Crafting Reps and Warranties to Reduce Open Source Risk in M&A Transactions
Synopsys is an active acquirer with more than 80 deals over the last 33 years. In addition to having a thorough tech due diligence process, we structure our M&A agreements to minimize license, security, and code quality risks in the software we’re acquiring. We’re offering a peek at our approach.
Join us for this live webinar as we talk through how to minimize risk and maximize value with every transaction. We’ll cover:
· The use of open source in targets’ offerings
· Ensuring intellectual property value
· Protecting against known vulnerabilities in open source components
· Other elements of security and code quality
· How software audits help inform reps and warranties
Don’t miss this informational webinar. Register today.
Recorded Jul 23 2020, 46 mins
Eli Erlikhman, Managing Principal, Synopsys SIG and Chai Bhat, Sr. Product Marketing Manager, Synopsys SIG
With the emergence of COVID-19, the workforce is more dispersed and far from the secure enterprise environments that they were accustomed to working in. Bad hackers are seizing the opportunity provided by a much larger and vulnerability-prone attack surface to launch even more highly sophisticated attacks. A solid foundation of Software Security Initiatives (SSIs) derived from the best practices of best-of-breed organizations is more important now than ever before.
The Building Security in Maturity Model (BSIMM) provides just that: it is a study of existing SSIs. By quantifying the practices of many different organizations, BSIMM describes the common ground shared by many as well as the variations that make each unique.
In this Synopsys webinar, you will learn about:
• Engineering-led vs. Software Security Group-led SSIs
• “Shift left” is becoming “shift everywhere”
• What leading organizations are doing to address application security
Meera Rao, Senior Director Product Management and Ainsley Braun, Product Director, Synopsys
The challenges the industry faces and how we can help support them.
Diversity is an ongoing priority - and challenge - for many organisations, especially in the technology space. Research has proven that diversity on a team brings unique benefits, including new perspectives and innovative solutions. These, in turn, contribute to a stronger overall company.
And yet, in many companies around the world, achieving a diverse workforce is still more aspiration than reality. For instance, despite having International Women’s Day and conversations around gender and sexual-orientation diversity, women and LGBTQ+ individuals remain underrepresented in most companies.
This webinar focuses on the challenges of diversity within the cybersecurity industry, and what steps companies can take to overcome them. This boils down to recruiting more women, LGBTQ+ individuals, and minorities in terms of race, religion, ethnicity, and even age. Level pay, investing in diverse talent, and empowering voices within a company’s culture all play important roles, as well.
Join us for this vital webinar to learn how you can promote opportunity for all in your organisation.
Ashutosh Kumar, Product Marketing Manager, Staff, Synopsys; James Croall, Director, Technical Product Management at Synopsys
As part of your DevSecOps strategy, it’s important to implement security tools that help your developers and don’t slow them down. Coverity static application security testing (SAST) provides a developer-centric approach to security testing that aids adoption and helps your development teams write high-quality secure code, without having to be security experts. With SAST tools such as Coverity, developers can get early feedback and identify security issues as they code within their IDE. Coverity can also be seamlessly integrated into different stages of your CI/CD pipelines, which can help automate SAST scans for your needs.
In this webinar, we’ll cover:
- Evolving developer needs and best practices for AppSec integration into development workflows
- How Coverity helps developers get early feedback on security and quality issues in their code with our Code Sight IDE plugin and integrated eLearning courses
- How Coverity can be seamlessly integrated into your CI/CD pipeline to automatically trigger scans with every pull request, serve as a security gate on the build server, create issue tickets, and more
Patrick Carey, Director Product Marketing, Synopsys and Dave Gruber, Senior Analyst, Enterprise Strategy Group
A recent study by Enterprise Strategy Group, commissioned by Synopsys, revealed that nearly half of the cybersecurity and development professionals surveyed indicate that their organization knowingly pushes vulnerable code into production due to time pressures. In every sector, development and security teams grapple with the competing demands of development velocity and application security.
In this webinar, we speak with the study’s author, ESG Senior Analyst, Dave Gruber, about how organizations are working to build security into their development toolchains and processes. Highlights include:
- Why many organizations’ AppSec programs aren’t as effective as they think.
- Key attributes of the most successful AppSec programs.
- Trends and challenges organizations are facing in implementing their AppSec programs.
- How organizations are working to improve AppSec ROI while simplifying deployments.
Miriam Ballhausen, Bird & Bird & Matt Jacobs, Synopsys
Free and Open Source software is meant to be used and shared but you must comply with the license obligations. If licensees fail to do so, there may be legal consequences including license enforcement actions. But what does open source license enforcement mean in practice?
Join this live webinar to get an overview of the risks and enforcement of Free and Open Source Licenses. We’ll cover:
• Understanding the Free and Open Source License landscape
• What companies should look out for (and how tools may help)
• Strategies for protecting against enforcement
Don’t miss this informative webinar. Register today.
In today’s fast-paced world, everything needs to move quickly—including development. But organizations can’t compromise on security while delivering products in rapid succession. Modern static application security testing (SAST) tools address this urgent need to identify and secure applications without impacting production timelines. In this session, learn how you can integrate SAST tools into the SDLC and discover the options available to customize and optimize for time-sensitive results. You’ll also learn about some common pitfalls and mistakes made while trying to integrate SAST tools into an automation process and DevSecOps. You’ll come away with a better understanding of how to reach a mature and secure software development life cycle and how to use SAST tools effectively in such environments.
Jonathan Knudsen, Technical Marketing Manager, Synopsys
One challenge of fuzzing is figuring out which malformed inputs (test cases) to use. Generational (or model-based) fuzzing tools use a detailed data model to generate high quality test cases. Because test cases are mostly correct, they traverse a variety of control paths and can drive the target software into a variety of states before “detonating” with a carefully placed anomaly.
Defensics is a generational fuzzer with over 250 test suites for a wide variety of network protocols and file formats. But what if you need to fuzz something with no corresponding test suite? For proprietary protocols and other specialized fuzzing needs, the Defensics SDK enables you to apply the power of Defensics to any data model you wish.
This presentation outlines the capabilities of the Defensics SDK and shows how data models and semantics can be defined in code, allowing you to fuzz any type of software in any context.
Simon King, VP Solutions, Synopsys Software Integrity Group
DevOps and Agile development teams work iteratively to deliver customer value faster. They accelerate productivity with external software such as open-source, and external infrastructure such as cloud and containers. But this increases the threat surface and potential security risk. This leads to using more security tools, and complexity associated with managing test results and governance.
Join Simon King from Synopsys on this journey enabling teams to see the larger security picture – transparently – enhancing the tools you already use.
In this session you’ll learn about:
- The challenges associated with managing test execution with multiple tools.
- The opportunities to streamline communication between teams when coordinating triage and issue remediation.
- How to make app sec “invisible” to the development team inside your existing CI/CD toolchain.
- How to manage continuous improvement in risk posture.
Tobias Mccurry, Senior Security Consultant, Synopsys Software Integrity Group
We all put a lot of trust in the applications we use to chat with other people. Have you ever wondered what your chat application is doing in the background? How is it storing the messages or pictures you send? You are required to log in to send and receive messages... or are you? Come see how some of the most popular chat clients send data and whether anyone else could see this data.
We'll begin with the underlying vulnerability of Cross-Origin Resource Sharing (CORS) and how, if it is misconfigured, data could be leaked without the user knowing. I’ll cover in detail how each client handles messages between clients. Three of the most popular clients were tested to see how well they handle the data transactions.
Meera Rao at Synopsys, Cojan Van Ballegooijen at CloudBees & Rania Mohamed at Google Cloud
DevOps enables you to release features and bug fixes faster than ever. But, can security keep up? Instead of waiting to fix security vulnerabilities, treat them like any other bug within your DevOps process. This allows you to reduce DevSecOps friction, increase release velocity, improve quality and facilitate collaborative change - just to name a few.
This webinar will cover how your DevOps strategy can best include security with Synopsys, CloudBees and Google. You’ll learn more about:
• Integrating the right tools in your DevOps pipeline
• How Google Cloud Platform (GCP) improves your security posture
• Beginning your DevSecOps journey with CloudBees CI and easy procurement through the GCP Marketplace
• The field point of view from Synopsys on CloudBees CI + GCP = secure pipelines
Shandra Gemmiti, Product Marketing Manager at Synopsys and Mike McGuire, Product Marketing Manager at Synopsys
Open source is a great foundation for modern software development, but when left unmanaged, it exposes you to security risks. In the upcoming webinar “What the 2020 OSSRA Report Means for Your Security Team,” we’ll explore the findings of our 2020 Open Source Security and Risk Analysis report and what that means to teams like yours. Specific topics include:
· Why you need an accurate inventory of open source components
· How to prioritize the vulnerabilities to fix
· Where to integrate testing into your SDLC
Join us and together we’ll harness the power of open source without sacrificing the security of your applications.
Static application security testing (SAST) is critical for uncovering and eliminating issues in proprietary code. However, over 60% of the code in an average application today is composed of open source components. SAST isn’t designed to find open source vulnerabilities (CVEs) or identify open source licenses. And manually maintaining a repository of approved open source components for developers is inefficient and time consuming. That’s where software composition analysis (SCA) comes in.
Join Utsav Sanghani, product manager, as he explores the benefits of bringing SAST and SCA together. He’ll explain why using an SCA tool to scan open source dependencies is as imperative to a software development strategy as using SAST to test proprietary code. He’ll also demonstrate how developers, by combining SAST and SCA analysis in the IDE, can address issues holistically as they code, saving time and increasing productivity so they can deliver secure, high-quality software faster.
OpenChain standardizes license compliance requirements around the use of open source software in the supply chain. Customers purchasing from an OpenChain-compliant company know that the software has been developed in line with a set of documented and tested procedures and that all the relevant metadata (SBOMs and compliance notices) is available. So what does that mean for you?
Join us for a live webinar to learn why companies like Scania (Volkswagen group), Cisco, ARM, Facebook, Uber, Google, Microsoft, Sony and Qualcomm rely on OpenChain. We’ll cover:
• The history of OpenChain, steps to compliance and overall benefits
• How OpenChain scales, and works for companies large and small
• What happens when the 2.1 specification becomes an ISO standard in September 2020
Don’t miss this informative webinar. Register today.
Do you know the common ways Node.js applications may be vulnerable to denial-of-service attacks?
The single-threaded nature of Node.js makes it very susceptible to DoS attacks. While the Node.js event loop allows you to perform some operations asynchronously, it’s still quite easy to write a vulnerable Node.js application by making a few simple mistakes.
In this talk, Allon will cover some common ways a Node.js application may be vulnerable to DoS attacks and some common best practices and countermeasures to defend against such attacks.
Chandu Ketkar, Director Security Architecture Practice and Andre Joseph, Principal Consultant at Synopsys
Including threat modeling early in the software development process can ensure your organization is building security into your applications. For applications that are further along in development or currently launched, it can help you pinpoint the need for additional security testing.
Threat modeling identifies the types of threats that are applicable in the context of the application and its environment. Knowledge of such threats, along with their likelihood and impact, enables us to secure our design in anticipation, identify security requirements early, and inform downstream security testing.
There are many threat modeling approaches out there. In this webinar, we provide insights into Synopsys’ threat modeling approach, which has evolved as we’ve conducted threat assessments for various types of applications for our clients.
Tim Mackey, Principal Security Strategist at Synopsys & Gordon Haff, Technology Evangelist at Red Hat
The adoption of open source continues to grow rapidly, both in market share and in its strategic importance to businesses. Understanding how organizations use open source and do so in a way that minimizes risk is therefore essential to both an overall IT strategy and cyber security response plans. These are among the topics we’ll investigate in this joint webinar from Red Hat and Synopsys. Drawing from Red Hat’s “The State of Enterprise Open Source” report, technology evangelist Gordon Haff will explain why IT decision makers value open source so highly and the processes that commercial open source vendors put in place to protect their customers from vulnerabilities.
At the same time, changing development practices and escalating threats mean that security remains a concern with respect to open source software, as it is for IT more broadly. Tim Mackey, Principal Security Strategist from Synopsys will walk through findings from the Synopsys “2020 Open Source Security and Risk Analysis” report with an eye on how teams can use the data to inform their overall open source governance plans.
We’ll close with some practical advice about getting the most value from open source software while keeping your organization safe.
Meera Rao, Senior Director Product Management, Synopsys
Even software with a solid architecture and design can harbor vulnerabilities, whether due to mistakes or shortcuts. But limited security staff don’t have the resources to perform code reviews and provide remediation guidance on the entire application portfolio. Static analysis, also known as static application security testing (SAST), is an automated way to find bugs, back doors, and other code-based vulnerabilities so the team can mitigate those risks.
First, though, you must choose a static analysis model that fits your needs. You might have questions such as these:
- How do I manage false positives?
- How do I triage the results?
- What happens to new issues identified?
- My scan takes hours to complete. How can I use this tool in my DevSecOps pipeline?
- What is a “baseline scan”?
Join us as we walk you through the challenges and benefits of integrating a SAST tool into your DevSecOps pipeline and how we’ve helped other organizations with this process.
Adversaries continuously evolve their behaviours and defenders must respond accordingly. Governments around the world are striving to supplement manual tracing efforts with the adoption of a "Track and Trace" mobile application to help prevent further spread of COVID-19 and regain healthy levels of economic activity. In this short interactive session, Synopsys will discuss the topic as seen through their "security eyes" and with some key takeaways:
• How to develop applications at speed and remain security-aware?
• What security measures are considered essential when building any mobile application?
• Where is your data being recorded and used? Does this feel too much like Big Brother is watching your every move?
• How can Synopsys support you through your own software development lifecycle?
This session will run for 35 minutes followed by a 10-minute Q&A session.
Patrick Carey, Director Product Marketing, Synopsys and Sandy Carielli, Principal Analyst, Forrester Research, Inc.
Securing your applications is critical, but maintaining release velocity and developer productivity is just as important. Let’s face it: Developers aren’t security experts. They unwittingly introduce security weaknesses and vulnerable open source components into your applications, and they’re ultimately responsible for fixing any issues that surface. But what if you could equip developers with the tools and information they need to prevent security issues from ever making it into your codebase, without creating unnecessary friction or slowing them down?
Join guest presenter Sandy Carielli, Principal Analyst, Forrester Research, Inc., and Patrick Carey, Synopsys, as they discuss the benefits of IDE-based security testing and the role developers can play in securing your applications.
Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.