Name: Reduce Alert Volume and Prioritize Remediation with Deepfactor
Start: 2022-07-28T16:00:00Z
End: 2022-07-28T16:00:52.000Z
Location: BrightTALK
Rating: 5

Synopsys Software Integrity Group provides integrated solutions that transform the way development teams build and deliver software, accelerating innovation while addressing business risk. Our industry-leading portfolio of software security products and services is the most comprehensive in the world and interoperates with third-party and open source tools, allowing organizations to leverage existing investments to build the security program that’s best for them. Only Synopsys offers everything you need to build trust in your software.

Despite significant investment in AppSec tooling, staffing, and maintenance, organizations are unable to adequately secure their software. There is a lot of complexity in managing disparate tools, and not having the means to make testing well integrated or repeatable makes it difficult to get an accurate picture of software risk posture. At large, these factors downgrade the value of AppSec programs.

To achieve AppSec efficacy, security leaders need a way to standardize testing, triage, and remediation processes, all while continuously assessing software compliance, regardless of where source code resides or how it was built. This is where an Application Security Posture Management (ASPM) solution comes in.

In this session, you will:
- Understand how ASPM can help with issue identification, triage, and software compliance, from IDE to runtime testing
- Learn tactics to standardize issue detection, prioritization, and risk assessment through a centralized policy
- Discover how ASPM can help maximize the value of your existing AppSec investments and drive software resiliency at scale

A Practical Guide to Scaling AppSec with ASPM

If software is an important part of your business and you need to comply with license terms and protect against security vulnerabilities, you need to know and track what is inside your software. Lists of software components and dependencies are typically referred to as Software Bills of Materials (SBOMs).

Standardizing the format for SBOMs can improve the accuracy and efficiency for managing software license compliance and security vulnerabilities – especially if your software is the result of a long list of suppliers (e.g., a commercial product which depends on a commercial library which uses an open-source library which includes source from a different open-source project).

With the May 12, 2021 U.S. Presidential Executive Order on Improving the Nations Cyber Security, several software suppliers are being required to produce their SBOMs in a standard format.

SPDX is a standard format for SBOMs.  Although it has been around for more than 10 years, it has gone through some significant evolution such representing data on security vulnerabilities. There is a forthcoming major release which supports several new use cases such as tracking the build process and tracking data about artificial intelligence models.

In this talk, we will start with how you can use the widely adopted SPDX 2.3 spec to represent security vulnerability and license compliance data and then go into some of the new features of the SPDX 3.0 specification.  We will touch on what goes into making a quality SBOM.

At the conclusion of the talk, you will have a better understanding how you can make use of SPDX whether you are producing software or evaluating software you use (or plan to use).

SBOMs and SPDX: Now and in the Future

Les chaînes d'approvisionnement logicielles utilisées par les applications modernes peuvent se révéler très complexes. Elles consistent en un mélange de code propriétaire et d’open sources, d'API et d'interfaces utilisateur ainsi que de workflows de déploiement dans différents environnements. Les problèmes de sécurité à n'importe quelle étape de cette chaîne peuvent vous exposer, vous et vos clients, à un risque d'attaque. Selon les analystes du Gartner, 45 % des organisations dans le monde connaîtront une attaque d'ici 2025. Renforcer votre chaîne d'approvisionnement logicielle contre les menaces de sécurité est une nécessité, mais cela ne s'arrête pas là. Vous devez également être en mesure de démontrer que vous l'avez fait, afin d’avoir la confiance de vos clients et de respecter les obligations réglementaires.

Rejoignez-nous et découvrez comment nous proposons une approche globale de sécurité de la chaîne d'approvisionnement logicielle, notamment:
• À quoi ressemble une chaîne d'approvisionnement logicielle,
• Présentation des risques tout au long de la chaîne d'approvisionnement logicielle,
• Ce que cela signifie de sécuriser votre chaîne d'approvisionnement et de prouver que vous l'avez fait.

Sécuriser la chaîne d'approvisionnement logicielle

With the cost of cyberattacks predicted to cost $10.5 trillion by 2025, the European Commission is looking to transform the cybersecurity landscape through the Cyber Resilience Act. The goal of the CRA is to “bolster cybersecurity rules to ensure more secure hardware and software products.” But what does that mean for those of us already involved in AppSec?

Join our experts as they discuss how AppSec professionals may be impacted by CRA as it exists today. Specifically, we’ll explore: 
- Which products may be subject to the CRA based on the definition of “digital elements”
- What impacts this could have on software supply chain moving forward
- How you can assess your AppSec programs to see where you stand with CRA as defined today

The CRA is currently a draft, as such opinions and insights from presenters are subject to change.

What the EU Cyber Resilience Act Means for AppSec

Organizations face a variety of threats from malicious actors. With the proliferation of web services, APIs are the fastest-growing attack surface in the industry. It's time to act. Join this webinar to get answers to some of the most pressing questions, such as

• What are the current industry trends on API usage?
• What are the challenges in dealing with application and API security?
• What are the solutions to API security challenges?
• What is an example of a firm that has adopted an IAST tool for API security?

Addressing API Security in Your DevSecOps Life Cycle

To build security into DevOps and achieve true DevSecOps, organizations need to manage AppSec workflows without hindering speed and flexibility. But how do you get there?

Join this live Synopsys webinar to learn how to inject security into DevOps without sacrificing efficiency. We’ll cover how to:

• Secure code as fast as it’s written
• Run the right tests at the right time
• Automate security testing to focus on what matters

Coffee with a Side of DevSecOps

As the popularity of cloud-native applications continues to surge, containers are becoming the preferred option to package and deploy these applications because of the agility and scalability they deliver. According to Gartner, “by 2022, more than 75% of global organizations will be running containerized applications in production.”

The popularity of containers has also attracted the attention of hackers who are constantly looking for new ways to exploit them. Containers expand an organization’s attack surface and increase the risk to the applications they house. A comprehensive approach for container security is required to mitigate the risk to containerized applications and infrastructure.

In this webinar, we’ll outline the essential elements required to secure your container environments, including:
• Understanding what containers are (and aren’t)
• How to look at container security holistically
• The top threats to container landscapes
• Relevant case studies

Container Security Essentials

The economic downturn is impacting organizations, and application security is not exempt from budget pressures. You may need to make some difficult choices on application security spending that doesn’t add risk to the business. Do you have a plan in place today?
 
Join us for this Synopsys webinar to get insight into the latest application security risks and where budget trade-offs can be made. We’ll cover:
 
• Trends in AppSec in challenging times
• Factors when considering cloud vs on-prem solutions
• Trade-offs between platform and best-of-breed AppSec approaches

Transforming DevSecOps in Turbulent Times

The proliferation of software across every industry poses significant challenges for teams that must both keep up with the fast pace of innovation and ensure that the software they build is secure. This has led to security tool sprawl, unnecessary complexity, increased operational costs and in many cases, a decreased ability to quickly assess risk. As a result, many organizations are looking to consolidate the number of security tools and vendors they manage to improve resource efficiency and overall risk posture.
 
In this webinar, we will discuss the key things necessary to capitalize on consolidation initiatives beyond a simple reduction of tools, and provide a roadmap for how organizations can realize these benefits rapidly.

Reduce Complexity & Improve TCO with AST Vendor Consolidation

Security is the result of implementing the tools, personnel, and insight necessary to make informed decisions to mitigate risks within the software you create and the assets you consume through the software supply chain. While this process can be elaborate, rapid releases and CI/CD methodologies require that AppSec move at the speed of DevOps.

Achieving this is only possible with integrated controls and mechanisms to detect, prioritize, and address security issues at every stage in the SDLC and CI/CD pipelines. But how do you get there?

Join us as we recommend ways to establish security within DevOps without sacrificing efficiency. We’ll discuss:
- Pitfalls that can derail an organization’s AppSec initiative
- Strategies for overcoming obstacles to efficient, effective DevSecOps
- Recommendations for realizing integrated DevSecOps at scale

Security at Every Stage: Integrating AppSec for Efficient DevSecOps

APIs are the heart of many modern applications. They enable organizations to create new business models and methods of engagement. Yet, security breaches have increased due to the proliferation of unprotected APls and API endpoints. A survey conducted by Salt Security in 2022(¹) found API attacks increased by 681%.

A comprehensive API protection strategy can help address these challenges, but it must include discovery, detection and protection. In this webinar you will learn about:

- The importance of conducting a thorough API inventory
- Implementing testing techniques to find problems throughout the SDLC
- Protecting your API by building in API-specific logging, monitoring and alerting at the application layer

(1) https://salt.security/blog/api-security-fundamentals

How to Address API Security in 2023?

Is it any wonder why developers have embraced containers. Containers reduce friction when it comes to moving code from testing to production. Containers also make it possible to run code anywhere. The level of flexibility is undeniable. With 92% of companies using containers in production* attackers are taking notice. Are you confident in your container security strategy?

Container security is important for the same reasons all application security is important: Without a comprehensive strategy and tooling in place, you risk exposing your sensitive data. Whether you’re new to container security or a battle tested veteran this webinar has something for you.

Zero to Hero: Improving Your Container Security Strategy

Most API Security tools/platforms are built for the Security teams that are told “here’s an API service already running – go secure it”. Thus, they take an outside-in approach of building a fence around a service and/or poking the service with a stick to see what outward reactions they can get. But even an ML-powered fence can’t stop everything. Shouldn’t we be improving the security inherent in our RESTful or GraphQL API service/microservices? Let's actually find and fix the flaws before the API is deployed. And before the developers reading this run screaming thinking this is another “shift [the extra work] left” talk, what we will advocate is a simply and scalably deployed agent that will do this work for us. It will automagically discover and ingest the API documentation (if it exists), create and run tests based on these docs, turn any other functional tests we already have into security tests, and output replayable exploits when they are found. “Agent-less” solutions don't have the visibility and controllability needed to realize the automagic of building a more secure API from the inside out.

Automagic API Security Testing

The purpose of software due diligence is to identify risks in software. Understanding how software is developed and what kinds of issues can lurk in that software gives you a head start.  

Join this Synopsys webinar to learn how shortcuts in the software development process creates design quality, code quality, security and open source/3rd party code problems in software – and what you can do about it.  We’ll cover: 

• How mistakes and shortcuts can lead to problems in software
• What to look for in each of the categories of risk
• Best practices for software due diligence

Software Construction & Business Risk: Best Practices for Software Due Diligence

If you’re involved in software due diligence, you understand that acquiring software assets can bring any number of risks. By learning how software is built, and the choices and tradeoffs developers make during construction, you’ll better understand the risks that can impact a deal. As the saying goes, “forewarned is forearmed.”

Join this Synopsys webinar to learn how the software design and development process inherently creates quality and security risks in a transaction. We’ll cover:

• How software engineers do what they do
• How mistakes and shortcuts can lead to particular problems in the software
• The facets and implications of technical debt that can build up through the accumulation of such issues

Software Construction & Business Risk: A Crash Course for Investors and Lawyers

As you start down the path of using generative artificial intelligence (GAI) in software development to improve efficiency, reduce costs, and increase revenue, you must also be aware of the associated legal issues. How can you leverage AI and minimize the risk it presents?

Join this live Synopsys webinar in which a panel of legal experts and practitioners will answer your questions about the rise of AI in software development, and how you can responsibly leverage this new technology. We’ll cover:

• The benefits and risks for using AI in software development 
• The evolving legal and regulatory landscape 
• Practical advice for using AI today and into the future

Ask the Experts: AI and Software Development

Achieving DevSecOps: Ways to reduce AppSec noise at scale

Engineering teams in many industries are embracing cloud-native development and rapidly adopting open source software, increasing both the frequency and complexity of software releases. The automotive industry’s shift to software-defined vehicles is a great example of retooling to leverage modern development practices while maintaining focus on reducing application risk.

In order to understand and address application risk, engineering teams often use software composition analysis (SCA) to discover vulnerable libraries and dependencies. Augmenting SCA scans with dynamic, contextual analysis of the running application can prevent engineering teams from being overwhelmed with vulnerability alerts, reducing the potential impact of security on development. This is particularly true in Kubernetes, where applications utilize several languages and can be spread across dozens if not hundreds of containers and systems. Although identifying the vulnerable containers is step one, determining impact and affected code will help determine priority.

To address these challenges, Deepfactor announced a partnership with Synopsys, a leader in application security testing, at KubeCon + CloudNativeCon Europe 2022. 

The Deepfactor Developer Security integration with Synopsys Black Duck® provides developers with access to enhanced, well-researched Black Duck Security Advisories and runtime security insights such as usage information and method tracing in a single platform, purpose-built to reduce alert volume and prioritize remediation in cloud-native applications.

Reduce Alert Volume and Prioritize Remediation with Deepfactor

Open Source

Application Security

Cyber Security

Cyber Attacks

Cloud Security

Cloud

IT Security

Threat Detection

Risk Management

Information Security

Intellectual property law is crucial to ensuring that you or your organization have exclusive rights to that assets that you’ve created. The BrightTALK intellectual property community has thousands of professionals focused on learning and exchanging information about intellectual property management, intellectual property software and how to protect intellectual property. Join the community for access to free, interactive presentations or attend live webinars to have your questions answered by IP lawyers and industry experts.

Intellectual Property

The legal community on BrightTALK combines the fields of employment law, e-discovery, intellectual property and environmental law to create a thriving ecosystem of legal resources. Attend live and on-demand webinars dealing with employment contract law, e-discovery solutions, intellectual property software and sustainable development from leading lawyers and legal professionals to gain knowledge in a wide range of fields. Join the community and be part of the conversation by attending live legal webinars and connecting with industry thought leaders.

Legal

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

The application development community features top thought leadership focusing on optimal practices in software development, SDLC methodology, mobile app development and application development platforms and tools. Join top software engineers and coders as they cover emerging trends in everything from enterprise app development to developing for mobile platforms such as Android and iOS.

Application Development

Enterprise applications have become a crucial piece of infrastructure for many businesses. The enterprise applications community on BrightTALK features the latest insights in enterprise application integration, enterprise application architecture and EAS software. Join the community to gain access to thousands of videos and webinars presented by recognized enterprise information systems experts and arm yourself with the knowledge you need to succeed.

Enterprise Applications

Join thousands of engaged IT professionals in the application management community on BrightTALK. Interact with your peers in relevant webinars and videos on the latest trends and best practices for application lifecycle management, application performance management and application development.

Application Management

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Information Technology

Internal audit and compliance professionals are facing increasingly stringent regulatory requirements when it comes to compliance reporting and internal control procedures. Join the audit and compliance community to learn best practices from thought leaders on topics such as regulatory compliance, internal audit checklists and audit program strategies.

Audit and Compliance

Get powerful market trends insights that are shaping the M

Mergers and Acquisitions

The accounting and finance community on BrightTALK features presentations from leading accountants and finance professionals. The accounting community includes tax planning strategies, QuickBooks webinars and other accounting webinars, while the finance community features presentations on financial capital regulations and forensic data analytics. Join the conversation by attending live financial and accounting presentations and connecting with industry thought leaders.

Reduce Alert Volume and Prioritize Remediation with Deepfactor

Presented by

About this talk

More from this channel