AppSec: Pushing Left, Like A Boss

With incident response and penetration testing currently receiving most of our application security dollars, it would appear that industry has decided to treat the symptom instead of the disease.

“Pushing left” refers to starting security earlier in the SDLC; addressing the problem throughout the process.

From scanning your code with a vulnerability scanner to red team exercises, developer education programs and bug bounties, this talk will show you how to ‘push left’, like a boss.
Recorded Jul 14 2020 58 mins
Presented by
Tanya Janca, Security Trainer and Coach SheHacksPurple.dev
  • Code Security: Let’s Put Fears Aside and Learn Cool Things Nov 5 2020 6:00 pm UTC 27 mins
    Nicolas Bontoux, VP Marketing at SonarSource
    Fears... It’s as if they sometimes rule the security market. If you don’t follow secure development practices, then your users’ personal data might get stolen. If you don’t do ‘DevSecOps’, then your app will be vulnerable and might get hacked. No doubt Application Security is an important topic, but is bringing up risks and fears really the best way to get development teams to care about secure coding practices?

    In this talk we will go through a different approach, a more powerful one: empowering developers. Developers love learning best-practices, they constantly seek to improve their code. By tightly coupling security tooling with developers’ workflow, you can get more than just mitigating risks and fears: you’re giving an opportunity for your development team to be more engaged, to truly understand the security of their code, and to continuously get better at keeping it secure.

    As you join this session, leave fears on the side, and come feel the good vibes of developer-led code security! It’s about developers learning and growing, it’s about teams maximizing their impact.
  • How LivePerson Takes Cloud-Native DevSecOps to the Next Level Oct 29 2020 5:00 pm UTC 53 mins
    Nir Koren, DevOps CI/CD Team Lead at LivePerson
    As the microservices development environment becomes more and more popular in cloud-based companies, the CI/CD volume is getting bigger and bigger and is changing the way organizations such as LivePerson can integrate DevSecOps tools into their CI/CD processes.

    Join Nir Koren, DevOps CI/CD Team Lead at LivePerson, as he discusses:

    -Why it is crucial to enforce security scans from the get-go
    -How LivePerson integrates security scans in their CI/CD for more than 300 microservices
    -The tools LivePerson relies on in order to achieve DevSecOps
  • Threat Modeling vNext Oct 27 2020 5:00 pm UTC 26 mins
    Simone Curzi, Principal Consultant, Cyber, Microsoft Consulting Services
    Threat Modeling is one of the best tools for Security and has been adopted successfully by various Companies around the globe, including Microsoft. Even though it has proven to be a very effective approach, it has not shone for efficiency, and it has improved only so much compared with other development methodologies over the last few years.

    All those problems have been reason enough to limit its adoption. It is past due time for change. It is time to make Threat Modeling the flexible, integrated, automated and customizable process you need. Please meet Threat Modeling vNext!
  • Secure Coding Best Practices Oct 19 2020 5:00 pm UTC 57 mins
    Matthew Butler, Principal Engineer
    Computer systems are under siege 24 hours a day, day in and day out. The critical security infrastructure designed to protect those systems, won’t. The other side has the best security hardware and software systems other people’s money can buy and they have all the time in the world to find creative ways to defeat them. Meltdown and Spectre are prime examples of security vulnerabilities that have lurked dormant for decades. Or have they? If your systems are in any way connected to the outside world, the other side will get inside the wire on you. Know that going in.

    Whether you write applications, libraries or work in kernel code, the line of code you write today may very well be the vulnerability someone else finds tomorrow. By nature, every code base contains hundreds of attack surfaces and it only takes one serious vulnerability to compromise your system.

    In this talk we’ll see:

    -How hackers think and how they identify weaknesses in our systems.
    -How to identify hidden attack surfaces, attack vectors and vulnerabilities in critical systems.
    -Where the most common vulnerabilities in Modern software development are and how to avoid them.
    -Why common guidelines and static analysis tools often fail to find vulnerabilities.
    -How to use Threat Modeling to analyze complex systems and build security into our systems at design time.
    -How to use Trust Boundaries to protect critical infrastructure.
    -Why open source and third-party libraries are fast becoming hidden liabilities in our software and how to protect ourselves against their vulnerabilities.
    -What the best practices for protecting our code from attack are.

    The critical security infrastructure designed to protect your systems is largely out of your control. The one thing you can control is the next line of code you write. This talk is for anyone who writes kernel, application, or library code that runs in the real world and faces real-world attacks.

    In today’s world, that’s all of us.
  • Deep Dive Container Security - Policies, Access Control & Managing Sensitive Dat Recorded: Oct 13 2020 26 mins
    Michael Hausenblas, Product Developer Advocate, AWS container service team
    In this hands-on session we dive deep into three areas of container security that deserve special attention, namely policies and their enforcement (Kubernetes network policies and OPA), access control (RBAC and general-purpose IAM), as well as options for dealing with sensitive data (Kubernetes secrets, AWS Secrets Manager, Vault).
  • Myth-busting in Application Security Recorded: Oct 5 2020 59 mins
    Jennifer Czaplewski, Director, Product Security - Target
    There are a lot of myths in application security. By partnering with developers, Target has busted several common security myths and proved that an effective security program can take a different approach. This session will describe how to successfully implement a “credit score” to security measurement practices, build an exclusive security champions program, and stop “scanning all the things.”
  • Introduction to Cloud Native Security with Containers Recorded: Sep 28 2020 31 mins
    Michael Hausenblas, Product Developer Advocate, AWS container service team
    In this session we will review the pillars of cloud native security in the context of containerized workloads. We will cover topics such as securely building container images, runtime security, authentication and access control in Kubernetes, network traffic control, and secrets.
  • How Comcast Sped Up Development Without Compromising on Security Recorded: Sep 23 2020 60 mins
    Leo Zhadanovsky, AWS, Rhys Arkins, WhiteSource, Larry Maccherone, Comcast
    Security specialists, especially at large organizations, believe that better security comes from robust independent gating. On the other hand, DevOps has proven that you can safely deploy orders of magnitude faster than human gating can achieve.
    What's needed to add security to DevOps are tools that work well with rapid-cycle CI/CD pipelines and an approach that reinforces the DevOps culture and process changes. DevSecOps requires empowering security specialists to become self-service toolsmiths and advisors across the software development lifecycle (SDLC).
    Learn how making the necessary mindset shift and achieving an effective DevSecOps culture enabled Comcast to speed up development without having to compromise on security.

    In This Webinar, You'll Learn:
    •About the characteristics of security tools compatible with DevOps
    •A process model to accomplish the necessary mindset shift and achieve an effective DevSecOps culture
    •How to shift open source security left by managing vulnerabilities earlier in the SDLC
  • Attacking and Defending Cloud Native Infrastructure Recorded: Sep 15 2020 60 mins
    Andrew Martin, CEO and Co-Founder, Control Plane
    Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated.
    This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks.
    See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.
  • The Open Source Licensing World Today and Where It's Heading Recorded: Sep 8 2020 61 mins
    Matt Asay, Head of Open Source Strategy and Marketing at AWS
    The known open source core model had many challenges which led several companies to try and find a better licensing model.

    Join Matt Asay, Head of Open Source Strategy and Marketing at AWS, as he discusses innovative companies like Cloudera, Redis Labs, MongoDB and RackN, and their solutions to problems like competing with cloud providers on add-on service selling and increasing their code contribution.

    Matt Asay will also be discussing the future of open source licensing models and why this doesn't need to be a zero sum game.
  • How Secure is Secure Enough? Driving Security Value with Threat Modeling Recorded: Aug 27 2020 31 mins
    Avi Douglen, Founder and CEO at Bounce Security
    We’ve all been there – we’ve each spent too much time and resources on security, but 3 months later we still get breached anyway. “But we followed all the ‘Best Practices’!” your developers cry.

    In this flash intro to secure software design, AviD will show why every software development process should start with Threat Modeling, and how to efficiently get security to contribute to the bottom line.
  • The Evil Internet: Vulnerability Prioritization Through the Eyes of Hackers Recorded: Aug 20 2020 58 mins
    David Habusha, VP Product at WhiteSource & Paulo Shakarian, CEO at CYR3CON
    It’s a fact: software development teams are constantly bombarded with an increasingly high number of security alerts. Since fixing all vulnerabilities is unrealistic, it’s imperative that teams find a method to zero in on the security vulnerabilities that matter.
    The key: prioritization.
    But, there’s a big question: Which is the best way to prioritize? There are certainly multiple ways teams can determine what to remediate first, but which are the best practices? And how does this correlate with the hacker community’s choices?
    We’ve looked at the data - and it’s certainly not what you think.
    Join David Habusha, VP Product at WhiteSource & Paulo Shakarian, CEO at CYR3CON, as they discuss:
    - The top 5 most common ways organizations prioritize security vulnerabilities
    - How each approach correlates with the perspective of the hacker community
    - The 2 best vulnerability prioritization approaches
  • Dependency Health: Removing the Barriers to Keeping Projects in Shape Recorded: Aug 13 2020 57 mins
    David Habusha, VP Product and Rhys Arkins, Director of Product Management
    Enterprises and Developers already know the importance of managing vulnerabilities and dependencies, so why do so many still fall behind? Like maintaining good physical health, software projects require more than just good intentions - there needs to be a sensible and achievable process that developers want to follow, and the rewards must outweigh the demands.
    In this webinar, David Habusha and Rhys Arkins from WhiteSource will discuss some of today's challenges that hold enterprises back from having great Open Source dependency management, and identify what the missing pieces are for a future in which updates and vulnerability patches can be applied intelligently, safely, and in many cases even automatically.
  • The Security Phoenix: A Modern Approach to DevSecOps Focus on People Recorded: Jul 28 2020 58 mins
    Francesco Cipollone, Head of Cloud Security Alliance, Director of NSC42
    DevSecOps is usually treated as a tool or as a high-speed approach for the organization. This talk, however, will take you through a different approach.

    With a holistic view of the organization, the security phoenix methodology takes into account a large organization with assessment, maturity matrix, scoring system and measurement options. We will walk through the problem of Build and Test (DEV/TEST) and how they relate to Design and Operate in a modern approach to SDLC.

    Why is the metric important, and how do you measure progress? The talk is aimed at specialists who want a holistic approach to DevSecOps, and at practitioners who wonder where an architect or an ops person fits in this brave new world.

    The talk will give a real-life example, stories, as well as use cases to take the fluff talk out of the DevSecOps phrase! We talk real numbers and cases here, so tune in.
  • What Going All-Remote Taught Us About AppSec and Testing Shortfalls Recorded: Jul 23 2020 49 mins
    Rhys Arkins, Director of Product Management at WhiteSource and Gleb Bahmutov, VP of Engineering at Cypress
    The Covid-19 pandemic led to a lot of tech companies converting to remote teams almost overnight, and for some this may even become the norm.

    While conferencing tools such as Zoom are widely known for substituting for face-to-face meetings, it's much less appreciated how the disruption has increased asynchronous communication approaches, as people are not always available online at the same time.

    Shifting to asynchronous communication has exposed some weaknesses companies may have had, particularly when it came to security and testing.

    If a company's approach to these had been more manual and revolved around the relevant people being co-located or in constant direct communication, then this lack of process or automation can result in increased risk.

    So as we adjust to new ways of working, how do you ensure that your appsec procedures are designed to withstand any changes in your team dynamics?

    Join this session and leave with insights on:
    -What did going involuntarily remote reveal to us about existing security and testing weaknesses?
    -Practical examples of ad-hoc or manual security vs automation
    -What should change forever even if/once we go back to "normal"?
  • AppSec: Pushing Left, Like A Boss Recorded: Jul 14 2020 58 mins
    Tanya Janca, Security Trainer and Coach SheHacksPurple.dev
    With incident response and penetration testing currently receiving most of our application security dollars, it would appear that industry has decided to treat the symptom instead of the disease.

    “Pushing left” refers to starting security earlier in the SDLC; addressing the problem throughout the process.

    From scanning your code with a vulnerability scanner to red team exercises, developer education programs and bug bounties, this talk will show you how to ‘push left’, like a boss.
  • From Zero to DevSecOps: How to Implement Security at the Speed of DevOps Recorded: Jun 25 2020 59 mins
    Jeffrey Martin, Senior Director of Product at WhiteSource and Anders Wallgren, VP of Technology Strategy at CloudBees
    Your organization has already embraced the DevOps methodology? That’s a great start. But what about security?
    It’s a fact - many organizations fear that adding security to their DevOps practices will severely slow down their development processes. But this doesn’t need to be the case.
    Tune in to hear Jeff Martin, Senior Director of Product at WhiteSource and Anders Wallgren, VP of Technology Strategy at Cloudbees, as they discuss:
    - Why traditional DevOps has shifted, and what this will mean
    - Who should own security in the age of DevOps
    - Which tools and strategies are needed to implement continuous security throughout the DevOps pipeline
  • Harnessing development to scale AppSec Recorded: Jun 4 2020 37 mins
    Jeffrey Martin, Senior Director of Product at WhiteSource and Fernando Diaz, Technical Marketing Manager at GitLab
    GitLab helps you to scale security across your Continuous Integration (CI) process enabling developers to test their code with every code change, right in their existing workflow.

    By seamlessly integrating WhiteSource’s security application testing solution in GitLab CI, we further reduce context switching and increase developer productivity. This enables developers and InfoSec professionals to work together to enhance application security in one integrated platform and continue shifting left.

    Join us in learning how to leverage the GitLab developer’s workflow and the value of integrating WhiteSource’s security testing solution directly into that workflow.

    We will share some best practices around shifting security left and demonstrate how to integrate WhiteSource into GitLab’s merge request pipeline and security dashboard.
  • The State of Open Source Security Vulnerabilities in 2020 Recorded: May 26 2020 56 mins
    Jeffrey Martin, Senior Director of Product and Sharon Sharlin, Product Marketing Manager
    WhiteSource’s Annual Report on The State of Open Source Security Vulnerabilities in 2020 found that a record-breaking number of new open source security vulnerabilities was published in 2019.

    In our research, we focused on open source security’s weakest and strongest points in the hopes of bringing some clarity to the fast-paced and complex space of known open source security vulnerabilities.

    Join Jeffrey Martin, Senior Director of Product and Sharon Sharlin, Product Marketing Manager at WhiteSource as they discuss:
    •How the open source community is evolving when it comes to security research and what to expect in 2020.
    •Ways software development outfits can implement secure coding from the earliest stages of the DevOps pipeline.
    •Best practices for development, DevOps, and Security teams to make sure they address the most critical issues to their software products’ security.
  • Innocent Vulnerabilities vs Malicious Backdoors: How to Manage Your Risk Recorded: May 21 2020 56 mins
    Rhys Arkins, Director of Product Management
    Have you considered what truly separates accidental vulnerabilities in open source from intentionally malicious releases? Although often grouped together as "vulnerabilities", malicious open source components are very different, right from their very creation through to the way you mitigate and remediate them as an end user. The past 12 months saw a record-breaking time for detection of malicious components in the world's most popular package registries.

    Join Rhys Arkins, Director of Product, as he discusses:

    1. The key differences between accidental vulnerabilities and malicious releases

    2. How to manage the risk for each type of vulnerability

    3. Lessons learned from the most interesting malicious packages spotted during 2019
An open source security and licenses management solution
WhiteSource allows engineering, security and compliance officers to effortlessly secure and manage the use of open source components in their software, allowing developers to focus on building great products. WhiteSource fully automates all open source management processes: component detection; security vulnerability alerts and fixes; license risk and compliance analysis along with policy enforcement; quality review, and new version alerts. It offers a complete suite of control, reporting and management to help software teams manage open source truly effortlessly. For more information about WhiteSource, visit http://www.whitesourcesoftware.com or follow us on twitter: @whitesourcesoft

  • Title: AppSec: Pushing Left, Like A Boss
  • Live at: Jul 14 2020 5:00 pm
  • Presented by: Tanya Janca, Security Trainer and Coach SheHacksPurple.dev