Name: Tools to Perform a Security Review on Unknown Code with Imagix
Start: 2021-01-20T21:30:00Z
End: 2021-01-20T21:30:46.000Z
Location: BrightTALK
Rating: 0

CodeSecure is a global provider of application security testing solutions including static analysis (SAST) and software composition (SCA) products. Our products, CodeSonar and CodeSentry, help organizations develop and release higher quality and more secure software – free of harmful defects and exploitable weaknesses that cause system failures, enable data breaches, and increase corporate liability.

Dmitry Raidman’s foray into SBOM management started with a vulnerable baby monitor when he was a new father in 2015. An SBOM – Software Bill of Materials – is like an ingredient list of all the pieces of code that go into an embedded application, he explains.

With hundreds to thousands of SBOMs applied to each software product, he founded Cybeats and built the SBOM Studio. More than just a repository, SBOM studio automates and orchestrates SBOM management and visualization across a large variety of SBOM types to provide lifetime management of SBOM information, and greatly enhance visibility in the software supply chain. 

He explains the many types of SBOMs, starting with a design SBOM to understand if you’re bringing reputable sources of code into the application before development starts. He points to the repository SBOM, the build SBOM, the binary SBOM, the runtime SBOM and more. An SBOM repository must handle any type of SBOM, he adds, regardless of competing standards.

“There are different companies generating different SBOMs, but you want a company that really does it well by actually identifying every single component properly,” he explains. “A quality SBOM can provide analytics around the SBOMs to add value for product builders and customers.”

In this show, he also demonstrates how builders and buyers can use SBOM Studio to generate a SBOM from an open-source application using CodeSecure’s CodeSentry binary composition analysis. This is the result of a partnership between CodeSecure and Cybeats announced in October. In the demonstration, the O/S, version, format, license warnings, and other meta data are analyzed against a data lake of known vulnerability and supply chain intelligence data. It is then further narrowed down to actionable vulnerabilities through application of the Known Exploitable Vulnerabilities (KEV) catalog and other information sources to prioritize and analyze “breachability,” as he says.

Managing the Lifecycle of Your Software Bills of Materials (SBOMs)

In this show, Joshua Corman talks about the nine-year journey to get medical device manufacturers to follow best practices and shift left in their DevOps practices, starting with secure by design and throughout the product lifecycle. And, since medical device software utilizes up to 90 percent of open-source components, SBOMs (software bill of materials) play a huge part in managing the risks associated with third-party code.

FDA Laws and Submission Guidance Catches up with Cyber Risks in Medical Devices

In this 25-minute talk, learn how to utilize SBOMs in pre-development stages, reduce tech waste in products, and improve software integrity to win over customers now and into the future.

Advancements with Software Bills of Materials

As director of training and competencies at Knowit, Kari Kakkonen, who’s based in Helsinki, specializes in software testing, quality, Agile, DevOps and artificial intelligence (AI). Now, he’s poured his more than 20 years of software testing experience into an interactive book, ‘Dragons Out’ to train kids ten years old and up about the importance of testing and remediating bugs in software. 

In it, “bugs are dragons, and they want dragons out of their villages and their lives,” Kakkonen says. The book has been translated into 21 languages and is popular with IT people who share the stories and lessons with their children. It is also being used in classrooms with easy-to-follow instructional guides. 

In this show, Kakkonen explains how his background in testing led to writing this book, and how the stories and exercises are helping bring up the next generation of software testers and secure coders. “I wanted to share my experiences in testing, and I realized there are no testing books that are meant for children. And I love dragons and fantasy, so dragons were a nice analogy when describing bugs and hunting bugs.” 

The stories are chock full of different kinds of dragons (for example, a red dragon represents a memory leak), along with knights, villages, castles, and weapons. He adds, “Fun is a great element in any type of education—and not only for children. Adults learn this way, too.”

In this interview, Kakkonen also talks about his experiences testing electric cars and their increasing reliance on artificial intelligence (AI). “Safety is the key in electric cars, especially in self-driving cars with AI elements. You need to think of how you can test the AI for security, starting with threat modeling, testing simulations, virtual testing. Repeat them again and again in virtual environments, then in the parking lot, and then on the street.”

When Software Bugs are Dragons and Kids are Vanquishers

For human transport drones, low-earth orbiters, vertical take-off and landing (VTOL) aircraft, and autonomous planes, safety and integrity are mission critical. The same is true for today’s high-tech automotive systems supporting vision, autonomous driving, braking and more. 

Antoine Colin is a pioneer in safety-critical embedded systems. More than 20 years ago, he set his focus on critical timing analysis systems for his PhD and PostDoc, ultimately utilizing this knowledge to design Rapita’s RVS Aero security standards verification platform for Ada, C, & C++. It is used by engineers to develop compliant DO-178B/C and ED-12C certifiable multicore systems or equivalent military standards. He’s also behind Rapita’s RVS Auto verification platform that enables engineers to meet AUTOSAR and OSEK standards verification requirements laid out in ISO 26262 functional safety standards.

“Safety critical systems include anything where failure is likely to result in death, injuries, loss of equipment or any catastrophic outcome you’d like to avoid,” Colin explains. And, he says, we need to shift the needle left to address increasingly complex code components embedded in these systems. This is especially true in Avionics, where engineers traditionally use a waterfall approach and verification is done on the right, or at the end of product development, he adds.

“The cost of software has gone up massively in new airplanes, and the cost of verification is a large proportion of the cost of software,” Colin continues. “Finding defects late in the process is extremely costly. And in some cases, it would be impossible to update and fix code post deployment, for example, if that system is on Mars.”

Join us and learn how to shift left on security testing and verification to build safe, reliable, and resilient safety-critical embedded systems.

Verifying Safety Assurance in High Risk Embedded Systems

A quick look at the OWASP Embedded Application Security Project Best Practice Guide reveals numerous vulnerabilities in code developed for OT and embedded systems, including but not limited to buffer and stack overflows, injection attacks, cryptographic signatures and firmware updates, third party code components, and lax authentication and access controls.

To understand how these other vulnerabilities could result in serious risk to society, three red team hackers share some of their most chilling findings in critical infrastructure systems, and provide advice for shifting left on OT and embedded DevOps practices.

These experts explain why embedded and OT systems are more difficult to code to because of their small footprint, how microservices can be riddled with buffer overflows and other issues that can’t be fixed, how attackers can exploit the web servers, APIs, terminal sessions, and radio signals used to connect these devices, and how IoT and small devices often contain hard-coded passwords, and lack encryption to prevent man in the middle attacks.

Hacking Embedded Devices

In this video-cast, Deb hosts two experts—one focused on Artificial Intelligence (AI) in commercial products and the other focused on AI in DevOps: Diana Kelley is CISO at Protect AI, which is focused on machine learning lifecycle security; and Tracy Bannon, senior principal/software architect and DevOps advisor for MITRE. 

“Arguably AI easily goes back to the 1960’s when the Eliza solution was introduced at MIT. It was essentially an early chatbot,” Kelley explains. As such, Machine Learning (ML) and AI is widely used in many different systems today, but with the explosion of ChatGPT, generative AI is being productized at a rapid pace.

For developers of commercial products AI and ML open layers of issues that they should be preparing for today. For example, faulty assumptions and output used in decisions—say a medical scanner output is incorrect and the patient truly does have cancer. 

As product developers are focusing on supply chain and open source, they should consider the layers of decisions and data the AI and ML models are trained on, Bannon advises. “Who made the ML model in the first place? How is it controlled and contained? And how do I make sure that those models are the right ones that are getting into production?”

Kelley adds that security scanning and testing must become part of the ML lifecycle, including special MLBOMS to identify open source in the ML pipeline. Bannon adds that product developers need to ask questions about the lineage. “Where was it trained on? What was the lineage of the data it was trained on in the repositories of the world? Do I have the bug that is in that flawed open-source package?” Bannon asks. “We’re looking at turtles on top of turtles on top of turtles.”

AI Embedded in Code: Do’s & Don’ts for Commercial Developers

Shift Left Editor Deb Radcliff interviews Kelly Shortridge, author of Security Chaos Engineering: Sustaining Resilience in Software and Systems. 


Kelly Shortridge is Senior Principal Engineer at Fastly, a cloud services platform that helps developers extend their core cloud infrastructure to the network edge. We met at the RSA Conference where she was signing her recently-published book about software resilience through security chaos engineering.

In this twenty-minute video interview, we talk about why she wrote this book, how she defines security chaos engineering, how it compares to security platform engineering, and how to use these concepts to nurture developer productivity while not killing their souls with overly prescriptive security checklists.  

She wrote the book because she feels the cybersecurity sector doesn’t understand software development very well or the constraints developers are under. And because security has an almost imperialist approach focused on stopping anything bad from happening, which she feels is impossible for developers to maintain. On the development side, she believes security needs to be demystified by embracing and extending practices software engineers already use.  

“Chaos engineering is based on the foundation of resilience, preparing for failure, moving quickly, and cultivating a feedback loop,” Shortridge says. “How can we transform the way we approach security across the software delivery lifecycle in a way that aligns with software goals?” 

The book is packed with information, charts, tables, and advice that is presented in easy to digest bytes  for developers, their managers and product security officers. “To borrow from Dune, fear is the mind killer,” she adds. “Start small. A lot of the practices you already use for software quality can be adopted and adapted to sustain resilience against attacks.”

Building Resilience in Software Through Security Chaos Engineering

One of the attributes of strong development teams is that they are always on the lookout for improvements in their tools and processes. Static application security testing (SAST) is a critical capability, especially for code that is safety and security critical. This presentation will provide 10 easy rules that you can use to evaluate if there is room for improvement in how you use SAST in your current DevSecOps process.

10 Easy Rules To Improve Your SAST ROI

Static Application Security Testing (SAST) is one of the most important software best practices to put in place. SAST, done well, helps software engineers remove defects from their code that they never thought of existed, or simply overlooked.
 
The reason for this is simple: good SAST tools calculate through all available execution paths of a piece of software in a technique called abstract execution. This, of course, takes time to do well. And this is one of the tasks that SAST users struggle with when introducing SAST into a running project, especially when introducing it into a large project: How to get results to the software developer quickly.

This presentation, part of GrammaTech’s SAST Practitioner series, will look into various different ways to perform software builds, with SAST enabled and how to speed up delivery of results to the software engineers.

Delivering SAST results with the speed of relevance

Static Application Security Testing (SAST) tools are powerful tools, they provide feedback on the quality of the software that developers are writing. Good SAST tools provide a lot of information in their feedback. From a score, which helps to understand how dangerous a warning is, to a filename and line-number, to a path through the source code to help in remediation.
 
Managing all this power requires a dedicated approach, especially when introducing a SAST solution into a running development process. Not all warnings are worth fixing, sometimes a tool can be too pedantic, or a there are other controls that prevent a warning from requiring source code modification. A static analysis warning is not always directly an error like a compiler error, or a runtime crash.
 
This presentation, part of GrammaTech’s SAST Practitioner series, will look into SAST tool output and will outline an convenient way to use the output of SAST tools to improve software quality early in the development process without overloading developers with too much information and allowing them to focus on the work-at-hand.

How to best handle SAST results in your software development process

Making Sense of SBOMs...

SBOMs have been front and center in the national cybersecurity dialogue, particularly in the US, EU, and among key industries where safety and security are priorities. And while SBOMs are not new and have become a best practice those software factories within several industries, we should all expect regulations to become increasingly directive. We’ve seen this with regulatory guidance to self-attest and verify prior to shipping and deploying software. And emerging strategies forecast new levels of accountability and expanded liability for any negative consequences.  

 

So, all this raises the question- what are our SBOM obligations, what is our SBOM process, and how can we demonstrate compliance to mitigate our own risks associated with software?  

 

In this session we’ll discuss and demo an SBOM, and key factors in managing these artifacts, including: 

- How to generate both Source and Binary SBOMs 
- What critical data to look for in your SBOMs 
- How to automate SBOM creation? 
- How to manage your SBOMs- store, add, change, etc? 
- How do you share and communicate your SBOMs?

You’ve Created an SBOM- Now What?

Join Grammatech and Codee to understand how static analysis can improve safety, security and performance in application development. Mark (Vp of sales engineering GrammaTech) and Manuel Arenaz (CEO of Codee) Will discuss how our partnership can help you shift left and adopt a DevSecOps approach to embedded systems where no compromises can be made between safety, security and performance.

Static Analysis: Safety, Security, Performance

What You Need to Know About SBOMs and Your Software.
 
Emerging regulations and increasing reliance on 3rd party and open-source software are driving the need for SBOMs (Software Bills of Materials). The September memo from the U. S. Office of Management and Budget (OMB), and the EU’s proposed Cyber Resilience Act, continue to influence the future of software release and acceptance. GrammaTech presents a brief history of SBOMs, and the challenges, barriers, and requirements shaping this artifact impacting software component inventory, security & risk management, and incident response.

The Fed Wants Your SBOM!

As software producers and publishers become increasingly accountable for the safety and security of their software, there’s an increasing focus on protecting their software applications from the inside out. This begins in the earliest stages of the software development life cycle (SDLC) as security shifts left and continue through production and release.

This video presents a four-step process for SDLC security that can be achieved with minimal friction. Program planning that covers how the application will be used, what sensitive data will be processed, and mapping application interdependencies, code components, and libraries. Use SAST (static application security testing) to build security into the SDLC at the code layer. Apply SCA (software composition analysis) to analyze third-party and open-source software components in binaries for N-day or Zero-day vulnerabilities, and improper versioning and licensing. Create an SBOM (software bill of materials) that identifies the use of open-source components. This should be done in both the custom code as well any third-party code in the software. Run a final vulnerability analysis to check for any vulnerabilities that may be hiding in open-source components or the application functions, and remediate them, to ensure that the software being released into production does not contain hidden exploitable vulnerabilities.

Please join GrammaTech’s Chip Epps, head of product marketing, to learn more about this 4-step AppSec playbook:

· Source integrity through SAST
· Binary integrity through SCA
· Component risk visibility through an SBOM
· Release assessment through vulnerability analysis

A Four-Step Process for SDLC Security

Performing a deep security review on third party code is hard. You typically receive a bunch of source code, no design documents, very little comments in the source code. Still, you have to do an assessment of the code and provide a risk score. Where do you get started?

In this broadcast we show you how GrammaTech and Imagix can help. GrammaTech CodeSonar can perform deep static application security testing on the source code. The result is a set of warnings of things that may be risky. Still, to understand whether a problem, say a buffer overrun, is externally triggerable, you would need to understand the design of the application. This is where Imagix comes in, it can overlay the path of the static analysis warning over a design that is reverse engineered from the source code. And that is just one of the many tricks.

Tools to Perform a Security Review on Unknown Code with Imagix

Security Analysis

Third Party Code

Security Review

Static Analysis Security Testing

SAST

Risk Assessment

Risk Management

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

The application development community features top thought leadership focusing on optimal practices in software development, SDLC methodology, mobile app development and application development platforms and tools. Join top software engineers and coders as they cover emerging trends in everything from enterprise app development to developing for mobile platforms such as Android and iOS.

Application Development

Join thousands of engaged IT professionals in the application management community on BrightTALK. Interact with your peers in relevant webinars and videos on the latest trends and best practices for application lifecycle management, application performance management and application development.

Application Management

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Information Technology

Join this new, vibrant community to learn and connect with top thought leaders, startups and banks who are disrupting the financial services industry. Keep up with the latest news and trends in Fintech and take part in lively debates on topical issues and challenges.

Fintech

The accounting and finance community on BrightTALK features presentations from leading accountants and finance professionals. The accounting community includes tax planning strategies, QuickBooks webinars and other accounting webinars, while the finance community features presentations on financial capital regulations and forensic data analytics. Join the conversation by attending live financial and accounting presentations and connecting with industry thought leaders.

Tools to Perform a Security Review on Unknown Code with Imagix

Presented by

About this talk

More from this channel