Name: Threat Modeling: Finding the Worst Vulnerabilities You'll Never Write
Start: 2021-08-03T17:00:00Z
End: 2021-08-03T17:00:57.000Z
Location: BrightTALK
Rating: 3

Mend, formerly known as WhiteSource, effortlessly secures what developers create. Mend uniquely removes the burden of application security, allowing development teams to deliver quality, secure code, faster. With a proven track record of successfully meeting complex and large-scale application security needs, the world’s most demanding software developers rely on Mend. The company has more than 1,000 customers, including 25 percent of the Fortune 100, and manages Renovate, link here, the open-source automated dependency update project.  For more information, visit www.mend.io, the Mend blog, and Mend on LinkedIn and Twitter. 

Struggling to optimize your security tools for web application security? Finding it tough to balance security integrity with rapid updates? 

In this session, our experts will delve into the intricacies of building a robust application security program. From understanding the diverse range of available security solutions to implementing comprehensive scanning strategies, they'll explore the key elements that contribute to a mature AppSec program. 

Join us as we navigate through the world of web app security solutions and uncover practical insights to enhance your application security posture.

Key Topics:
* Unveiling the benefits of a comprehensive scanning approach, encompassing SAST, SCA, DAST, IAST, and API Security, to bolster your security posture.
* Understanding the core components of a resilient application security program, including evaluating coverage and ensuring app and API security from the ground up.
* Gaining practical tips for navigating security hurdles, such as deploying hotfixes seamlessly within your pipeline while maintaining security integrity.

Secure your spot now to gain valuable insights and optimize your application security!

Maturing your Application Security Program

Do you know which vulnerabilities in your applications are exploitable? How confident are you in your organization's ability to thwart potential security threats? 

Approximately 70% of organizations have encountered at least one serious security incident from software vulnerabilities in the last year. Don't let your organization be next!

To effectively tackle critical vulnerabilities in their applications, developers need accurate insights. EPSS scores play a crucial role, providing a proactive approach for prioritizing security risks.

In this session, experts will delve into:
* What EPSS scores tell you about your security risk
* How you can use EPSS to address your most critical vulnerabilities
* Why CVSS scores are not enough

Don't miss your opportunity to learn from the EPSS expert team.

Harnessing Exploitability Information for Effective Prioritization

Today’s threat landscape is increasingly unmanageable for many companies as they struggle with an application security approach built to react rather than take charge. 
Take one example: vulnerability alerts. A reactive program is built to scan and alert, often overwhelming DevSecOps teams with red flags that are often false positives. Not only do real alerts get lost in the noise, but teams often have no way to prioritize the highest-risk flaws.  

Taking charge of the process requires an aligned approach that leverages agile learning techniques and SAST programs. This equips developers with the tools they need to eliminate vulnerable code writing and mitigate future risks. 

Join our interactive panel of experts to learn take-charge tactics, including the following: 
* Managing risk through a repo-centric SAST approach
* Innovative techniques to distill noise into actionable priorities aligned with business goals.
* Secure code training programs that deliver quantifiable value by integrating with SAST and training content

Don't miss out on the opportunity to cultivate a mindset for enhancing your application security.

Taking charge of vulnerability alerts

In 2023, 71% of enterprises admitted their AppSec programs were reactive, playing catch-up with vulnerability alerts -– while at the same time, applications remain the top target for threat ctors. That adds up to increased business risk for a lot of companies and fuels an urgent need to improve application security strategies. But how?

The key is to move from a compliance-based approach to managing application risk. 

Join Chris Lindsey, Application Security Evangelist, for an in-depth discussion of what it takes to stop playing defense when it comes to application security. He'll wrangle over topics like:
* The tell-tale signs of reactive mode 
* The value of preventative best practices 
* How to build security actions into the developer experience
* The need for a holistic view and effective prioritization 
* Arming the security team with instant control at scale

Securing the Future - A Shift from Reactive to Proactive AppSec

How do you know your container security program is effective? Can you balance large-scale operational needs with the granularity required to allow specific engineers to remove critical security risks? Can containers' runtime context help engineers prioritize security risks? 

Join experts from AWS and Mend.io in an enlightening webinar where we'll introduce innovative techniques to uncover critical risks, prioritize them effectively within the AWS cloud environment, and efficiently address them with the right stakeholders.

Key topics include:
* Identifying and addressing the most pertinent security risks for resolution
* Leveraging insights from AWS within the ESK framework to enhance triaging processes
* Streamlining the closure of identified vulnerabilities, to ensure efficient communication within developers workflows across the organization at scale

Don't miss this opportunity to gain valuable insights and optimize your container security strategy. Register now to secure your spot!

Quick Wins for EKS Containers Security

Properly managing dependency updates can effectively reduce vulnerabilities by up to 70% and provide access to new features and bug fixes that improve application performance. But too often, teams must manually update dependencies — a tedious and time-consuming process that is often neglected and increases technical debt.

Join us to learn how automating your dependency updates helps you:
* Improve developer efficiency: How automated dependency updates frees developers from routine tasks and allows them to focus on more strategic and creative aspects of software development.
* Update with confidence: How to avoid causing breaking changes with your dependency updates
* Continuous improvement: How automated dependency updates ensure applications remain competitive, perform optimally and stay aligned with evolving industry standards.
* Reduce technical debt: How proper management of dependency updates contributes to a reduction of technical debt.

Don’t miss out on your chance to hear valuable insights from our Mend Renovate experts!

Transformative Benefits of Automated Dependency Updates for Your Applications

In an era where the digital landscape is constantly evolving, application security has become paramount for business success.
Please join us as we unveil essential best practices for establishing robust application security programs from our recently released custom survey with TechTarget’s Enterprise Strategy Group.
During this webinar, you will learn:
* The critical components of an effective application security strategy.
* Strategies to identify and mitigate security vulnerabilities within your applications.
* Practical insights for building a strong security culture within your organization.
* Real-world examples and case studies highlighting successful application security implementation.
* Key takeaways from the latest research report to bolster your cybersecurity efforts.
Don't miss this opportunity to stay ahead in the ever-changing world of cybersecurity.

Best Practices to Secure and Protect Modern Software Applications

Cloud-native applications open a new frontier for application risk from multiple sources. Risk reduction approaches for cloud-native applications need to take a holistic approach to the software development lifecycle to be effective. In this webinar, learn:
* Why this involves finding and remediating risks as they are introduced, from coding with secure practices to evaluating risks with runtime scanning post-deployment.
* How to apply security and risk reduction techniques at each stage of the SDLC
* Why automating risk reduction is the only way to reduce cloud-native application risk at an enterprise scale

AWS & Mend.io: Securing Cloud-Native Applications Across the SDLC

AppSec and software supply chain security require more than a loose collection of tools and a vulnerability remediation process. A holistic approach covers risk assessment, a secure software development life cycle, software composition analysis (SCA), SBOMs, static and dynamic application security testing (SAST/DAST), workflow automation, automated remediation, runtime protections, compliance reporting and more. Successful implementation of this holistic approach enables companies to shrink their overall attack surface and reduce technical and security debt. Our panel of software security experts will discuss practical steps to building a sustainable application and software supply chain security strategy that meets today’s business demands and those that may arise in the future.

Holistic AppSec and Software Supply Chain Security

Learn more about identifying open-source code and the license types being used. And, why you need to identify not just direct dependencies but also transitive dependencies.

This discussion also includes:

Why failure to ensure visibility over open-source software use can be costly
How the problem encompasses both your existing code base and new code in development
How automating software competence enables you to choose which license types you want to allow, decline or examine more

Handling Open Source Context Licensing: Wrong Answers Only

Malicious packages are a growing threat, and they may already have infiltrated your applications. Like any malware, malicious packages can inflict significant damage.

Malicious Packages Special Report Overview

Software supply chain threats and increasing regulatory pressures make supply chain security a top priority for software organizations. While building secure applications is a must for any organization, the path to creating secure software is anything but clear. Software bills of materials (SBOMs) have emerged as an essential  tool and a roadmap for organizations on their secure software journey.

While most of today’s SBOM efforts revolve around tracking software components, versions and licenses, as SBOM technologies and regulations evolve, organizations should be ready to capitalize on new SBOM-related opportunities. Organizations should start building strategies to leverage SBOM data through a process that identifies applications, creates SBOMs and makes them available for the business to deliver repeatable and ongoing value.

- How to create a sustainable software supply chain security strategy,
- How to identify processes and tools for creating SBOMs
- Automating SBOM creation as part of DevOps and application security workflows,
- Keeping up with the latest advances in SBOMs, application and software supply chain security.

SBOMs: A Roadmap for a Secure Software Journey

The ongoing rise in cyberattacks across the software supply chain and a shifting regulatory landscape are forging an unlikely alliance between CISOs, software leaders and legal experts. Privacy, the shifting and diverse regulatory landscape, liability and new AI/ML use cases all present unique challenges and opportunities for risk management, but to best navigate these challenges, legal teams must be involved, too. Why? Because today, software vulnerabilities can represent not just a business risk but a legal risk.

During this live panel roundtable, experts from security, software and legal disciplines discuss some of the top cyberlaw and legal topics affecting software supply chain security, including:
    -  The impact of shifting liability for insecure software onto software developers and away from consumers as proposed in the National Cybersecurity Strategy
    -  How these changes will affect the open source community
    -  Managing open source license risk
    -  The increasing need for technical due diligence in M & A activity
    -  Ensuring the security of third-party software supply chains

Strange Bedfellows: Software, Security and the Law

It might seem obvious that regularly upgrading software and dependencies means your software is inherently more secure, but in practice, this is hard to achieve. Choice Hotels struggled to manually maintain their codebase and remediate all the transitive vulnerabilities lurking in the code. Today’s compositional applications created a complex archeological exploration challenge for developers trying to resolve security issues across a codebase. It was time-consuming, tedious, and imperfect.

In this program, Choice Hotels explains how they overcame these challenges for their development teams with Moderne’s remediation automation. With this solution, they applied the principles and practices of continuous software modernization and kept their code in a more secure state.

You will learn about:

- Choice Hotels' challenges and solutions on the path to continuous modernization
- How automating code remediation can dramatically change the security posture and productivity balance within an organization
- What it takes to automatically remediate vulnerabilities with high accuracy at the enterprise scale
- How Moderne’s next-generation alternative to current SAST tooling is dramatically improving developer velocity

Malicious Package Trend Analysis

Cybersecurity teams and developers continually struggle to reconcile what can seem like two competing priorities. Delivering new capabilities and addressing existing security technical debt. But what if they can do both at the same time? Forward-leaning AppSec programs are finding smart ways to reduce security debt by instituting a strategic approach to managing security vulnerabilities. This approach starts by reducing the attack surface early on and throughout development.

In this webinar, you will learn the following:
- How to automate dependency management so that it runs on autopilot
- Why you should assign a confidence level to updates
- How to mass-update group dependencies given a high confidence rating
- How to prioritize vulnerability remediation and update within the repo

Two Birds, One Stone: Shrinking Security Debt and Attack Surfaces

Security is an increasingly critical aspect of application development. As the volume of applications rapidly expands, so does the volume of source code, components, and dependencies used to create them. With them comes a growth in the potential attack surface and an escalation in the variety of threats to your application security.

Mend.io CEO Rami Sass, Jeff Martin, VP of product management, and CMO Arabella Hallawell recently sat down for a panel discussion on AppSec today to discuss the growing significance of AppSec, why traditional approaches fall short, and how to create a modern, effective AppSec program.

The Importance of Adopting Modern AppSec Practices

Threat actors are after our sensitive data. In 2023, the number of malicious packages published to Node Package Manager (npm) and RubyGems ballooned 315% compared to 2021, and 85% of malicious packages discovered in existing applications were capable of exfiltration – meaning they could cause an unauthorized transmission of information. Software packages containing malicious code are a growing threat, and they may have unknowingly infiltrated your applications.
Join VP of Product Management, Jeff Martin and Principal Product Architect, Maciej Mensfeld as they dig into the findings from the Mend Malicious Packages Special Report and discuss how  Mend.io’s 360-degree malicious package protection can help defend against this insidious threat.

Malicious Packages Special Report: Attacks Move Beyond Vulnerabilities

Spoiler alert: In 2022, audits found open source in 100% of our customer engagements.

Since open source usages are now so pervasive, companies are increasingly concerned about the security of applications built on the foundation of open source components. Consequently, open source security and license compliance are primary concerns of acquirers and targets involved in tech merger and acquisition (M&A) transactions. Acquiring companies must be aware of the potential open source risks they may be inheriting along with the intellectual property in their targets’ codebases, identifying open source in the target’s code base is essential to M&A transactions involving software.

Join this webinar to learn more about:

What’s the risk of not evaluating open source in M&A?
How can companies prepare to avoid legal risks of non-compliance
What is the role of open source license compliance?

What You Don't Know Can Hurt You-Open Source License Compliance and M&A Activity

Threat Modeling is fundamental to understanding risk. We do it every day: driving a car, crossing a street, walking alone at night in an strange city. Darkness, isolation, insecurity, vulnerability all trigger our threat modeling instincts. And that's exactly where our systems operate. In this talk, we'll see how to use threat modeling to find the worste vulnerabilities hidden in the complexity of our systems by uncovering architectural flaws early, exposing attack surfaces, identifying attack vectors. You can't code your way out of a bad architecture but you can threat model your way out.

Threat Modeling: Finding the Worst Vulnerabilities You'll Never Write

appsec

attack surface

Security Awareness

Threat Modelling

Vulnerabilities

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

The application development community features top thought leadership focusing on optimal practices in software development, SDLC methodology, mobile app development and application development platforms and tools. Join top software engineers and coders as they cover emerging trends in everything from enterprise app development to developing for mobile platforms such as Android and iOS.

Application Development

Enterprise applications have become a crucial piece of infrastructure for many businesses. The enterprise applications community on BrightTALK features the latest insights in enterprise application integration, enterprise application architecture and EAS software. Join the community to gain access to thousands of videos and webinars presented by recognized enterprise information systems experts and arm yourself with the knowledge you need to succeed.

Enterprise Applications

Join thousands of engaged IT professionals in the application management community on BrightTALK. Interact with your peers in relevant webinars and videos on the latest trends and best practices for application lifecycle management, application performance management and application development.

Application Management

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Threat Modeling: Finding the Worst Vulnerabilities You'll Never Write

Presented by

About this talk

More from this channel