Name: SBOMs and SPDX: Now and in the Future
Start: 2024-02-08T06:00:00Z
End: 2024-02-08T06:00:58.000Z
Location: BrightTALK
Rating: 3.7

Black Duck is now defining the next frontier of application security. With the avalanche of AI-generated code plus expanding regulatory pressure, you need solutions that can scale, adapt, and keep pace with the demands of your business.

Black Duck meets the demands of modern software development with True Scale Application Security. In the cloud or on-prem, 100,000 lines of code or 100 million. For safety-critical systems with stringent compliance requirements or modern web apps deploying 100 times per day. Our flexible, scalable, high-precision solutions enable you to code with confidence.

AI coding assistants and open source AI models are revolutionizing productivity and innovation. But these new resources introduce a systemic challenge that impacts the entire pipeline. How do we embrace innovation without introducing invisible risk at astonishing scale? Does AI-enabled development threaten the value of the assets that drive your business? This session shows the results of a new study on this shared reality. It shows a way to get security and compliance done that doesn’t stop development teams.
We’ll address the main worries of technology executives and effective approaches to handling risks caused by AI. It's time to align development and security teams. You may ask how? Through integrated tools that make secure coding a natural part of daily workflows.
What’s in it for you?
• Gain exclusive insights from new research on AI adoption and its security implications
• Learn practical strategies to manage AI-generated risks in development pipelines
• Discover how to align Security and Development for frictionless, secure innovation

Secure or Sorry? What AppSec Leaders Must Know About AI Adoption

Open source software powers modern development—but it also introduces risks. From direct and transitive dependencies to container images, these risks can enter your applications in many ways, often without full visibility. 

Join this webinar to learn

• The common entry points for open source in your applications
• The risks of unmanaged open source, including vulnerabilities and license issues
• Best practices for securing and governing open source usage
• Tools and strategies for maintaining compliance and visibility

Whether you're a developer, security professional, or compliance lead, this session will help you build safer, more resilient software.

The Open Source Wildcard: Don't Roll the Dice on Risk

The tech M&A landscape is rapidly evolving with the pervasive integration of AI into target company applications. As machine learning, Generative AI, and other intelligent technologies become central to innovation, traditional software due diligence is no longer enough. This session addresses the critical new dimensions of risk and opportunity that AI introduces to acquisitions.

Join us for a practical framework designed to equip M&A principals and legal counsel with the tools to thoroughly assess AI-driven targets. We’ll dive into the essential areas you must explore, from evaluating model provenance and performance to navigating complex data governance and ethical considerations.

Key takeaways will include how-to effectively assess:

• AI Footprint: Understanding the strategic implementation and problem-solving capabilities of AI.
• Security Risks: Comprehensive data protection, access control, and penetration testing for AI systems.
• Legal & IP Risks: Clarifying model and training data ownership, alongside API terms.
• Quality & Reliability Risks: Ensuring performance, effective retraining, and model explainability.
• Regulatory & Compliance Risks: Navigating emerging regulations like the EU AI Act and critical data privacy concerns.

M&A's New Frontier: Assessing AI Software Risk in Your Next Deal

AI-enabled development tools and coding assistants are pushing CI pipelines, fueling innovation, and iterating business-critical software faster than ever before. Security teams are now forced to catch up. The burden to remedy AI tools often weak coding practices and to overcome their ignorance to third-party vulnerabilities and licenses is further complicated by developers' implicit trust in their output and an intrinsic incompatibility between AppSec and Dev teams' primary role: to ship functional code quickly.  

Enterprises can no longer treat development and AppSec workflows as separate entities. To unify them, however, requires fast, reliable, automated ways to evaluate every line of code that flows through the pipeline and to provide immediate access to fix methods. This only manifests with integrated security gates across CI/CD pipelines, aligned to risk-tolerance standards and optimized to maintain the speed benefits of AI-enabled development.  

Join us as we analyze DevSecOps in the age of AI and structure a viable strategy that accounts for:  

- Software security and license compliance issues introduced, at speed, by AI coding assistants  
- The dissonance between the adoption of AI-enabled dev tools and AppSec's preparedness to secure their output  
- Business priorities that span development, security, legal, and executive requirements

AI's IOU: Maximizing value from AI without paying for it later

With software development accelerating in the AI era, there are even more sources of vulnerabilities to track. Managing this is an enormously complex task, as organizations are already struggling to unify data across disparate tools for testing, SCM, and reporting. As more organizations adopt AI-assisted development, existing issues with fragmented risk visibility will only get bigger. 
 
In this webinar, you will learn about capabilities for achieving a high-fidelity, organizational view of risk posture to better streamline auditing, visualize AppSec gaps, and identify your most vulnerable software. We will talk about necessary capabilities for aggregating key sources of data, standardizing risk scoring, and how you can set up the right technical foundations for success.

Contextualizing Risk in the Age of AI Development

AppSec teams are being stretched to the limit trying to keep up with the pace, volume and complexity of modern application development. Current trends in software development – the transformative role AI, the increasingly complex and vulnerable software supply chain, and the mounting requirement to both scale and focus security issue remediation – help shed light on what measures organizations need to put in place to stay ahead.     

In this session we will outline these trends and provide data and insights from our research into them. We will also outline practical steps you can take now to position yourselves to manage the evolving requirements of Application Security.

The State of AppSec & Beyond

Join two of our cybersecurity experts for a lightning round that cuts through the hype and addresses the immediate challenges of AI in software development. We'll explore the paradigm shift that is reshaping creativity and problem-solving in development, the new frontier of AI-influenced software risk, and discuss ways in which AI coding assistants and open source AI models form the next evolution of the software supply chain crisis.
 
This session charts a course from high-level business concerns directly to the developer experience, examining:
- The business and contractual liabilities that arise when AI-generated code enters your products.
- New, instinct-driven "vibe programming" and the debate over whether this emerging methodology is a sustainable path to innovation or a source of unpredictable risk.
- How AI coding assistance alters hiring strategies and the critical role of code review by security-capable developers in an AI-driven workflow.
- Emerging attack vectors tied to the growing use of open-source AI models.
- Viable paths forward to harness the power of AI, manage its inherent risks, and minimize organizational disruption by establishing resilient and scalable safety nets within your pipeline.

AI-Assisted Disruption: How Change Impacts Dev and Sec as Organizations Pivot to AI

Application security hasn’t gotten any simpler—especially as AI accelerates the way software is built. More code, more complexity, and more fragmented tooling make it harder to answer a basic question: Where are we exposed?  

This session explores how teams can regain clarity at the first step of any risk management program. That means identifying what’s running, what’s been tested, and what needs attention. We’ll look at how automation, speed, and policy can work together to improve visibility without slowing delivery.  

As part of Black Duck’s broader approach to application risk management, we’ll also show how solutions like Black Duck Polaris™ Platform scales with the way modern teams build software.

Identifying Risk in the Age of AI-Assisted Development

Security is the result of implementing the tools, personnel, and insight necessary to make informed decisions to mitigate risks within the software you create and the assets you consume through the software supply chain. While this process can be elaborate, rapid releases and CI/CD methodologies require that AppSec move at the speed of DevOps.

Achieving this is only possible with integrated controls and mechanisms to detect, prioritize, and address security issues at every stage in the SDLC and CI/CD pipelines. But how do you get there?

Join us as we recommend ways to establish security within DevOps without sacrificing efficiency. We’ll discuss:
- Pitfalls that can derail an organization’s AppSec initiative
- Strategies for overcoming obstacles to efficient, effective DevSecOps
- Recommendations for realizing integrated DevSecOps at scale

Integrating AppSec for Efficient DevSecOps

AI technologies are compelling teams to accelerate software development and to explore innovations previously regarded as unattainable. While 67% of organizations use AI coding assistants at least weekly to realize these goals, 57% feel that using AI coding assistants has introduced new security risks or has made it harder to detect issues in their codebase. AppSec teams are scrambling to keep pace.  

Join us for an in-depth exploration of today's DevSecOps landscape based on our yearly Global State of DevSecOps report and findings from independent research institute, SANS. We'll examine the delicate balance between AI-assisted development and modern DevSecOps strategies, focusing on: 
* The impact of AI coding assistants on development pipelines and security workflows 
* How AI-ready organizations maximize AppSec coverage and agility 
* The evolution of traditional application security testing (AST) to AI-enabled AST 
* Prerequisites for a scalable, robust DevSecOps program purpose-built for AI-enabled development

From Code to Security: The DevSecOps Frontier

Securing your software supply chain begins with knowing what’s in your code. With AI-generated code and ubiquitous open source software use, it’s never been more critical to understand what risks your software may contain. In fact, last year alone we found that 81% of codebases contained a high-/critical risk vulnerability.
 
Join this webinar as we explore the findings from the 2025 “Open Source Security and Risk Analysis” report. We’ll cover:
 
• The state of open source software security
• Tips for mitigating risks and keeping vulnerabilities out of your supply chain
• How to protect against security and IP risks from AI coding tools

The 2025 Guide to Open Source Security and Risk

Evaluating a target’s software development process, software architecture, and code quality are becoming a must do in M&A software due diligence. Acquiring poorly designed software or buggy code could derail your post-close plans. 

Join this webinar to learn how to sidestep the tech debt trap. We’ll cover: 

      - The dimensions of software quality 
     - Norms for typical tech M&A targets 
     - How to uncover and mitigate tech debt and post-close “gotchas” 
     - Software due diligence best practices around software quality

Avoid Buggy Deals: Evaluating Software Quality in M&A Due Diligence

There are three regulations that every software development team should be aware of: NIST Secure Software Development Framework (SSDF), the EU Cyber Resilience Act (CRA), and the FDA Cybersecurity Requirements for Medical Devices. What’s your regulation IQ? 

Join this webinar to learn how to navigate these regulations to secure your software supply chain. We’ll cover:  

- Key requirements, commonalities, and differences across the three regulations  
- The importance of an SBOM in dependency tracking and risk management 
- Best practices for complying with these cybersecurity standards  

Register now.

How to Navigate NIST, CRA, and FDA Regulations

Software is essential in everyday products like cars, medical devices, airplanes, and IoT devices. Bugs and security flaws can have serious impacts on safety, the environment, and your reputation. As AI speeds up software development, it's more important than ever to keep your policies, coding standards, and testing up to date.

In this webinar, we’ll discuss:
- Trends that offer innovation but also increase the risk of costly errors
- Updates to functional safety standards that improve software reliability
- How to reduce supply chain risks by getting a full view of your software
- Strengthening software with thorough testing techniques

Register now to learn practical tips for creating secure, reliable functional safety software in 2025 and beyond.

Building Safe and Reliable Software in 2025

Developers have utilized source code management (SCM) tools since the 1980s to track, control, and manage changes across the software development life cycle. But the use of SCM tools is even more widespread now due to the emergence of distributed version control systems such as Git.

For DevSecOps though, it is essential to seamlessly integrate application security testing (AST) into the SCM environment, without compromising on fidelity and scalability. This gives organizations complete control over AST in their CI/CD pipelines.

What you'll learn:
- Onboard new projects easily from GitHub
- Get a centralized view of all your projects
- Orchestrate AST within GitHub actions & workflows
- Monitor all of your GitHub organizations continuously

Getting high fidelity AppSec results within your SCM environment

The Bridge CLI, Coverity CLI, and cov-build offer different ways to run your Coverity Static Analysis.  Join us as we explore how these tools complement each other and help you discover the right one for your CI/CD pipelines, pull request workflows, and ad-hoc scans. This session will include a live demonstration followed by a brief Q&A.  This webinar is targeted for developers, DevOps, or anyone responsible for configuring Coverity Analysis.

The CI/CD Plugin Playbook: How Bridge CLI, Coverity CLI, and cov-build Fit Together

Any tech acquisition target worth its salt is not only using generative AI tools to write code, but also incorporating AI technology into its products. As AI transforms these companies’ applications, and how they develop them, potential investors and acquirers face a new set of risks and questions. 

Join our panel of tech lawyer/AI experts for sage advice on how-to up your software due diligence game. Whether you’re an acquirer, an investor, or expect to be on the sell-side one of these days, learn about:

• The evolving state of risks associated with non-human written code
• Important considerations for integrators of AI models, evaluating the chain of custody and legal hygiene of datasets
• How due diligence is evolving to help investors and acquirers assess and plan for risks
• Market reps and warranties to complement derisking through due diligence 

Register today.

Intelligent Software Due Diligence in the Age of Artificial Intelligence

Join us for an exclusive insider session! We’ll explore the latest trends and challenges in embedded software development. “The State of Embedded Software Quality and Safety” report uncovers key issues in the industry. It highlights the fast rise of AI, potential new risks to software quality, and a shift in what’s driving Software Bill of Materials (SBOMs) requirements.

Here's what you can expect to learn
• How “shadow AI” introduces new risks to governance, security, and IP
• The evolving skillset required for modern embedded developers
• The rising demand for SBOMs as a commercial requirement
• Strategies for balancing speed and quality in software development
• How leading organizations are managing the risks associated with AI and open source software

Get key insights into embedded software development. You'll learn to handle quality, safety, and security in an AI-driven world.

The Rise of AI and New Risks to Embedded Software Development

As the popularity of cloud-native applications continues to surge, containers are becoming the preferred option to package and deploy these applications because of the agility and scalability they deliver. According to Gartner, “by 2022, more than 90% of global organizations will be running containerized applications in production by 2026 or 2027,up from less than 40% in 2021.”

The popularity of containers has also attracted the attention of hackers who are constantly looking for new ways to exploit them. Containers expand an organization’s attack surface and increase the risk to the applications they house. A comprehensive approach for container security is required to mitigate the risk to containerized applications and infrastructure.

In this webinar, we’ll outline the essential elements required to secure your container environments, including:
• Understanding what containers are (and aren’t)
• How to look at container security holistically
• The top threats to container landscapes
• Relevant case studies

Container Security Essentials

Legislation requiring stringent software security practices by software producers is being passed around the globe. This requires organizations to rethink their approach to software security, which industry standards they follow, and the best practices for their software development teams.

NIST has produced guidance known as the Secure Software Development Framework (SSDF). The SSDF is a series of practices and associated tasks that serve as a baseline for teams seeking to securely develop software in a standardized way. Attestation to conformance with a subset of the SSDF has been signaled by the U.S.

In this webinar, you will learn the best practices for performing an SSDF readiness assessment including:

• Whether your organization’s software development practices align with the SSDF
• How to determine which controls are lacking for conformance with guidelines
• How to perform associated corrective recommendations on time
• Case studies of successful U.S. government attestations

Best Practices for Leveraging the SSDF

As far as the Cybersecurity and Infrastructure Security Agency (CISA) is concerned, there are six types of SBOMs that can be created for a single application or piece of software; neither of which will be identical. While CISA doesn’t have a favorite type of SBOM, you may find that your organization, vendors, or customers prefer some over others. As such, it’s important to understand what to expect from each type, how to generate them, and be prepared to reconcile the differences across them.

Learning objectives:
• Become familiar with the six types of SBOM
• Understand the benefits and limitations of each type
• Know the methods and tools required to generate each type

How Many Types of SBOM Are There?

DevSecOps and cloud services are driving container adoption in software. As container architectures get complex, they're increasingly exploited. This talk aims to clarify containerization and infrastructure-as-code (IaC) for beginners. We'll cover container technologies, key terms, their value, popularity, challenges, and security issues. We'll discuss common threats, vulnerabilities, attack vectors, and provide real-world attack examples. We'll reference standards and resources like OWASP Docker Top 10, Container Security Verification Standard, NIST Application Container Security guide, and CIS Benchmarks. Finally, we'll provide guidelines and best practices for securing containers.

Finding Your Way in Container Security

Organizations face a variety of threats from malicious actors. With the proliferation of web services, APIs are the fastest-growing attack surface in the industry. It's time to act. Join this webinar to get answers to some of the most pressing questions, such as

• What are the current industry trends on API usage?
• What are the challenges in dealing with application and API security?
• What are the solutions to API security challenges?
• What is an example of a firm that has adopted an IAST tool for API security?

Addressing API Security in Your DevSecOps Life Cycle

Generative artificial intelligence (GAI) will fundamentally change the way that software is built. Whether they are developing or using AI tools, organizations must understand the opportunities and risks involved, and evolve governance, policies and processes to address those risks.

Join this webinar for a deep dive into the issues that arise when using GAI in software development. We’ll cover:

• Open source data and software licenses and risks with AI
• Licensing and clearance considerations for materials used to train AI models
• Licensing considerations in building, training, and using AI models
• A deep dive on GitHub Copilot, including implications of the class action suit

Generative AI, Training Data, Open Source, and GitHub Copilot, Oh My!

In February 2024, the NIST Cybersecurity Framework (CSF) 2.0 update was released, featuring the latest advancements. This update brings a host of transformative changes, expanding the framework's scope. It also provides stronger governance and supply chain risk management. There are also refining metrics for assessing cybersecurity effectiveness.

Join this webinar to learn about
• The long-anticipated CSF 2.0 update
• The implications of the changes in the 2.0 update
• Leveraging these changes to improve current cybersecurity programs

Embracing the Future of Cybersecurity with NIST CSF 2.0

Join us for a webinar discussing the challenges organizations face in transitioning to PCI-DSS 4.0 and implementing new security measures. We will explore the updates to the security framework and the critical need to secure APIs to protect sensitive payment information. Don't miss this opportunity to learn about the latest in PCI-DSS 4.0 and how to effectively adapt to these new standards.

PCI-DSS 4.0 Explained: Enhancements, Challenges, and APIs

The Board and C-Suite are starting to take notice of the opportunities and risks inherent with powerful new generative artificial intelligence (GAI) tools that can quickly create text, code, images, and other media. Product Development and Engineering teams want to use such tools to increase productivity by at least one order of magnitude. In response, the Security, Legal, and Compliance teams typically raise legitimate concerns about the risks involved. What role can the Board and C-Suite play in this situation?
 
Join this live Synopsys webinar to get a jump start on what AI strategy, security, and governance looks like from the Board-level and C-suite. We’ll cover:
 
• Fundamentals of AI, types of models, and data used to inform them
• Expanding existing processes and procedures to address the security risks of GAI
• The top three questions the Board and C-Suite should be asking about GAI
• How to navigate the existing and evolving legal and regulatory landscape

AI Strategy, Security, and Governance: The View from the Top

With the cost of cyberattacks predicted to cost $10.5 trillion by 2025, the European Commission is looking to transform the cybersecurity landscape through the Cyber Resilience Act. The goal of the CRA is to “bolster cybersecurity rules to ensure more secure hardware and software products.” But what does that mean for those of us already involved in AppSec?

Join our experts as they discuss how AppSec professionals may be impacted by CRA as it exists today. Specifically, we’ll explore: 
- Which products may be subject to the CRA based on the definition of “digital elements”
- What impacts this could have on software supply chain moving forward
- How you can assess your AppSec programs to see where you stand with CRA as defined today

The CRA is currently a draft, as such opinions and insights from presenters are subject to change.

What the EU Cyber Resilience Act Means for AppSec

Log4Shell, SolarWinds, CodeCov, and the npm package repository are all associated with some type of software supply chain risk or incident, but each represents completely different attack vectors. As we depend more on build and release automation and third- party dependencies, we need to better understand how threat actors exploit them to attack the consumers of software.  In this session, you’ll learn
• The riskiest points of your software development life cycle
• The four most common supply chain attacks, with real-world examples
• How to create a firewall around the software supply chain to protect your software and your customers

Four Types of Supply Chain Attacks Development Teams Should Worry About

Securing your software supply chain begins with knowing what’s in your code. With AI-generated code and ubiquitous open source software use, it’s never been more critical to understand what risks your software may contain. In fact, last year alone we found that 84% of codebases contained at least one open source vulnerability.
 
Join this live webinar as we explore the findings from the 2024 “Open Source Security and Risk Analysis” report. We’ll cover:
 
• The state of open source software security
• Tips for mitigating risks and keeping vulnerabilities out of your supply chain
• How to protect against security and IP risks from AI coding tools

The 2024 Guide to Open Source Security and Risk

Open source software has emerged as a primary target for cyberattacks. In fact, 9 out of 10 companies have detected software supply chain threats, with 70% admitting that their current solutions are inadequate. While open source attacks are the “path of least resistance” for many threat actors, attacks on commercial and proprietary software are on the rise.

Join this live webinar with Black Duck and ReversingLabs to explore a forward-looking security strategy for areas of concern for development teams – the software both within and lying beyond their control. We’ll cover: 

• Critical considerations for managing and securing open source usage
• How to distinguish between opportunistic and malicious software supply chain risks
• The correlation between inadequate application security management and security risks
• How attackers inject malicious packages into the software ecosystem
• Actionable steps to reduce software supply chain risks

Deep Dive: Software Supply Chain Threats

Join us for an insightful webinar that explores the dynamic landscape of application security. Learn about the alarming rise of supply chain attacks and the shifting tide of high-severity vulnerabilities, as well as the impact of these trends on organizations worldwide. Discover actionable strategies to combat these threats, including the importance of tool consolidation and fostering security champions within your teams. We'll cover
 
• The implications of supply chain attacks
• Effective tool consolidation strategies
• Empowering security champions to strengthen your defense

Securing Tomorrow - Navigating Trends in Application Security

Explore the current hype around software Bills of Materials (SBOMs), driven by new and upcoming legislation in the EU and elsewhere mandating their use across vendors, suppliers, and customers. Delve into the diverse capabilities required for SBOMs, varying by sector, jurisdiction, and supply chain position. This presentation will highlight key aspects of SBOM compliance, featuring crucial insights and a roundtable discussion with industry leaders IBM and Continental.

Together, we’ll address

- How to decipher legislative implication for SBOMs
- Streamlining effective SBOM processes
- Strategic insights for successful implementation

Demystifying SBOMs: Navigating Legislation and Processes

Although AI has been around for decades, recent advances, including the development of generative AI tools, mean that AI-related stories are hitting the headlines on an almost-daily basis. This includes the copyright infringement proceedings brought by a group of American novelists against OpenAI in relation to use of their novels as training data, the ban by Samsung on using generative AI tools on its internal networks and company-owned devices, and the Hollywood writers’ strike over the use of AI in the film industry. 

More than half of organisations (52%) recently polled by Gartner reported that risk factors are a critical consideration when evaluating new AI use cases. So before spending time and money on the development of software by using AI, it is important for a company to understand the potential risks of doing so and how to mitigate such risks. Companies will need to rethink how development gets done, with the focus needing to be on evolving operations and training people as much as on technology. In addition, if looking to be acquired later down the line, that company will need to be ready to answer questions from prospective buyers.

Join this webinar, in which a panel of legal experts from CMS UK  will focus on two hot topics in relation to AI: intellectual property and governance. They will cover:

•         IP issues relating to the use of third party content to train AI tools
•         questions around subsistence, authorship/inventorship and ownership of any IP
•         the risk of the output infringing third party IP rights
•         key IP considerations in the context of a potential acquisition
•         how to manage development of software with the help of AI through effective governance
•         how ISO Standards and standardisation can play a significant role in mitigating the risks associated with AI and establishing robust governance frameworks

AI and Software Development: IP and Governance

Companies and individuals alike are concerned about their software supply chain security. To be honest, who isn't?

Threat actors are looking for new ways to exploit software weaknesses. Beyond the application layer. They are taking advantage of the inherent trust associated with open-source software. And we all know OS software is only as secure as its weakest link.

In this session, security expert Boris Cipot will discuss:
- How to use AI generated code without opening yourself up to IP violations
- The increase in malicious software and how to avoid being another statistic
- How to satisfy all supply chain motivations, whether they're customer requirements or industry regulations

Join Boris to learn about software supply chain risks. And what you can do to prevent them.

Your Software Supply Chain is Only as Secure as its Weakest Link

Malicious code has been making headlines over the past years. The type of attacks may vary, but the consequences are real. We’ve seen a spate of malicious open source components identified within the NPM repository, or an ethical hacker gaining access to the systems of several notable tech companies using publicly hosted packages. 

Today, threat actors are looking beyond exploiting weaknesses in the application layer. Now they have started taking advantage of the inherent trust associated with open source software. Inadvertently building code with these weaknesses into applications leaves businesses and their customers prime targets of supply chain attacks.  

Join us as we discuss

• What can be classified as malicious code or malware 
• Some of the techniques that attackers use to inject malicious code into the supply chain 
• Methods for identifying malicious code and open source components

How Does Malicious Code Enter Applications?

Is it any wonder why developers have embraced containers. Containers reduce friction when it comes to moving code from testing to production. Containers also make it possible to run code anywhere. The level of flexibility is undeniable. With 92% of companies using containers in production* attackers are taking notice. Are you confident in your container security strategy?

Container security is important for the same reasons all application security is important: Without a comprehensive strategy and tooling in place, you risk exposing your sensitive data. Whether you’re new to container security or a battle tested veteran this webinar has something for you.

Zero to Hero: Improving Your Container Security Strategy

Most API Security tools/platforms are built for the Security teams that are told “here’s an API service already running – go secure it”. Thus, they take an outside-in approach of building a fence around a service and/or poking the service with a stick to see what outward reactions they can get. But even an ML-powered fence can’t stop everything. Shouldn’t we be improving the security inherent in our RESTful or GraphQL API service/microservices? Let's actually find and fix the flaws before the API is deployed. And before the developers reading this run screaming thinking this is another “shift [the extra work] left” talk, what we will advocate is a simply and scalably deployed agent that will do this work for us. It will automagically discover and ingest the API documentation (if it exists), create and run tests based on these docs, turn any other functional tests we already have into security tests, and output replayable exploits when they are found. “Agent-less” solutions don't have the visibility and controllability needed to realize the automagic of building a more secure API from the inside out.

Automagic API Security Testing

APIs are the heart of many modern applications. They enable organizations to create new business models and methods of engagement. Yet, security breaches have increased due to the proliferation of unprotected APls and API endpoints. A survey conducted by Salt Security in 2022(¹) found API attacks increased by 681%.

A comprehensive API protection strategy can help address these challenges, but it must include discovery, detection and protection. In this webinar you will learn about:

- The importance of conducting a thorough API inventory
- Implementing testing techniques to find problems throughout the SDLC
- Protecting your API by building in API-specific logging, monitoring and alerting at the application layer

(1) https://salt.security/blog/api-security-fundamentals

How to Address API Security in 2023?

There is no shortage of buzz around generative artificial intelligence (GAI). GAI can be used in software development to generate and augment code which saves times and reduces development cycles. But using AI in software development comes with its own set of risks.

Join this webinar to get an introduction to GAI and how you can minimize risk when using it in your organization. We’ll cover:

• What GAI is and how machines learn
• Legal issues with AI including copyright, web scraping, and more
• Overview of current litigation
• Practical approaches to using GAI while minimizing risk

Best Practices for Using AI in Software Development

Securing your Software Supply Chain

If software is an important part of your business and you need to comply with license terms and protect against security vulnerabilities, you need to know and track what is inside your software. Lists of software components and dependencies are typically referred to as Software Bills of Materials (SBOMs).

Standardizing the format for SBOMs can improve the accuracy and efficiency for managing software license compliance and security vulnerabilities – especially if your software is the result of a long list of suppliers (e.g., a commercial product which depends on a commercial library which uses an open-source library which includes source from a different open-source project).

With the May 12, 2021 U.S. Presidential Executive Order on Improving the Nations Cyber Security, several software suppliers are being required to produce their SBOMs in a standard format.

SPDX is a standard format for SBOMs.  Although it has been around for more than 10 years, it has gone through some significant evolution such representing data on security vulnerabilities. There is a forthcoming major release which supports several new use cases such as tracking the build process and tracking data about artificial intelligence models.

In this talk, we will start with how you can use the widely adopted SPDX 2.3 spec to represent security vulnerability and license compliance data and then go into some of the new features of the SPDX 3.0 specification.  We will touch on what goes into making a quality SBOM.

At the conclusion of the talk, you will have a better understanding how you can make use of SPDX whether you are producing software or evaluating software you use (or plan to use).

SBOMs and SPDX: Now and in the Future

Open Source

spdx

sbom

software bill of materials

security vulnerabilities

software supply chain

Software Development

Application Development

Cyber Security

Intellectual property law is crucial to ensuring that you or your organization have exclusive rights to that assets that you’ve created. The BrightTALK intellectual property community has thousands of professionals focused on learning and exchanging information about intellectual property management, intellectual property software and how to protect intellectual property. Join the community for access to free, interactive presentations or attend live webinars to have your questions answered by IP lawyers and industry experts.

Intellectual Property

The legal community on BrightTALK combines the fields of employment law, e-discovery, intellectual property and environmental law to create a thriving ecosystem of legal resources. Attend live and on-demand webinars dealing with employment contract law, e-discovery solutions, intellectual property software and sustainable development from leading lawyers and legal professionals to gain knowledge in a wide range of fields. Join the community and be part of the conversation by attending live legal webinars and connecting with industry thought leaders.

Legal

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

The application development community features top thought leadership focusing on optimal practices in software development, SDLC methodology, mobile app development and application development platforms and tools. Join top software engineers and coders as they cover emerging trends in everything from enterprise app development to developing for mobile platforms such as Android and iOS.

Enterprise applications have become a crucial piece of infrastructure for many businesses. The enterprise applications community on BrightTALK features the latest insights in enterprise application integration, enterprise application architecture and EAS software. Join the community to gain access to thousands of videos and webinars presented by recognized enterprise information systems experts and arm yourself with the knowledge you need to succeed.

Enterprise Applications

Join thousands of engaged IT professionals in the application management community on BrightTALK. Interact with your peers in relevant webinars and videos on the latest trends and best practices for application lifecycle management, application performance management and application development.

Application Management

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Information Technology

Internal audit and compliance professionals are facing increasingly stringent regulatory requirements when it comes to compliance reporting and internal control procedures. Join the audit and compliance community to learn best practices from thought leaders on topics such as regulatory compliance, internal audit checklists and audit program strategies.

Audit and Compliance

Get powerful market trends insights that are shaping the M

Mergers and Acquisitions

The accounting and finance community on BrightTALK features presentations from leading accountants and finance professionals. The accounting community includes tax planning strategies, QuickBooks webinars and other accounting webinars, while the finance community features presentations on financial capital regulations and forensic data analytics. Join the conversation by attending live financial and accounting presentations and connecting with industry thought leaders.

SBOMs and SPDX: Now and in the Future

Presented by

About this talk

Black Duck