DevSecOps: Security at the Speed of DevOps with Comcast

Security specialists, especially at large organizations, believe that better security comes from robust independent gating. On the other hand, DevOps has proven that you can safely deploy orders of magnitude faster than human gating can achieve.

What’s needed to add security to DevOps are tools that work well with rapid-cycle CI/CD pipelines and an approach that reinforces the DevOps culture and process changes. This requires that security specialists become self-service toolsmiths and advisors and stop thinking of themselves as gatekeepers.

This webinar includes guidance on the characteristics of security tools compatible with DevOps, but it focuses primarily on the harder part: the people. This talk introduces the DevSecOps manifesto and provides you with a process model, based on agile transformation techniques, to accomplish the necessary mindset shift and achieve an effective DevSecOps culture transformation. It has been successfully used in a large DevSecOps transformation at Comcast and has gained recognition in DevSecOps circles as a leading framework.
Recorded Aug 3 2018 50 mins
Presented by
Larry Maccherone, Sr. Director DevSecOps Transformation, Comcast
Presentation preview: DevSecOps: Security at the Speed of DevOps with Comcast
  • You’ve Got Your Open Source Audit Report - Now What? Nov 14 2019 5:00 pm UTC 60 mins
    Tony Decicco & Leon Schwartz, GTC Law, Phil Odence, Synopsys
    Companies’ use of open source software has surpassed the occasional and solidified itself as mainstream. Effectively identifying and managing the compliance and security risks associated with open source software can be a difficult task. Whether you’re acquiring another company, preparing for acquisition or simply wanting to manage the use of open source, the universal first step is to figure out the composition of the code, often via an audit. But what do you do once you have the audit report?

    Join us for this live webinar to learn best practices before and after an open source audit. We’ll cover how to:

    •Select and prepare the code base
    •Get the most out of an audit
    •Implement a third-party software policy
    •And more

    Don’t miss this informative webinar. Register today.
  • Implementing DevSecOps With Synopsys and CloudBees Nov 12 2019 5:00 pm UTC 60 mins
    Meera Rao, Synopsys & Chris Saleski, CloudBees
    As many organizations have learned, sometimes the hard way, DevOps transformation is as much about creating a process and adopting a mindset as it is about acquiring the right tools. But organizations creating a DevOps process shouldn’t neglect to implement security into their pipelines. Synopsys and CloudBees aim to deliver the best of both worlds to customers adopting DevOps: CI/CD optimization and application security testing automation.

    Join experts from Synopsys and CloudBees as we discuss:
    •How CloudBees Core™, built on Jenkins®, helps organizations scale CI/CD to a multitude of teams without increasing the administrative burden
    •How to add Synopsys tools Coverity, Black Duck, and Seeker to your pipelines
    •How to leverage the power of Kubernetes with the management of CloudBees Core to orchestrate the use of these tools as part of your SDLC
  • BSIMM10: A Decade of Software Security Science Nov 7 2019 6:00 pm UTC 60 mins
    Drew Kilbourne, Managing Director, Synopsys
    The Building Security In Maturity Model (BSIMM) is a data-driven model developed through the analysis of software security initiatives (SSIs), also known as application/product security programs. Register for this webinar to learn what 122 organizations in eight industry verticals are doing to improve their software security efforts. We’ll discuss:
    - How organizations are building their software security initiatives
    - How DevOps is affecting the way organizations perform software security
    - How emerging engineering-driven security cultures are changing approaches to software security
  • 5 Ways to Risk Ranking Your Vulnerabilities Nov 6 2019 6:00 pm UTC 60 mins
    Nivedita Murthy, Security Consultant, Synopsys Software Integrity Group
    Vulnerabilities are an inevitable part of software development and management. Whether they’re in open source or custom code, new vulnerabilities will be discovered as a codebase ages. As stated in the 2019 Open Source Security and Risk Analysis report, 60% of the codebases audited in 2018 contained at least one known vulnerability. As the number of disclosures, patches, and updates grows, security professionals must decide which critical items to address immediately and which items to defer.
    Register for this webinar to learn best practices in vulnerability management. You’ll learn:
    - Methods for determining which applications are most attractive to attackers and which pose the greatest risk
    - Ways to assess the risk associated with a disclosed open source vulnerability
    - Strategies to minimize the impact of open source security vulnerabilities when you can’t fix them immediately
  • Do Design Quality and Code Quality Matter in M&A Tech Due Diligence? Oct 24 2019 4:00 pm UTC 60 mins
    Phil Odence, GM, Synopsys & Daniel Sturtevant, CEO and Co-founder, Silverthread
    (Spoiler alert: Yes.)

    In an acquisition where a software asset is a core part of the deal valuation, it’s important to understand the overall quality of the software before doing the deal. Buggy software is problematic and needs to be cleaned up, so assessing code quality is important. But also, with poorly designed software, every fix is costly, laborious, and risky. The cost of fixes can significantly affect the long-term technical and economic viability of the application, and maintaining the software can seriously degrade ROI. That’s why understanding a software system’s design and architectural health and the likely “cost of ownership” is key.

    Join us for this live webinar to learn how to paint a complete picture of the technical quality of software to avoid buyer’s remorse post-close. We’ll cover:

    •The dimensions of technical due diligence
    •The difference between design quality and code quality
    •How software architecture can have a long-term impact
    •What to look for in software design and code quality audits

    Don’t miss this informative webinar. Register today.
  • Using Evidence-Based Security in Your Secure Development Life Cycle Oct 23 2019 5:00 pm UTC 60 mins
    Andrew van der Stock, Senior Principal Consultant, Managed Services SIG Consulting, Synopsys
    All too often, security is stuck in the 1960s doing slow desk checks, the results of which are out of date before the PDF report lands on an auditor’s desk. If developers see this report, they’ll find it’s full of hot garbage. Security folks must become agile, thinking like developers and helping build secure applications, not criticizing and using recommendations from the last century. In this talk, you’ll learn how you can contribute data, offer better remediation advice, and use modern evidence-based standards such as the forthcoming OWASP Top 10 2020 and the OWASP Application Security Verification Standard 4.0 in your development pipeline. Security professionals have heard this all before, but we persist in doing the wrong things. Let’s not do security like it’s 1998; let’s build assurance in from the get-go, with each and every build.
  • Delivering Next Generation Vulnerability Feed Recorded: Oct 17 2019 46 mins
    Siobhan Hunter, Security Research Team Lead, Synopsys
    The Synopsys Cybersecurity Research Center (CyRC) has a dedicated team of security analysts who specialize in sourcing, curating, and analyzing open source software vulnerabilities. The team delivers a customer-focused vulnerability feed comprising open source vulnerability reports called BDSAs (Black Duck Security Advisories). These reports are timely, accurate, and packed with relevant actionable information.

    In this webinar, Siobhan Hunter, security research lead, reveals why the high-quality content of the BDSA feed is best in class, with examples of how our BDSA feed compares with the NVD and insights into how we discover and deliver valuable vulnerability information for our customers every day.
  • Fuzzing Infotainment Systems and Telematics Units With Agent Instrumentation Recorded: Oct 8 2019 58 mins
    Dennis Kengo Oka, Senior Solutions Architect, Synopsys & Rikke Kuipers, Product Manager, Synopsys
    In the past few years, cybersecurity has become more intertwined with each step of the automotive development process. In particular, fuzz testing has proven to be a powerful approach to detecting unknown vulnerabilities in automotive systems. However, with limited instrumentation, especially on systems such as in-vehicle infotainment (IVI) systems and telematics units, several types of issues go undetected, such as memory leaks and cases where the application crashes but restarts quickly. Since these systems are typically based on operating systems that provide more functionality, such as Linux and Android, it is possible to use appropriate tools to collect additional information from the system under test (SUT) to determine whether any exceptions were detected during fuzz testing. Furthermore, it is possible to gather more details about the detected exceptions on the SUT, which helps developers understand and identify the root cause of the issues and fix the problems more efficiently. To this end, we introduce the Agent Instrumentation Framework and explain how it can be used to improve fuzz testing of IVIs and telematics units. We show how additional information can be collected from the target system and used to identify whether there are exceptions on the SUT, and additionally to help developers identify the underlying cause of any issues detected. Finally, to showcase the effectiveness of the Agent Instrumentation Framework, we built a test bench based on this approach and performed fuzz testing on multiple SUTs. Based on our findings, we highlight several examples of issues that would not have been detected without agent instrumentation.
  • Financial Services Study Shows Why Investing in AppSec Matters Recorded: Oct 8 2019 34 mins
    Drew Kilbourne and Larry Ponemon
    If you’re a provider of financial services, then client trust, privacy, and risk management are critical to your success. Therefore, you must protect your organization’s sensitive data from cyber attacks and data breaches. A recent survey of current software security practices in the financial services industry explores the industry’s software security posture and its ability to address security-related issues.

    In this webinar, Drew Kilbourne, managing director, Synopsys, and Larry Ponemon, chairman, Ponemon Institute, will review findings from the report and discuss what they mean for the industry at large. Here’s a preview of some key findings:

    - 56% of organizations had experienced an attack resulting in system failure and downtime.
    - 74% were concerned about security vulnerabilities introduced by third-party suppliers, but less than 43% said they require third parties to adhere to cyber security requirements.
    - Only 34% of financial applications are tested for vulnerabilities, and only 25% of respondents were confident in their ability to detect vulnerabilities before going to market.
  • A Serial Seller’s Perspective on M&A Tech Due Diligence Recorded: Sep 26 2019 57 mins
    Irad Deutsch, CTO, Belong.Life and Phil Odence, GM, Synopsys
    On the buy side of a tech deal and want to better understand sellers? Selling a company and want to benefit from the experience of someone who’s been there (and been there and been there)?

    Building a successful software company takes a lot of blood, sweat, and tears. When a liquidity opportunity presents itself, sellers want to make sure they get the best deal they can, and quickly. During due diligence, the potential acquirer will delve into all facets of the technology. The more prepared the sell side is, the fewer issues will arise, and the smoother the transaction will be.

    What do buyers need, and what can prepared sellers do to streamline the process? Security, quality, and the intellectual property rights of the software are critical. Buyers, sellers, and their legal advisors need to be comfortable that no big technical issues will crop up post-close. Plus, they want to know that they have absolute and uncontested rights to the software assets—in particular, that there are no issues with open source licenses.

    Irad Deutsch, CTO of Belong.Life, has successfully made it through the process with two companies and has it down to a science for his third. Join Irad and Synopsys’ Phil Odence as they discuss the seller’s perspective, lessons learned on the seller’s side, and how to prepare for the M&A tech due diligence process.

    Don’t miss this informative webinar. Register today.
  • Financial Services Study Shows Why Investing in AppSec Matters Recorded: Sep 12 2019 35 mins
    Drew Kilbourne and Larry Ponemon
    If you’re a provider of financial services, then client trust, privacy, and risk management are critical to your success. Therefore, you must protect your organization’s sensitive data from cyber attacks and data breaches. A recent survey of current software security practices in the financial services industry explores the industry’s software security posture and its ability to address security-related issues.

    In this webinar, Drew Kilbourne, managing director, Synopsys, and Larry Ponemon, chairman, Ponemon Institute, will review findings from the report and discuss what they mean for the industry at large. Here’s a preview of some key findings:

    - 56% of organizations had experienced an attack resulting in system failure and downtime.
    - 74% were concerned about security vulnerabilities introduced by third-party suppliers, but less than 43% said they require third parties to adhere to cyber security requirements.
    - Only 34% of financial applications are tested for vulnerabilities, and only 25% of respondents were confident in their ability to detect vulnerabilities before going to market.
  • Automating Pipeline Security with Synopsys and Azure DevOps Recorded: Sep 12 2019 59 mins
    Sasha Rosenbaum, Sr. Program Manager, Microsoft and Tomas Gonzalez, Alliance Technical Engineer, Synopsys
    Microsoft Azure DevOps is a collection of modern dev services designed to help development teams plan smarter, collaborate better, and ship faster. Azure CI/CD Pipelines, where applications are built, tested, and deployed, benefit from additional functionality provided by third-party extensions.
    Synopsys Detect, an extension for Azure DevOps, simplifies the addition of static code analysis and open source composition analysis to your pipelines. Tune in to learn how to plug Synopsys into your Azure Pipelines to fix potential leaks before they burst.

    In this webinar, Synopsys and Microsoft will explain how to:
    •Add static code analysis to your build pipelines with Coverity on Polaris
    •Integrate Black Duck open source compliance and security checks into your delivery pipelines
    •Perform Seeker interactive testing on apps deployed to Azure App Service

    This site is jointly operated by Microsoft and Synopsys, and both companies are committed to protecting your privacy. Any personal information we collect from you on this site may be shared between Microsoft and Synopsys. For complete information on the data collection and use practices of each company, please read the full privacy statements by clicking on the links in the attachments.
  • Improving Fuzz Testing of Infotainment Systems and Telematics Units using Agent Recorded: Sep 5 2019 59 mins
    Dennis Kengo Oka, Senior Solutions Architect, Synopsys & Rikke Kuipers, Product Manager, Synopsys
    In the past few years, cybersecurity has become more intertwined with each step of the automotive development process. In particular, fuzz testing has proven to be a powerful approach to detecting unknown vulnerabilities in automotive systems. However, with limited instrumentation, especially on systems such as in-vehicle infotainment (IVI) systems and telematics units, several types of issues go undetected, such as memory leaks and cases where the application crashes but restarts quickly. Since these systems are typically based on operating systems that provide more functionality, such as Linux and Android, it is possible to use appropriate tools to collect additional information from the system under test (SUT) to determine whether any exceptions were detected during fuzz testing. Furthermore, it is possible to gather more details about the detected exceptions on the SUT, which helps developers understand and identify the root cause of the issues and fix the problems more efficiently. To this end, we introduce the Agent Instrumentation Framework and explain how it can be used to improve fuzz testing of IVIs and telematics units. We show how additional information can be collected from the target system and used to identify whether there are exceptions on the SUT, and additionally to help developers identify the underlying cause of any issues detected. Finally, to showcase the effectiveness of the Agent Instrumentation Framework, we built a test bench based on this approach and performed fuzz testing on multiple SUTs. Based on our findings, we highlight several examples of issues that would not have been detected without agent instrumentation.
  • Security Tool Misconfiguration and Abuse Recorded: Aug 20 2019 40 mins
    Thomas Richards, Network and Red Team Practice Director
    As any security program matures, it will use tools and techniques to automate processes to improve the security posture of the organization. This includes asset management and discovery, patch management, deploying software, and vulnerability discovery. However, if these tools are improperly configured, they can lead to a total compromise of your network by an attacker. In this talk we will go over a few case studies of abusing these tools while on penetration tests as well as remediation methods to prevent these attacks from occurring.
  • Shift Left, Shift Right, or Run Security Right Through The Middle? Recorded: Aug 20 2019 57 mins
    Meera Rao, Senior Principal Consultant, Synopsys, Brandon Dunlap, Moderator, (ISC)²
    Demands for more secure software and more rapid application development have led to the emergence of DevSecOps. DevSecOps maturity requires a risk-based approach to adding security activities, increasing depth, and improving testing governance. The best strategy is to shift from a reactive to a proactive security approach that injects security at the right time and place with automated continuous testing. This presentation covers these aspects of automated continuous testing:

    1. Practices to avoid
    2. Drawbacks
    3. Prerequisites
    4. When and where to use automated testing
    5. Best practices for implementing and improving continuous testing throughout the development life cycle
  • What You Need to Know About Open Source Licensing Recorded: Aug 15 2019 62 mins
    Mark Radcliffe, DLA Piper, Tony Decicco, GTC Law Group, Phil Odence, Synopsys
    Virtually every organization uses open source software, and lots of it, to create efficiencies in software development. But left unmanaged, open source can introduce legal, IP, compliance, and other risks for the business. With over 2,500 different licenses in use, legal professionals and technical managers need to understand the license obligations associated with open source and how to mitigate risks.

    Join top open source legal experts Mark Radcliffe from DLA Piper and Tony Decicco from GTC Law Group for a webinar as they do a deep dive into the types of open source licenses that could present challenges. They’ll cover:

    •The history and risk of open source software
    •Intellectual property law for software licensing
    •The most popular licenses and their obligations
    •Practical advice for helping your organizations or clients

    Don’t miss this informative webinar. Register today.

    CLE:

    DLA Piper LLP (US) has been certified by the State Bar of California, the Board on Continuing Legal Education of the Supreme Court of New Jersey, the New York State Continuing Legal Education Board, and the Pennsylvania Continuing Legal Education Board as an Accredited Provider. The following CLE credit is being sought:
    •California: 1.0 Credit (1.0 General, 0.0 Ethics)
    •New Jersey: 1.2 Credits (1.2 General, 0.0 Professional Responsibility)
    •New York: 1.0 Transitional & Non-Transitional Credit (1.0 Professional Practice, 0.0 Ethics and Professionalism)
    •Pennsylvania: 1.0 Credit (1.0 General, 0.0 Ethics)
    CLE credit will be applied for in other states where DLA Piper has an office with the exception of Minnesota, North Carolina, and Puerto Rico.
  • Achieving Security Outcomes in a Cloud-Native World Recorded: Aug 14 2019 60 mins
    Steve White, Field CISO, Pivotal Software & Dave Meurer, Senior Technical Alliances Manager, Synopsys
    Modern enterprises are moving to hybrid cloud solutions, containers, microservices, and functions for their core applications. At the same time, technology teams are implementing agile and DevOps models for software development, deployment, and operations. These changes provide the business with measurable benefits in terms of agility and execution, but they also create the need for a shift in traditional approaches to cyber security. To respond, security leaders need to adopt a cloud-native model for security. In this webinar, we’ll examine how solutions from Pivotal and Synopsys enable this move, allowing security teams to achieve their target outcomes while acting as a key enabler, helping the business with their application transformation efforts.
  • Reviewing Modern JavaScript Applications Recorded: Jul 31 2019 60 mins
    Lewis Ardern, Senior Security Consultant, Synopsys
    Many penetration testers approach modern JavaScript applications from an “outside-in” perspective. But this approach often misses security issues in plain sight. In this webinar, we’ll demystify common JavaScript issues that should be better understood/identified during security reviews. We’ll discuss how to review applications in a code-centric manner by using freely available tools to help start identifying security issues through processes such as linting and dependency auditing.
  • Defuse Your Release Anxiety by Fusing DevOps and Security Recorded: Jul 30 2019 56 mins
    Vincent Lussenburg, XebiaLabs & Tomas Gonzalez, Synopsys
    In these times of DevSecOps, many companies claim that they’re “doing it.” But a false sense of security is worse than no security at all.
    In this webinar, Synopsys and XebiaLabs will explore how to embed multiple security perspectives on software vulnerability detection and prevention into your automated development release pipelines. The goal: to prevent your organization from being the next case study on how failure to cover an essential perspective resulted in an embarrassing data breach.

    By registering for this webinar you are agreeing to receive communications from both Synopsys and XebiaLabs.
  • Securing Vehicles after Production: Vulnerability Management & Security updates Recorded: Jul 30 2019 63 mins
    Dennis Kengo Oka, Senior Solutions Architect, Synopsys
    As the automotive software development life cycle puts greater focus on cyber security, we’ll see safer, more secure cars on the roads. OEMs and suppliers use static code analysis, software composition analysis, and fuzz testing to identify and remediate vulnerabilities in automotive components during development and testing. But even with the right tools and processes, it’s impossible to eliminate every software vulnerability in a vehicle’s 100 million lines of code before releasing it into the field.

    Therefore, it’s important to continue finding and fixing bugs in vehicles after production. During operations and maintenance, detecting and managing new vulnerabilities in automotive components is a high priority. Patching these vulnerabilities means performing secure over-the-air (OTA) updates—and ensuring those updates don’t introduce new vulnerabilities.

    This talk will present the current challenges and suggest solutions to securing vehicles during the operations phase.
Build secure, high-quality software faster.
Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.

  • Title: DevSecOps: Security at the Speed of DevOps with Comcast
  • Live at: Aug 3 2018 4:00 pm
  • Presented by: Larry Maccherone, Sr. Director DevSecOps Transformation, Comcast