
Q&A Edition: Web Application Security Testing, the Challenges of DAST and Manual Testing and How to Solve Them (Introducing IAST)

IAST is a new approach that builds security testing into CI/CD and DevOps processes, as an alternative to DAST and vulnerability assessments.
We held an IAST seminar in May and received a great many questions, but unfortunately, due to time constraints, we were unable to answer all of them.

We will therefore hold a session in which we answer the questions we received and deepen your understanding of IAST. Those who could not attend the previous seminar are also welcome to join. We will also briefly introduce the features added in the recently released latest version, 2020.06.

Main questions
- Why IAST (Seeker) produces fewer false positives than DAST
- Whether paid services are required to make full use of IAST
- How much detail is visible, such as the source-code line of a detected defect
- Additional live Q&A on the day

* The previous seminar is available as a recording (about 60 minutes) that you can view at any time. We encourage you to review it in advance.
The presentation slides (PDF) can be downloaded from the Attachments below the presentation screen.
https://www.brighttalk.com/webcast/13983/402408
Recorded Jun 19 2020 60 mins
Presented by
川原翔, Senior Sales Engineer, Software Integrity Group, 日本シノプシス合同会社 (Synopsys Japan G.K.)
  • Under Pressure – Building Security into Application Development Sep 30 2020 5:30 pm UTC 60 mins
    Patrick Carey, Director Product Marketing, Synopsys and Dave Gruber, Senior Analyst, Enterprise Strategy Group
    A recent study by Enterprise Strategy Group, commissioned by Synopsys, revealed that nearly half of the cybersecurity and development professionals surveyed indicate that their organization knowingly pushes vulnerable code into production due to time pressures. In every sector, development and security teams grapple with the competing demands of development velocity and application security.

    In this webinar, we speak with the study’s author, ESG Senior Analyst, Dave Gruber, about how organizations are working to build security into their development toolchains and processes. Highlights include:

    - Why many organizations’ AppSec programs aren’t as effective as they think.

    - Key attributes of the most successful AppSec programs.

    - Trends and challenges organizations are facing in implementing their AppSec programs.

    - How organizations are working to improve AppSec ROI while simplifying deployments.
  • Free and Open Source License Enforcement and Compliance Sep 30 2020 4:00 pm UTC 60 mins
    Miriam Ballhausen, Bird & Bird & Matt Jacobs, Synopsys
    Free and Open Source Licenses are enforced by copyright owners globally, but by far most frequently in Germany. Overall, approximately 100 enforcement claims are initiated against companies. Global players may be targeted just as likely as SMEs. But how is that even possible, if Free and Open Source Licenses allow everyone to do everything with the code they apply to? And what does enforcement mean in practice? This talk will give a brief overview of the legal background to set the scene for a look into how enforcement works (at least in Germany). It will then lay out the aspects that companies should look out for, how tooling may help both on the claimant’s and the defendant’s side, and how companies may protect themselves against enforcement.
  • Reduce DevSecOps Friction with Synopsys, CloudBees and Google Cloud Aug 27 2020 12:30 pm UTC 60 mins
    Meera Rao at Synopsys, Cojan Van Ballegooijen at CloudBees & Rania Mohamed at Google Cloud
    DevOps enables you to release features and bug fixes faster than ever. But, can security keep up? Instead of waiting to fix security vulnerabilities, treat them like any other bug within your DevOps process. This allows you to reduce DevSecOps friction, increase release velocity, improve quality and facilitate collaborative change - just to name a few.

    This webinar will cover how your DevOps strategy can best include security with Synopsys, CloudBees and Google. You’ll learn more about:
    • Integrating the right tools in your DevOps pipeline
    • How Google Cloud Platform (GCP) improves your security posture
    • Beginning your DevSecOps journey with CloudBees CI and easy procurement through the GCP Marketplace
    • The field point of view from Synopsys on CloudBees CI + GCP = secure pipelines
  • What the 2020 OSSRA Report Means for Your Security Teams Aug 25 2020 3:00 pm UTC 60 mins
    Shandra Gemmiti, Product Marketing Manager at Synopsys and Mike McGuire, Product Marketing Manager at Synopsys
    Open source is a great foundation for modern software development, but when left unmanaged, it exposes you to security risks. In the upcoming webinar “What the 2020 OSSRA Report Means for Your Security Team,” we’ll explore the findings of our 2020 Open Source Security and Risk Analysis report and what that means to teams like yours. Specific topics include:

    · Why you need an accurate inventory of open source components

    · How to prioritize the vulnerabilities to fix

    · Where to integrate testing into your SDLC

    Join us and together we’ll harness the power of open source without sacrificing the security of your applications.
  • Why SAST and SCA Together Are Better, Faster, Stronger Aug 25 2020 6:00 am UTC 42 mins
    Utsav Sanghani, Senior Product Manager, Staff, Synopsys
    Static application security testing (SAST) is critical for uncovering and eliminating issues in proprietary code. However, over 60% of the code in an average application today is composed of open source components. SAST isn’t designed to find open source vulnerabilities (CVEs) or identify open source licenses. And manually maintaining a repository of approved open source components for developers is inefficient and time consuming. That’s where software composition analysis (SCA) comes in.

    Join Utsav Sanghani, product manager, as he explores the benefits of bringing SAST and SCA together. He’ll explain why using an SCA tool to scan open source dependencies is as imperative to a software development strategy as using SAST to test proprietary code. He’ll also demonstrate how developers, by combining SAST and SCA analysis in the IDE, can address issues holistically as they code, saving time and increasing productivity so they can deliver secure, high-quality software faster.
  • OpenChain - Reducing Risk and Friction in the Supply Chain Aug 20 2020 4:00 pm UTC 60 mins
    Andrew Katz, Moorcrofts & Matt Jacobs, Synopsys
    OpenChain standardizes license compliance requirements around the use of open source software in the supply chain. Customers purchasing from an OpenChain compliant company know that the software has been developed in line with a set of documented and tested procedures and that all the relevant meta data (SBOMs and compliance notices) is available. So what does that mean for you?

    Join us for a live webinar to learn why companies like Scania (Volkswagen group), Cisco, ARM, Facebook, Uber, Google, Microsoft, Sony and Qualcomm rely on OpenChain. We’ll cover:

    • The history of OpenChain, steps to compliance and overall benefits
    • How OpenChain scales, and works for companies large and small
    • What happens when the 2.1 specification becomes an ISO standard in September 2020

    Don’t miss this informative webinar. Register today.
  • The DoS goes loop-di-loop Aug 13 2020 3:30 pm UTC 50 mins
    Allon Mureinik, Senior Manager, Synopsys
    Do you know the common ways Node.js applications may be vulnerable to denial-of-service attacks?

    The single-threaded nature of Node.js makes it very susceptible to DoS attacks. While the Node.js event loop allows you to perform some operations asynchronously, it’s still quite easy to write a vulnerable Node.js application by making a few simple mistakes.

    In this talk, Allon will cover some common ways a Node.js application may be vulnerable to DoS attacks and some common best practices and countermeasures to defend against such attacks.
  • Threat Modeling: A Synopsys Approach Aug 12 2020 1:00 pm UTC 60 mins
    Chandu Ketkar, Senior Consultant and Andre Joseph, Consultant at Synopsys
    Including threat modeling early in the software development process can ensure your organization is building security into your applications. For applications that are further along in development or currently launched, it can help you pinpoint the need for additional security testing.
    Threat modeling identifies the types of threats that are applicable in the context of the application and its environment. Knowledge of such threats, along with their likelihood and impact, enables us to secure our design in anticipation, identify security requirements early, and inform downstream security testing.

    There are many threat modeling approaches out there. In this webinar, we provide insights into Synopsys’ threat modeling approach, which has evolved as we’ve conducted threat assessments for various types of applications for our clients.
  • The State of Open Source with Synopsys and Red Hat Aug 11 2020 5:00 pm UTC 60 mins
    Tim Mackey, Principal Security Strategist at Synopsys & Gordon Haff, Technology Evangelist at Red Hat
    The adoption of open source continues to grow rapidly, both in market share and in its strategic importance to businesses. Understanding how organizations use open source and do so in a way that minimizes risk is therefore essential to both an overall IT strategy and cyber security response plans. These are among the topics we’ll investigate in this joint webinar from Red Hat and Synopsys. Drawing from Red Hat’s “The State of Enterprise Open Source” report, technology evangelist Gordon Haff will explain why IT decision makers value open source so highly and the processes that commercial open source vendors put in place to protect their customers from vulnerabilities.

    At the same time, changing development practices and escalating threats mean that security remains a concern with respect to open source software, as it is for IT more broadly. Tim Mackey, Principal Security Strategist from Synopsys will walk through findings from the Synopsys “2020 Open Source Security and Risk Analysis” report with an eye on how teams can use the data to inform their overall open source governance plans.

    We’ll close with some practical advice about getting the most value from open source software while keeping your organization safe.
  • 5 Steps to Integrate SAST into the DevSecOps Pipeline Recorded: Aug 5 2020 60 mins
    Meera Rao, Senior Director Product Management, Synopsys
    Even software with a solid architecture and design can harbor vulnerabilities, whether due to mistakes or shortcuts. But limited security staff don’t have the resources to perform code reviews and provide remediation guidance on the entire application portfolio. Static analysis, also known as static application security testing (SAST), is an automated way to find bugs, back doors, and other code-based vulnerabilities so the team can mitigate those risks.

    First, though, you must choose a static analysis model that fits your needs. You might have questions such as these:
    - How do I manage false positives?
    - How do I triage the results?
    - What happens to new issues identified?
    - My scan takes hours to complete. How can I use this tool in my DevSecOps pipeline?
    - What is a “baseline scan”?

    Join us as we walk you through the challenges and benefits of integrating a SAST tool into your DevSecOps pipeline and how we’ve helped other organizations with this process.
  • Developing a COVID-19 track and trace app – through the lens of Synopsys Recorded: Jul 30 2020 45 mins
    Ian Ashworth and Bhavin Shah
    Adversaries continuously evolve their behaviours and defenders must respond accordingly. Governments around the world are striving to supplement manual tracing efforts with the adoption of a "Track and Trace" mobile application to help prevent further spread of COVID-19 and regain healthy levels of economic activity. In this short interactive session, Synopsys will discuss the topic as seen through their "security eyes" and with some key takeaways:

    • How to develop applications at speed and remain security-aware?
    • What security measures are considered essential when building any mobile application?
    • Where is your data being recorded and used? Does this feel too much like Big Brother is watching your every move?
    • How can Synopsys support you through your own software development lifecycle?

    This session will run for 35 minutes followed by a 10-minute Q&A session.
  • Your Developers Aren’t Security Experts - But They Can Be With the Right Tools Recorded: Jul 30 2020 51 mins
    Patrick Carey, Director Product Marketing, Synopsys and Sandy Carielli, Principal Analyst, Forrester Research, Inc.
    Securing your applications is critical, but maintaining release velocity and developer productivity is just as important. Let’s face it: Developers aren’t security experts. They unwittingly introduce security weaknesses and vulnerable open source components into your applications, and they’re ultimately responsible for fixing any issues that surface. But what if you could equip developers with the tools and information they need to prevent security issues from ever making it into your codebase, without creating unnecessary friction or slowing them down?

    Join guest presenter Sandy Carielli, Principal Analyst, Forrester Research, Inc., and Patrick Carey, Synopsys, as they discuss the benefits of IDE-based security testing and the role developers can play in securing your applications.
  • Software Is Manufacturing Recorded: Jul 29 2020 43 mins
    Jonathan Knudsen, Technical Marketing Manager, Synopsys
    Modern software is assembled rather than written. Developers usually select third-party open source software components that provide useful chunks of functionality, then write some code to glue everything together into a complete product. Each software component carries its own risk, which means that managing the supply chain of components is crucial to minimizing overall risk.
    Software components carry three types of risk. Known vulnerabilities in software components can be directly absorbed in a software product. Component licenses can be incompatible with a product’s license model. Finally, components can present operational risks.
    Left unchecked, software supply chain risks can result in consequences that range from irritating to catastrophic. All product development processes should include automated software supply chain management integrated into the development toolchain.
    This webinar describes the current landscape of open source adoption and shows how managing the software supply chain results in products that are safer, more secure, and lower risk.
  • Binary Scanning 101: Pulling back the covers on binaries Recorded: Jul 28 2020 62 mins
    Lisa Bryngelson, Senior Product Manager at Synopsys
    Organizations across every industry increasingly rely on open source software to form the foundation of the products and technologies they deliver to the market. So you can assume that the third-party commercial software you depend on from supply chain partners and outsourcers also uses open source as its backbone. The challenge is deciding whether to trust that your vendors are managing potential open source security vulnerabilities proactively or to verify for yourself that the open source embedded in the software you procure remains up to date and secure. The latter, what we refer to as “trust but verify,” requires tools that can look inside compiled binaries to ensure the whole of your application is secure.

    Join Lisa Bryngelson, senior product manager at Synopsys, as she pulls back the covers on how Black Duck tackles binary scanning. In this webinar, she’ll discuss:

    · Binary scanning basics and best practices

    · How binary scanning works

    · The different types of binary scanning and identification techniques

    · The challenges in detecting specific components or versions

    · How developers can make it easier for scanners to produce accurate and precise results
  • Secure your "Dev" and "Ops" Pipeline with Synopsys and Red Hat Recorded: Jul 28 2020 57 mins
    Gautam Baghel, Global Technical Alliances, Synopsys and Dave Meurer, Partner Solutions Architect
    Synopsys and Red Hat team up once again to bring you the best in class solution to secure your "Dev" & "Ops" pipeline without compromising speed. Red Hat Openshift's secure-by-design platform provides operations teams with an out of the box secure Kubernetes deployment and Synopsys application security tools ensure development teams build secure applications and images with high quality. Combining the capabilities of Red Hat and Synopsys together is key in making sure that deployed applications are less susceptible to attacks.

    Join the experts from Red Hat and Synopsys as they present and demonstrate:
    * Augmenting Red Hat's secure-by-design OpenShift platform
    * Consolidating Containerized Application Security Perspectives
    * Integrating Synopsys’ Application Security testing (AST) solutions into Tekton-based OpenShift Pipelines
    * Application and Host Container Security with CoreOS, Quay & Black Duck
    * Reducing false positives by combining Security feeds with OVAL, RHSA and BDSA
  • Crafting Reps and Warranties to Reduce Open Source Risk in M&A Transactions Recorded: Jul 23 2020 46 mins
    Danny Ogburn & Matt Jacobs at Synopsys
    Synopsys is an active acquirer with more than 80 deals over the last 33 years. In addition to having a thorough tech due diligence process, we structure our M&A agreements to minimize license, security, and code quality risks in the software we’re acquiring. We’re offering a peek at our approach.

    Join us for this live webinar as we talk through how to minimize risk and maximize value with every transaction. We’ll cover:

    · The use of open source in targets’ offerings

    · Ensuring intellectual property value

    · Protecting against known vulnerabilities in open source components

    · Other elements of security and code quality

    · How software audits help inform reps and warranties

    Don’t miss this informational webinar. Register today.
  • Implementing SAST into your SDLC: What to look for & what to consider Recorded: Jul 22 2020 51 mins
    Rob Haines, Senior Sales Engineer, Synopsys
    So you’ve decided (or been told) that you need to implement SAST in your software development process. But SAST is not a one-size-fits-all solution, and implementation often requires a compromise between technology, time, process, and people—especially people. In this webinar, we’ll look at common objections and pitfalls that you might encounter along the way.

    We'll cover:
    • What you should look for in a tool
    • Considerations for implementing SAST
    • Importance of the process (getting a good return on your investment)
    • High-quality and more secure software
  • Remote Security Testing & Training: Busting Myths and Offering Solutions Recorded: Jul 15 2020 62 mins
    Sandesh Mysore Anand, Managing Consultant at Synopsys and Rakshitha R Rao, Security Consultant at Synopsys
    While digital transformation and BYOD have allowed many IT activities to occur remotely, many enterprises still prefer to perform security testing on-site. Concerns about data security, network/application accessibility, assessment quality and project management have discouraged teams from making the leap. In this webinar, we leverage lessons learned from many years of delivering Managed Application Security Services to provide guidelines on addressing these concerns and offer solutions on how to conduct remote security testing and security training.
  • Secure Automotive Software Development in the Age of ISO/SAE 21434 Recorded: Jul 15 2020 72 mins
    Dr. Dennis Kengo Oka, Principal Automotive Security Strategist, Synopsys
    Modern vehicles run on software containing more than 150 million lines of code. As a result of more advanced safety-relevant functionality, such as ADAS and autonomous driving, as well as new communication interfaces, mobile apps, and back-end servers based on connected car use cases, the need for developing secure systems in the automotive industry is higher than ever. A draft of the new cyber security standard ISO/SAE 21434 was recently released to help automotive companies address cyber security for the entire vehicle life cycle.

    This talk presents cyber security activities in the software development process based on ISO/SAE 21434 to help automotive companies develop more secure systems. We’ll provide examples of what is required from a resources and tools perspective to ensure an efficient and practical implementation of the various cyber security steps in the development process.
Build secure, high-quality software faster.
Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.

  • Title: Q&A Edition: Web Application Security Testing, the Challenges of DAST and Manual Testing and How to Solve Them (Introducing IAST)
  • Live at: Jun 19 2020 7:00 am
  • Presented by: 川原翔, Senior Sales Engineer, Software Integrity Group, 日本シノプシス合同会社 (Synopsys Japan G.K.)