Name: Get the most out of your open source software
Start: 2022-05-05T19:48:00Z
End: 2022-05-05T19:48:15.000Z
Location: BrightTALK
Rating: 0

Synopsys Software Integrity Group provides integrated solutions that transform the way development teams build and deliver software, accelerating innovation while addressing business risk. Our industry-leading portfolio of software security products and services is the most comprehensive in the world and interoperates with third-party and open source tools, allowing organizations to leverage existing investments to build the security program that’s best for them. Only Synopsys offers everything you need to build trust in your software.

Gain insights into important legal developments from two of the leading open source legal experts, Tony Decicco, shareholder at GTC Law Group & Affiliates and Chris Stevenson, Of Counsel at DLA Piper. 

This annual review will highlight the most significant legal developments related to open source software in 2023, focusing on topics that were resolved, those that got started and what we can expect to see in coming years.

The full agenda is to come.

CLE:
DLA Piper LLP (US) has been certified by the State Bar of California, Illinois MCLE Board, the Board on Continuing Legal Education of the Supreme Court of New Jersey, and the New York State Continuing Legal Education Board as an Accredited Provider. The following CLE credit is being sought: 
• California: 1.5 Credit (1.5 General, 0.0 Ethics)
• Illinois: 1.5 Credit (1.5 General, 0.0 Professional Responsibility)
• New Jersey: 1.8 Credits (1.8 General, 0.0 Ethics)
• New York: 1.5 Transitional & Non-Transitional Credit (1.5 Professional Practice, 0.0 Ethics)
CLE credit will be applied for in other states where DLA Piper has an office with the exception of Minnesota, North Carolina, and Puerto Rico.

The 2023 Open Source Year in Review

As the popularity of cloud-native applications continues to surge, containers are becoming the preferred option to package and deploy these applications because of the agility and scalability they deliver. According to Gartner, “by 2022, more than 75% of global organizations will be running containerized applications in production.”

The popularity of containers has also attracted the attention of hackers who are constantly looking for new ways to exploit them. Containers expand an organization’s attack surface and increase the risk to the applications they house. A comprehensive approach for container security is required to mitigate the risk to containerized applications and infrastructure.

In this webinar, we’ll outline the essential elements required to secure your container environments, including:
• Understanding what containers are (and aren’t)
• How to look at container security holistically
• The top threats to container landscapes
• Relevant case studies

Container Security Essentials

With the cost of cyberattacks predicted to cost $10.5 trillion by 2025, the European Commission is looking to transform the cybersecurity landscape through the Cyber Resilience Act. The goal of the CRA is to “bolster cybersecurity rules to ensure more secure hardware and software products.” But what does that mean for those of us already involved in AppSec?

Join our experts as they discuss how AppSec professionals may be impacted by CRA as it exists today. Specifically, we’ll explore: 
- Which products may be subject to the CRA based on the definition of “digital elements”
- What impacts this could have on software supply chain moving forward
- How you can assess your AppSec programs to see where you stand with CRA as defined today

The CRA is currently a draft, as such opinions and insights from presenters are subject to change.

What the EU Cyber Resilience Act Means for AppSec

Open source software continues to prove its staying power. It serves as the foundation for the modern applications that we depend on to run. 

Along with the significant scale of open source usage comes a decreased ability to effectively manage the associated risk. In fact, 96% of codebases we audited in 2022 contain open source, and 84% contain security vulnerabilities.  

So how can you adapt to the current scale of open source usage to mitigate software supply chain risk and secure your applications? 

Join our live webinar as we explore the findings of our 2023 “Open Source Security and Risk Analysis” report, and see what they mean to teams like yours. We’ll cover

• How our research reflects the current application development landscape 
• Open source risk including security threats 
• What leads to the build-up of risky dependencies 
• Why you need an accurate inventory of open source components 
• The core tenets of open source risk management programs

The 2023 Guide to Open Source

If software is an important part of your business and you need to comply with license terms and protect against security vulnerabilities, you need to know and track what is inside your software. Lists of software components and dependencies are typically referred to as Software Bills of Materials (SBOMs).

Standardizing the format for SBOMs can improve the accuracy and efficiency for managing software license compliance and security vulnerabilities – especially if your software is the result of a long list of suppliers (e.g., a commercial product which depends on a commercial library which uses an open-source library which includes source from a different open-source project).

With the May 12, 2021 U.S. Presidential Executive Order on Improving the Nations Cyber Security, several software suppliers are being required to produce their SBOMs in a standard format.

SPDX is a standard format for SBOMs.  Although it has been around for more than 10 years, it has gone through some significant evolution such representing data on security vulnerabilities. There is a forthcoming major release which supports several new use cases such as tracking the build process and tracking data about artificial intelligence models.

In this talk, we will start with how you can use the widely adopted SPDX 2.3 spec to represent security vulnerability and license compliance data and then go into some of the new features of the SPDX 3.0 specification.  We will touch on what goes into making a quality SBOM.

At the conclusion of the talk, you will have a better understanding how you can make use of SPDX whether you are producing software or evaluating software you use (or plan to use).

SBOMs and SPDX: Now and in the Future

Malicious code has been making headlines over the past years. The type of attacks may vary, but the consequences are real. We’ve seen a spate of malicious open source components identified within the NPM repository, or an ethical hacker gaining access to the systems of several notable tech companies using publicly hosted packages. 

Today, threat actors are looking beyond exploiting weaknesses in the application layer. Now they have started taking advantage of the inherent trust associated with open source software. Inadvertently building code with these weaknesses into applications leaves businesses and their customers prime targets of supply chain attacks.  

Join us as we discuss

• What can be classified as malicious code or malware 
• Some of the techniques that attackers use to inject malicious code into the supply chain 
• Methods for identifying malicious code and open source components

How Does Malicious Code Enter Applications?

Most software due diligence playbooks involve peer-to-peer discussions about products, processes, and people. That’s all extremely important as investors often bet on future development. But mitigating software risk in M&A requires not only evaluating the state of the target’s processes and organization, but also understanding the dimensions of technical debt that may lurk in the code.
 
Join this Synopsys webinar to learn how your software due diligence process can uncover technical debt and reduce post-close headaches. We’ll cover best practices for evaluating: 
 
• The organization and processes 
• Quality of the architecture and code
• Application security risks
• Open source/third-party software

Software Due Diligence: Mitigating Multiple Dimensions of Risk

The Common Vulnerability Scoring System (CVSS) helps you decide which vulnerabilities you should be most concerned about. This isn’t to say that the CVSS will make prioritization decisions for you, but it will give you one piece of information you need to make informed decisions that are best for your organization.

In this session, you'll gain:
• An understanding of CVSS, its metrics, and scoring process
• Insight into CVSS's history and role in vulnerability management
• A walkthrough of scoring a vulnerability's severity
• Knowledge of how CVSS is used in vulnerability management

Vulnerability Scoring 101

Companies adopt many application security testing (AST) tools to pinpoint where critical fixes are needed and avoid costly postproduction software issues. Yet despite a lot of AppSec investment, they still fail to get an accurate view of risk, and struggle integrate testing, triage, and remediation within developer workflows. This has driven the evolution of application security posture management (ASPM). 

In this session, we’ll dive into 
- What is ASPM, and capabilities that a comprehensive solution should have
- Best practices on using ASPM to accelerate AppSec transformation and consolidate data, workflows, and visibility
- How ASPM can help your development and security teams mitigate software risk at scale

What is Application Security Posture Management (ASPM)?

Companies and individuals alike are concerned about their software supply chain security. To be honest, who isn't?

Threat actors are looking for new ways to exploit software weaknesses. Beyond the application layer. They are taking advantage of the inherent trust associated with open-source software. And we all know OS software is only as secure as its weakest link.

In this session, security expert Boris Cipot will discuss:
- How to use AI generated code without opening yourself up to IP violations
- The increase in malicious software and how to avoid being another statistic
- How to satisfy all supply chain motivations, whether they're customer requirements or industry regulations

Join Boris to learn about software supply chain risks. And what you can do to prevent them.

Your Software Supply Chain is Only as Secure as its Weakest Link

Although AI has been around for decades, recent advances, including the development of generative AI tools, mean that AI-related stories are hitting the headlines on an almost-daily basis. This includes the copyright infringement proceedings brought by a group of American novelists against OpenAI in relation to use of their novels as training data, the ban by Samsung on using generative AI tools on its internal networks and company-owned devices, and the Hollywood writers’ strike over the use of AI in the film industry. 

More than half of organisations (52%) recently polled by Gartner reported that risk factors are a critical consideration when evaluating new AI use cases. So before spending time and money on the development of software by using AI, it is important for a company to understand the potential risks of doing so and how to mitigate such risks. Companies will need to rethink how development gets done, with the focus needing to be on evolving operations and training people as much as on technology. In addition, if looking to be acquired later down the line, that company will need to be ready to answer questions from prospective buyers.

Join this live Synopsys webinar, in which a panel of legal experts from CMS UK  will focus on two hot topics in relation to AI: intellectual property and governance. They will cover:

•         IP issues relating to the use of third party content to train AI tools
•         questions around subsistence, authorship/inventorship and ownership of any IP
•         the risk of the output infringing third party IP rights
•         key IP considerations in the context of a potential acquisition
•         how to manage development of software with the help of AI through effective governance
•         how ISO Standards and standardisation can play a significant role in mitigating the risks associated with AI and establishing robust governance frameworks

AI and Software Development: IP and Governance

Modern software development has completely transformed the way organizations operate and compete in the market. With the attack surface growing exponentially and the software supply chain becoming more complex due to developments like the rise of AI and increasing regulatory pressure, organizations are struggling to keep pace. 
 
In this webinar, learn how to remove complexity and ease the resource strain associated with securing modern software through consolidation initiatives. Join us with Accenture Security and Enterprise Strategy Group for a roundtable discussion on
 
• Key trends and core challenges associated with security tool proliferation
• Blueprints for taking a consolidation initiative beyond TCO to improving overall risk management
• Key learnings from actual customer consolidation journeys

A Guide to AppSec Tool Consolidation

As you start down the path of using generative artificial intelligence (GAI) in software development to improve efficiency, reduce costs, and increase revenue, you must also be aware of the associated legal issues. How can you leverage AI and minimize the risk it presents?

Join this live Synopsys webinar in which a panel of legal experts and practitioners will answer your questions about the rise of AI in software development, and how you can responsibly leverage this new technology. We’ll cover:

• The benefits and risks for using AI in software development 
• The evolving legal and regulatory landscape 
• Practical advice for using AI today and into the future

Ask the Experts: AI and Software Development

This year’s DevSecOps Report defines a vivid image of organizations’ journey to secure their software development pipelines, with intriguing conclusions about challenges, success factors, and risk exposure across industries and maturities. Integrating security controls across the development lifecycle and CI pipelines establishes mechanisms for rapid risk detection, accelerated remediation, and automated security gates. But aligning development, AppSec, and DevOps teams to realize a vision for secure DevOps requires a clear strategy. 

Join us as we examine the key findings from the Synopsys 2023 DevSecOps Survey and discuss: 

• The state of DevSecOps across roles and technologies
• What a maturing DevSecOps program looks like and which tools and practices foster growth
• Recommendations for how to integrate application security without impeding DevOps

Register today.

DevSecOps in the Wild: Examining Global Security Factors in 2023

In the realm of secure software supply chains, it's evident that each one possesses its unique characteristics. Consequently, the strategies for ensuring their security are equally diverse. This variance often contributes to the widespread confusion surrounding the subject. But what if we could pinpoint the shared elements among all supply chain security endeavors? 

Join us for a discussion on four fundamental truths observed across every secure software supply chain. Discover how these principles can propel your security initiatives forward.

Prepare to gain insights into:
- The impact of open source software on contemporary supply chains
- The significance of consistent and reliable risk assessment
- The role of automation in facilitating effective governance
- Establishing consumer trust through vendor practices

The Four Truths of Securing Your Software Supply Chain

The proliferation of software across every industry poses significant challenges for teams that must both keep up with the fast pace of innovation and ensure that the software they build is secure. This has led to security tool sprawl, unnecessary complexity, increased operational costs and in many cases, a decreased ability to quickly assess risk. As a result, many organizations are looking to consolidate the number of security tools and vendors they manage to improve resource efficiency and overall risk posture.
 
In this webinar, we will discuss the key things necessary to capitalize on consolidation initiatives beyond a simple reduction of tools, and provide a roadmap for how organizations can realize these benefits rapidly.

Reduce Complexity & Improve TCO with AST Vendor Consolidation

The economic downturn is impacting organizations, and application security is not exempt from budget pressures. You may need to make some difficult choices on application security spending that doesn’t add risk to the business. Do you have a plan in place today?
 
Join us for this Synopsys webinar to get insight into the latest application security risks and where budget trade-offs can be made. We’ll cover:
 
• Trends in AppSec in challenging times
• Factors when considering cloud vs on-prem solutions
• Trade-offs between platform and best-of-breed AppSec approaches

Transforming DevSecOps in Turbulent Times

随着5G、云计算、大数据、人工智能等新兴技术的迅猛发展与深入应用，各行各业的数字化转型也在不断加速。企业通过数字化转型提高了生产效率、加快了响应速度、改善了用户体验、增强了沟通协作、缩短了发布时间……，从而赢得了高速发展的巨大机遇。

然而，事物总有两面性。在数字化转型的进程中，企业应用安全（即构建安全可信的软件应用）所带来的压力和挑战日益凸显。为兼顾效率与安全，DevSecOps受到企业的普遍青睐，成为主流的软件开发模式之一。

为了解DevSecOps现状、识别DevSecOps的关键实践、发现实施DevSecOps的障碍并探讨解决建议，新思科技将开展以“聚焦DevSecOps，增强企业应用安全”为主题的《2023年全球DevSecOps现状调查》线上发布会。届时，新思科技中国区应用安全技术总监付红勋将为您解读DevSecOps的现状、挑战与建议。

聚焦DevSecOps，增强企业应用安全

Creating an Attack Model in Threat Modeling

Raising the security bar in DevSecOps

The evolution of application security

Creating a System Model in Threat Modeling

Risks vs. beneﬁts of AI-generated code

Tanya Janca discusses the worst DevSecOps practices

Addressing software liability in the public sector

Breaking down the United States National Cybersecurity Strategy

Scoping and Data Gathering in Threat Modeling

Achieving security simplicity amongst application chaos

Talking AI with Bruce Schneier Part 3

Talking AI with Bruce Schneier Part 2

Talking AI with Bruce Schneier Part 1

Improving the Sec in DevSecOps

Don’t let your software supply chain poison your apps

Achieve frictionless AppSec for developers with Polaris

Scale application security cost-effectively with Polaris

Easy deployment with Polaris

Managing your open source risks

Open source trends uncovered in the 2023 OSSRA

Continuous AppSec testing in DevSecOps with IAST

Part 2: 2022 Software Vulnerability Snapshot Takeaways

Part 1: 2022 Software Vulnerability Snapshot Explained

Get actionable solutions with DAST

Security at the speed of DevOps

Is an SBOM a silver bullet for software supply chain security?

Managing software supply chain risks

Methods and tools for SBOM generation

A holistic approach to your AppSec program

DevSecOps in a post-pandemic world

Application security orchestration and correlation

An introduction to the Synopsys Cybersecurity Research Center

The NIST guidance on supply chain risk management

Addressing NIST guidelines begins with understanding your risk profile

2022 Open Source Security and Risk Analysis (OSSRA) trends

Building security into DevOps

A proactive approach to building trust in your software supply chain

Why Biden's executive order should be on your radar

Cyber security measures for technology buyers and suppliers

New executive order changes dynamic of software security standards

Manufacturing more secure IoT devices

Manufacturers should build security into their IoT devices

The future of IoT devices and what it means for security & privacy

AppSec Decoded

Listen as Tim Mackey and Taylor Armerding discuss the value of Black Duck® by Synopsys audit services in the M&A world, and ways to reap the benefits of your open source software without falling victim to the risks.

Get the most out of your open source software

Open Source

Cyber Security

Application Security

Mergers and Acquisitions

license compliance

Legal Review

Risk Management

Acquisition

Intellectual Property

Intellectual property law is crucial to ensuring that you or your organization have exclusive rights to that assets that you’ve created. The BrightTALK intellectual property community has thousands of professionals focused on learning and exchanging information about intellectual property management, intellectual property software and how to protect intellectual property. Join the community for access to free, interactive presentations or attend live webinars to have your questions answered by IP lawyers and industry experts.

The legal community on BrightTALK combines the fields of employment law, e-discovery, intellectual property and environmental law to create a thriving ecosystem of legal resources. Attend live and on-demand webinars dealing with employment contract law, e-discovery solutions, intellectual property software and sustainable development from leading lawyers and legal professionals to gain knowledge in a wide range of fields. Join the community and be part of the conversation by attending live legal webinars and connecting with industry thought leaders.

Legal

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

The application development community features top thought leadership focusing on optimal practices in software development, SDLC methodology, mobile app development and application development platforms and tools. Join top software engineers and coders as they cover emerging trends in everything from enterprise app development to developing for mobile platforms such as Android and iOS.

Application Development

Enterprise applications have become a crucial piece of infrastructure for many businesses. The enterprise applications community on BrightTALK features the latest insights in enterprise application integration, enterprise application architecture and EAS software. Join the community to gain access to thousands of videos and webinars presented by recognized enterprise information systems experts and arm yourself with the knowledge you need to succeed.

Enterprise Applications

Join thousands of engaged IT professionals in the application management community on BrightTALK. Interact with your peers in relevant webinars and videos on the latest trends and best practices for application lifecycle management, application performance management and application development.

Application Management

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Information Technology

Internal audit and compliance professionals are facing increasingly stringent regulatory requirements when it comes to compliance reporting and internal control procedures. Join the audit and compliance community to learn best practices from thought leaders on topics such as regulatory compliance, internal audit checklists and audit program strategies.

Audit and Compliance

Get powerful market trends insights that are shaping the M

The accounting and finance community on BrightTALK features presentations from leading accountants and finance professionals. The accounting community includes tax planning strategies, QuickBooks webinars and other accounting webinars, while the finance community features presentations on financial capital regulations and forensic data analytics. Join the conversation by attending live financial and accounting presentations and connecting with industry thought leaders.

Get the most out of your open source software

Presented by

About this talk

More from this channel