Hi [[ session.user.profile.firstName ]]

Myth-busting in Application Security

There are a lot of myths in application security. By partnering with developers, Target has busted several common security myths and proved that an effective security program can take a different approach. This session will describe how to successfully implement a “credit score” to security measurement practices, build an exclusive security champions program, and stop “scanning all the things.”
Recorded Oct 5 2020 59 mins
Your place is confirmed,
we'll send you email reminders
Presented by
Jennifer Czaplewski, Director, Product Security - Target
Presentation preview: Myth-busting in Application Security

Network with like-minded attendees

  • [[ session.user.profile.displayName ]]
    Add a photo
    • [[ session.user.profile.displayName ]]
    • [[ session.user.profile.jobTitle ]]
    • [[ session.user.profile.companyName ]]
    • [[ userProfileTemplateHelper.getLocation(session.user.profile) ]]
  • [[ card.displayName ]]
    • [[ card.displayName ]]
    • [[ card.jobTitle ]]
    • [[ card.companyName ]]
    • [[ userProfileTemplateHelper.getLocation(card) ]]
  • Channel
  • Channel profile
  • The State of Open Source Security & Compliance: Best Practices Feb 16 2021 6:00 pm UTC 51 mins
    Jason Hammond, Director of Solution Engineering at WhiteSource
    Open Source components have become a fundamental part of modern software applications. With the massive growth of the open source vulnerabilities over the past few years, the overall landscape of ensuring security, quality, and compliance might seem complex and challenging.

    There are ways to gain visibility and control over the open source components that make up the products that we release, but we must first address the risks so we can take the proper measures to avoid them.

    In this session you’ll discover:
    * How to address the needs of the entire organization, gain visibility and control, and prevent risk.
    * Where a vulnerable functionality is referenced within the code, so you can address and remediate the most critical issues and reduce security alerts by 85%
    * Learn how to automate the process of identifying all licenses that are attached to the dependencies whenever a new open source component is added to the build.
  • Open Source Security & Compliance for Containers and Serverless Functions Feb 9 2021 6:00 pm UTC 44 mins
    Jason Hammond, Director of Solution Engineering at WhiteSource
    Nearly all cloud providers offer serverless capabilities and support containerized deployment of their customers’ applications. As organizations begin or continue to integrate serverless functions and containerized deployment into their operations, they will need to take the necessary precautions to ensure that their serverless functions and container images are secure.

    In this session you will learn why it is important to scan container images and serverless computing environments for open source libraries, and best practices for doing so, including:

    * Continuous scanning and monitoring of open source use in container images and serverless functions
    * Building a comprehensive inventory of open source libraries used in containers and serverless functions
    * Policy-driven management of security vulnerabilities and license compliance in container images and serverless functions
  • Financial Services: Building Agility and Security Jan 27 2021 6:00 pm UTC 49 mins
    Jason Hammond, Director of Solution Engineering at WhiteSource
    Technology is rapidly reshaping the financial services workforce. In 2004 the Federal Financial Institutions Examination Council (FFIEC) has released the "Risk Management for the Use of Free and Open Source Software" guidance. This guidance reviews the risks and controls associated with the use of free and open source software (FOSS).

    Since open source components are an integral part of any software solution, their use must be carefully managed, documented and reported. However, many organizations still face security and compliance issues, that if not addressed, could cost them millions and even billions of dollars.

    Discover how financial service organizations can enhance operational risk management while ensuring speed and agility.

    In this webcast, we'll cover:
    - How to increase confidence in your development process with the ability to audit, review and automate security scans as a core part of the development lifecycle.
    - Best practices when incorporating security early in the developer's workflow
    - How to create a trusted pipeline
  • Tackling The Risks of Open Source Usage While Working Remotely Recorded: Jan 20 2021 47 mins
    Tamir Verthim and Dennis Zolotovski from WhiteSource, and Eray Ayduran from Microsoft
    Our current environment requires unprecedented social-distancing measures, which introduce a new set of security challenges. Working from home can lead to many distractions, especially when it comes to writing code. A distraction may unknowingly cause mistakes, which can introduce vulnerabilities and slow down development cycles. In addition, a developer may not have the time available to adequately investigate security vulnerabilities in the open source libraries they use in their code.

    Teams are struggling to manage the demands of the business while effectively managing security issues throughout the development process due to these challenges. This is resulting in an increased demand for open source governance and security management solutions.

    Join Microsoft and WhiteSource to learn more about the challenges and risks of working remotely. We will introduce you to our leading Software Composition Analysis (SCA) technology that integrates into your SDLC and makes it easy to develop secure and compliant software without having to compromise on speed or agility.

    In this session we will cover:
    - The challenges and risks of coding securely while working remotely
    - Breaking down the essential capabilities that you will need in order to use open source technology effectively
    - A demonstration of open source security and management tools which find and fix open source vulnerabilities within Microsoft Azure DevOps and GitHub build pipelines
  • Remote Diligence & Open Source Security During Uncertain Times Recorded: Jan 14 2021 68 mins
    Tom Laszewski (AWS), AJ Watson (Thinktiv), Ryan Kennedy (Kickdrum) and Jason Hammond (WhiteSource)
    Social-distancing creates new challenges for investment professionals conducting private equity due diligence. Acquiring firms still require high quality insights, but without face-to-face meetings, it can be more difficult for diligence teams to properly assess risk or build trust with a target.

    Physical meetings can no longer be used as a tool to expedite diligence inquiry and negotiations. There are new limitations on the accessibility of physical documentation. Many existing tools and processes break down when they are forced to execute remotely.

    Insightful and actionable transaction diligence requires a more focused approach. The current climate has created distress and exposed weaknesses in many companies, so it is even more important for diligence teams to be able to identify opportunities and detect risks that require mitigation. And they need to be able to do it all remotely.

    Learn about techniques and tools used by diligence professionals, open source experts, and AWS cloud analysts to make remote diligence successful. Discover how to optimize M&A due diligence during these challenging times.

    We will discuss:
    - Why remote diligence is not only possible, but may be preferable
    - How the best diligence must consider market, product, and technical strategy
    - De-risking source code with a 3-step open source process
    - The fastest cost reduction strategies for infrastructure and cloud

    Speakers:
    Tom Laszewski
    Private Equity Transformation Strategist (Amazon Web Services)

    AJ Watson
    General Manager, Chief Growth Officer (Thinktiv)

    Ryan Kennedy
    Founder & Principal, (Kickdrum)

    Jason Hammond
    Director of Solutions Engineering, (WhiteSource)
  • Unsolved Problems in Open Source Security Recorded: Jan 12 2021 60 mins
    Rhys Arkins, Director of Product Management
    Very few people today doubt the principles and benefits of Open Source, but you can definitely be forgiven for having concerns about its security.
    Some of the ways we rely on Open Source today are fundamentally flawed, yet almost never discussed - from registries hosting unsigned artifacts of unreproducible source to package managers which propagate new versions of dependencies at the earliest opportunity.
    It's time to identify these unsolved - and mostly undiscussed - risks, evaluate their potential impact, and determine what can be done in the Open Source community to address them.
    In This webinar, Rhys Arkins, Director of Product Management at WhiteSource will discuss why we need reproducible builds in open source, verified artifacts, and why the majority of package managers may need a substantial change, while one in particular got it right.
    He will also provide some recommendations on defensive use of open source particularly for products and industries at the highest risk of software supply chain attacks.
  • DevSecOps: Best Practices for Enterprises Recorded: Dec 17 2020 59 mins
    Shiri Arad Ivtsan, Director of Product Management at WhiteSource, and Brian Dawson, Director, DevOps Evangelist at CloudBees
    The benefits of DevSecOps make a compelling case for its adoption. However, for many enterprise organizations, progressing from adoption to scale continues to be a challenge - which in turn, impacts their chances of success.

    So how can you implement DevSecOps to date and ensure a visible and continuous delivery pipeline for software releases without letting security slow them down?

    Join Shiri Arad Ivtsan, Director of Product Management at WhiteSource, and Brian Dawson, Director, DevOps Evangelist at CloudBees as they discuss:
    1. Why traditional DevOps has shifted, and what this will mean
    2. Who should own security in the age of DevOps
    3. Best practices to integrate continuous security across the DevOps framework
  • Shifting Compliance & Security Left - Into the Hands of The Developers Recorded: Dec 15 2020 58 mins
    Shiri Ivtsan, Director of Product Management at WhiteSource & Reza Alavi, Cyber Security Managing Consultant at Wipro
    The software world is alive with talk of shifting left - but what does it really mean? Theoretically, it means shifting responsibility for security & compliance to developers. In practice, it largely means enriching CI/CD processes to detect problematic licenses & vulnerabilities before they reach the main branch or production.
    Shiri Ivtsan, Senior Product Manager at WhiteSource & Reza Alavi, Cyber Security Managing Consultant at Wipro will discuss how shift-left security capabilities rely heavily on an organization's ability to rapidly test and deliver to adopt a developer-friendly approach to continuous compliance & security.
  • The DevSecOps Showdown: How to Bridge the Gap Between Security & Developers Recorded: Dec 10 2020 59 mins
    Jeff Martin, Associate VP Product Management and Rhys Arkins, Director of Product Management at WhiteSource
    DevSecOps requires processes and tools that enable weaving security throughout the DevOps pipeline. It is much more than a buzzword, and if you'd ask most organizations, well - they believe they are in the process of adopting DevSecOps tools and practices. But - are they?
    In order to deeply understand the state of DevSecOps implementation we need to learn more about the relationship between developers and security teams. After surveying more than 560 application security professionals and software developers we found several insights.
    Join Jeff Martin, Associate VP Product Management and Rhys Arkins, Director of Product Management at WhiteSource and learn:

    -The current challenges of the security and development teams when it comes to AppSec
    -The contradicting views & gaps between the teams on DevSecOps maturity
    -How to break the silos and advance towards DevSecOps maturity
  • The Developer’s New Normal: Quality and Security by Design Recorded: Nov 19 2020 60 mins
    Jeff Martin, AVP of Product Management @ WhiteSource and Marcus Merrell, Senior Director of Field Services @ Sauce Lab
    The shift left revolution is upon us. Developers’ roles are evolving as responsibility for application security expands into their domains so organizations can accelerate release velocity, increase productivity, and improve customer experience. The market is full of products offering to support these changes.

    How can digital leaders navigate through all of the noise and empower developers to level up their skills and embrace paradigm shifts?

    In this webinar, leading voices in the open source testing and security industries discuss strategies that DevOps leaders can use to help developers adopt the shift left movement.
    Join Jeffrey Martin, AVP of Product Management at WhiteSource, and Marcus Merrell, Senior Director of Field Services at Sauce Lab, as they discuss:

    -The importance of the cultural shift in modern DevOps teams and how to create systems that embrace these changes
    -Tips for breaking down traditional barriers between development and other teams in your organization to improve productivity, unify communication, and mitigate risk
    -How open source management technologies provide critical solutions and why digital organizations must not only leverage these tools, but also contribute to them
  • Application Modernization The Journey To The Cloud Using Open Source Recorded: Nov 17 2020 63 mins
    Mark Harrison, from Microsoft, Martin Callinan, from Source Code Control and Jason Hammond from WhiteSource
    Application modernization is a necessary part of cloud-centric business transformation. As Cloud adoption continues to grow, with migration to both public and private cloud infrastructure, enterprises need IT environments that enable them to drive product innovation. With the adoption of DevOps transformation it enables to leverage microservices, kubernetes, and containers, which helps remove huge dependencies within products and create smaller and independently deployable components. Organizations must simultaneously develop modernization strategies and adopt cloud native methods for application development.

    Successful application modernization is essential to digital transformation. In order to empower business agility and maintain competitive advantage, organizations must focus on adopting cloud native tools to improve their customer experiences. To start your modernization journey, you must understand the approaches and goals that are right for you organization

    We will discuss:
    - The business benefits of application modernization
    - Why open source software is an essential tool for organizations to modernize legacy application
    - Industry best practices and standards for continuous management of security and compliance of applications as they are moved to the cloud
  • How To Ship Secure Code With Confidence Recorded: Nov 11 2020 38 mins
    Matias Madou, CTO, Secure Code Warrior
    It is estimated that, globally, 111 billion lines of code is produced every single year. In a rapidly digitizing world, that number is only set to grow larger… along with the potential for more security issues. We are facing an uphill battle against a general AppSec skills shortage, the need for production at the speed of company innovation, and siloed teams not working to the same application security goals. With over 4 billion records stolen as a result of data breaches in 2019 alone, this has to change.

    Security awareness programmes remain a powerful, yet underutilised tool to inspire organizations to stay security-focused and engage teams to do their part in the fight against vulnerable code. With the right security awareness programme, you can effectively bridge the gap between the AppSec and dev cohorts, fostering a positive and collaborative culture to achieve common goals and create a better standard of software.
  • Code Security: Let’s Put Fears Aside and Learn Cool Things Recorded: Nov 5 2020 27 mins
    Nicolas Bontoux, VP Marketing at SonarSource
    Fears.. It’s like if they sometimes rule the security market.. If you don’t follow secure development practices, then your users’ personal data might get stolen… If you don’t do ‘DevSecOps’, then your app will be vulnerable and might get hacked… No doubt Application Security is an important topic, but is bringing up risks and fears really the best way to get development teams to care about secure coding practices?

    In this talk we will go through a different approach, a more powerful one: empowering developers. Developers love learning best-practices, they constantly seek to improve their code. By tightly coupling security tooling with developers’ workflow, you can get more than just mitigating risks and fears: you’re giving an opportunity for your development team to be more engaged, to truly understand the security of their code, and to continuously get better at keeping it secure.

    As you join this session, leave fears on the side, and come feel the good vibes of developer-led code security! It’s about developers learning and growing, it’s about teams maximizing their impact.
  • Taking Cloud-Native DevSecOps to the Next Level: A Case Study Recorded: Oct 29 2020 53 mins
    Nir Koren, DevOps CI/CD Team Lead at LivePerson
    As the microservices development environment becomes more and more popular in cloud-based companies, the CI/CD volume is getting bigger and bigger and is changing the way organizations such as LivePerson can integrate DevSecOps tools into their CI/CD processes.

    Join Nir Koren, DevOps CI/CD Team Lead at LivePerson, as he discusses:

    -Why it is crucial to enforce security scans from the get-go
    -How LivePerson integrates security scans in their CI/CD for more than 300 microservices
    -The tools LivePerson rely on in order to achieve DevSecOps
  • Optimising Threat Modeling to Meet Your Business Needs Recorded: Oct 27 2020 26 mins
    Simone Curzi, Principal Consultant, Cyber, Microsoft Consulting Services
    Threat Modeling is one of the best tools for Security and has been adopted successfully by various Companies around the globe, including Microsoft. Even if it has demonstrated to be a very effective approach, it has not shone for efficiency and has improved only so much compared to other development methodologies over the last years.

    All those problems have been reason enough to limit its adoption. It is past due time for change. It is time to make Threat Modeling the flexible, integrated, automated and customizable process you need. Please meet Threat Modeling vNext!
  • Secure Coding Best Practices Recorded: Oct 19 2020 57 mins
    Matthew Butler, Principal Engineer
    Computer systems are under siege 24 hours a day, day in and day out. The critical security infrastructure designed to protect those systems, won’t. The other side has the best security hardware and software systems other people’s money can buy and they have all the time in the world to find creative ways to defeat them. Meltdown and Spectre are prime examples of security vulnerabilities that have lurked dormant for decades. Or have they? If your systems are in any way connected to the outside world, the other side will get inside the wire on you. Know that going in.

    Whether you write applications, libraries or work in kernel code, the line of code you write today may very well be the vulnerability someone else finds tomorrow. By nature, every code base contains hundreds of attack surfaces and it only takes one serious vulnerability to compromise your system.

    In this talk we’ll see:

    -How hackers think and how they identify weaknesses in our systems.
    -How to identify hidden attack surfaces, attack vectors and vulnerabilities in critical systems.
    -Where the most common vulnerabilities in Modern software development are and how to avoid them.
    -Why common guidelines and static analysis tools often fail to find vulnerabilities.
    -How to use Threat Modeling to analyze complex systems and built security into our systems at design time.
    -How to use Trust Boundaries to protect critical infrastructure.
    -Why open source and third-party libraries are fast becoming hidden liabilities in our software and how to protect ourselves against their vulnerabilities.
    -What the best practices for protecting our code from attack are.


    The critical security infrastructure designed to protect your systems is largely out of your control. The one thing you can control is the next line of code you write. This talk is for anyone writes kernel, applications, or libraries that run in the real-world and that face real-world attacks.

    In today’s world, that’s all of us.
  • Deep Dive Container Security - Policies, Access Control & Managing Sensitive Dat Recorded: Oct 13 2020 26 mins
    Michael Hausenblas, Product Developer Advocate, AWS container service team
    In this hands-on sessions we dive deep into three areas of container security that deserve special attention, namely policies and their enforcements (Kubernetes network policies and OPA), access control (RBAC and general purpose IAM), as well as options how to deal with sensitive data (Kubernetes secrets, AWS Secrets Manager, Vault).
  • Myth-busting in Application Security Recorded: Oct 5 2020 59 mins
    Jennifer Czaplewski, Director, Product Security - Target
    There are a lot of myths in application security. By partnering with developers, Target has busted several common security myths and proved that an effective security program can take a different approach. This session will describe how to successfully implement a “credit score” to security measurement practices, build an exclusive security champions program, and stop “scanning all the things.”
  • Introduction to Cloud Native Security with Containers Recorded: Sep 28 2020 31 mins
    Michael Hausenblas, Product Developer Advocate, AWS container service team
    In this session we will review the pillars of cloud native security in the context of containerized workloads. We will cover topics such as securely building container images, runtime security, authentication and access control in Kubernetes, network traffic control, and secrets.
  • How Comcast Sped Up Development Without Compromising on Security Recorded: Sep 23 2020 60 mins
    Leo Zhadanovsky, AWS, Rhys Arkins, WhiteSource, Larry Maccherone, Comcast
    Security specialists, especially at large organizations, believe that better security comes from robust independent gating. On the other hand, DevOps has proven that you can safely deploy orders of magnitude faster than human gating can achieve.
    What's needed to add security to DevOps are tools that work well with rapid-cycle CI/CD pipelines and an approach that reinforces the DevOps culture and process changes. DevSecOps requires empowering security specialists to become self-service toolsmiths and advisors across the software development lifecycle (SDLC).
    Learn how making the necessary mindset shift and achieving an effective DevSecOps culture enabled Comcast to speed up development without having to compromise on security.

    In This Webinar, You'll Learn:
    •About the characteristics of security tools compatible with DevOps
    •A process model to accomplish the necessary mindset shift and achieve an effective DevSecOps culture
    •How to shift open source security left by managing vulnerabilities earlier in the SDLC
An open source security and licenses management solution
WhiteSource allows engineering, security and compliance officers to effortlessly secure and manage the use of open source components in their software, allowing developers to focus on building great products. WhiteSource fully automates all open source management processes: component detection; security vulnerability alerts and fixes; license risk and compliance analysis along with policy enforcement; quality review, and new version alerts. It offers a complete suite of control, reporting and management to help software teams manage open source truly effortlessly. For more information about WhiteSource, visit http://www.whitesourcesoftware.com or follow us on twitter: @whitesourcesoft

Embed in website or blog

Successfully added emails: 0
Remove all
  • Title: Myth-busting in Application Security
  • Live at: Oct 5 2020 5:00 pm
  • Presented by: Jennifer Czaplewski, Director, Product Security - Target
  • From:
Your email has been sent.
or close