
DevSecOps: Security at the Speed of DevOps with Comcast

Security specialists, especially at large organizations, believe that better security comes from robust independent gating. On the other hand, DevOps has proven that you can safely deploy orders of magnitude faster than human gating can achieve.

What’s needed to add security to DevOps are tools that work well with rapid-cycle CI/CD pipelines and an approach that reinforces the DevOps culture and process changes. This requires that security specialists become self-service toolsmiths and advisors and stop thinking of themselves as gatekeepers.

This webinar includes guidance on the characteristics of security tools compatible with DevOps, but it focuses primarily on the harder part: the people. This talk introduces the DevSecOps manifesto and provides you with a process model, based on agile transformation techniques, to accomplish the necessary mindset shift and achieve an effective DevSecOps culture transformation. It has been successfully used in a large DevSecOps transformation at Comcast and has gained recognition in DevSecOps circles as a leading framework.
Recorded Aug 3 2018 50 mins
Presented by
Larry Maccherone, Sr. Director DevSecOps Transformation, Comcast
  • Remote Security Testing & Training: Busting Myths and Offering Solutions Jul 1 2020 3:30 pm UTC 62 mins
    Sandesh Mysore Anand, Managing Consultant at Synopsys and Rakshitha R Rao, Security Consultant at Synopsys
    While digital transformation and BYOD have allowed many IT activities to occur remotely, many enterprises still prefer to perform security testing on-site. Concerns about data security, network/application accessibility, assessment quality and project management have discouraged teams from making the leap. In this webinar, we leverage lessons learned from many years of delivering Managed Application Security Services to provide guidelines on addressing these concerns and offer solutions on how to conduct remote security testing and security training.
  • The DoS goes loop-di-loop Jun 23 2020 9:00 am UTC 60 mins
    Allon Mureinik, Senior Manager, Synopsys
    Do you know the common ways Node.js applications may be vulnerable to denial-of-service attacks?

    The single-threaded nature of Node.js makes it very susceptible to DoS attacks. While the Node.js event loop allows you to perform some operations asynchronously, it’s still quite easy to write a vulnerable Node.js application by making a few simple mistakes.

    In this talk I’ll cover some common ways a Node.js application may be vulnerable to DoS attacks and some common best practices and countermeasures to defend against such attacks.
  • Do Design Quality and Code Quality Matter in M&A Tech Due Diligence? Jun 18 2020 4:00 pm UTC 46 mins
    Phil Odence, GM, Synopsys & Daniel Sturtevant, CEO and Co-founder, Silverthread
    (Spoiler alert: Yes.)

    In an acquisition where a software asset is a core part of the deal valuation, it’s important to understand the overall quality of the software before doing the deal. Buggy software is problematic and needs to be cleaned up, so assessing code quality is important. But also, with poorly designed software, every fix is costly, laborious, and risky. The cost of fixes can significantly affect the long-term technical and economic viability of the application, and maintaining the software can seriously degrade ROI. That’s why understanding a software system’s design and architectural health and the likely “cost of ownership” is key.

    Join us for this webinar to learn how to paint a complete picture of the technical quality of software to avoid buyer’s remorse post-close. We’ll cover:

    • The dimensions of technical due diligence
    • The difference between design quality and code quality
    • How software architecture can have a long-term impact
    • What to look for in software design and code quality audits

    Don’t miss this informative webinar. Register today.
  • The Future of AUTOSAR and How to Approach Coding Guidelines Jun 17 2020 6:30 am UTC 135 mins
    Dennis Kengo Oka, Senior Solution Architect, and 勝岡宣彦, Senior Sales Engineer, Software Integrity Group, Synopsys Japan
    In automotive software development, complying with the MISRA and AUTOSAR coding guidelines is a major challenge, and activities such as visual source code review place a very heavy burden on development teams. In a supply-chain-based software development structure, having all parties understand what AUTOSAR aims for and how to approach its guidelines, and applying the coding guidelines in a way everyone can accept, is indispensable for developing safe and secure software more efficiently.

    Moreover, developing safe and secure software takes more than following coding guidelines; what matters more is how you control the risks that lead to defects and vulnerabilities.

    Using C++ coding guidelines as the starting point, this session explains where AUTOSAR and MISRA fit and where they are headed, and how to use the Coverity static analysis tool to deal with coding guidelines efficiently and develop safe, secure software efficiently.

    Main topics
    - The evolution and future of MISRA and AUTOSAR from a C++ perspective
    - How to use the AUTOSAR coding guidelines efficiently to develop safe and secure software
    - Demo of the Finding Manager feature of Coverity static analysis
  • Bridging the Security Testing Gap in Your CI/CD Pipeline Jun 16 2020 5:00 pm UTC 60 mins
    Asma Zubair, Product Mgmt Mgr, Sr Staff, Synopsys and Kimm Yeo, Product Marketing Mgr, Staff, Synopsys
    Are you struggling with application security testing? Do you wish it were easier, faster, and better? Join us to learn more about Seeker, a modern interactive application security testing tool that provides highly accurate, real-time vulnerability results without the need for application or source code scans. Learn how this nondisruptive tool can:
    - Run in the background and report vulnerabilities during functional tests, integrated QA, and CI/CD activities.
    - Auto-verify, prioritize, and triage vulnerability findings in real time with 100% confidence.
    - Fully automate secure app development, testing, and delivery, without the need for extra security scans or processes.
    - Free up DevOps resources to focus on strategic or mission-critical tasks and contributions.
  • Modernizing Your SSI for DevOps and CI/CD Jun 11 2020 3:00 pm UTC 17 mins
    Kevin Nassery, Practice Director, Synopsys
    What’s the most pressing issue in software security from the last 20 years? We think it’s how to evolve your software security initiative (SSI) to support a modern DevOps practice and CI/CD pipeline while still meeting your security objectives. In this talk, we’ll discuss the key challenges of DevOps and CI/CD and arm you with a simple but effective method to optimize software security efforts. We’ll also highlight the inherent benefits of DevOps and CI/CD for secure software development to ensure nothing is left on the table as your SSI transforms.

    Key learning points:
    • Defining core CI/CD and DevOps SSI capabilities for your organization
    • Dimensions of maturity for SSDL gates in modern lifecycles
    • Software security culture, DevSecOps, and your SSI
    • Key performance indicators and critical SSI telemetry
  • OSS in Commercial Software Assets and the Current State of Its Risks: Analysis and Recommendations Based on the 2020 Report Jun 10 2020 7:00 am UTC 120 mins
    吉井雅人, Senior Sales Engineer, Software Integrity Group, Synopsys Japan
    The 2020 edition of the Synopsys Open Source Security and Risk Analysis report is the latest edition of the report summarizing the state of OSS usage and risk, with analysis, derived from audits of the OSS contained in more than 1,250 commercial codebases across 17 industries worldwide, including enterprises, healthcare, finance, and telecommunications infrastructure.

    The use of OSS in software development and commercial software is expanding rapidly, and understanding the OSS and the risks contained in your assets is becoming an ever larger challenge.

    Based on the latest report, this seminar reviews the current state of OSS use and risk, management methods and their challenges, and the reliable, efficient management approach Synopsys proposes.

    Main topics
    - Trends in the OSS most used today, and the current state of vulnerability and license risk
    - Methods and challenges for properly managing OSS and its risks
    - The reliable, efficient OSS management approach Synopsys proposes
    - Q&A
  • Effective Vulnerability Remediation Requires More than One Data Point Jun 9 2020 7:00 am UTC 40 mins
    Jeff Michael, Senior Product Manager, Synopsys and Chris Fearon, Director Research Engineering, Synopsys
    The Synopsys Cybersecurity Research Center (CyRC) has a dedicated team of security analysts who specialize in sourcing, curating, and analyzing open source software vulnerabilities. Their vulnerability feed contains timely, accurate vulnerability reports (Black Duck Security Advisories, or BDSAs) with all the relevant, actionable information customers need to optimize remediation efforts.

    BDSAs provide multiple data points that are important to consider when triaging vulnerabilities. Now, Black Duck customers can use this data to automatically prioritize vulnerabilities for remediation. With Black Duck’s advanced policy management and best-in-class vulnerability reports, developers can focus on fixing the most critical vulnerabilities quickly and effectively.

    In this webinar, Chris Fearon, director of research engineering, and Jeff Michael, head of Black Duck product management, will take you through Black Duck’s approach to vulnerability prioritization and explain why informed, focused remediation is the preferred approach to open source security management.
  • Managing Tech Due Diligence From a Social Distance Jun 4 2020 4:00 pm UTC 60 mins
    Phil Odence, Synopsys, Tony Decicco, GTC Law Group & Affiliates, Tom Jannak, Independent Consultant, Previously Vista, WMP
    Numerous M&A transactions have recently been put on hold while the parties wait to see what happens. Travel bans, quarantines, social distancing, closures of nonessential businesses, and shelter-in-place orders make it impossible to conduct due diligence in a normal fashion. So how do you assess technology when no one can travel?

    Join us for this webinar as we discuss what tech due diligence may look like in this new normal. We’ll cover:

    • Tips for managing software due diligence and audits in the current environment
    • Setting realistic expectations and gaining insight from more limited information
    • Leveraging tech due diligence providers and tech-focused legal counsel to minimize increased M&A risk

    Don’t miss this informative webinar. Register today.
  • Challenges and Basic Countermeasures When Embedded Devices Connect to the Cloud Jun 3 2020 6:30 am UTC 120 mins
    松岡正人, Senior Product Marketing Manager, and 中野哲也, Senior Sales Engineer, Software Integrity Group, Synopsys Japan
    In recent years, the news has begun to report cybersecurity incidents not only in network-connected PCs and servers but also in office equipment and medical devices. Security risk is growing as the typical architectures of networked embedded devices evolve and as business models shift to encompass not just the device but its associated services.
    Referring to data that managers as well as developers cannot afford to overlook, we sort out the gap between the safety and quality perspective and the security perspective, and discuss methods and technologies for verifying software and systems that help close that gap, along with how to put such verification into practice.

    Main topics
    - Changes in embedded device architectures and the services they provide, and an overview of the security risks
    - Methods and technologies useful for developing and verifying safe, secure products, and how to apply them
    - Tools Synopsys provides for secure product development, with usage examples
    - Q&A
  • Lessons on Open Source Governance From the 2020 OSSRA Report Jun 2 2020 5:00 am UTC 57 mins
    Tim Mackey, Principal Security Strategist, Synopsys
    The 2020 Open Source Security and Risk Analysis report looks at the state of open source use in over 1,250 distinct applications created by organizations in 17 industries. As we’ve seen in past years, the use of open source in commercial applications continues to grow, and businesses of all sizes are now powered by open source software. Whether your organization uses open source intentionally or via commercial vendors, understanding how open source communities update their software is a key factor when planning any cyber security response plan. In this webinar, we’ll walk through the findings from the 2020 OSSRA report with an eye on how teams can use the data to inform their overall open source governance plans.
  • Secure Automotive Software Development in the Age of ISO/SAE 21434 Recorded: May 28 2020 73 mins
    Dr. Dennis Kengo Oka, Principal Automotive Security Strategist, Synopsys
    Modern vehicles run on software containing more than 150 million lines of code. As a result of more advanced safety-relevant functionality, such as ADAS and autonomous driving, as well as new communication interfaces, mobile apps, and back-end servers based on connected car use cases, the need for developing secure systems in the automotive industry is higher than ever. A draft of the new cyber security standard ISO/SAE 21434 was recently released to help automotive companies address cyber security for the entire vehicle life cycle.

    This talk presents cyber security activities in the software development process based on ISO/SAE 21434 to help automotive companies develop more secure systems. We’ll provide examples of what is required from a resources and tools perspective to ensure an efficient and practical implementation of the various cyber security steps in the development process.
  • Secure your "Dev" and "Ops" Pipeline with Synopsys and Red Hat Recorded: May 27 2020 58 mins
    Gautam Baghel, Global Technical Alliances, Synopsys and Dave Meurer, Partner Solutions Architect
    Synopsys and Red Hat team up once again to bring you the best-in-class solution to secure your "Dev" & "Ops" pipeline without compromising speed. Red Hat OpenShift's secure-by-design platform provides operations teams with an out-of-the-box secure Kubernetes deployment, and Synopsys application security tools ensure development teams build secure, high-quality applications and images. Combining the capabilities of Red Hat and Synopsys is key to making sure that deployed applications are less susceptible to attacks.

    Join the experts from Red Hat and Synopsys as they present and demonstrate:
    * Augmenting Red Hat's secure-by-design OpenShift platform
    * Consolidating Containerized Application Security Perspectives
    * Integrating Synopsys’ Application Security testing (AST) solutions into Tekton-based OpenShift Pipelines
    * Application and Host Container Security with CoreOS, Quay & Black Duck
    * Reducing false positives by combining Security feeds with OVAL, RHSA and BDSA
  • ISASecure Certification Based on ISA/IEC 62443: Benefits and Challenges Recorded: May 27 2020 72 mins
    松岡正人, Senior Product Marketing Manager, and 大森健史, Managing Principal, Security Consulting, Software Integrity Group, Synopsys Japan
    It is well known that NERC (North American Electric Reliability Corporation) established the CIP (Critical Infrastructure Protection) standards to protect the BES (Bulk Electric System) and enforces them with penalties. Meanwhile, ISASecure certification based on ISA/IEC 62443, which assures the security of the various ICS (Industrial Control System) components (software and hardware) that underpin safe operation in general and critical manufacturing, is belatedly making progress.
    This session outlines the differences between the existing ISASecure EDSA certification and the newly introduced CSA certification, draws on various reports to examine the state of cyber incidents targeting increasingly sophisticated ICS, and shares and discusses ideas for developing more competitive ICS components.

    Main topics
    - Cyber attacks targeting ICS and the current state of security certification
    - Measures required to develop secure ICS components
    - Services and tools Synopsys provides for secure development
    - Q&A
  • The Ins and Outs of Fuzzing Recorded: May 26 2020 58 mins
    Kimm Yeo, Product Marketing Manager and Rikke Kuipers, Product Manager
    “Another day, another data breach” is not just a cliché; it’s a reality. But all data breaches are not equal. To avoid becoming the next victim, you must create software that’s more secure, higher quality, and compliant with standards.

    This webinar will introduce you to the concept of fuzzing, as well as Synopsys’ best-of-breed fuzzing solution, Defensics. Fuzzing is well established as an excellent technique for locating vulnerabilities in software. Register for this webinar to learn:

    • What fuzzing is, how it works, and when and why you should use it
    • How various fuzzing approaches differ and the pros and cons of each
    • How Defensics uses generational / specification-based fuzzing to test over 250 protocols effectively and efficiently
  • Open Source Risk in M&A by the Numbers Recorded: May 21 2020 58 mins
    Phil Odence, Synopsys
    In over 1,000 codebases audited in 2019, Black Duck Audits found that nearly every one contained open source components. Not only that, but a significant percentage of “proprietary code” overall was open source. However, left unmanaged, open source can lead to license compliance issues plus security and code quality risks. Whether you’re on the buy side or sell side, these risks could negatively affect valuation in an M&A transaction.

    Many acquirers have come to understand all this in concept; the Black Duck Audit Services group has the data. Join us for this webinar as we answer questions about the code of tech companies being acquired today. We’ll cover:

    • Open source license and security risks by the numbers
    • Why audits have become the norm in M&A tech due diligence
    • How you can get a complete picture of open source risks

    Don’t miss this informative webinar. Register today.
  • Where Fuzzing Fits in Security Testing, Integrating It into the Development Process, and Making Testing More Efficient Recorded: May 21 2020 61 mins
    中野哲也, Senior Sales Engineer, Software Integrity Group, Synopsys Japan
    Fuzzing is a powerful testing technique for detecting unintended behavior and defects in applications. By comparing it with penetration testing, we clarify where in the development process fuzzing should be performed, and, using several protocols as examples, explain how to set up a fuzzing environment, integrate it into the development process, and make testing more efficient.

    Main topics
    - Where fuzzing applies in the development process, compared with penetration testing
    - How to analyze fuzzing results, illustrated with SweynTooth
    - Integrating fuzzing into the development process: environment setup for automated fuzz testing, result analysis, and more
    - Tools and services Synopsys provides
    - Q&A
  • Web Application Security Testing: Challenges of DAST and Manual Testing, and How to Solve Them Recorded: May 21 2020 61 mins
    川原翔, Senior Sales Engineer, Software Integrity Group, Synopsys Japan
    As development structures and processes become more efficient through CI/CD and DevOps, incorporating security testing into them remains difficult.
    We sort out the challenges of existing DAST and manual testing such as vulnerability assessments, and introduce how the new testing technique IAST can solve them.

    Main topics
    - Challenges of Web application security testing with conventional DAST tools and manual testing
    - How the new IAST testing technique automates testing and improves detection accuracy
    - Integrating Seeker IAST into CI/CD, and a tool demonstration
    - Q&A
  • Your Developers Aren’t Security Experts - But They Can Be With the Right Tools Recorded: May 20 2020 52 mins
    Patrick Carey, Director Product Marketing, Synopsys and Sandy Carielli, Principal Analyst, Forrester Research, Inc.
    Securing your applications is critical, but maintaining release velocity and developer productivity is just as important. Let’s face it: Developers aren’t security experts. They unwittingly introduce security weaknesses and vulnerable open source components into your applications, and they’re ultimately responsible for fixing any issues that surface. But what if you could equip developers with the tools and information they need to prevent security issues from ever making it into your codebase, without creating unnecessary friction or slowing them down?

    Join guest presenter Sandy Carielli, Principal Analyst, Forrester Research, Inc., and Patrick Carey, Synopsys, as they discuss the benefits of IDE-based security testing and the role developers can play in securing your applications.
  • Managing the Licenses and Vulnerabilities of OSS Contained in Software with Black Duck Recorded: May 19 2020 65 mins
    吉井雅人, Senior Sales Engineer, Software Integrity Group, Synopsys Japan
    Using OSS is now indispensable for efficient development, but preventing unintended license violations and the introduction of vulnerabilities is difficult, and OSS management is also growing in importance from a supply chain management perspective.
    This session introduces the features and strengths of Black Duck for reliable, efficient OSS management, and how to use it effectively.

    Main topics
    - Benefits of using OSS and the challenges of OSS management
    - Features of Black Duck for efficiently managing OSS and its risks
    - OSS management structures and best practices
    - Q&A
Build secure, high-quality software faster.
Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.

  • Title: DevSecOps: Security at the Speed of DevOps with Comcast
  • Live at: Aug 3 2018 4:00 pm
  • Presented by: Larry Maccherone, Sr. Director DevSecOps Transformation, Comcast