2020 has been an interesting year to say the least! So how can we go into 2021 prepared for what's to come? Looking at the AppSec world, we can surely say that application security is an essential part of the software development lifecycle, and making sure it is secured should be our top priority in today’s ever-evolving and expanding digital ecosystem.
Organizations today invest a lot of time and money in tools and processes that help them secure their applications, and they will continue to do so in 2021.
But are they putting their money in the right place? How can software development organizations make sure that they have all the tools and processes in place to effectively address the many threats to application security?
Join Shiri Arad Ivtsan, Director of Product Management at WhiteSource as she discusses:
1. The most common external attack methods in the year to come and the main AppSec technologies we will use in 2021
2. The maturity model of application security and the importance of DevSecOps
3. How to keep up in order to protect against current threats to your applications.
Recorded: Feb 23 2021, 20 mins
Shiri Arad Ivtsan, Director of Product & Scott Gerlach Co-founder and Chief Security Officer at StackHawk
We live in the age of DevOps. For organizations, this means speed and automation. AppSec, on the other hand, is often seen as slow and manual. This poses the question: how can organizations keep up with the speed, without having to leave AppSec behind?
Join Shiri Arad Ivtsan, Director of Product at WhiteSource, and Scott Gerlach, Co-founder and Chief Security Officer at StackHawk, as they discuss:
· The current challenges & pitfalls with application security management today
· Best practices for infusing automated, continuous security into your DevOps pipeline
· The best AppSec tools to use in order to develop quickly and securely
Shiri Arad Ivtsan, Director of Product at WhiteSource
It's no secret that 2020 was a difficult year. The pandemic and the resulting lockdowns and quarantines sent tens of millions of global workers home, and remote work caused a dramatic increase in the number of ransomware attacks, phishing attacks, and accidental breaches by employees working at home.
Despite the increases in these exploits, the application layer continues to be the most attacked and the hardest to defend.
Join Shiri Arad Ivtsan, Director of Product at WhiteSource, as she shows:
-What are the three AppSec technologies organizations should implement in the next year
-How to keep organizations’ application security posture up to date and resistant to modern threats
-Best practices when implementing each technology.
Jeff Martin Associate VP Product Management and Eric Tice - Director, Global Open Source SME Lead at Wipro Limited
The growing scale of Open Source adoption requires organizations to invest in implementing the right toolsets and processes to govern an increasingly complex Open Source licensing landscape, as well as minimize the potential legal risks.
The application of these policies and processes can be collectively referred to as an Open Source Governance framework.
Investing in industry proven tools & leveraging the correct tools during the appropriate phases of the SDLC will allow an organization to implement a scalable and reliable open source governance framework to reduce risk and potential for compliance related issues across the enterprise.
In this webinar, our experts will discuss how to build a strong Open source governance framework and review the appropriate tools that can benefit organizations to ensure Open Source compliance and risk mitigation.
Shiri Arad Ivtsan, Director of Product, WhiteSource, Shane Coughlan, GM OpenChain & Martin Callinan, Director, Source Code Control
OpenChain ISO/IEC 5230 is the International Standard for open source license compliance. Its relevance to modern software development is growing, and it allows companies of all sizes and in all sectors to adopt the key requirements of a quality open source compliance program.
The need to manage the software supply chain has never been more important given the ever-increasing dependence on third party open source to deliver software solutions at speed.
In order to reach that standard, it is vital to have the right Software Composition Analysis tool that performs automated scans of an application’s code base, including related artifacts such as containers and registries, to identify all open source components as well as their license compliance data.
In this webinar, our experts will present how the OpenChain Specification evolved to become an ISO standard, and will discuss the importance of choosing the right SCA tool for organizations to adopt, so they can focus on value-added activities that drive the success of their businesses.
Shiri Arad Ivtsan, Director of Product at WhiteSource, Yaniv Ozerzon, CEO & Zvika Ronen CTO at FOSSAware
Encompassing over two-thirds of the average commercial software, open source has become an essential part of modern software development. Undermanaging the consumption and redistribution of open source exposes the enterprise to extensive legal and security risks and is no longer a viable option. Having an effective Open Source compliance program is a key differentiator marking industry-leading enterprise companies such as Google, Microsoft, and others. With over 450 Open Source components in the average application, choosing the right Software Composition Analysis (SCA) application is a key decision to minimize Open Source associated risks.
In this webinar, our experts will discuss the importance of choosing the right SCA tools organizations must adopt as part of an effective Open Source compliance program and the new ISO standard (ISO/IEC 5230) for open source license compliance.
Jeffrey Martin, Associate VP product & Lilach Aviad Director of Product Marketing
WhiteSource, in conjunction with Ponemon Institute, recently surveyed over 600 IT and IT security practitioners who are familiar with their organizations’ approach to securing applications – and here’s a spoiler: the highest level of security risk is considered by many organizations to be in the application layer. So what can Enterprise organizations do to reduce their application security risks? Join Jeffrey Martin, Associate VP Product at WhiteSource and Lilach Aviad, Director of Product Marketing, as they present:
- Why applications are more vulnerable to attack than other areas of vulnerabilities
- Addressing vulnerabilities in enterprise applications
- Best practices of high-performing organizations in reducing the application security risk
Shiri Arad Ivtsan, Director of Product & Anna Rozin, Director of R&D at WhiteSource
When you ask developers what they think of security, they will likely respond without much enthusiasm, as in their minds security is slowing them down and holding them back from doing their "actual" job. But it doesn't necessarily have to be that way. The friction between developers and security teams can be reduced if the right tools and processes are in place.
Want to learn how handling security can be quick, efficient, and integrate into daily workflows?
Join Anna Rozin, Director of R&D at WhiteSource, and Shiri Arad Ivtsan, Director of Product at WhiteSource, who will share their hands-on experience in managing open source components with WhiteSource tools. In this webinar, you'll learn:
- Practical advice on testing, managing and fixing vulnerabilities in open source code packages
- The tools and processes to handle security in a fast and effective way
- How to empower developers with security data through prioritization and remediation tips
Despite best intentions, Open Source releases with regression errors are published every day.
In the best case scenario, a downstream user detects it early thanks to good tests, files an issue, and the maintainer can fix it before too many people have upgraded.
Other scenarios involve various degrees of brokenness and games of "is it broken for everyone or just me?".
Renovate Bot is an open source dependency automation tool which is also run as a free app on github.com, where it is installed into almost 200,000 repositories.
A feature called "Merge Confidence" helps downstream users know if a release is likely good or not based on automatically sourced crowd data (tests, deployments, rollbacks). Now we are planning to turn the focus upstream to help open source maintainers get an early indication of accidentally breaking releases and even provide a mechanism for downstream users to opt into silent pre-release testing so that major features can be smoke tested downstream before release.
Jason Hammond, Director of Solution Engineering at WhiteSource
Open Source components have become a fundamental part of modern software applications. With the massive growth of the open source vulnerabilities over the past few years, the overall landscape of ensuring security, quality, and compliance might seem complex and challenging.
There are ways to gain visibility and control over the open source components that make up the products that we release, but we must first address the risks so we can take the proper measures to avoid them.
In this session you’ll discover:
* How to address the needs of the entire organization, gain visibility and control, and prevent risk.
* Where a vulnerable functionality is referenced within the code, so you can address and remediate the most critical issues and reduce security alerts by 85%
* Learn how to automate the process of identifying all licenses that are attached to the dependencies whenever a new open source component is added to the build.
Jason Hammond, Director of Solution Engineering at WhiteSource
Nearly all cloud providers offer serverless capabilities and support containerized deployment of their customers’ applications. As organizations begin or continue to integrate serverless functions and containerized deployment into their operations, they will need to take the necessary precautions to ensure that their serverless functions and container images are secure.
In this session you will learn why it is important to scan container images and serverless computing environments for open source libraries, and best practices for doing so, including:
* Continuous scanning and monitoring of open source use in container images and serverless functions
* Building a comprehensive inventory of open source libraries used in containers and serverless functions
* Policy-driven management of security vulnerabilities and license compliance in container images and serverless functions
Jason Hammond, Director of Solution Engineering at WhiteSource
Technology is rapidly reshaping the financial services workforce. In 2004 the Federal Financial Institutions Examination Council (FFIEC) released the "Risk Management for the Use of Free and Open Source Software" guidance. This guidance reviews the risks and controls associated with the use of free and open source software (FOSS).
Since open source components are an integral part of any software solution, their use must be carefully managed, documented and reported. However, many organizations still face security and compliance issues that, if not addressed, could cost them millions and even billions of dollars.
Discover how financial service organizations can enhance operational risk management while ensuring speed and agility.
In this webcast, we'll cover:
- How to increase confidence in your development process with the ability to audit, review and automate security scans as a core part of the development lifecycle.
- Best practices when incorporating security early in the developer's workflow
- How to create a trusted pipeline
Tamir Verthim and Dennis Zolotovski from WhiteSource, and Eray Ayduran from Microsoft
Our current environment requires unprecedented social-distancing measures, which introduce a new set of security challenges. Working from home can lead to many distractions, especially when it comes to writing code. A distraction may unknowingly cause mistakes, which can introduce vulnerabilities and slow down development cycles. In addition, a developer may not have the time available to adequately investigate security vulnerabilities in the open source libraries they use in their code.
Teams are struggling to manage the demands of the business while effectively managing security issues throughout the development process due to these challenges. This is resulting in an increased demand for open source governance and security management solutions.
Join Microsoft and WhiteSource to learn more about the challenges and risks of working remotely. We will introduce you to our leading Software Composition Analysis (SCA) technology that integrates into your SDLC and makes it easy to develop secure and compliant software without having to compromise on speed or agility.
In this session we will cover:
- The challenges and risks of coding securely while working remotely
- Breaking down the essential capabilities that you will need in order to use open source technology effectively
- A demonstration of open source security and management tools which find and fix open source vulnerabilities within Microsoft Azure DevOps and GitHub build pipelines
Tom Laszewski (AWS), AJ Watson (Thinktiv), Ryan Kennedy (Kickdrum) and Jason Hammond (WhiteSource)
Social-distancing creates new challenges for investment professionals conducting private equity due diligence. Acquiring firms still require high quality insights, but without face-to-face meetings, it can be more difficult for diligence teams to properly assess risk or build trust with a target.
Physical meetings can no longer be used as a tool to expedite diligence inquiry and negotiations. There are new limitations on the accessibility of physical documentation. Many existing tools and processes break down when they are forced to execute remotely.
Insightful and actionable transaction diligence requires a more focused approach. The current climate has created distress and exposed weaknesses in many companies, so it is even more important for diligence teams to be able to identify opportunities and detect risks that require mitigation. And they need to be able to do it all remotely.
Learn about techniques and tools used by diligence professionals, open source experts, and AWS cloud analysts to make remote diligence successful. Discover how to optimize M&A due diligence during these challenging times.
We will discuss:
- Why remote diligence is not only possible, but may be preferable
- How the best diligence must consider market, product, and technical strategy
- De-risking source code with a 3-step open source process
- The fastest cost reduction strategies for infrastructure and cloud
Speakers:
Tom Laszewski
Private Equity Transformation Strategist (Amazon Web Services)
AJ Watson
General Manager, Chief Growth Officer (Thinktiv)
Ryan Kennedy
Founder & Principal (Kickdrum)
Jason Hammond
Director of Solutions Engineering (WhiteSource)
Very few people today doubt the principles and benefits of Open Source, but you can definitely be forgiven for having concerns about its security.
Some of the ways we rely on Open Source today are fundamentally flawed, yet almost never discussed - from registries hosting unsigned artifacts of unreproducible source to package managers which propagate new versions of dependencies at the earliest opportunity.
It's time to identify these unsolved - and mostly undiscussed - risks, evaluate their potential impact, and determine what can be done in the Open Source community to address them.
In this webinar, Rhys Arkins, Director of Product Management at WhiteSource, will discuss why we need reproducible builds in open source, verified artifacts, and why the majority of package managers may need a substantial change, while one in particular got it right.
He will also provide some recommendations on defensive use of open source particularly for products and industries at the highest risk of software supply chain attacks.
Shiri Arad Ivtsan, Director of Product Management at WhiteSource, and Brian Dawson, Director, DevOps Evangelist at CloudBees
The benefits of DevSecOps make a compelling case for its adoption. However, for many enterprise organizations, progressing from adoption to scale continues to be a challenge - which in turn, impacts their chances of success.
So how can you implement DevSecOps to date and ensure a visible and continuous delivery pipeline for software releases without letting security slow them down?
Join Shiri Arad Ivtsan, Director of Product Management at WhiteSource, and Brian Dawson, Director, DevOps Evangelist at CloudBees as they discuss:
1. Why traditional DevOps has shifted, and what this will mean
2. Who should own security in the age of DevOps
3. Best practices to integrate continuous security across the DevOps framework
Shiri Ivtsan, Director of Product Management at WhiteSource & Reza Alavi, Cyber Security Managing Consultant at Wipro
The software world is alive with talk of shifting left - but what does it really mean? Theoretically, it means shifting responsibility for security & compliance to developers. In practice, it largely means enriching CI/CD processes to detect problematic licenses & vulnerabilities before they reach the main branch or production.
Shiri Ivtsan, Senior Product Manager at WhiteSource & Reza Alavi, Cyber Security Managing Consultant at Wipro will discuss how shift-left security capabilities rely heavily on an organization's ability to rapidly test and deliver to adopt a developer-friendly approach to continuous compliance & security.
Jeff Martin, Associate VP Product Management and Rhys Arkins, Director of Product Management at WhiteSource
DevSecOps requires processes and tools that enable weaving security throughout the DevOps pipeline. It is much more than a buzzword, and if you'd ask most organizations, well - they believe they are in the process of adopting DevSecOps tools and practices. But - are they?
In order to deeply understand the state of DevSecOps implementation we need to learn more about the relationship between developers and security teams. After surveying more than 560 application security professionals and software developers we found several insights.
Join Jeff Martin, Associate VP Product Management and Rhys Arkins, Director of Product Management at WhiteSource and learn:
-The current challenges of the security and development teams when it comes to AppSec
-The contradicting views & gaps between the teams on DevSecOps maturity
-How to break the silos and advance towards DevSecOps maturity
Jeff Martin, AVP of Product Management @ WhiteSource and Marcus Merrell, Senior Director of Field Services @ Sauce Labs
The shift left revolution is upon us. Developers’ roles are evolving as responsibility for application security expands into their domains so organizations can accelerate release velocity, increase productivity, and improve customer experience. The market is full of products offering to support these changes.
How can digital leaders navigate through all of the noise and empower developers to level up their skills and embrace paradigm shifts?
In this webinar, leading voices in the open source testing and security industries discuss strategies that DevOps leaders can use to help developers adopt the shift left movement.
Join Jeffrey Martin, AVP of Product Management at WhiteSource, and Marcus Merrell, Senior Director of Field Services at Sauce Labs, as they discuss:
-The importance of the cultural shift in modern DevOps teams and how to create systems that embrace these changes
-Tips for breaking down traditional barriers between development and other teams in your organization to improve productivity, unify communication, and mitigate risk
-How open source management technologies provide critical solutions and why digital organizations must not only leverage these tools, but also contribute to them
Mark Harrison, from Microsoft, Martin Callinan, from Source Code Control and Jason Hammond from WhiteSource
Application modernization is a necessary part of cloud-centric business transformation. As cloud adoption continues to grow, with migration to both public and private cloud infrastructure, enterprises need IT environments that enable them to drive product innovation. Adopting a DevOps transformation enables organizations to leverage microservices, Kubernetes, and containers, which helps remove huge dependencies within products and create smaller and independently deployable components. Organizations must simultaneously develop modernization strategies and adopt cloud native methods for application development.
Successful application modernization is essential to digital transformation. In order to empower business agility and maintain competitive advantage, organizations must focus on adopting cloud native tools to improve their customer experiences. To start your modernization journey, you must understand the approaches and goals that are right for your organization.
We will discuss:
- The business benefits of application modernization
- Why open source software is an essential tool for organizations to modernize legacy applications
- Industry best practices and standards for continuous management of security and compliance of applications as they are moved to the cloud
An open source security and licenses management solution
WhiteSource allows engineering, security and compliance officers to effortlessly secure and manage the use of open source components in their software, allowing developers to focus on building great products. WhiteSource fully automates all open source management processes: component detection; security vulnerability alerts and fixes; license risk and compliance analysis along with policy enforcement; quality review, and new version alerts. It offers a complete suite of control, reporting and management to help software teams manage open source truly effortlessly. For more information about WhiteSource, visit http://www.whitesourcesoftware.com or follow us on twitter: @whitesourcesoft