Building a Culture of Secure Programming in your Organisation
We all know that fixing defects early in the SDLC is the right approach to building secure software. Security needs to be in every part of the pipeline but it’s often hard to get everybody onboard with software security initiatives.
Come join us on this webinar to explore how to build a culture of proactive secure programming in your technical organization and how to implement security as an enabler without disrupting the velocity of projects in modern development teams. See how Synopsys tools and services can allow you to build secure, reliable and quality software.
Recorded Feb 20 2019, 70 mins
Shi Chao, Senior Sales Engineering Manager, Synopsys Software Integrity Group
Traditionally, and often unfortunately, security has been treated as a secondary, isolated process considered only at the end of the software development lifecycle (SDLC). However noble the intentions, discovering security vulnerabilities at such a late stage is frustrating and expensive to fix.
With the proliferation of agile development methodology and CI/CD, is it possible to leverage Static Application Security Testing (SAST) tools to continuously verify code changes and improve application integrity throughout the SDLC? In our 4 July 2019 webinar, Shi Chao, Senior Sales Engineering Manager, Synopsys Software Integrity Group, will provide insights into the following:
• What is SAST? Are SAST tools glorified grep?
• What can SAST help with?
• Touch points: where and how do we apply SAST in a CI/CD pipeline?
• Considerations in choosing a SAST tool
Amy DeMartine, Forrester Principal Analyst and Utsav Sanghani, Senior Product Manager, Synopsys
Application vulnerabilities are a prime target for attackers, and the critical task of identifying and remediating these flaws before they’re exploited can be daunting, especially for organizations adopting DevOps and CI/CD practices. Security teams don’t have the time or resources to find and fix every vulnerability, and developers prefer to do what they do best – build and deploy features quickly. Fortunately, developers can be good at their jobs and be your most effective application security resources if you enable them with the low-friction tools and training at the precise time they need them.
Join guest speaker Amy DeMartine, principal analyst at Forrester Research, and Utsav Sanghani, senior product manager at Synopsys, as they explore tools and techniques that can transform your developers into AppSec rock stars:
- Rapid and continuous in-IDE security testing can help your developers find and fix issues before they ever get committed to your codebase.
- Delivering short, contextualized AppSec training modules to developers in real time when they introduce vulnerabilities.
- Most modern applications contain more open source code than proprietary code. Help your developers identify and avoid risky OSS components.
Development organizations view open source software as not just important but also strategic. That’s just one of the topics we’ll investigate in this joint webinar from Red Hat and Synopsys. Drawing from Red Hat’s “The State of Enterprise Open Source” report, technology evangelist Gordon Haff will explain why IT decision makers value open source so highly.
At the same time, changing development practices and escalating threats mean that security remains a concern with respect to open source software, as it is for IT more broadly. Dave Meurer of the Synopsys Software Integrity Group will explain findings from the Synopsys “2019 Open Source Security and Risk Analysis” report to offer an in-depth look at the state of open source security, compliance, and code quality risk in commercial software.
We’ll close with some practical advice about getting the most value from open source software while keeping your organization safe.
Kevin Nassery, Senior Principal Consultant, Synopsys
Intuition can take you quite far at the beginning of your application security journey. But even the most experienced leaders will eventually need data to guide them through a decision or justify their investments. Well-designed software security metrics provide that compass.
This webinar will arm software security group leadership with the knowledge necessary to design key metrics that drive thoughtful investment and enhancement of their software security initiative (SSI).
We’ll pay special attention to must-have application security metrics, common missteps, and executive visibility across the Software Security Development Lifecycle (SSDL) and SSI.
Meera Rao, Secure Development Practice Director, Synopsys Software Integrity Group
Building security automation into the DevOps pipeline is a key pain point for many organizations. Some firms deploy to production as frequently as every five minutes—a velocity that security struggles to match. Implementing intelligence within the DevOps pipeline supports security activities by matching the team’s velocity, providing intelligent feedback, and supporting organizations as they scale their security testing activities.
A risk-based adaptive pipeline can close the gap between DevOps and security teams, helping DevOps teams accelerate deployment to production without compromising security.
In this webinar, you’ll learn:
- How the adaptive pipeline can help you rank risks, identify changes, and improve responsiveness.
- How to accelerate deployment to production without compromising security.
- Four models you can implement to help align your people, process, and technology.
With each new technology cycle, we seek to improve both business efficiency and security. Unfortunately, our legacy practices can severely hold us back from achieving the full potential of our new technology stack. When this occurs, organisations with the most valuable data come under attack first.
Tony Decicco, GTC Law Group & Phil Odence, Synopsys
Just like most software assets contain open source, modern software applications commonly link to external web services via APIs. By using web services, developers may be inadvertently signing their companies up to terms of service or using a web service without a suitable agreement. And using these services can expose a company to security, data privacy, and operational risks that could disrupt or severely affect the business. As part of the tech M&A due diligence process, you should be aware of these web services-related risks so that you can make informed decisions about deal valuation and remediation.
Join Tony Decicco, shareholder at GTC Law Group and Affiliates, and Phil Odence, GM of Black Duck Audits, as they discuss the types of risk associated with web services and how they can affect an M&A transaction. They’ll cover:
• Typical terms of service and common pitfalls
• The legal compliance, data privacy, security, and business risks that come with web services
• Real-world examples of these risks
• How a buyer can get a better understanding of these risks in a target’s codebase or a seller can prepare for diligence to avoid risks in this area
Don’t miss this informative webinar. Register today.
Asma Zubair, Product Mgmt Mgr, Sr Staff, Synopsys and Kimm Yeo, Product Marketing Mgr, Staff, Synopsys
Are you struggling with application security testing? Do you wish it was easier, faster, and better? Join us to learn more about IAST, a next-generation AppSec tool that provides highly accurate, real-time vulnerability results without the need for application or source code scans. Learn how this nondisruptive tool can:
- Run in the background and report vulnerabilities during functional testing, CI/CD, and QA activities.
- Prioritize and triage vulnerability findings in real time with 100% confidence.
- Fully automate secure code delivery and deployment, without the need for extra security scans or processes.
- Free up development and security resources to focus on strategic or mission-critical tasks and contributions.
Joe Jarzombek, Director for Government, Aerospace & Defense Programs, Synopsys
As the cyber threat landscape evolves and external dependencies grow more complex, managing risks to enterprise and connected embedded systems requires more than reactive measures. Many organizations proactively reduce attack surfaces in their cyber supply chain and assets targeted for exploitation. IT asset management should leverage automated means to detect weaknesses and vulnerabilities in software. Addressing cyber supply chain dependencies enables the hardening of attack surfaces by comprehensively identifying exploit targets, understanding how assets are attacked, and providing responsive mitigation. Automation tools and services, testing and certification programs now provide means to reduce risk attributable to exploitable software. This presentation addresses means of using information to prioritize mitigation efforts focused on reducing exploitable attack vectors; enabling organizations to proactively harden their attack surface and become more resilient in the face of growing threats and asymmetric attacks.
Lt. Col. Joe Jarzombek (USAF, ret.) is Director, Government, Aerospace & Defense Programs at Synopsys. He previously served as Deputy Director, Information Assurance in the Office of the CIO Dept. of Defense. He later served as Director, Software and Supply Chain Assurance in the Dept. of Homeland Security. Today, Joe guides Synopsys’ global leadership to address needs of public sector, aerospace and defense communities. He participates in consortia, public-private collaboration and standards groups, and R&D projects to accelerate technology adoption. Joe has 30+ years in software security, safety and quality in embedded and networked systems and enterprise IT. Joe is a Certified Secure Software Lifecycle Professional (CSSLP) and project management professional with an MS in Computer Information Systems, a BA in Computer Science and a BBA in Data Processing and Analysis.
Containers and Kubernetes have changed the way organizations develop and deploy applications. But with increased agility comes increased risk. The last thing any company wants is to deploy software from unknown sources or with known vulnerabilities. Binary Authorization together with GKE allows you to “sign” software as it moves through the software supply chain. This way, you can ensure that no software goes to production till you approve it. In this webinar, we’ll discuss the role Black Duck plays in this signing process. We’ll also demonstrate how Black Duck, as part of a Cloud Build workflow, can attest to the security and license compliance of a software offering, so you can deploy with confidence.
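As an added illustration (not code from the webinar, from Google or from Synopsys), the following Python simulates the admission check that Binary Authorization performs: each gate in the pipeline signs the image digest it approved, and the policy refuses any image that is referenced by tag rather than digest, or that lacks a valid attestation from every required attestor. The project name "demo", the attestor names, the sample image and the signing keys are constructed assumptions; real attestors sign with PKIX or PGP key pairs, and an HMAC stand-in is used here only so the block runs on the standard library alone.

```python
"""Simulated Binary Authorization admission check (added example, not project code)."""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Constructed stand-in for attestor keys. Real Binary Authorization attestors
# hold PKIX or PGP public keys; a shared HMAC secret is used here only so the
# example runs offline on the standard library.
ATTESTOR_KEYS = {
    "projects/demo/attestors/black-duck-scan": b"constructed-secret-1",
    "projects/demo/attestors/qa-signoff": b"constructed-secret-2",
}

# Attestations are made over an immutable digest, never a mutable tag.
DIGEST_REF = re.compile(r"^(?P<repo>[^@:]+)@sha256:(?P<hex>[0-9a-f]{64})$")


@dataclass
class Attestation:
    attestor: str
    image_digest: str  # "sha256:<hex>"
    signature: str     # hex HMAC over image_digest (stand-in for a real signature)


@dataclass
class Policy:
    require_attestations_by: list
    admission_whitelist_patterns: list = field(default_factory=list)


def sign_attestation(attestor, image_ref):
    """Attestor side: after its gate passes, sign the digest of the approved image."""
    m = DIGEST_REF.match(image_ref)
    if not m:
        raise ValueError("attestations are made over digests, not tags")
    digest = "sha256:" + m.group("hex")
    sig = hmac.new(ATTESTOR_KEYS[attestor], digest.encode(), hashlib.sha256).hexdigest()
    return Attestation(attestor, digest, sig)


def attestation_valid(att):
    """Verify the signature against the key registered for the named attestor."""
    key = ATTESTOR_KEYS.get(att.attestor)
    if key is None:
        return False
    expected = hmac.new(key, att.image_digest.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att.signature)


def admit(image_ref, attestations, policy):
    """Admission controller side: return (allowed, reason) for a deploy request."""
    # Whitelisted name patterns bypass attestation checks, as in Binary Authorization.
    for pattern in policy.admission_whitelist_patterns:
        if image_ref.startswith(pattern.rstrip("*")):
            return True, "whitelisted"
    m = DIGEST_REF.match(image_ref)
    if not m:
        return False, "image must be referenced by digest, not tag"
    digest = "sha256:" + m.group("hex")
    for required in policy.require_attestations_by:
        ok = any(
            a.attestor == required and a.image_digest == digest and attestation_valid(a)
            for a in attestations
        )
        if not ok:
            return False, f"missing valid attestation from {required}"
    return True, "all required attestations present"


# Constructed sample: a policy requiring both gates, and one image built from fake content.
POLICY = Policy(
    require_attestations_by=list(ATTESTOR_KEYS),
    admission_whitelist_patterns=["gcr.io/google_containers/*"],
)
SAMPLE_IMAGE = "gcr.io/demo/app@sha256:" + hashlib.sha256(b"constructed image bytes").hexdigest()

if __name__ == "__main__":
    scan = sign_attestation("projects/demo/attestors/black-duck-scan", SAMPLE_IMAGE)
    print(admit(SAMPLE_IMAGE, [scan], POLICY))   # blocked: QA has not signed off
    qa = sign_attestation("projects/demo/attestors/qa-signoff", SAMPLE_IMAGE)
    print(admit(SAMPLE_IMAGE, [scan, qa], POLICY))  # admitted
```

The two properties worth noting are that admission is decided on the digest, so retagging an image cannot smuggle unscanned content past the gate, and that an attestation for a different digest or with a bad signature counts as absent rather than as an error the deployer could route around.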
We need to learn from industries where parallels are forming, and see how they have understood their testing capabilities and placed them correctly within their pipeline. Drawing on his experience, Stephen Giguere, Solution Architect at Synopsys, explores and differentiates open source and commercial SAST, combined with cross-industry lessons applicable to software development. See how Synopsys tools and services can allow you to build secure, reliable and quality software.
Open source components form the foundation of modern applications, but ineffective open source risk management can lead to security breaches that negatively affect your business and damage your brand. The Open Source Security and Risk Analysis (OSSRA) report examines trends in open source usage and risk management practices based on the audits of more than 1,200 codebases.
Listen in as we explore how the open source landscape has changed—and improved, in some cases—but more importantly, how development, security, and legal teams can improve their open source risk posture.
- 96% of codebases scanned in 2018 contain open source
- The average codebase contains 298 open source components, up from 257 in 2017
- 60% of codebases contained at least one open source vulnerability—still significant, but much better than 78% in 2017
Phil Odence, General Manager, Black Duck On-Demand
In over 1,000 codebases audited in 2018, Black Duck Audits found that nearly every one contained open source components. Not only that, but a significant percentage of “proprietary code” overall was open source. Virtually every company building software now depends on open source, and with great reason. However, left unmanaged, open source can lead to license compliance issues plus security and code quality risks. Whether you’re on the buy side or sell side, these risks could negatively affect valuation in an M&A transaction.
Many acquirers have come to understand all this in concept; the Black Duck audit services group has the data. Join us for this webinar as we answer questions about the code of tech companies being acquired today. We’ll cover:
• Open source license and security risks by the numbers
• Why audits have become the norm in M&A tech due diligence
• How you can get a complete picture of open source risks
Don’t miss this informational webinar – register today.
Lewis Ardern, Senior Security Consultant, Synopsys
Glen Kosaka, VP of Product Management, NeuVector and Tim Mackey, Senior Technical Evangelist, Synopsys
The promise of containers and cloud-based microservices is fast time to market for applications. But there are security requirements that, if not handled properly, can slow down the pipeline and lengthen time to market. Automation is critical to a CI/CD pipeline, and it is also critical to secure deployment of containers. Join Synopsys and NeuVector to explore the key automation integration points in the pipeline and learn how to build security into your process, culture, and toolchain, from build to ship to run.
Who should attend?
• DevSecOps and DevOps practitioners
• Network and application security engineers
Balaji Bhardwaj, Senior Security Engineer, Synopsys Software Integrity Group
Open source usage has increased steadily over the years, and so has the volume of open source content, which has seen exponential growth in releases. The strength of open source is attributed to its growing adoption in enterprise applications.
In our 11th April 2019 webinar, Balaji Bhardwaj, Senior Security Engineer, Synopsys Software Integrity Group, will provide insights into the following:
• Usage trends of open source
• How large enterprise users understand the risks associated with using open source
• Methodologies derived to mitigate open source risks and issues
• Is open source an enabler or a liability?
The Product Team at Synopsys is excited to introduce the Polaris Software Integrity Platform™, which brings the power of Synopsys Software Integrity products and services together into an integrated solution that enables security and development teams to build secure, high-quality software faster. Polaris uses a SaaS delivery model and provides a centralized web-based user interface for Synopsys products and services—ensuring quick deployment and a unified user experience across Synopsys solutions.
Polaris includes Code Sight™, our new IDE plugin that automatically and continuously analyzes code as it’s being written—allowing developers to focus on their tasks at hand without needing to initiate scans or leave the IDE for security information.
By unifying our market-leading solutions on a single platform, Polaris simplifies the deployment and operation of application security tools, so teams can quickly prioritize and remove exploitable software vulnerabilities across their application portfolio. In this webinar, you’ll learn:
- How Polaris empowers DevOps managers with easy-to-use, automated CI/CD integrations
- How Code Sight provides the real-time feedback developers need to fix their code quickly, as they write it
- How Polaris’ extensible, cross-product reporting capabilities help security practitioners prioritize security issues and measure compliance across their application portfolio
Ksenia Peguero, Sr. Research Lead, Synopsys; Apoorva Phadke, Associate Principal Consultant, Synopsys
Stories of women in the modern workforce continue to seize our attention, not least because of the dedicated champions who work tirelessly to empower women to speak out about what they need, what they want, and what talents they bring to the table. But the tech industry lags far behind the overall U.S. workforce when it comes to closing the gender gap. In a sector that employs fewer women in any position, even fewer in technical positions, and is fed by an educational system with a stubborn gender imbalance, what can we do to encourage more women to work in tech?
We can start by celebrating the women who are already here. In this panel, we invite some of the women of Synopsys to tell us about their experiences in the tech industry. We’ll discuss how they got started in tech and advice for other women who want to enter the field. Our panelists will dive into the unique challenges they’ve faced and how to balance priorities in a fast-paced, high-stress environment. And they’ll provide insight into what organizations are doing—and should be doing—to enrich their culture with employees that have a variety of experiences and perspectives.
There is risk in any M&A transaction but having the right tech due diligence approach can help mitigate that risk. If software is a large part of the deal valuation, you need to understand any potential legal and security risks in the target’s codebase that could affect the value of the IP, and the remediation required to address those risks.
Join Phil Odence, General Manager of Black Duck On-Demand with Synopsys, to take a closer look at how you can identify and reduce risks in M&A tech due diligence. He’ll cover the following points and more:
• Uncovering application risks: What’s in the code
• Taking a comprehensive approach to security audits
• Choosing the right partner for audits
Don’t miss this informational webinar. Register today!
Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.