Name: Is Your Software Supply Chain a Security Mystery?
Start: 2021-06-16T05:00:00Z
End: 2021-06-16T05:57:51.000Z
Location: BrightTALK
Rating: 4.33

Synopsys Software Integrity Group provides integrated solutions that transform the way development teams build and deliver software, accelerating innovation while addressing business risk. Our industry-leading portfolio of software security products and services is the most comprehensive in the world and interoperates with third-party and open source tools, allowing organizations to leverage existing investments to build the security program that’s best for them. Only Synopsys offers everything you need to build trust in your software.

Open source is widely used in software development because it allows you to create high-quality software quickly. But if left unmanaged, open source can lead to license compliance issues as well as security and code quality risks. Whether you’re on the buy side or sell side, these risks could negatively affect valuation in an M&A transaction.

Join this live Synopsys webinar for an inside look at the data Black Duck Audits complied in 2022 from the hundreds or tech transactions and thousands of codebases we audited. We’ll cover: 
 
• Open source license and security risks by the numbers
• Why audits have become the norm in M&A tech due diligence
• How you can get a complete picture of open source risks

By the Numbers: 2023 Open Source Risk in M&A

Les chaînes d'approvisionnement logicielles utilisées par les applications modernes peuvent se révélées très complexes. Elles consistent en un mélange de code propriétaire et d’open sources, d'API et d'interfaces utilisateur ainsi que de workflows de déploiement dans différents environnements. Les problèmes de sécurité à n'importe quelle étape de cette chaîne peuvent vous exposer, vous et vos clients, à un risque d'attaque. Selon les analystes du Gartner, 45 % des organisations dans le monde connaîtront une attaque d'ici 2025. Renforcer votre chaîne d'approvisionnement logicielle contre les menaces de sécurité est une nécessité, mais cela ne s'arrête pas là. Vous devez également être en mesure de démontrer que vous l'avez fait, afin d’avoir la confiance de vos clients et de respecter les obligations réglementaires.

Rejoignez-nous et découvrez comment nous proposons une approche globale de sécurité de la chaîne d'approvisionnement logicielle, notamment:
• À quoi ressemble une chaîne d'approvisionnement logicielle,
• Présentation des risques tout au long de la chaîne d'approvisionnement logicielle,
• Ce que cela signifie de sécuriser votre chaîne d'approvisionnement et de prouver que vous l'avez fait.

Sécuriser la chaîne d'approvisionnement logicielle

To build security into DevOps and achieve true DevSecOps, organizations need to manage AppSec workflows without hindering speed and flexibility. But how do you get there?

Join this live Synopsys webinar to learn how to inject security into DevOps without sacrificing efficiency. We’ll cover how to:

• Secure code as fast as it’s written
• Run the right tests at the right time
• Automate security testing to focus on what matters

Achieving DevSecOps: Ways to reduce AppSec noise at scale

Malicious code has been making headlines over the past years. The type of attacks may vary, but the consequences are real. We’ve seen a spate of malicious open source components identified within the NPM repository, or an ethical hacker gaining access to the systems of several notable tech companies using publicly hosted packages. 

Today, threat actors are looking beyond exploiting weaknesses in the application layer. Now they have started taking advantage of the inherent trust associated with open source software. Inadvertently building code with these weaknesses into applications leaves businesses and their customers prime targets of supply chain attacks.  

Join us as we discuss

• What can be classified as malicious code or malware 
• Some of the techniques that attackers use to inject malicious code into the supply chain 
• Methods for identifying malicious code and open source components

How Does Malicious Code Enter Applications?

Open source software continues to prove its staying power. It serves as the foundation for the modern applications that we depend on to run. 

Along with the significant scale of open source usage comes a decreased ability to effectively manage the associated risk. In fact, 96% of codebases we audited in 2022 contain open source, and 84% contain security vulnerabilities.  

So how can you adapt to the current scale of open source usage to mitigate software supply chain risk and secure your applications? 

Join our live webinar as we explore the findings of our 2023 “Open Source Security and Risk Analysis” report, and see what they mean to teams like yours. We’ll cover

• How our research reflects the current application development landscape 
• Open source risk including security threats 
• What leads to the build-up of risky dependencies 
• Why you need an accurate inventory of open source components 
• The core tenets of open source risk management programs

The 2023 Guide to Open Source

You’ve automated security tooling in development pipelines and your organization has moved to agile practices, but you are still not experiencing the DevSecOps promise land you were told about.

The three pillars of DevSecOps are people, process, and technology. Have you invested enough into your people? Without a bridge between the security and the development teams, all your hard work can get stuck in mud. 

A Security Champions program can help enable your teams reduce process friction and ensure successful adoption of security within developers’ daily work. This talk will address 

• Common challenges organizations experience
• Ways a Security Champions program can help
• Getting started with building your Security Champions program

Enable your DevSecOps Initiative with Security Champions

Static application security testing (SAST) is a key ingredient of any AppSec program. However, modern applications are built using processes, languages, and tools that didn’t exist when many SAST products were originally designed. This creates challenges for developers and security teams that need to deliver highly secure applications without slowing productivity.
 
In this webinar, we’ll discuss how SAST can help organizations drive security and quality across all their applications. Topics include

• Understanding how static analysis identifies weaknesses in application code
• Running the right level of SAST analysis for each application
• Integrating SAST throughout the software development life cycle
• Ensuring quality and compliance with policy-based code scans

What is SAST?

For a variety of reasons, everyone is talking about software Bills of Materials (SBOMs). Some organizations are being required to generate and provide them, while others are asking for them from their vendors. One thing is for certain though - there is a lot of noise surrounding SBOMs, and it's not making it any easier to understand what must be done, what should be done, and what can be done. 

Join Mike McGuire, security solutions manager with the Synopsys Software Integrity Group, as he cuts through the noise and simplifies the concept of the modern SBOM. Mike will address some of the market’s lingering questions, including:

- Why there is a heightened focus on SBOM
- What SBOM is and is not 
- How to build and use an SBOM
- How they can help you secure your software supply chain.

Coffee with a Slice of SBOM

With the cost of cyberattacks predicted to cost $10.5 trillion by 2025, the European Commission is looking to transform the cybersecurity landscape through the Cyber Resilience Act. The goal of the CRA is to “bolster cybersecurity rules to ensure more secure hardware and software products.” But what does that mean for those of us already involved in AppSec?

Join our experts as they discuss how AppSec professionals may be impacted by CRA as it exists today. Specifically, we’ll explore: 
- Which products may be subject to the CRA based on the definition of “digital elements”
- What impacts this could have on software supply chain moving forward
- How you can assess your AppSec programs to see where you stand with CRA as defined today

The CRA is currently a draft, as such opinions and insights from presenters are subject to change.

What the EU Cyber Resilience Act Means for AppSec

Shifting the Modern Application Security Paradigm

The emphasis on securing applications in development has not resulted in the reduction of breaches that was once expected. In fact, breaches are becoming even more common and more dangerous. Testing solely in development is a DAST-backwards approach that cannot protect applications from being breached in production.

If the ultimate goal of application security testing is a digital future that is free from breaches, we must now embrace a DAST-forward approach that accounts for the entire attack surface, incorporates continuous dynamic application testing and integrates DAST insights to increase the efficacy of SAST and software composition analysis.

Learn how a modern paradigm can take your application security DAST to the future.

DAST to the Future

DevSecOps is a trending practice in application security that involves introducing security earlier in the software development life cycle. It expands the collaboration between development and operations teams to integrate security teams in the software delivery cycle. 

DevSecOps needs to be risk-based like your application risk indicator. It needs to be able to optimize security testing based on your policies. It should be efficient so not every code change requires a full security analysis. 

In this talk, you will learn
• Actionable insights into what DevSecOps is
• What DevSecOps is not
• How DevSecOps works from build to production

DevSecOps Explained

The executive order issued by the White House last year calls for more robust software supply chain protections for federal agencies. Meanwhile, companies are also taking steps toward securing their supply chains. And they are now facing many of the same struggles that government bodies have endured while attempting to adhere to the executive order. So what are the challenges? They include: 
- Improving visibility into the global partners from which you’re sourcing components 
- Instituting and operationalizing software bills of materials (SBOMs) 
- Establishing the required scope of your supply chain security program 

* determining what your testing procedures will entail 

Join us as Tim Mackey, principal security strategist at Synopsys, offers inside analysis into the U.S. government’s foray into supply chain security. He will then reveal what lessons businesses can apply toward their own efforts in this space.

Supply Chain Security Snags

As development technologies become more fast-paced, modular, and automated, the tools and practices used to secure the software that passes through these pipelines must evolve. While many application security testing (AST) tools can be integrated into pipelines, teams often struggle with complexity, performance, and noisy results. Injecting security into DevOps without sacrificing efficiency requires a concerted approach focusing on:  

- Integration and automation that minimizes impediments, running necessary tests at appropriate times 
- Remediation of prioritized risks aligned to business needs 
- AppSec-enabled developers equipped with what they need to secure code as they write it 
- Modular AST that can be employed based on the software being tested

Building Security into DevOps Without Breaking It

Travailler en mode DevOps est désormais très répandu, et maintenant le mouvement DevSecOps est en plein essor. Mais l'intégration de la sécurité applicative dans les chaînes DevOps peut provoquer des frictions entre les développeurs de logiciels, les équipes chargées de la sécurité des applications et les équipes chargées des opérations, car chaque équipe a sa propre feuille de route, ses responsabilités et ses priorités. 
 
Il est alors impératif d'instaurer une culture organisationnelle qui permette aux trois équipes de travailler vers le même objectif final: mettre l'application en production le plus rapidement possible en minimisant les problèmes de qualité et de sécurité. Dès lors, comment faire en sorte que la sécurité ne soit pas laissée pour compte ? 
 
La solution est de passer d'une sécurité réactive à une sécurité proactive. Au lieu de vous concentrer sur de nouveaux moyens de trouver des bugs déjà présents dans le code, vous devez vous attaquer à la cause première des bugs. Le moyen d'y arriver est de développer l'expertise de vos équipes et de fournir les informations nécessaires pour empêcher les bogues d'entrer dans votre base de code en premier lieu. N’attendez pas pour corriger les vulnérabilités qu’elles fassent des ravages dans vos applications. Traitez-les comme n’importe quel autre bug de développement.

Ce webinaire fournit des informations concrètes sur ces activités : 
- Les défis DevSecOps 
- Les tendances du secteur 
- Les bonnes pratiques pour intégrer la sécurité dans votre cycle de vie de développement logiciel 
- Les points clefs pour pouvoir passer à l'échelle avec vos pipelines

DevSecOps: Implémenter la sécurité dans les chaînes DevOps

克服组织挑战，应对ISO/SAE 21434合规落地

The Forrester report, “The State of Application Security: 2022,” notes that web application exploits are the third-most-common cybersecurity attack. Of the 4,000+ tests Synopsys Application Security Testing (AST) services conducted for its annual “Software Vulnerability Snapshot” report, 95% uncovered some form of vulnerability in the target applications

In this webinar, we will focus on the findings of the “Software Vulnerability Snapshot” report as well as 

• Latest AppSec trends and challenges  
• Findings  from “black box” and gray box” testing  
• A brief overview of best practices to address the latest AppSec challenges

The Future of AppSec: What You Need To Know

The evolution of newer technologies, like artificial intelligence, machine learning, GitHub Copilot, blockchain, cryptocurrencies, DeFi, APIs, containers, and SaaS/PaaS/IaaS, raise new open source legal issues and license selection and compliance considerations.

With these technologies becoming increasingly common place, do you have a strategy to manage your risk and compliance?
 
Join this live Synopsys webinar to learn how open source legal experts navigate the complex and ever- changing impact of new technologies. Topics covered include:
 
• A brief history of technological evolution in relation to open source software
• Legal and other considerations raised by these new technologies
• Practical strategies to mitigate related risks
 
Don’t miss this informative webinar - register today.

CLE:
DLA Piper LLP (US) has been certified by the State Bar of California, Illinois MCLE Board, the Board on Continuing Legal Education of the Supreme Court of New Jersey, and the New York State Continuing Legal Education Board as an Accredited Provider. The following CLE credit is being sought: 
• California: 1.0 Credit (1.0 General, 0.0 Ethics)
• Illinois: 1.0 Credit (1.0 General, 0.0 Ethics)
• New Jersey: 1.2 Credits (1.2 General, 0.0 Professional Responsibility)
• New York: 1.0 Transitional & Non-Transitional Credit (1.0 Professional Practice, 0.0 Ethics and Professionalism)
CLE credit will be applied in other states where DLA Piper has an office with the exception of Minnesota, North Carolina, and Puerto Rico.

Open Source Risks with New Technologies: AI, GitHub Copilot, Blockchain & More

One of the biggest challenges companies face with third-party software is lack of visibility into the vulnerabilities it introduces in their codebase. There have been major security breaches attributed to exploits of vulnerabilities in the open source frameworks used by Fortune 100 companies in education, government, financial services, retail, and media.
 
These incidents highlight the need for organizations to carefully manage their supply chain, including the open source code in the third-party and commercial software they use. The goal is to protect themselves—and their customers—from the consequences of catastrophic security breaches.
 
This session explores:
1) How to make your supply chain more resilient from open source and commercial third-party code risks
2) The types of risks faced by organizations as consumers and producers of software
3) The types of activities organizations should be performing to secure the supply chain
4) The tools, services, and frameworks available to help you get started

Is Your Software Supply Chain a Security Mystery?

#opensourcesecurity

#opensource

#vulnerabilities

#supplychain

#softwaresecurity

Intellectual property law is crucial to ensuring that you or your organization have exclusive rights to that assets that you’ve created. The BrightTALK intellectual property community has thousands of professionals focused on learning and exchanging information about intellectual property management, intellectual property software and how to protect intellectual property. Join the community for access to free, interactive presentations or attend live webinars to have your questions answered by IP lawyers and industry experts.

Intellectual Property

The legal community on BrightTALK combines the fields of employment law, e-discovery, intellectual property and environmental law to create a thriving ecosystem of legal resources. Attend live and on-demand webinars dealing with employment contract law, e-discovery solutions, intellectual property software and sustainable development from leading lawyers and legal professionals to gain knowledge in a wide range of fields. Join the community and be part of the conversation by attending live legal webinars and connecting with industry thought leaders.

Legal

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

The application development community features top thought leadership focusing on optimal practices in software development, SDLC methodology, mobile app development and application development platforms and tools. Join top software engineers and coders as they cover emerging trends in everything from enterprise app development to developing for mobile platforms such as Android and iOS.

Application Development

Enterprise applications have become a crucial piece of infrastructure for many businesses. The enterprise applications community on BrightTALK features the latest insights in enterprise application integration, enterprise application architecture and EAS software. Join the community to gain access to thousands of videos and webinars presented by recognized enterprise information systems experts and arm yourself with the knowledge you need to succeed.

Enterprise Applications

Join thousands of engaged IT professionals in the application management community on BrightTALK. Interact with your peers in relevant webinars and videos on the latest trends and best practices for application lifecycle management, application performance management and application development.

Application Management

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Information Technology

Internal audit and compliance professionals are facing increasingly stringent regulatory requirements when it comes to compliance reporting and internal control procedures. Join the audit and compliance community to learn best practices from thought leaders on topics such as regulatory compliance, internal audit checklists and audit program strategies.

Audit and Compliance

Get powerful market trends insights that are shaping the M

Mergers and Acquisitions

The accounting and finance community on BrightTALK features presentations from leading accountants and finance professionals. The accounting community includes tax planning strategies, QuickBooks webinars and other accounting webinars, while the finance community features presentations on financial capital regulations and forensic data analytics. Join the conversation by attending live financial and accounting presentations and connecting with industry thought leaders.

Is Your Software Supply Chain a Security Mystery?

Presented by

About this talk

More from this channel