Name: Exposing Software Supply Chain Security Blind Spots
Start: 2021-09-15T18:00:00Z
End: 2021-09-15T18:50:58.000Z
Location: BrightTALK
Rating: 0

GrammaTech is a leading global provider of software analysis and testing solutions used by the world's most security conscious organizations to detect, measure, analyze and resolve security and safety vulnerabilities. The company is also a trusted cybersecurity research partner for the nation’s civil, defense, and intelligence communities.

Making Sense of SBOMs...

SBOMs have been front and center in the national cybersecurity dialogue, particularly in the US, EU, and among key industries where safety and security are priorities. And while SBOMs are not new and have become a best practice those software factories within several industries, we should all expect regulations to become increasingly directive. We’ve seen this with regulatory guidance to self-attest and verify prior to shipping and deploying software. And emerging strategies forecast new levels of accountability and expanded liability for any negative consequences.  

 

So, all this raises the question- what are our SBOM obligations, what is our SBOM process, and how can we demonstrate compliance to mitigate our own risks associated with software?  

 

In this session we’ll discuss and demo an SBOM, and key factors in managing these artifacts, including: 

- How to generate both Source and Binary SBOMs 
- What critical data to look for in your SBOMs 
- How to automate SBOM creation? 
- How to manage your SBOMs- store, add, change, etc? 
- How do you share and communicate your SBOMs?

You’ve Created an SBOM- Now What?

What You Need to Know About SBOMs and Your Software.
 
Emerging regulations and increasing reliance on 3rd party and open-source software are driving the need for SBOMs (Software Bills of Materials). The September memo from the U. S. Office of Management and Budget (OMB), and the EU’s proposed Cyber Resilience Act, continue to influence the future of software release and acceptance. GrammaTech presents a brief history of SBOMs, and the challenges, barriers, and requirements shaping this artifact impacting software component inventory, security & risk management, and incident response.

The Fed Wants Your SBOM!

As software producers and publishers become increasingly accountable for the safety and security of their software, there’s an increasing focus on protecting their software applications from the inside out. This begins in the earliest stages of the software development life cycle (SDLC) as security shifts left and continue through production and release.

This video presents a four-step process for SDLC security that can be achieved with minimal friction. Program planning that covers how the application will be used, what sensitive data will be processed, and mapping application interdependencies, code components, and libraries. Use SAST (static application security testing) to build security into the SDLC at the code layer. Apply SCA (software composition analysis) to analyze third-party and open-source software components in binaries for N-day or Zero-day vulnerabilities, and improper versioning and licensing. Create an SBOM (software bill of materials) that identifies the use of open-source components. This should be done in both the custom code as well any third-party code in the software. Run a final vulnerability analysis to check for any vulnerabilities that may be hiding in open-source components or the application functions, and remediate them, to ensure that the software being released into production does not contain hidden exploitable vulnerabilities.

Please join GrammaTech’s Chip Epps, head of product marketing, to learn more about this 4-step AppSec playbook:

· Source integrity through SAST
· Binary integrity through SCA
· Component risk visibility through an SBOM
· Release assessment through vulnerability analysis

A Four-Step Process for SDLC Security

One of the attributes of strong development teams is that they are always on the lookout for improvements in their tools and processes. Static application security testing (SAST) is a critical capability, especially for code that is safety and security critical. This presentation will provide 10 easy rules that you can use to evaluate if there is room for improvement in how you use SAST in your current DevSecOps process.

Advice from the Trenches: 10 Easy Ways To Improve Your SAST ROI

Static Application Security Testing (SAST) tools are powerful tools, they provide feedback on the quality of the software that developers are writing. Good SAST tools provide a lot of information in their feedback. From a score, which helps to understand how dangerous a warning is, to a filename and line-number, to a path through the source code to help in remediation.
 
Managing all this power requires a dedicated approach, especially when introducing a SAST solution into a running development process. Not all warnings are worth fixing, sometimes a tool can be too pedantic, or a there are other controls that prevent a warning from requiring source code modification. A static analysis warning is not always directly an error like a compiler error, or a runtime crash.
 
This presentation, part of GrammaTech’s SAST Practitioner series, will look into SAST tool output and will outline an convenient way to use the output of SAST tools to improve software quality early in the development process without overloading developers with too much information and allowing them to focus on the work-at-hand.

How to best handle SAST results in your software development process

Static Application Security Testing (SAST) is one of the most important software best practices to put in place. SAST, done well, helps software engineers remove defects from their code that they never thought of existed, or simply overlooked.
 
The reason for this is simple: good SAST tools calculate through all available execution paths of a piece of software in a technique called abstract execution. This, of course, takes time to do well. And this is one of the tasks that SAST users struggle with when introducing SAST into a running project, especially when introducing it into a large project: How to get results to the software developer quickly.

This presentation, part of GrammaTech’s SAST Practitioner series, will look into various different ways to perform software builds, with SAST enabled and how to speed up delivery of results to the software engineers.

Delivering SAST results with the speed of relevance

GrammaTech CodeSonar is a static application security testing (SAST) solution that enables software development teams to ensure quality, safe and secure code throughout the software development life cycle. With the CodeSonar 7.0 release, developers can accelerate DevSecOps adoption and gain greater efficiencies as they seamlessly integrate SAST into CI/CD, IDE and other tools. Come join us for a quick, 30-minute session where we will show you how the new CodeSonar features can help: 

- Implement quality, safety and security testing at every step of the SDLC   
- Integrate SAST into CI/CD pipelines to achieve DevSecOps success   
- Apply industry standards for critical safety and security requirements 
- Accelerate development projects by analyzing code and fixing defects early

Accelerating DevSecOps with GrammaTech CodeSonar

Our number one commitment to our customers is continually updating CodeSonar to enable you to gain efficiencies while developing higher quality, safer and more secure software code. Additionally, with every release, we listen to your requests and deliver features that make your development processes better. Please join our CodeSonar 6.2 release announcement webinar as our product manager, Sean Evoy, presents the new features, the benefits and the value they offer to you. The new CodeSonar 6.2 features are focused on the following three categories:

• Usability and Experience Improvements
• Increased Coverage for Secure Coding Standards
• Enhanced Language and ISA Support

GrammaTech CodeSonar 6.2 Exclusive Release Announcement:

Your software supply chain is increasingly coming under attack - straining your existing cybersecurity measures to detect attacks. Can you exclusively rely on this reactive technology, such as antivirus, firewalls, etc., to keep up with the threats and breaches? We all intuitively know that the software deployed to the employee base is vulnerable and susceptible to attack, but until now there hasn’t been a way to proactively prevent these threats. Jim Routh, a former CISO and CSO at MassMutual, Aetna and CVSHealth, will discuss a risk-based management approach to proactively reduce this threat in your organization.

Software supply chain exploits are exploding–How to proactively prevent threats

Ensuring security and safety from inception to delivery.

Embedded software supports many critical functions in systems (i.e. industrial, automotive, aerospace, military and defense controls) where failure is not an option. Ensuring quality, security and safety of these systems starts in software development. Establishing a DevSecOps process by integrating and automating static application security testing (SAST) into your software development life cycle (SDLC) is essential to success. With the latest release of CodeSonar, GrammaTech helps development teams as they strive to release code with zero defects. 

In this webinar, you will learn:
•	Why ensuring security and safety must start in code development
•	How to integrate SAST into your CI/CD pipeline to achieve DevSecOps success
•	What new features of CodeSonar will help you:
      o	Single unified SAST platform for C, C++, C# and Java
      o	Seamless integrations with CI/CD tools – New GitHub and GitLab integration
      o	Added security standards mapping for CERT and OWASP
      o	Deepest analysis with less false positives
      o	New built-in reports for safety critical (i.e. AUTOSAR, MISRA, BSA, JPL, etc.) and security

DevSecOps for Embedded Software Development

The New Cybersecurity Executive Order Explained.

The recent Cybersecurity Executive Order puts a strong emphasis on improving software supply chain security. With vulnerabilities increasing in software and attack surfaces growing, the new mandate will now require a software bill of materials (SBOM) of all application components including open-source and third-party. Together VDC Research and GrammaTech will discuss the complexities and the growing importance of the software supply chain, explain the Executive Order and provide recommendations and actions you can take today to better address security concerns.
 
In this webinar, you will learn about:
- The current state of the software supply chain and why is software increasingly vulnerable
- Details of Cybersecurity Executive Order and how to address software supply chain security
- A solution for producing a software bill of materials (SBOM) including for third party (binary) code while understanding the vulnerabilities they introduce

Software Supply Chain Security – Ignorance Is No Longer Bliss

Tuesday, June 8 @ 10am ET

It is clear that in the next few years, we will start to see a range of new autonomous and eVTOL flying craft, both commercial and military, supporting applications such as passenger transport, package delivery and infrastructure inspection. The tight space, cost and power constraints place significant challenges on system architects to create platforms which are safe, secure and certifiable. These mission-critical systems must work deterministically as intended all the time. This webinar, supported by AFuzion, GrammaTech and Lynx Software Technologies, will focus on delivering that determinism for the development process, the software being deployed and how that software executes. 
 
System architects will learn about  
- Critical aspects for software determinism; Ensuring software performs as intended while meeting adherence to software standards, with emphasis on cyber security and static code analysis 
- Determinism of software execution; Reviewing time/space partitioning techniques to avoid multicore processor interference 
- Best practices for a deterministic development process; Meeting certification standards for Cyber and Software Engineering optimally with evidence

Failure is Not an Option: Best Practices in Mission-Critical System Development

The software development industry is in the midst of a shift to integrating security into the software development process - this is often referred to as DevSecOps, the combination of Development, Security and Operations.

DevSecOps – Detecting 0-day and N-day Vulnerabilities, Everyday.

Analysts are predicting that throughout 2021, we will continue to see the human element of DevOps shining through. Other predictions forecast that the role of AI and AIOps in DevOps teams will become more prominent and that DevOps will take a larger role in enterprise Digital Transformation efforts. 

As DevOps teams continue to grow and adapt to trends and changes that have emerged from the pandemic, it’s important to take a closer look at these changes and trends.

Join this panel to learn what the emerging trends around DevOps are, and to hear best practices about how DevOps teams can continue to collaborate and thrive when dealing with new and increased pressures. 
Topics of discussion will include:
-  Key learnings DevOps team have experienced from the events of 2021
-  What the future for DevOps teams may look like, and how it can help businesses innovate
-  The most prominent trends impacting DevOps team and ways of working in 2021, from AIOps to new toolchains
-  And more

Diving Into DevOps in 2021

Research highlights hidden vulnerabilities in commonly used commercial off-the-shelf software applications

Commercial off-the-shelf (COTS) software includes prevalent use of third-party and open-source components creating a software supply chain security blind spot. The findings in a recent Osterman Research report present a serious weakness in the software supply chain of many widely used COTS software applications. This webinar will share results of the research report and discuss how organizations can take a more proactive approach to ensuring a stronger enterprise-wide cybersecurity posture.

In this webinar, you will learn:
• Why vulnerabilities in COTS software applications are a cybersecurity threat
•	100% of all analyzed applications with open-source components in five common software categories (web browsers, email, file sharing, online meetings and messaging) contained vulnerable open-source components 
•	Applications in the meeting and email client categories were the most vulnerable
•	Critical vulnerabilities (CVSS 10.0) were found in 85% of these applications
•	New ways of analyzing COTS software applications to better reduce your attack surface and potential for compromise

Exposing Software Supply Chain Security Blind Spots

Commercial Off-The-Shelf

Cyber Security

Enterprise Security

Open Source

SBOM

Software Bill of Materials

Software Supply Chain

Third Party Software

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

The application development community features top thought leadership focusing on optimal practices in software development, SDLC methodology, mobile app development and application development platforms and tools. Join top software engineers and coders as they cover emerging trends in everything from enterprise app development to developing for mobile platforms such as Android and iOS.

Application Development

Join thousands of engaged IT professionals in the application management community on BrightTALK. Interact with your peers in relevant webinars and videos on the latest trends and best practices for application lifecycle management, application performance management and application development.

Application Management

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Information Technology

Join this new, vibrant community to learn and connect with top thought leaders, startups and banks who are disrupting the financial services industry. Keep up with the latest news and trends in Fintech and take part in lively debates on topical issues and challenges.

Fintech

The accounting and finance community on BrightTALK features presentations from leading accountants and finance professionals. The accounting community includes tax planning strategies, QuickBooks webinars and other accounting webinars, while the finance community features presentations on financial capital regulations and forensic data analytics. Join the conversation by attending live financial and accounting presentations and connecting with industry thought leaders.

Exposing Software Supply Chain Security Blind Spots

Presented by

About this talk

More from this channel