
Security Tool Misconfiguration and Abuse

As an organization matures its security program, it improves its security posture by using tools and techniques to automate processes such as asset management and discovery, patch management, software deployment, and vulnerability discovery. However, if your tools are improperly configured, they can lead to a total compromise of your network by an attacker. In this talk, we’ll discuss a few cases where penetration testing showed how these tools can be abused, as well as remediation methods to prevent these attacks from occurring.
Recorded: Dec 11 2019, 40 mins
Presented by
Thomas Richards, Network and Red Team Practice Director
  • Why All Open Source Scans Aren’t Created Equal Feb 20 2020 5:00 pm UTC 58 mins
    Phil Odence & Emmanuel Tournier at Synopsys
    Understanding the risks associated with open source software has become the norm in tech due diligence, but not all approaches are created equal. Are you approaching open source diligence in the most efficient and effective way possible? Do you understand the difference between a point-in-time open source analysis for M&A and ongoing open source management?

    Join us for this live webinar and learn how a purpose-built M&A open source audit differs from open source management tools and why it matters in tech due diligence. We’ll cover:

    • The types of risk around open source software
    • Why depth of analysis matters, and what it results in during M&A diligence
    • Why accuracy, reporting and expert human analysis are keys to thorough diligence

    Don’t miss this informative webinar. Register today.
  • Synopsys Black Duck is now on the VMware Cloud Marketplace Feb 18 2020 6:00 pm UTC 60 mins
    Dave Meurer, Sr. Technical Alliances Manager, Synopsys & Neeharika Palaka, Cloud Services Business Operations Manager, VMware
    The use of open source software is free, but that doesn’t mean it won’t cost you. Many customers have felt the pain of managing open source software due to security, license, and operational risk concerns. Luckily, Black Duck exists to help you automatically identify the open source software in your applications and easily manage these risks early in your development life cycle. Now the question becomes how and where to deploy Black Duck. If you want the world’s most trusted enterprise cloud, VMware is the place for you. We are proud to announce that Synopsys Black Duck is now published on VMware Cloud Marketplace.

    Join experts from Synopsys and VMware as we discuss:
    • The key capabilities of the VMware Cloud Marketplace
    • How Synopsys customers can leverage Black Duck on Marketplace
    • A Black Duck demo, showing the ability to identify and manage all open source software in your applications
  • 5 Steps to Integrate SAST into the DevSecOps Pipeline Feb 12 2020 6:00 pm UTC 60 mins
    Meera Rao, Senior Principal Consultant, Synopsys
    Even software with a solid architecture and design can harbor vulnerabilities, whether due to mistakes or shortcuts. But limited security staff don’t have the resources to perform code reviews and provide remediation guidance on the entire application portfolio. Static analysis, also known as static application security testing (SAST), is an automated way to find bugs, back doors, and other code-based vulnerabilities so the team can mitigate those risks.

    First, though, you must choose a static analysis model that fits your needs. You might have questions such as these:
    - How do I manage false positives?
    - How do I triage the results?
    - What happens to new issues identified?
    - My scan takes hours to complete. How can I use this tool in my DevSecOps pipeline?
    - What is a “baseline scan”?

    Join us as we walk you through the challenges and benefits of integrating a SAST tool into your DevSecOps pipeline and how we’ve helped other organizations with this process.
  • That's Not How This Works Feb 11 2020 6:00 pm UTC 60 mins
    Jonathan Knudsen, Technical Marketing Manager, Synopsys
    Development teams are pressured to push new software out quickly. But with speed comes risk. Anyone can write software, but if you want to create software that is safe, secure, and robust, you need the right process. Register for this webinar to learn:
    - Why traditional approaches to software development usually end in tears and heartburn
    - How a structured approach to secure software development lowers risk for you and your customers
    - Why automation and security testing tools are key components in the implementation of a secure development life cycle
  • How Open Source Made Me a Better Manager Feb 11 2020 10:00 am UTC 60 mins
    Allon Mureinik, Senior Manager
    Management seems like a simple job - you tell people what to do, they do it, rinse, repeat. For bad managers, it really is this simple.

    Good managers do things differently. They let team members affect, if not drive, the team's direction. They allow the best ideas to guide the team's activity, no matter who brings them up. They are not intimidated by non-managers displaying leadership qualities, they encourage them.

    While these sentiments aren't unique to open source, they are the core of open source communities - allowing individuals to exert influence without any official authority. That's why I think working in open source is the best way to learn how to be a good manager, and I'll try to share this concept in my talk.
  • The 2019 Open Source Year in Review Recorded: Jan 23 2020 61 mins
    Mark Radcliffe, Partner at DLA Piper & Tony Decicco, Shareholder, GTC Law Group & Affiliates & Phil Odence, GM, Synopsys
    Gain insights into important legal developments from two of the leading open source legal experts, Mark Radcliffe, partner at DLA Piper and general counsel for the Open Source Initiative, and Tony Decicco, shareholder at GTC Law Group & Affiliates.

    This annual review will highlight the most significant legal developments related to open source software in 2019, including:

    • Evolution of open source: control, sustainability, and politics
    • Litigation update: Cambium and Artifex cases
    • Patents and the open source community
    • Impacts of government sanctions
    • The shift left for compliance and rise of bug bounty programs
    • And much, much more

    Live attendees will earn CLE credit for this webinar. Don’t miss out—register today.

    CLE:
    DLA Piper LLP (US) has been certified by the State Bar of California, the Board on Continuing Legal Education of the Supreme Court of New Jersey, and the New York State Continuing Legal Education Board as an accredited CLE provider.
    The following CLE credit is being sought:
    • California: 1.0 Credit (1.0 General, 0.0 Ethics)
    • New Jersey: 1.2 Credits (1.2 General, 0.0 Professional Responsibility)
    • New York: 1.0 Transitional & Non-Transitional Credit (1.0 Professional Practice, 0.0 Ethics and Professionalism)
    CLE credit will be applied for in other states where DLA Piper has an office with the exception of Minnesota, North Carolina, Pennsylvania, and Puerto Rico.
  • Guide to Application Security: What to Look For and Why Recorded: Jan 22 2020 34 mins
    Utsav Sanghani, Senior Product Manager, Staff, Synopsys; Anna Chiang, Product Marketing Manager, Senior Staff, Synopsys
    If your organization does software development in-house, there are many development workflows and processes to choose from. With all the different AppSec tools available (e.g., SAST, DAST, IAST), how do developers stay productive while ensuring that their code is secure?
    Register for this webinar to learn more about application security and how to leverage it in enterprise application development. You’ll learn:
    - About development workflows and the tools developers need to stay productive
    - How to evaluate different AppSec tools
    - What features to look for in an AppSec tool
  • Best Practices for DevSecOps at Scale Recorded: Jan 21 2020 53 mins
    Andrew van der Stock, Senior Principal Consultant, Managed Services SIG Consulting, Synopsys
    Today’s security professionals and software developers not only have to do more in less time; they have to do it securely. This means mitigating risk and addressing compliance requirements in an environment where:
    - The threat landscape continues to evolve.
    - Application portfolios and their risk profiles continue to shift.
    - Security tools are difficult to deploy, configure, and integrate into workflows.
    - Consumption models continue to change.
    How can your internal resources keep pace in this dynamic environment? Managed application security testing can be just the relief valve your organization needs. In this webinar, we’ll discuss the need for managed application security testing, the sweet spots where it offers maximum value, what you should look for in a managed application security testing provider, and highlights from Synopsys’ Managed Services offering.
  • Mobile Application Hardening: Protecting Business Critical Apps Recorded: Jan 14 2020 63 mins
    Grant Douglas, Mobile Practice Director, Synopsys and Nikola Cucakovic, Senior Security Consultant, Synopsys
    Mobile application security isn’t always super exciting or challenging. But when it comes to application hardening, things get more interesting. These days, some types of applications go out of their way to defend themselves at runtime, including:

    • Financial apps
    • Multiplayer games
    • Apps that feature DRM-protected content
    • Apps with intellectual property

    Such applications often attempt to protect themselves via internally developed controls, as well as commercial products.
    During this talk, we’ll look at some of the typical controls that Android/iOS applications exhibit, how they work, how to spot them, and how to sidestep them. We’ll demonstrate analysis and techniques using free open source tooling such as Radare and Frida, and for some parts, we’ll use IDA Pro. And since “automation” is the buzzword of the year, we’ll discuss how to automate some of these activities, which typically take up most of the assessment window.
  • The State of Open Source in M&A Transactions Recorded: Dec 12 2019 58 mins
    Chris Stafford, Senior Manager, M&A Advisory West Monroe Partners, Paul Cotter, Senior Architect West Monroe Partners
    With extensive experience in M&A, West Monroe Partners is on the front line of tech due diligence, and they’ve seen a few trends emerge when it comes to open source and M&A deals. Buyers and sellers alike need to understand these trends to get the most value out of any transaction.

    Join us for this live webinar to learn what buyers and sellers need to know and how they operate during a transaction. We’ll cover:

    • Why OSS management should fit into a broader security program
    • How (and when) sellers need to prepare for a transaction
    • How buyers are becoming more sophisticated in transactions

    Don’t miss this informative webinar. Register today.
  • Security Tool Misconfiguration and Abuse Recorded: Dec 11 2019 40 mins
    Thomas Richards, Network and Red Team Practice Director
    As an organization matures its security program, it improves its security posture by using tools and techniques to automate processes such as asset management and discovery, patch management, software deployment, and vulnerability discovery. However, if your tools are improperly configured, they can lead to a total compromise of your network by an attacker. In this talk, we’ll discuss a few cases where penetration testing showed how these tools can be abused, as well as remediation methods to prevent these attacks from occurring.
  • Vulnerabilities in Containerized Production Environments Recorded: Dec 10 2019 58 mins
    Tim Mackey, Principal Security Strategist, Synopsys
    With each new technology cycle, we seek to improve both business efficiency and security. Unfortunately, our legacy practices can severely hold us back from achieving the full potential of our new technology stack. When this occurs, organizations with the most valuable data come under attack first.
    In the webinar, Tim Mackey discusses how this paradigm is playing out within financial services organizations moving from a virtual world to a containerized world. He covers how modern applications differ from those of only a few years ago - and how containerization changes our security paradigms.
  • Static Analysis Security Testing (SAST) in CI/CD – why and how Recorded: Dec 5 2019 37 mins
    Shi Chao, Senior Sales Engineering Manager, Synopsys Software Integrity Group
    Traditionally, and often unfortunately, security has been treated as a secondary and isolated process considered only at the end of the software development lifecycle (SDLC). Noble as their intentions are, it can be frustrating to discover security vulnerabilities at such a late stage.

    With the proliferation of the agile development methodology and CI/CD, is it possible to use a static application security testing (SAST) tool to constantly verify code changes and improve application integrity throughout the SDLC?

    In this webinar, we’ll provide insights into the following:
    - What is SAST? Are SAST tools just glorified grep?
    - What can SAST help you do?
    - Where and how do you apply SAST in CI/CD pipeline?
    - What should you consider when choosing a SAST tool?
  • Implementing DevSecOps With Synopsys and CloudBees Recorded: Nov 28 2019 57 mins
    Meera Rao, Synopsys & Jeff Fry, CloudBees
    As many organizations have learned, sometimes the hard way, DevOps transformation is as much about creating a process and adopting a mindset as it is about acquiring the right tools. But organizations creating a DevOps process shouldn’t neglect to implement security into their pipelines. Synopsys and CloudBees aim to deliver the best of both worlds to customers adopting DevOps: CI/CD optimization and application security testing automation.

    Join experts from Synopsys and CloudBees as we discuss:

    • How CloudBees Core™, built on Jenkins®, helps organizations scale CI/CD to a multitude of teams without increasing the administrative burden
    • How to add Synopsys tools Coverity, Black Duck, and Seeker to your pipelines
    • How to leverage the power of Kubernetes with the management of CloudBees Core to orchestrate the use of these tools as part of your SDLC
  • OWASP Top 10 For JavaScript Developers Recorded: Nov 27 2019 66 mins
    Lewis Ardern, Senior Security Consultant, Synopsys
    With the release of the OWASP Top 10 2017, we saw new contenders for the most critical security issues in the web application landscape. Much of the OWASP documentation concerning issues, remediation advice, and code samples focuses on Java, C++, and C#. However, it doesn’t give much attention to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the growing use of Node.js and its libraries and frameworks. This talk will introduce you to the OWASP Top 10 by explaining JavaScript client and server-side vulnerabilities.
  • You’ve Got Your Open Source Audit Report - Now What? Recorded: Nov 14 2019 61 mins
    Tony Decicco & Leon Schwartz, GTC Law, Phil Odence, Synopsys
    Companies’ use of open source software has surpassed the occasional and solidified itself as mainstream. Effectively identifying and managing the compliance and security risks associated with open source software can be a difficult task. Whether you’re acquiring another company, preparing for acquisition or simply wanting to manage the use of open source, the universal first step is to figure out the composition of the code, often via an audit. But what do you do once you have the audit report?

    Join us for this live webinar to learn best practices before and after an open source audit. We’ll cover how to:

    • Select and prepare the code base
    • Get the most out of an audit
    • Implement a third-party software policy
    • And more

    Don’t miss this informative webinar. Register today.
  • Implementing DevSecOps With Synopsys and CloudBees Recorded: Nov 12 2019 62 mins
    Meera Rao, Synopsys & Jeff Fry, CloudBees
    As many organizations have learned, sometimes the hard way, DevOps transformation is as much about creating a process and adopting a mindset as it is about acquiring the right tools. But organizations creating a DevOps process shouldn’t neglect to implement security into their pipelines. Synopsys and CloudBees aim to deliver the best of both worlds to customers adopting DevOps: CI/CD optimization and application security testing automation.

    Join experts from Synopsys and CloudBees as we discuss:
    • How CloudBees Core™, built on Jenkins®, helps organizations scale CI/CD to a multitude of teams without increasing the administrative burden
    • How to add Synopsys tools Coverity, Black Duck, and Seeker to your pipelines
    • How to leverage the power of Kubernetes with the management of CloudBees Core to orchestrate the use of these tools as part of your SDLC
  • BSIMM10: A Decade of Software Security Science Recorded: Nov 7 2019 43 mins
    Drew Kilbourne, Managing Director, Synopsys
    The Building Security In Maturity Model (BSIMM) is a data-driven model developed through the analysis of software security initiatives (SSIs), also known as application/product security programs. Register for this webinar to learn what 122 organizations in eight industry verticals are doing to improve their software security efforts. We’ll discuss:
    - How organizations are building their software security initiatives
    - How DevOps is affecting the way organizations perform software security
    - How emerging engineering-driven security cultures are changing approaches to software security
  • 5 Ways to Risk Ranking Your Vulnerabilities Recorded: Nov 6 2019 26 mins
    Nivedita Murthy, Security Consultant, Synopsys Software Integrity Group
    Vulnerabilities are an inevitable part of software development and management. Whether they’re in open source or custom code, new vulnerabilities will be discovered as a codebase ages. As stated in the 2019 Open Source Security and Risk Analysis report, 60% of the codebases audited in 2018 contained at least one known vulnerability. As the number of disclosures, patches, and updates grows, security professionals must decide which critical items to address immediately and which items to defer.
    Register for this webinar to learn best practices in vulnerability management. You’ll learn:
    - Methods for determining which applications are most attractive to attackers and which pose the greatest risk
    - Ways to assess the risk associated with a disclosed open source vulnerability
    - Strategies to minimize the impact of open source security vulnerabilities when you can’t fix them immediately
  • Do Design Quality and Code Quality Matter in M&A Tech Due Diligence? Recorded: Oct 24 2019 47 mins
    Phil Odence, GM, Synopsys & Daniel Sturtevant, CEO and Co-founder, Silverthread
    (Spoiler alert: Yes.)

    In an acquisition where a software asset is a core part of the deal valuation, it’s important to understand the overall quality of the software before doing the deal. Buggy software is problematic and needs to be cleaned up, so assessing code quality is important. But also, with poorly designed software, every fix is costly, laborious, and risky. The cost of fixes can significantly affect the long-term technical and economic viability of the application, and maintaining the software can seriously degrade ROI. That’s why understanding a software system’s design and architectural health and the likely “cost of ownership” is key.

    Join us for this live webinar to learn how to paint a complete picture of the technical quality of software to avoid buyer’s remorse post-close. We’ll cover:

    • The dimensions of technical due diligence
    • The difference between design quality and code quality
    • How software architecture can have a long-term impact
    • What to look for in software design and code quality audits

    Don’t miss this informative webinar. Register today.
  • Title: Security Tool Misconfiguration and Abuse
  • Live at: Dec 11 2019 8:00 am
  • Presented by: Thomas Richards, Network and Red Team Practice Director