes your containers.

    Join experts from Synopsys and Red Hat as we explore the following topics:
    • Upcoming features in Red Hat OpenShift 4, including the drivers and benefits of the Operator Framework
    • How Black Duck and Clair complement each other
    • The Synopsys application security portfolio
    • Black Duck OpsSight for OpenShift architecture
    • OpenShift 4 Black Duck OpsSight demonstration on a CRI-O container
  • Software at the Heart of Any Vehicle Recorded: Mar 20 2019 46 mins
    Per-Olof Persson, Security Advisor, Synopsys
    As vehicles get smarter, security in the automotive industry is an increasing concern. Cars are being turned into Wi-Fi hotspots and contain many millions of lines of code for autonomous driving. As a result, they are more vulnerable than ever to bugs, hackers, and data theft.

    At the heart of the vehicles of tomorrow is software with artificial intelligence and powerful silicon chips all working together. Learn how these technologies will transform the traditional automotive supply chain from a mechanical-driven world to a digital one.
  • Master Class: Life Cycle of an Open Source Vulnerability Recorded: Mar 13 2019 52 mins
    Tim Mackey, Sr. Technology Evangelist, Synopsys SIG
    The world of software development has firmly adopted open source development paradigms. Regardless of the type of application you’re developing, it’s safe to say that open source is a key part of your solution—whether you wanted it to be or not. Similarly, developers deal with security issues in their code throughout the development cycle, but most don’t think about how open source components affect the security of their end product. In this master class, we’ll look at how open source development works, how open source components are embedded in solutions, and how an open source vulnerability is both disclosed and patched. After all, while open source software is just as secure as its commercial cousins, the security disclosure processes for the two types of software are far from the same!
  • Security at the Speed of Development Recorded: Feb 28 2019 59 mins
    Andrei Bezdedeanu, VP of Engineering, CYBRIC & Dave Meurer, Alliances Technical Manager, Synopsys
    Moving to cloud-native development is no less transformative than were moves from client/server to web, or from browsers to mobile devices. The software life cycle has changed, and along with it, the cadence of development and the tools on which that life cycle depends. The best security tools have required a lot of hand-holding to accomplish their thorough analyses.

    In this webinar, we’ll discuss recent advancements in best-of-breed security tools (such as composition analysis and vulnerability discovery) that allow organizations to scale their use to a portfolio of software without an army of staff. We’ll discuss how test orchestration and vulnerability management platforms allow CISOs to package these tools as “software security in a box” and deploy them seamlessly to brownfield development teams maintaining large business-critical software, as well as those tiger teams conducting digital transformation in a hybrid or multicloud world.

    Key topic areas:
    * Coverity 2018.12
    * Seeker
    * Black Duck, now with binary support
    * CYBRIC Security Platform
  • Shifting Gears: Focus on Cybersecurity Recorded: Feb 27 2019 60 mins
    Larry Ponemon, Founder, Ponemon Institute; Tim Weisenberger, PM, SAE; Chris Clark, Principal Security Engineer, Synopsys
    Today’s vehicle is a connected, mobile computer, a situation that has introduced an issue the automotive industry has limited experience dealing with: cybersecurity risk. Automotive manufacturers have become as much software companies as they are transportation companies, facing all the challenges inherent to software security.

    In this webinar, Synopsys and SAE International experts will discuss key findings from the report Securing the Modern Vehicle: A Study of Automotive Industry Cybersecurity Practices, including these:
    - The automotive industry has insufficient cybersecurity resources and skills.
    - Some of those most knowledgeable about automotive cybersecurity feel powerless to voice their concerns.
    - Automotive cybersecurity testing may be occurring too late in the product development life cycle.

    We will also discuss how SAE International and Synopsys can help lead the industry in planning cybersecurity strategy and generating solutions using the data points collected in the survey.

    Topics covered include:
    - Survey methodology
    - Industry standards
    - Best practices
    - Professional development
    - Security controls
  • Building a Culture of Secure Programming in your Organisation Recorded: Feb 20 2019 70 mins
    Amanvir Sangha, Consultant, Synopsys
    We all know that fixing defects early in the SDLC is the right approach to building secure software. Security needs to be in every part of the pipeline but it’s often hard to get everybody onboard with software security initiatives.

    Come join us on this webinar to explore how to build a culture of proactive secure programming in your technical organization and how to implement security as an enabler without disrupting the velocity of projects in modern development teams. See how Synopsys tools and services can allow you to build secure, reliable and quality software.
  • Polaris Software Integrity Platform Partner Webinar Recorded: Feb 19 2019 41 mins
    Neal Goldman, Product Manager, Synopsys
    The Polaris Software Integrity Platform™ brings the power of Synopsys Software Integrity products and services together into an integrated solution that enables security and development teams to build secure, high-quality software faster. Polaris comes as a subscription entitlement with Coverity as well as Black Duck, Seeker and Managed Services. Polaris allows customers to start with a single SIG product subscription (e.g. Coverity) and seamlessly add other products as needed, by providing a unified user experience and deployment architecture.

    In this Partner-focused webinar, Neal Goldman, Product Manager of Polaris, will provide an overview of the Polaris Platform and its unique value to our Partners as an Ecosystem Platform. Neal will discuss how Polaris provides a common integration framework for the SIG portfolio, allowing our Application Development, Cloud, Vulnerability Management, and Global System Integrator partners ease of integration into their products and processes. Neal will also discuss how our Partners’ existing integrations into SIG products will continue to be supported and how they will interact with the Polaris platform.
  • The 2018 Open Source Year in Review Recorded: Feb 6 2019 59 mins
    Mark Radcliffe, Partner at DLA Piper & Tony Decicco, Shareholder, GTC Law Group & Affiliates & Phil Odence, GM, Synopsys
    Gain insights into important legal developments from two of the leading open source legal experts, Mark Radcliffe, Partner at DLA Piper and General Counsel for the Open Source Initiative and Tony Decicco, Shareholder, at GTC Law Group & Affiliates.

    This annual review will highlight the most significant legal developments related to open source software in 2018, including:

    • The rising importance of data and licensing considerations
    • Business model problems and the proposed solutions (RedisLabs and MongoDB)
    • Dangerous legal theories: core developers as fiduciaries
    • OSS vs. SSO: clash of models
    • Return of the Linux patent troll: McHardy
    • The need to extend the scope of an audit to cover web services/APIs
    • The changing tide in open source license adoption
    • Big open source transactions
    • And more

    Live attendees will earn CLE credit for this webinar. Don’t miss out – register today.

    DLA Piper LLP (US) has been certified by the State Bar of California, the Board on Continuing Legal Education of the Supreme Court of New Jersey, and the New York State Continuing Legal Education Board as an accredited CLE provider. The following CLE credit is being sought:
    • California: 1.0 Credit (1.0 General, 0.0 Ethics)
    • New Jersey: 1.2 Credits (1.2 General, 0.0 Professional Responsibility)
    • New York: 1.0 Transitional & Non-Transitional Credit (1.0 Professional Practice, 0.0 Ethics and Professionalism)
    CLE credit will be applied for in other states where DLA Piper has an office with the exception of Minnesota, North Carolina, Pennsylvania, and Puerto Rico.
  • Meeting Enterprise AppSec Needs With Coverity 2018.12 Recorded: Jan 31 2019 51 mins
    Yatin Patil, Product Management, Coverity
    As organizations come to rely heavily on software to perform critical business functions and deliver customer value, cyberattacks have unfortunately become common. Web application attacks were responsible for 38% of data breaches in 2018. Securing these applications is critical to promoting customer trust and protecting business-critical information and the company’s reputation. Fixing vulnerabilities before applications are deployed isn’t just smart; it saves downstream costs too.

    Modern web applications are increasingly reliant on frameworks that simplify the application code but can introduce their own vulnerabilities. In this webinar we discuss how the Coverity 2018.12 release enables organizations to build secure web applications faster. The latest release addresses three increasingly important needs for enterprise application security teams: scalability, broad language and framework support, and comprehensive vulnerability analysis. Building upon its historic advantages in deep, accurate code analysis, Coverity 2018.12 greatly expands upon its coverage of web languages and popular frameworks and makes it fast and easy to analyze applications. The result is applications that are inherently more secure before they are deployed into production.

    In this webinar Yatin Patil, Senior Product Manager for Coverity will cover:
    • Importance of application security testing
    • Enterprise application security best practices
    • What a SAST solution needs to provide
    • Newest features of Coverity 2018.12
Build secure, high-quality software faster.
Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.

  • Title: 2018 Open Source Audit Findings: How Do You Stack Up?
  • Live at: May 24 2018 3:00 pm
  • Presented by: Evan Klein, Head of Product Marketing for Software Composition Analysis, Synopsys