
Secure Coding Best Practices

Computer systems are under siege 24 hours a day, day in and day out. The critical security infrastructure designed to protect those systems won’t. The other side has the best security hardware and software systems other people’s money can buy, and they have all the time in the world to find creative ways to defeat them. Meltdown and Spectre are prime examples of security vulnerabilities that have lurked dormant for decades. Or have they? If your systems are in any way connected to the outside world, the other side will get inside the wire on you. Know that going in.

Whether you write applications or libraries or work in kernel code, the line of code you write today may very well be the vulnerability someone else finds tomorrow. By nature, every code base contains hundreds of attack surfaces, and it only takes one serious vulnerability to compromise your system.

In this talk we’ll see:

-How hackers think and how they identify weaknesses in our systems.
-How to identify hidden attack surfaces, attack vectors and vulnerabilities in critical systems.
-Where the most common vulnerabilities in modern software development are and how to avoid them.
-Why common guidelines and static analysis tools often fail to find vulnerabilities.
-How to use Threat Modeling to analyze complex systems and build security into our systems at design time.
-How to use Trust Boundaries to protect critical infrastructure.
-Why open source and third-party libraries are fast becoming hidden liabilities in our software and how to protect ourselves against their vulnerabilities.
-What the best practices for protecting our code from attack are.


The critical security infrastructure designed to protect your systems is largely out of your control. The one thing you can control is the next line of code you write. This talk is for anyone who writes kernel code, applications, or libraries that run in the real world and face real-world attacks.

In today’s world, that’s all of us.
Recorded May 25 2021 58 mins
Presented by Matthew Butler, Principal Engineer
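The abstract above names trust boundaries, and the blind spots of guideline-driven review and static analysis, among the talk's topics. The C below is an added example to make that concrete; it is not the speaker's code and does not come from the talk. It shows a bounds check on an attacker-controlled header that compiles cleanly, follows the usual style rules and still admits an out-of-bounds copy because the addition wraps, beside the same check written so that it cannot wrap, and a parser that enforces the check at the point where untrusted bytes enter. The wire format (two little-endian u32 fields and a payload), the 64-byte destination and the two sample packets are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire format assumed for this example (not from the talk):
 *   offset (u32 LE) | length (u32 LE) | payload bytes ...
 * The record asks the receiver to copy `length` payload bytes to
 * `offset` inside a fixed 64-byte destination. Every header field is
 * attacker-controlled; parse_record() is the trust boundary. */

#define DEST_SIZE 64u

struct record {
    uint32_t offset;
    uint32_t length;
    const uint8_t *payload;
};

static uint32_t read_u32_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The check as it is commonly written. `offset + length` is evaluated in
 * 32-bit unsigned arithmetic and wraps, so a length near UINT32_MAX
 * passes. Types are consistent and nothing is uninitialized, which is
 * why a checklist review or a linter often sees nothing wrong here. */
bool fits_unsafe(uint32_t offset, uint32_t length, uint32_t dest_size) {
    return offset + length <= dest_size;
}

/* Same intent, written so no intermediate value can wrap: bound the
 * offset first, then compare the length against the space that remains. */
bool fits_safe(uint32_t offset, uint32_t length, uint32_t dest_size) {
    if (offset > dest_size) return false;
    return length <= dest_size - offset;
}

/* Parse one record from untrusted bytes. Fills *rec and returns true only
 * when the header is complete, the copy fits the destination, and the
 * declared payload is actually present in the packet. */
bool parse_record(const uint8_t *pkt, size_t pkt_len, struct record *rec) {
    if (pkt == NULL || rec == NULL || pkt_len < 8) return false;
    uint32_t offset = read_u32_le(pkt);
    uint32_t length = read_u32_le(pkt + 4);
    if (!fits_safe(offset, length, DEST_SIZE)) return false;
    /* length <= DEST_SIZE here and pkt_len >= 8, so neither side wraps. */
    if ((size_t)length > pkt_len - 8) return false;
    rec->offset = offset;
    rec->length = length;
    rec->payload = pkt + 8;
    return true;
}

/* Apply a record that parse_record() accepted; re-checks the bound so the
 * memcpy cannot be reached with an unvalidated record. */
bool apply_record(const struct record *rec, uint8_t dest[DEST_SIZE]) {
    if (!fits_safe(rec->offset, rec->length, DEST_SIZE)) return false;
    memcpy(dest + rec->offset, rec->payload, rec->length);
    return true;
}

/* Constructed sample input: offset 60, length 0xFFFFFFF0. In 32 bits
 * 60 + 0xFFFFFFF0 wraps to 44, so fits_unsafe() reports that it fits. */
static const uint8_t hostile_pkt[] = {
    60, 0, 0, 0, 0xF0, 0xFF, 0xFF, 0xFF, 'A', 'B', 'C', 'D'
};

/* Constructed sample input: offset 4, length 3, payload "hi!". */
static const uint8_t benign_pkt[] = {
    4, 0, 0, 0, 3, 0, 0, 0, 'h', 'i', '!'
};

/* Push both packets across the boundary; returns how many were applied. */
int demo(void) {
    uint8_t dest[DEST_SIZE] = {0};
    struct record rec;
    int applied = 0;
    if (parse_record(hostile_pkt, sizeof hostile_pkt, &rec) &&
        apply_record(&rec, dest))
        applied++;
    if (parse_record(benign_pkt, sizeof benign_pkt, &rec) &&
        apply_record(&rec, dest))
        applied++;
    return applied;
}

int main(void) {
    printf("hostile header passes naive check: %s\n",
           fits_unsafe(60u, 0xFFFFFFF0u, DEST_SIZE) ? "yes" : "no");
    printf("records applied after validation: %d\n", demo());
    return 0;
}
```

fits_unsafe() and fits_safe() differ only in the order of operations. That is the kind of defect a coding checklist or a lint rule tends to miss and a threat model that starts from "the header is hostile" tends to find: compiling with `cc -Wall -Wextra -std=c11` produces no warning for either function, because unsigned wraparound is well-defined C and nothing in the types is inconsistent. The parser keeps every check at the boundary, so the memcpy in apply_record() is reached only with values that have already been proven to fit.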

  • Channel profile
  • Threat Modeling: Finding the Worst Vulnerabilities You'll Never Write Aug 3 2021 5:00 pm UTC 58 mins
    Matthew Butler
    Threat Modeling is fundamental to understanding risk. We do it every day: driving a car, crossing a street, walking alone at night in a strange city. Darkness, isolation, insecurity, vulnerability all trigger our threat modeling instincts. And that's exactly where our systems operate. In this talk, we'll see how to use threat modeling to find the worst vulnerabilities hidden in the complexity of our systems by uncovering architectural flaws early, exposing attack surfaces and identifying attack vectors. You can't code your way out of a bad architecture, but you can threat model your way out.
  • Cyber Attacks from an Open Source perspective Jul 27 2021 5:00 pm UTC 41 mins
    Sam Quakenbush, Sales Engineer Manager at WhiteSource & Zvika Ronen, CTO at FOSSAware
    From SolarWinds to “Dependency confusion”, 2021 will be the year of open-source supply chain attacks, with an ever-growing number of hackers leveraging the increasing use of open source during software development to distribute malicious packages and exploit known vulnerabilities.
    Due to recent events, the software industry gained a deeper understanding about the potential risk of supply-chain attacks. Although this problem is complex with many aspects, solutions come faster when the problem is well-framed.
    In this webinar, we will suggest a simple framework for the open source vulnerability management challenge and a few ways to secure your software supply chain and reduce potential risk.
  • Embarking on Digital Transformation with DevSecOps Recorded: Jul 20 2021 61 mins
    Erik Larson, Regional Director and Lead Cloud Practitioner, Crosslake; Brian Rogers, Solutions Engineer Global Channels and Alliances, WhiteSource
    Digital transformation has become a key foundational change in how organizations deliver value to their customers. Especially in the wake of the coronavirus pandemic, IT organizations have been embarking on Agile and DevOps transformations at scale. Too often, however, a key component is left behind: security. Organizations must reassess their security strategies and infrastructure, especially when moving to the cloud, which requires security tools that enable secure coding and vulnerability remediation.
    Join Erik Larson, Regional Director and Lead Cloud Practitioner from Crosslake, and Brian Rogers, Solutions Engineer Global Channels and Alliances from WhiteSource, as they discuss:
    How IT Organizations should embark on DevOps Transformation journeys to improve their chances of success
    What are the application security technologies that are important to implement in order to face modern threats
    Best practices of high performing organizations in reducing the application security risk
  • The Main Application Security Technologies to adopt in 2021 Recorded: Jul 13 2021 49 mins
    Shiri Arad Ivtsan, Director of Product at WhiteSource
    It's no secret that 2020 was a difficult year. The pandemic, and the lockdowns and quarantines that followed, sent tens of millions of workers home, and remote work brought a dramatic increase in ransomware, phishing attacks, and accidental breaches by employees working from home.
    Despite the rise in these attacks, the application layer continues to be the most attacked and the hardest to defend.

    Join Shiri Arad Ivtsan, Director of Product at WhiteSource, as she shows:
    -What are the three AppSec technologies organizations should implement in the next year
    -How to keep organizations’ application security posture up to date and resistant to modern threats
    -Best practices when implementing each technology.
  • Why Empowering Developers is a Game Changer for Application Security Recorded: Jun 30 2021 59 mins
    Maciej Mansfield, Senior Product Manager, WhiteSource; Nicolas Bontoux and Kirti Joshi, Product Marketing Managers, SonarSource
    The 'Shift Left' mindset is a major game changer for Application Security. It is a paradigm shift not only in the way developers (not just security teams) use these tools, but also in how the tools are built and integrated into workflows.
    In this webinar, SonarSource and WhiteSource will share real-life insights and learnings on how empowering developers with the right tools positively impacts application security. Through the lens of different technologies (SAST & SCA) you will discover the foundations of developer adoption of security tooling, how it pairs with workflows already in place, and how teams can directly benefit from them. Join us to hear more from our Product Teams in person!
  • How Vonage Automates Open Source Security & Compliance Recorded: Jun 29 2021 49 mins
    Brian Rogers, Channel Sales Engineer, WhiteSource; Chris Wallace, Principal Security Architect, Vonage; Valentine Weidel, Strategic Partner Alliance Manager, AWS
    With the growing adoption of software composition analysis (SCA), a technology that provides both developer-focused tools and governance solutions, more companies are putting developers, IT, security, and legal on the same page. This is the case for global cloud communications provider Vonage, which needed an SCA solution that could integrate both open source security and license compliance checks automatically throughout its SDLC.
    Join this webinar as Chris Wallace, Principal Security Architect from Vonage and Brian Rogers, Channel Sales Engineer from WhiteSource discuss:
    Best practices to manage open source risks throughout the SDLC
    How to reduce friction between security, development and compliance teams
    Vonage’s best tips and insights on how they gained full visibility and control over their open source libraries
  • Shifting Priorities of Digital Native Security Recorded: Jun 22 2021 57 mins
    Rhys A., Director of Product Management, WhiteSource; Michiel P., Co-Founder and Product Lead, HackerOne; Scott W., Partner Solutions Architect, AWS; Dragan P., Senior Director of Application Security, IGT
    When shifting to or even starting out as a Digital Native company, new security topics naturally arise that companies need to be aware of, including access control, auditing and disclosure.
    Older security topics have shifted as well, with some becoming less of a concern. As a result, security teams need higher visibility, scalability and expertise to adapt to an evolving digital ecosystem.
    For example, should a modern security strategy be based on the assumptions that source code will never be leaked, or that "internal" networks will never be breached?
    In this Roundtable, our experts will discuss:
    1. The challenge for cybersecurity teams is finding effective ways to deliver and maintain security at the speed of digital transformation.
    2. How can modern security platforms help organizations stay ahead of potential threats?
    3. How have the relative importance of security threats changed as companies and products shift to being digital natives?
  • API Security: When Failure looks like Success Recorded: Jun 15 2021 25 mins
    Keith Casey
    APIs have become fundamental to our teams. While we’d like to believe it was a carefully executed plan, let’s be honest - there’s as much luck as foresight in the mix. Luckily, success drives success so it's worked. Unfortunately, that success has cost us. APIs have become a devastating attack vector for apps that store everything from financial records to passport information to your dating interests. In this session, we’ll reconsider some of our earliest assumptions and lay out some strategies for bringing our APIs out of the shadows and protecting ourselves, our partners, and our customers.
  • How to Transform Developers into Security People Recorded: Jun 8 2021 34 mins
    Chris Romeo, CEO and co-founder of Security Journey and builder of security culture
    Developers are everywhere because software is everywhere. The challenge with developers is that most do not have a foundation in application security. To effectively engage them requires a four-phase process of application security connection - open their eyes, fill their brains, task their hands, and embrace the gathering. In this session, Chris provides guidance on each phase of this process so that organizations can launch an application security program with developers who understand the foundational lessons of application security and how to apply those lessons in their code.
  • The State of Open Source Security Vulnerabilities 2021 Recorded: Jun 2 2021 25 mins
    Shiri Arad Ivtsan, Director of Product & Lena Kleyner, Product Manager at WhiteSource
    The pandemic in 2020 raised a lot of uncertainty in the software development industry and the overnight shift to work from home introduced new security threats.
    WhiteSource researchers took a deep dive into its extensive vulnerabilities database to gain insights into the state of open source security and learn how to keep up with the rapid pace of software development without leaving security behind.
    Join Shiri Ivtsan, Director of Product, and Lena Kleyner, Product Manager, as they discuss:
    The reasons behind the 50% rise in the number of reported open source vulnerabilities in 2020.
    The importance of implementing secure coding from the earliest stages of the DevOps pipeline
    Why it’s crucial for security and development teams to prioritize security alerts
  • Open Source Security: How to Lay the Groundwork for a Secure Culture Recorded: May 18 2021 46 mins
    Guy Bar Gil, Product Manager
    Open-source components are present in approximately 97% of modern applications and make up anywhere between 60-80% of their codebases.

    This is hardly surprising given how integrating open source accelerates software development and enables organizations to keep up with today's frantic release pace and standards of constantly supplying new features and improvements.
  • The State of Open Source Security Vulnerabilities 2021 Recorded: May 15 2021 25 mins
    Shiri Arad Ivtsan, Director of Product & Lena Kleyner, Product Manager at WhiteSource
  • DevSecOps: Closing the Loop from Detection to Remediation Recorded: May 11 2021 60 mins
    Shiri Ivtsan, Senior Product Manager
    DevSecOps sets out to relieve the costly and stressful delays that can occur when security testing is performed late in the game, by setting up processes and tools for "shifting left" so security testing can happen early and often. As organizations continue to embrace this DevSecOps approach, testing tools and practices are integrated even further left in the development pipeline.

    Join Senior Product Manager, Shiri Ivtsan, as she discusses:

    Where and how developers are implementing DevSecOps in the SDLC;
    Best practices for developers to adopt DevSecOps and more efficiently handle vulnerabilities;
    Necessary steps for implementing a process for detection, prioritization, and remediation of open source vulnerabilities.
  • From Zero to Hero: Continuous Container Security in 4 Simple Steps Recorded: May 4 2021 58 mins
    Shiri Ivtsan, Product Manager at WhiteSource
    Containers are shaping the way organizations develop and manage applications today. However, many are not fully aware of the measures that need to be taken across the entire software development lifecycle, especially when it comes to open source security. The mindset of securing our applications needs to shift to continuous security. In this session, Shiri Ivtsan, Product Manager at WhiteSource, will discuss:
    1) the main security challenges organizations face when using containers;
    2) the most common layers in a typical container deployment; and
    3) 4 simple steps to build security into each layer.
  • Cyber Attacks from an Open Source Perspective Recorded: May 2 2021 41 mins
    Sam Quakenbush, Sales Engineer Manager at WhiteSource & Zvika Ronen, CTO at FOSSAware
  • AWS Oil and Gas Roundtable Recorded: Apr 27 2021 52 mins
    Jason Hammond, Head SE, WhiteSource; Paco Hope, CSS, Amazon Web Services; Vivek Wandile, SA, Wipro; Adam Jordan, Capability Center Lead, Shell
    As part of their journey to Digital Transformation, Oil & Gas enterprises are shifting their focus to becoming agile through DevOps in order to gain efficiency and productivity. Because there is no single standard DevOps methodology, many companies find it challenging to manage security requirements, which contributes to a slow start, slow delivery, and overall difficulty scaling.

    In this roundtable, we will discuss the challenges, the risks, and the different methodologies available to enforce security and compliance throughout the Software Development Lifecycle (SDLC) without having to compromise on security or agility while addressing the objectives of The Open Group Open Subsurface Data Universe (OSDU) Forum.

    Key outcomes from the session:
    Identify key application security requirements and learn how to deliver secure code at the speed of DevOps
    Learn how to achieve compliance with OSS licenses according to company policies and industry regulations
    Learn how to increase developer agility and decrease capital expenses
  • Automate AppSec in Your CI/CD With SCA & DAST Recorded: Apr 20 2021 59 mins
    Shiri Arad Ivtsan, Director of Product & Scott Gerlach Co-founder and Chief Security Officer at StackHawk
    We live in the age of DevOps. For organizations, this means speed and automation. AppSec, on the other hand, is often seen as slow and manual. This poses the question: how can organizations keep up with the speed without leaving AppSec behind?
    Join Shiri Arad Ivtsan, Director of Product at WhiteSource, and Scott Gerlach, Co-founder and Chief Security Officer at StackHawk, as they discuss:
    · The current challenges & pitfalls with application security management today
    · Best practices for infusing automated, continuous security into your DevOps pipeline
    · The best AppSec tools to use in order to develop quickly and securely
  • AWS Oil and Gas Roundtable Recorded: Apr 19 2021 52 mins
    Jason Hammond, Head SE, WhiteSource; Paco Hope, CSS, Amazon Web Services; Vivek Wandile, SA, Wipro; Adam Jordan, Capability Center Lead, Shell
  • The Main Application Security Technologies to adopt in 2021 Recorded: Apr 13 2021 48 mins
    Shiri Arad Ivtsan, Director of Product at WhiteSource
An open source security and license management solution
WhiteSource allows engineering, security and compliance officers to secure and manage the use of open source components in their software, allowing developers to focus on building great products. WhiteSource fully automates all open source management processes: component detection; security vulnerability alerts and fixes; license risk and compliance analysis along with policy enforcement; quality review; and new version alerts. It offers a complete suite of control, reporting and management tools to help software teams manage open source. For more information about WhiteSource, visit http://www.whitesourcesoftware.com or follow us on Twitter: @whitesourcesoft
