Best Practices for Faster IV&V and Acceptance Testing in Defense Programs
Time pressure, the never-ending need for more secure software, and design reuse from multiple sources have fundamentally changed the way IV&V operates.
Multiple tools are needed to determine the quality and security of an application in terms of custom code as well as open source. A full picture of CWEs and a software bill of materials with any known CVEs are both critical in providing authorization for changes in software to operate on a DOD network or weapon system.
Key technologies such as static application security testing (SAST) and software composition analysis (SCA) help auditors deliver actionable reports to the proper decision-makers.
Join Joe Jarzombek (USAF Lt. Col., retired) as he discusses means for successfully deploying best practices for IV&V. He will cover how:
- Deploying static analysis that maps actionable results to the appropriate coding standard, with low false positives, drives a better overall decision process.
- Delivering a software bill of materials of the open source used, the license requirements, the known security risk, and operational risk is a key and often overlooked factor.
- Ongoing monitoring for new issues found in deployed open source is rarely done, yet very important.
Don’t miss this informative webinar. Register today.
Recorded Aug 13 2020, 49 mins
Mark Radcliffe, Partner at DLA Piper & Tony Decicco, Shareholder, GTC Law Group & Affiliates & Phil Odence, GM, Synopsys
Gain insights into important legal developments from two of the leading open source legal experts, Mark Radcliffe, partner at DLA Piper and general counsel for the Open Source Initiative, and Tony Decicco, shareholder at GTC Law Group & Affiliates.
This annual review will highlight the most significant legal developments related to open source software in 2020.
Ben Landry, Assistant General Counsel, Health Catalyst, Inc.
Whether you sit on the buy-side or sell-side of an M&A transaction, open source use in the software development process introduces legal and security risks into the deal. There are a number of key considerations to be aware of to minimize risk through the M&A due diligence process.
Join this live Synopsys webinar to get practical advice on preparing for tech due diligence from an in-house attorney with experience on both sides of the transaction. We’ll cover:
• When and how to invest in open source diligence
• How to manage open source and prepare for a sale
• How Covid has impacted the due diligence process
Don’t miss this informative webinar. Register today.
Anthony Decicco, Shareholder, GTC Law Group & Affiliates
If you offer a product via a software-as-a-service (SaaS) model, you may have heard that some of the most common open source licenses, while being potentially quite problematic for distributed software, may give a "free pass” to SaaS applications. Are you required to adhere to open source license obligations in a SaaS model?
Join us for this live Synopsys webinar to learn how to address open source software use in a SaaS model. We’ll cover:
- The legal considerations around open source license compliance
- How security impacts open source software in a SaaS application
- The operational and strategic pitfalls to avoid
- The impact on financing, M&A and IPO due diligence
Don’t miss this informative webinar. Register today.
Lisa Bryngelson, Senior Product Manager at Synopsys
Organizations across every industry increasingly rely on open source software to form the foundation of the products and technologies they deliver to the market. So you can assume that the third-party commercial software you depend on from supply chain partners and outsourcers also uses open source as its backbone. The challenge is deciding whether to trust that your vendors are managing potential open source security vulnerabilities proactively or to verify for yourself that the open source embedded in the software you procure remains up to date and secure. The latter, what we refer to as “trust but verify,” requires tools that can look inside compiled binaries to ensure the whole of your application is secure.
Join Lisa Bryngelson, senior product manager at Synopsys, as she pulls back the covers on how Black Duck tackles binary scanning. In this webinar, she’ll discuss:
· Binary scanning basics and best practices
· How binary scanning works
· The different types of binary scanning and identification techniques
· The challenges in detecting specific components or versions
· How developers can make it easier for scanners to produce accurate and precise results
So you’ve decided (or been told) that you need to implement SAST in your software development process. But SAST is not a one-size-fits-all solution, and implementation often requires a compromise between technology, time, process, and people—especially people. In this webinar, we’ll look at common objections and pitfalls that you might encounter along the way.
• What you should look for in a tool
• Considerations for implementing SAST
• Importance of the process (getting a good return on your investment)
• High-quality and more secure software
Eli Erlikhman, Managing Principal, Synopsys SIG and Chai Bhat, Sr. Product Marketing Manager, Synopsys SIG
With the emergence of COVID-19, the workforce is more dispersed and far from the secure enterprise environments that they were accustomed to working in. Malicious hackers are seizing the opportunity provided by a much larger and more vulnerable attack surface to launch even more sophisticated attacks. A solid foundation of software security initiatives (SSIs) derived from the best practices of best-of-breed organizations is more important now than ever before.
The Building Security in Maturity Model (BSIMM) provides just that—it’s a study of existing SSIs. By quantifying the practices of many different organizations, the BSIMM describes the common ground shared by many, as well as the variations that make each unique.
In this Synopsys webinar, you will learn:
• Engineering-led vs. software security group-led SSIs
• “Shift left” becoming “shift everywhere”
• What leading organizations are doing to address application security
Chandu Ketkar, Director Security Architecture Practice at Synopsys and Himanshu Tiwari, Managing Consultant at Synopsys
What differentiates a highly mature threat modeling program from a less mature program? How do companies get started with threat modeling? What does the journey to higher levels of maturity look like? What are the key anchors of building the threat modeling capability?
Join our talk as we share what we've learned through the years working with clients. Find out how companies evolve their threat modeling programs and maturity.
Most security issues are triggered by misuse—and there are an infinite number of ways to misuse a system. Given that you don’t have an infinite amount of time to test for security issues, how will you know when a product is safe enough to ship or deploy? After you’ve analyzed the source code, the next step is to test its dynamic behavior using invalid input testing (fuzzing) that closely imitates what a hacker would do. Fuzzing provides a final test-run before rolling out to avoid costly bug fixes and product recalls.
Network devices must be able to handle malicious inputs on their interfaces and protocols. Defensics is a model-based stateful protocol fuzzer that is based on popular specifications and has millions of malformed inputs to cover misuse cases that can trigger critical unknown vulnerabilities.
Join us as we discuss the importance of fuzzing for network protocols and address its use cases:
Development. Complement SAST methods by integrating fuzzing into CI/CD
Quality assurance. Perform QA with enhanced test coverage in a manageable time
Security. Uncover zero-day and unknown vulnerabilities before they turn costly
Procurement. Ensure robustness, quality, and security of software and devices before introducing them into an IT/lab environment
Meera Rao, Senior Director Product Management and Ainsley Braun, Product Director, Synopsys
The challenges the industry faces and how we can help support them.
Diversity is an ongoing priority - and challenge - for many organisations, especially in the technology space. Research has proven that diversity on a team brings unique benefits, including new perspectives and innovative solutions. These, in turn, contribute to a stronger overall company.
And yet, in many companies around the world, achieving a diverse workforce is still more aspiration than reality. For instance, despite having International Women’s Day and conversations around gender and sexual-orientation diversity, women and LGBTQ+ individuals remain underrepresented in most companies.
This webinar focuses on the challenges of diversity within the cybersecurity industry, and what steps companies can take to overcome them. This boils down to recruiting more women, LGBTQ+ individuals, and minorities in terms of race, religion, ethnicity, and even age. Level pay, investing in diverse talent, and empowering voices within a company’s culture all play important roles, as well.
Join us for this vital webinar to learn how you can promote opportunity for all in your organisation.
Ashutosh Kumar, Product Marketing Manager, Staff, Synopsys; James Croall, Director, Technical Product Management at Synopsys
As part of your DevSecOps strategy, it’s important to implement security tools that help your developers and don’t slow them down. Coverity static application security testing (SAST) provides a developer-centric approach to security testing that aids adoption and helps your development teams write high-quality secure code, without having to be security experts. With SAST tools such as Coverity, developers can get early feedback and identify security issues as they code within their IDE. Coverity can also be seamlessly integrated into different stages of your CI/CD pipelines, which can help automate SAST scans for your needs.
In this webinar, we’ll cover:
- Evolving developer needs and best practices for AppSec integration into development workflows
- How Coverity helps developers get early feedback on security and quality issues in their code with our Code Sight IDE plugin and integrated eLearning courses
- How Coverity can be seamlessly integrated into your CI/CD pipeline to automatically trigger scans with every pull request, serve as a security gate on the build server, create issue tickets, and more
Patrick Carey, Director Product Marketing, Synopsys and Dave Gruber, Senior Analyst, Enterprise Strategy Group
A recent study by Enterprise Strategy Group, commissioned by Synopsys, revealed that nearly half of the cybersecurity and development professionals surveyed indicate that their organization knowingly pushes vulnerable code into production due to time pressures. In every sector, development and security teams grapple with the competing demands of development velocity and application security.
In this webinar, we speak with the study’s author, ESG Senior Analyst, Dave Gruber, about how organizations are working to build security into their development toolchains and processes. Highlights include:
- Why many organizations’ AppSec programs aren’t as effective as they think.
- Key attributes of the most successful AppSec programs.
- Trends and challenges organizations are facing in implementing their AppSec programs.
- How organizations are working to improve AppSec ROI while simplifying deployments.
Miriam Ballhausen, Bird & Bird & Matt Jacobs, Synopsys
Free and Open Source software is meant to be used and shared, but you must comply with the license obligations. If licensees fail to do so, there may be legal consequences, including license enforcement actions. But what does open source license enforcement mean in practice?
Join this live webinar to get an overview of the risks and enforcement of Free and Open Source Licenses. We’ll cover:
• Understanding the Free and Open Source License landscape
• What companies should look out for (and how tools may help)
• Strategies for protecting against enforcement
Don’t miss this informative webinar. Register today.
In today’s fast-paced world, everything needs to move quickly—including development. But organizations can’t compromise on security while delivering products in rapid succession. Modern static application security testing (SAST) tools address this urgent need to identify and secure applications without impacting production timelines. In this session, you’ll learn how to integrate SAST tools into the SDLC and discover the options available to customize and optimize them for time-sensitive results. You’ll also learn about common pitfalls and mistakes made while trying to integrate SAST tools into an automation process and DevSecOps. You’ll come away with a better understanding of how to reach a mature and secure software development life cycle and how to use SAST tools effectively in such environments.
Jonathan Knudsen, Technical Marketing Manager, Synopsys
One challenge of fuzzing is figuring out which malformed inputs (test cases) to use. Generational (or model-based) fuzzing tools use a detailed data model to generate high quality test cases. Because test cases are mostly correct, they traverse a variety of control paths and can drive the target software into a variety of states before “detonating” with a carefully placed anomaly.
Defensics is a generational fuzzer with over 250 test suites for a wide variety of network protocols and file formats. But what if you need to fuzz something with no corresponding test suite? For proprietary protocols and other specialized fuzzing needs, the Defensics SDK enables you to apply the power of Defensics to any data model you wish.
This presentation outlines the capabilities of the Defensics SDK and shows how data models and semantics can be defined in code, allowing you to fuzz any type of software in any context.
Simon King, VP Solutions, Synopsys Software Integrity Group
DevOps and Agile development teams work iteratively to deliver customer value faster. They accelerate productivity with external software such as open-source, and external infrastructure such as cloud and containers. But this increases the threat surface and potential security risk. This leads to using more security tools, and complexity associated with managing test results and governance.
Join Simon King from Synopsys on this journey enabling teams to see the larger security picture – transparently – enhancing the tools you already use.
In this session you’ll learn about:
- The challenges associated with managing test execution with multiple tools.
- The opportunities to streamline communication between teams when coordinating triage and issue remediation.
- How to make app sec “invisible” to the development team inside your existing CI/CD toolchain.
- How to manage continuous improvement in risk posture
Tobias Mccurry, Senior Security Consultant, Synopsys Software Integrity Group
We all put a lot of trust in the applications we use to chat with other people. Have you ever wondered what your chat application is doing in the background? How is it storing the messages or pictures you send? You are required to log in to send and receive messages… or are you? Come see how some of the most popular chat clients send data and whether anyone else could see this data.
We’ll begin with the underlying issue of Cross-Origin Resource Sharing (CORS) and how, if it is misconfigured, data could be leaked without the user knowing. I’ll cover in detail how each client handles messages between clients. Three of the most popular clients were tested to see how well they handle the data transactions.
Meera Rao at Synopsys, Cojan Van Ballegooijen at CloudBees & Rania Mohamed at Google Cloud
DevOps enables you to release features and bug fixes faster than ever. But, can security keep up? Instead of waiting to fix security vulnerabilities, treat them like any other bug within your DevOps process. This allows you to reduce DevSecOps friction, increase release velocity, improve quality and facilitate collaborative change - just to name a few.
This webinar will cover how your DevOps strategy can best include security with Synopsys, CloudBees and Google. You’ll learn more about:
• Integrating the right tools in your DevOps pipeline
• How Google Cloud Platform (GCP) improves your security posture
• Beginning your DevSecOps journey with CloudBees CI and easy procurement through the GCP Marketplace
• The field point of view from Synopsys on CloudBees CI + GCP = secure pipelines
Shandra Gemmiti, Product Marketing Manager at Synopsys and Mike McGuire, Product Marketing Manager at Synopsys
Open source is a great foundation for modern software development, but when left unmanaged, it exposes you to security risks. In the upcoming webinar “What the 2020 OSSRA Report Means for Your Security Team,” we’ll explore the findings of our 2020 Open Source Security and Risk Analysis report and what that means to teams like yours. Specific topics include:
· Why you need an accurate inventory of open source components
· How to prioritize the vulnerabilities to fix
· Where to integrate testing into your SDLC
Join us and together we’ll harness the power of open source without sacrificing the security of your applications.
Static application security testing (SAST) is critical for uncovering and eliminating issues in proprietary code. However, over 60% of the code in an average application today is composed of open source components. SAST isn’t designed to find open source vulnerabilities (CVEs) or identify open source licenses. And manually maintaining a repository of approved open source components for developers is inefficient and time consuming. That’s where software composition analysis (SCA) comes in.
Join Utsav Sanghani, product manager, as he explores the benefits of bringing SAST and SCA together. He’ll explain why using an SCA tool to scan open source dependencies is as imperative to a software development strategy as using SAST to test proprietary code. He’ll also demonstrate how developers, by combining SAST and SCA analysis in the IDE, can address issues holistically as they code, saving time and increasing productivity so they can deliver secure, high-quality software faster.
Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.
Presenter, Best Practices for Faster IV&V and Acceptance Testing in Defense Programs: Joe Jarzombek, Director for Government & Critical Infrastructure Programs (49 mins)