Hi [[ session.user.profile.firstName ]]

Harnessing development to scale AppSec

GitLab helps you to scale security across your Continuous Integration (CI) process enabling developers to test their code with every code change, right in their existing workflow.

By seamlessly integrating WhiteSource’s security application testing solution in GitLab CI, we further reduce context switching and increase developer productivity. This enables developers and InfoSec professionals to work together to enhance application security in one integrated platform and continue shifting left.

Join us in learning how to leverage the GitLab developer’s workflow and the value of integrating WhiteSource’s security testing solution directly into that workflow.

We will share some best practices around shifting security left and demonstrate how to integrate WhiteSource into GitLab’s merge request pipeline and security dashboard.
Recorded Jun 4 2020 37 mins
Your place is confirmed,
we'll send you email reminders
Presented by
Jeffrey Martin, Senior Director of Product at WhiteSource and Fernando Diaz, Technical Marketing Manager at GitLab
Presentation preview: Harnessing development to scale AppSec

Network with like-minded attendees

  • [[ session.user.profile.displayName ]]
    Add a photo
    • [[ session.user.profile.displayName ]]
    • [[ session.user.profile.jobTitle ]]
    • [[ session.user.profile.companyName ]]
    • [[ userProfileTemplateHelper.getLocation(session.user.profile) ]]
  • [[ card.displayName ]]
    • [[ card.displayName ]]
    • [[ card.jobTitle ]]
    • [[ card.companyName ]]
    • [[ userProfileTemplateHelper.getLocation(card) ]]
  • Channel
  • Channel profile
  • How to Reduce Enterprise Application Security Risks Mar 17 2021 5:00 pm UTC 59 mins
    Jeffrey Martin, Associate VP product & Lilach Aviad Director of Product Marketing
    WhiteSource, in conjunction with Ponemon Institute, recently surveyed over 600 IT and IT security practitioners who are familiar with their organizations’ approach to securing applications – and here’s a spoiler: the highest level of security risk is considered by many organizations to be in the application layer. So what can Enterprise organizations do to reduce their application security risks? Join Jeffrey Martin, Associate VP Product at WhiteSource and Lilach Aviad, Director of Product Marketing, as they present:
     Why applications are more vulnerable to attack than other areas of vulnerabilities.
     Addressing vulnerabilities in enterprise applications
     Best practices of high-performing organizations in reducing the application security risk.
  • Best Practices for Developers to Master Security Mar 8 2021 6:00 pm UTC 44 mins
    Shiri Arad Ivtsan, Director of Product & Anna Rozin, Director of R&D at WhiteSource
    When you ask developers what they think of security, they will likely go into the situation without much enthusiasm as in their mind - security is slowing them down and holding them back from doing their ""actual"" job. But – it doesn't necessarily have to be that way. The friction between developers and security teams can be reduced if the right tools and processes are in place.
    Want to learn how handling security can be quick, efficient, and integrate into daily workflows?
    Join Anna Rozin, Director of R&D at WhiteSource, and Shiri Arad Ivtsan, Director of Product at WhiteSource, who will share their hands-on experience in managing open source components with WhiteSource tools. In this webinar, you'll learn:
    - Practical advice on testing, managing and fixing vulnerabilities in open source code packages
    - The tools and processes to handle security in a fast and effective way
    - How to empower developers with security data through prioritization and remediation tips
  • Early Warning Signs For Open Source Breakages Recorded: Feb 25 2021 22 mins
    Rhys Arkins, Director of Product Management
    Despite best intentions, Open Source releases with regression errors are published every day.
    In the best case scenario, a downstream user detects it early thanks to good tests, files an issue, and the maintainer can fix it before too many people have upgraded.
    Other scenarios involve various degrees of brokenness and games of "is it broken for everyone or just me?".

    Renovate Bot is an open source dependency automation tool but which also is run as a free app on github.com, where it is installed into almost 200,000 repositories.
    A feature called "Merge Confidence" helps downstream users know if a release is likely good or not based on automatically sourced crowd data (tests, deployments, rollbacks). Now we are planning to turn the focus upstream to help open source maintainers get an early indication of accidentally breaking releases and even provide a mechanism for downstream users to opt into silent pre-release testing so that major features can be smoke tested downstream before release.
  • AppSec 2021: What’s Next? Recorded: Feb 23 2021 20 mins
    Shiri Arad Ivtsan, Director of Product Management at WhiteSource
    2020 has been an interesting year to say the least! So how can we go into 2021 prepared for what's to come? Looking at the AppSec world, we can surely say that application security is an essential part of the software development lifecycle, and making sure it is secured should be our top priority in today’s ever-evolving and expanding digital ecosystem.

    Organizations today invest a lot of time and money in tools and processes that help them secure their applications and they will continue on doing that in 2021.

    But are they putting their money in the right place? How can software development organizations make sure that they have all the tools and processes in place to effectively address the many threats to application security?

    Join Shiri Arad Ivtsan, Director of Product Management at WhiteSource as she discusses:

    1. The most common external attack methods in the year to come and the main AppSec technologies we will use in 2021

    2. The maturity model of application security and the importance of DevSecOps

    3. How to keep up in order to protect against current threats to your applications.
  • The State of Open Source Security & Compliance: Best Practices Recorded: Feb 16 2021 51 mins
    Jason Hammond, Director of Solution Engineering at WhiteSource
    Open Source components have become a fundamental part of modern software applications. With the massive growth of the open source vulnerabilities over the past few years, the overall landscape of ensuring security, quality, and compliance might seem complex and challenging.

    There are ways to gain visibility and control over the open source components that make up the products that we release, but we must first address the risks so we can take the proper measures to avoid them.

    In this session you’ll discover:
    * How to address the needs of the entire organization, gain visibility and control, and prevent risk.
    * Where a vulnerable functionality is referenced within the code, so you can address and remediate the most critical issues and reduce security alerts by 85%
    * Learn how to automate the process of identifying all licenses that are attached to the dependencies whenever a new open source component is added to the build.
  • Open Source Security & Compliance for Containers and Serverless Functions Recorded: Feb 9 2021 44 mins
    Jason Hammond, Director of Solution Engineering at WhiteSource
    Nearly all cloud providers offer serverless capabilities and support containerized deployment of their customers’ applications. As organizations begin or continue to integrate serverless functions and containerized deployment into their operations, they will need to take the necessary precautions to ensure that their serverless functions and container images are secure.

    In this session you will learn why it is important to scan container images and serverless computing environments for open source libraries, and best practices for doing so, including:

    * Continuous scanning and monitoring of open source use in container images and serverless functions
    * Building a comprehensive inventory of open source libraries used in containers and serverless functions
    * Policy-driven management of security vulnerabilities and license compliance in container images and serverless functions
  • Financial Services: Building Agility and Security Recorded: Jan 27 2021 49 mins
    Jason Hammond, Director of Solution Engineering at WhiteSource
    Technology is rapidly reshaping the financial services workforce. In 2004 the Federal Financial Institutions Examination Council (FFIEC) has released the "Risk Management for the Use of Free and Open Source Software" guidance. This guidance reviews the risks and controls associated with the use of free and open source software (FOSS).

    Since open source components are an integral part of any software solution, their use must be carefully managed, documented and reported. However, many organizations still face security and compliance issues, that if not addressed, could cost them millions and even billions of dollars.

    Discover how financial service organizations can enhance operational risk management while ensuring speed and agility.

    In this webcast, we'll cover:
    - How to increase confidence in your development process with the ability to audit, review and automate security scans as a core part of the development lifecycle.
    - Best practices when incorporating security early in the developer's workflow
    - How to create a trusted pipeline
  • Tackling The Risks of Open Source Usage While Working Remotely Recorded: Jan 20 2021 47 mins
    Tamir Verthim and Dennis Zolotovski from WhiteSource, and Eray Ayduran from Microsoft
    Our current environment requires unprecedented social-distancing measures, which introduce a new set of security challenges. Working from home can lead to many distractions, especially when it comes to writing code. A distraction may unknowingly cause mistakes, which can introduce vulnerabilities and slow down development cycles. In addition, a developer may not have the time available to adequately investigate security vulnerabilities in the open source libraries they use in their code.

    Teams are struggling to manage the demands of the business while effectively managing security issues throughout the development process due to these challenges. This is resulting in an increased demand for open source governance and security management solutions.

    Join Microsoft and WhiteSource to learn more about the challenges and risks of working remotely. We will introduce you to our leading Software Composition Analysis (SCA) technology that integrates into your SDLC and makes it easy to develop secure and compliant software without having to compromise on speed or agility.

    In this session we will cover:
    - The challenges and risks of coding securely while working remotely
    - Breaking down the essential capabilities that you will need in order to use open source technology effectively
    - A demonstration of open source security and management tools which find and fix open source vulnerabilities within Microsoft Azure DevOps and GitHub build pipelines
  • Remote Diligence & Open Source Security During Uncertain Times Recorded: Jan 14 2021 68 mins
    Tom Laszewski (AWS), AJ Watson (Thinktiv), Ryan Kennedy (Kickdrum) and Jason Hammond (WhiteSource)
    Social-distancing creates new challenges for investment professionals conducting private equity due diligence. Acquiring firms still require high quality insights, but without face-to-face meetings, it can be more difficult for diligence teams to properly assess risk or build trust with a target.

    Physical meetings can no longer be used as a tool to expedite diligence inquiry and negotiations. There are new limitations on the accessibility of physical documentation. Many existing tools and processes break down when they are forced to execute remotely.

    Insightful and actionable transaction diligence requires a more focused approach. The current climate has created distress and exposed weaknesses in many companies, so it is even more important for diligence teams to be able to identify opportunities and detect risks that require mitigation. And they need to be able to do it all remotely.

    Learn about techniques and tools used by diligence professionals, open source experts, and AWS cloud analysts to make remote diligence successful. Discover how to optimize M&A due diligence during these challenging times.

    We will discuss:
    - Why remote diligence is not only possible, but may be preferable
    - How the best diligence must consider market, product, and technical strategy
    - De-risking source code with a 3-step open source process
    - The fastest cost reduction strategies for infrastructure and cloud

    Tom Laszewski
    Private Equity Transformation Strategist (Amazon Web Services)

    AJ Watson
    General Manager, Chief Growth Officer (Thinktiv)

    Ryan Kennedy
    Founder & Principal, (Kickdrum)

    Jason Hammond
    Director of Solutions Engineering, (WhiteSource)
  • Unsolved Problems in Open Source Security Recorded: Jan 12 2021 60 mins
    Rhys Arkins, Director of Product Management
    Very few people today doubt the principles and benefits of Open Source, but you can definitely be forgiven for having concerns about its security.
    Some of the ways we rely on Open Source today are fundamentally flawed, yet almost never discussed - from registries hosting unsigned artifacts of unreproducible source to package managers which propagate new versions of dependencies at the earliest opportunity.
    It's time to identify these unsolved - and mostly undiscussed - risks, evaluate their potential impact, and determine what can be done in the Open Source community to address them.
    In This webinar, Rhys Arkins, Director of Product Management at WhiteSource will discuss why we need reproducible builds in open source, verified artifacts, and why the majority of package managers may need a substantial change, while one in particular got it right.
    He will also provide some recommendations on defensive use of open source particularly for products and industries at the highest risk of software supply chain attacks.
  • DevSecOps: Best Practices for Enterprises Recorded: Dec 17 2020 59 mins
    Shiri Arad Ivtsan, Director of Product Management at WhiteSource, and Brian Dawson, Director, DevOps Evangelist at CloudBees
    The benefits of DevSecOps make a compelling case for its adoption. However, for many enterprise organizations, progressing from adoption to scale continues to be a challenge - which in turn, impacts their chances of success.

    So how can you implement DevSecOps to date and ensure a visible and continuous delivery pipeline for software releases without letting security slow them down?

    Join Shiri Arad Ivtsan, Director of Product Management at WhiteSource, and Brian Dawson, Director, DevOps Evangelist at CloudBees as they discuss:
    1. Why traditional DevOps has shifted, and what this will mean
    2. Who should own security in the age of DevOps
    3. Best practices to integrate continuous security across the DevOps framework
  • Shifting Compliance & Security Left - Into the Hands of The Developers Recorded: Dec 15 2020 58 mins
    Shiri Ivtsan, Director of Product Management at WhiteSource & Reza Alavi, Cyber Security Managing Consultant at Wipro
    The software world is alive with talk of shifting left - but what does it really mean? Theoretically, it means shifting responsibility for security & compliance to developers. In practice, it largely means enriching CI/CD processes to detect problematic licenses & vulnerabilities before they reach the main branch or production.
    Shiri Ivtsan, Senior Product Manager at WhiteSource & Reza Alavi, Cyber Security Managing Consultant at Wipro will discuss how shift-left security capabilities rely heavily on an organization's ability to rapidly test and deliver to adopt a developer-friendly approach to continuous compliance & security.
  • The DevSecOps Showdown: How to Bridge the Gap Between Security & Developers Recorded: Dec 10 2020 59 mins
    Jeff Martin, Associate VP Product Management and Rhys Arkins, Director of Product Management at WhiteSource
    DevSecOps requires processes and tools that enable weaving security throughout the DevOps pipeline. It is much more than a buzzword, and if you'd ask most organizations, well - they believe they are in the process of adopting DevSecOps tools and practices. But - are they?
    In order to deeply understand the state of DevSecOps implementation we need to learn more about the relationship between developers and security teams. After surveying more than 560 application security professionals and software developers we found several insights.
    Join Jeff Martin, Associate VP Product Management and Rhys Arkins, Director of Product Management at WhiteSource and learn:

    -The current challenges of the security and development teams when it comes to AppSec
    -The contradicting views & gaps between the teams on DevSecOps maturity
    -How to break the silos and advance towards DevSecOps maturity
  • The Developer’s New Normal: Quality and Security by Design Recorded: Nov 19 2020 60 mins
    Jeff Martin, AVP of Product Management @ WhiteSource and Marcus Merrell, Senior Director of Field Services @ Sauce Lab
    The shift left revolution is upon us. Developers’ roles are evolving as responsibility for application security expands into their domains so organizations can accelerate release velocity, increase productivity, and improve customer experience. The market is full of products offering to support these changes.

    How can digital leaders navigate through all of the noise and empower developers to level up their skills and embrace paradigm shifts?

    In this webinar, leading voices in the open source testing and security industries discuss strategies that DevOps leaders can use to help developers adopt the shift left movement.
    Join Jeffrey Martin, AVP of Product Management at WhiteSource, and Marcus Merrell, Senior Director of Field Services at Sauce Lab, as they discuss:

    -The importance of the cultural shift in modern DevOps teams and how to create systems that embrace these changes
    -Tips for breaking down traditional barriers between development and other teams in your organization to improve productivity, unify communication, and mitigate risk
    -How open source management technologies provide critical solutions and why digital organizations must not only leverage these tools, but also contribute to them
  • Application Modernization The Journey To The Cloud Using Open Source Recorded: Nov 17 2020 63 mins
    Mark Harrison, from Microsoft, Martin Callinan, from Source Code Control and Jason Hammond from WhiteSource
    Application modernization is a necessary part of cloud-centric business transformation. As Cloud adoption continues to grow, with migration to both public and private cloud infrastructure, enterprises need IT environments that enable them to drive product innovation. With the adoption of DevOps transformation it enables to leverage microservices, kubernetes, and containers, which helps remove huge dependencies within products and create smaller and independently deployable components. Organizations must simultaneously develop modernization strategies and adopt cloud native methods for application development.

    Successful application modernization is essential to digital transformation. In order to empower business agility and maintain competitive advantage, organizations must focus on adopting cloud native tools to improve their customer experiences. To start your modernization journey, you must understand the approaches and goals that are right for you organization

    We will discuss:
    - The business benefits of application modernization
    - Why open source software is an essential tool for organizations to modernize legacy application
    - Industry best practices and standards for continuous management of security and compliance of applications as they are moved to the cloud
  • How To Ship Secure Code With Confidence Recorded: Nov 11 2020 38 mins
    Matias Madou, CTO, Secure Code Warrior
    It is estimated that, globally, 111 billion lines of code is produced every single year. In a rapidly digitizing world, that number is only set to grow larger… along with the potential for more security issues. We are facing an uphill battle against a general AppSec skills shortage, the need for production at the speed of company innovation, and siloed teams not working to the same application security goals. With over 4 billion records stolen as a result of data breaches in 2019 alone, this has to change.

    Security awareness programmes remain a powerful, yet underutilised tool to inspire organizations to stay security-focused and engage teams to do their part in the fight against vulnerable code. With the right security awareness programme, you can effectively bridge the gap between the AppSec and dev cohorts, fostering a positive and collaborative culture to achieve common goals and create a better standard of software.
  • Code Security: Let’s Put Fears Aside and Learn Cool Things Recorded: Nov 5 2020 27 mins
    Nicolas Bontoux, VP Marketing at SonarSource
    Fears.. It’s like if they sometimes rule the security market.. If you don’t follow secure development practices, then your users’ personal data might get stolen… If you don’t do ‘DevSecOps’, then your app will be vulnerable and might get hacked… No doubt Application Security is an important topic, but is bringing up risks and fears really the best way to get development teams to care about secure coding practices?

    In this talk we will go through a different approach, a more powerful one: empowering developers. Developers love learning best-practices, they constantly seek to improve their code. By tightly coupling security tooling with developers’ workflow, you can get more than just mitigating risks and fears: you’re giving an opportunity for your development team to be more engaged, to truly understand the security of their code, and to continuously get better at keeping it secure.

    As you join this session, leave fears on the side, and come feel the good vibes of developer-led code security! It’s about developers learning and growing, it’s about teams maximizing their impact.
  • Taking Cloud-Native DevSecOps to the Next Level: A Case Study Recorded: Oct 29 2020 53 mins
    Nir Koren, DevOps CI/CD Team Lead at LivePerson
    As the microservices development environment becomes more and more popular in cloud-based companies, the CI/CD volume is getting bigger and bigger and is changing the way organizations such as LivePerson can integrate DevSecOps tools into their CI/CD processes.

    Join Nir Koren, DevOps CI/CD Team Lead at LivePerson, as he discusses:

    -Why it is crucial to enforce security scans from the get-go
    -How LivePerson integrates security scans in their CI/CD for more than 300 microservices
    -The tools LivePerson rely on in order to achieve DevSecOps
  • Optimising Threat Modeling to Meet Your Business Needs Recorded: Oct 27 2020 26 mins
    Simone Curzi, Principal Consultant, Cyber, Microsoft Consulting Services
    Threat Modeling is one of the best tools for Security and has been adopted successfully by various Companies around the globe, including Microsoft. Even if it has demonstrated to be a very effective approach, it has not shone for efficiency and has improved only so much compared to other development methodologies over the last years.

    All those problems have been reason enough to limit its adoption. It is past due time for change. It is time to make Threat Modeling the flexible, integrated, automated and customizable process you need. Please meet Threat Modeling vNext!
  • Secure Coding Best Practices Recorded: Oct 19 2020 57 mins
    Matthew Butler, Principal Engineer
    Computer systems are under siege 24 hours a day, day in and day out. The critical security infrastructure designed to protect those systems, won’t. The other side has the best security hardware and software systems other people’s money can buy and they have all the time in the world to find creative ways to defeat them. Meltdown and Spectre are prime examples of security vulnerabilities that have lurked dormant for decades. Or have they? If your systems are in any way connected to the outside world, the other side will get inside the wire on you. Know that going in.

    Whether you write applications, libraries or work in kernel code, the line of code you write today may very well be the vulnerability someone else finds tomorrow. By nature, every code base contains hundreds of attack surfaces and it only takes one serious vulnerability to compromise your system.

    In this talk we’ll see:

    -How hackers think and how they identify weaknesses in our systems.
    -How to identify hidden attack surfaces, attack vectors and vulnerabilities in critical systems.
    -Where the most common vulnerabilities in Modern software development are and how to avoid them.
    -Why common guidelines and static analysis tools often fail to find vulnerabilities.
    -How to use Threat Modeling to analyze complex systems and built security into our systems at design time.
    -How to use Trust Boundaries to protect critical infrastructure.
    -Why open source and third-party libraries are fast becoming hidden liabilities in our software and how to protect ourselves against their vulnerabilities.
    -What the best practices for protecting our code from attack are.

    The critical security infrastructure designed to protect your systems is largely out of your control. The one thing you can control is the next line of code you write. This talk is for anyone writes kernel, applications, or libraries that run in the real-world and that face real-world attacks.

    In today’s world, that’s all of us.
An open source security and licenses management solution
WhiteSource allows engineering, security and compliance officers to effortlessly secure and manage the use of open source components in their software, allowing developers to focus on building great products. WhiteSource fully automates all open source management processes: component detection; security vulnerability alerts and fixes; license risk and compliance analysis along with policy enforcement; quality review, and new version alerts. It offers a complete suite of control, reporting and management to help software teams manage open source truly effortlessly. For more information about WhiteSource, visit http://www.whitesourcesoftware.com or follow us on twitter: @whitesourcesoft

Embed in website or blog

Successfully added emails: 0
Remove all
  • Title: Harnessing development to scale AppSec
  • Live at: Jun 4 2020 2:00 pm
  • Presented by: Jeffrey Martin, Senior Director of Product at WhiteSource and Fernando Diaz, Technical Marketing Manager at GitLab
  • From:
Your email has been sent.
or close