The 4 Levels of Open Source Risk Management

•

1 like•2,551 views

The document describes different levels of open source risk management from manual tracking using spreadsheets to fully automated identification and inventory of open source components. It notes that manual tracking impacts developer productivity and accuracy is difficult to maintain. The highest level of automated risk management allows open source to be automatically identified, inventoried, and mapped to vulnerabilities and licenses without disrupting the software development lifecycle. Black Duck Software offers products to help organizations automate open source security and license compliance management.

Technology

LEVEL 3 – TRACKING OPEN SOURCE BY SPREADSHEET
Making Progress (Issues Remain). Developers complain
that manual tracking is impacting their productivity.
Accuracy is difficult to maintain. Provides limited insight
into security vulnerabilities.
DO YOU KNOW WHAT LICENSE OR SECURITY ISSUES
MIGHT ARISE FROM YOUR USE OF OPEN SOURCE?
BLACK DUCK CAN HELP YOU:
Automatically identify and inventory open source software used to build applications and
Docker containers
Map open source components to known vulnerabilities and license requirements with Black
Duck’s comprehensive KnowledgeBase™ of more than 1.5 million open source projects and
75,000 vulnerabilities
Streamline and secure continuous integration/deployment activities with integration with the
most popular DevOps and security tools, including IBM AppScan, HP Fortify, Docker, Red Hat
Atomic, Jenkins, and Atlassian
Help your teams set policies to govern open source security, license, and code quality risks,
enforce policies through build-tool integrations, and manage remediation efforts through IT
workflow support.
Continuously monitor for and provide alerts for new open source vulnerabilities
For more information, visit www.blackducksoftware.com
LEVEL 1 – IGNORING RISK
Code Red. You’re unaware of open source used in
your code. No policies in place to manage open
source security and licensing risks.
LEVEL 2 – MANUAL DISCOVERY OF OPEN SOURCE
Significant Trouble. Inaccurate open source invento-
ries. Processes to manage open source are incon-
sistent. No controls over open source use.
Where does your organization stand with open source risk management?
How are you identifying and securing open source used in your code?
Measure your organization against these four levels to find out…
LEVEL 4 –AUTOMATED OS RISK MANAGEMENT
Way Cool. Open source is automatically identified,
inventoried, and mapped to known vulnerabilities and
license requirements without impacting your SDLC.
Organizations worldwide use Black Duck Software’s industry-leading products to automate
the processes of securing and managing open source software, eliminating the pain related
to security vulnerabilities, open source license compliance and operational risk. Black Duck
is headquartered in Burlington, MA, and has offices in San Jose, CA, London, Frankfurt, Hong
Kong, Tokyo, Seoul and Beijing. For more information, visit www.blackducksoftware.com

What's hot

Customer Case Study: ScienceLogic - Many Paths to Compliance

Black Duck by Synopsys

Secure application deployment in Apache CloudStack

Tim Mackey

Presented on September 22, 2016 by Brent Baude, Principle Software Engineer, Atomic and Docker Development, Red Hat; Randy Kilmon, VP, Engineering, Black Duck Organizations are increasingly turning to container environments to meet the demand for faster, more agile software development. But a 2015 study conducted by Forrester Consulting on behalf of Red Hat revealed that 53% of IT operations and development decision makers at global enterprises reported container security concerns as a barrier to adoption. The challenges of managing security risk increase in scope and complexity when hundreds or even thousands of different open source software components and licenses are part of your application code base. Since 2014, more than 6,000 new open source security vulnerabilities have been reported, making it essential to have good visibility into and control over the open source in use in order to understand if any known vulnerabilities are present. In this webinar, experts from Red Hat and Black Duck will share the latest insights and recommendations for securing the open source in your containers, including protecting them from vulnerabilities like Heartbleed, Shellshock and Venom. You’ll learn: • Why container environments present new application security challenges, including those posed by ever-increasing open source use. • How to scan applications running in containers to identify open source in use and map known open source security vulnerabilities. • Best practices and methodologies for deploying secure containers with trust and confidence.

Contain your risk: Deploy secure containers with trust and confidence

Black Duck by Synopsys

Integration and automation are cornerstones of DevOps. Black Duck Hub provides integrations to CI/CD solutions like Jenkins and TeamCity, but what if you are using a different solution or maybe even your own custom tools? Never fear! Black Duck Hub API's allow you to leverage Black Duck open source scanning and policies into your environment. In this session we'll roll up our sleeves and dig into some coding examples to show you how to do it.

Integrating Black Duck into Your Environment with Hub APIs

Black Duck by Synopsys

Docker is revolutionizing the way organizations build and deploy applications. But while containers make it easier to development teams to package applications with all their dependencies, they make it harder for operations teams to control what software is deployed into production. In this session you will see how Black Duck Hub helps development and operations teams maintain complete visibility and control of the open source in their containers.

Securing Docker Containers

Black Duck by Synopsys

Compliance in the 2016 Future of Open Source

Black Duck by Synopsys

Open Source and Cyber Security: Open Source Software's Role in Government Cyb...

Great Wide Open

PCI and Vulnerability Assessments - What’s Missing

Black Duck by Synopsys

According to SAP 85% of cybersecurity attacks target the application layer. To be successful in defending against these attacks you need to use a variety of tools. In session we'll go into the various types application security tools and approaches, including SAST, DAST, RASP, PEN, as well as Open Source Vulnerability Management. We'll help you understand the differences between these tools and help you develop a plan for filling your application security toolbox.

Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why

Black Duck by Synopsys

Application Security in the Age of Open Source

Black Duck by Synopsys

How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps. You’ll learn: -New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments -Best practices for designing and incorporating an automated approach to application security into your existing development environment -Future development and application security challenges organizations will face and what they can do to prepare

Software Security Assurance for DevOps

Black Duck by Synopsys

Open Source Security

Sander Temme

Open Source in Application Security

Black Duck by Synopsys

As presented at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious. Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: - How known vulnerabilities can make their way into production deployments - How vulnerability impact is maximized - A methodology for ensuring deployment of vulnerable code can be minimized - A methodology to minimize the potential for vulnerable code to be redistributed

Secure application deployment in the age of continuous delivery

Tim Mackey

Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/ How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools. What can development teams do to keep pace with rapidly-evolving application security threats? The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks. In this session, you will learn: - New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments. - Best practices for designing and incorporating an automated approach to application security into your existing development environment. - Future development and application security challenges organizations will face and what they can do to prepare.

Empowering Application Security Protection in the World of DevOps

IBM Security

Fortify dev ops (002)

Madhavan Marimuthu

Devops security-An Insight into Secure-SDLC

Suman Sourav

From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...

WhiteSource

In this session, we'll start with the basics of application security for an environment where development teams are able to push code into production at will. We quickly cover the basics and move on to the advanced topics of tests and models for long-term application security. We'll cover real-world Black Duck CI examples including keeping apps up-to-date in Pivotal Cloud Foundry environments, and end with tips for advocating for long-term security structures.

Shift Risk Left: Security Considerations When Migrating Apps to the Cloud

Black Duck by Synopsys

What's hot (19)

Customer Case Study: ScienceLogic - Many Paths to Compliance

Secure application deployment in Apache CloudStack

Contain your risk: Deploy secure containers with trust and confidence

Integrating Black Duck into Your Environment with Hub APIs

Securing Docker Containers

Compliance in the 2016 Future of Open Source

Open Source and Cyber Security: Open Source Software's Role in Government Cyb...

PCI and Vulnerability Assessments - What’s Missing

Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why

Application Security in the Age of Open Source

Software Security Assurance for DevOps

Open Source Security

Open Source in Application Security

Secure application deployment in the age of continuous delivery

Empowering Application Security Protection in the World of DevOps

Fortify dev ops (002)

Devops security-An Insight into Secure-SDLC

From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...

Shift Risk Left: Security Considerations When Migrating Apps to the Cloud

Viewers also liked

Proactive sell side due diligence to identify, inventory, assess, and, when necessary, remediate open source risks helps ensure the target company receives the best value for its products in an M&A event (and avoid lawsuits). Discovering these problems late in the game can dramatically affect the final purchase price, trigger the need for additional/longer/enhanced escrows, delay closing or even cause an acquisition to be called off altogether.

Don't Let Open Source be the Deal Breaker In Your M&A

Black Duck by Synopsys

With a record-breaking 1,300 respondents, the 2015 Future of Open Source Survey results highlight record levels of corporate participation in open source, as well as the greater impact OSS is having on technology and security. Yet, this year's results also reveal a reported lack of formal company policies and processes for consuming and managing open source and its associated legal, operational, and security risks. Learn more at www.blackducksoftware.com/future-of-open-source

2016 Future of Open Source Survey Results

Black Duck by Synopsys

Open Source By The Numbers

Black Duck by Synopsys

Presented August 11, 2016 by Michael Right, Senior Product Manager, HPE Security Fortify; Mike Pittenger, VP of Security Strategy, Black Duck. Open source software is an integral part of today’s technology ecosystem, powering everything from enterprise and mobile applications to cloud computing, containers and the Internet of Things. While open source offers attractive economic and productivity benefits for application development, it also presents organizations with significant security challenges. Every year, thousands of new open source security vulnerabilities – such as Heartbleed, Venom and Shellshock – are reported. Unfortunately, many organizations lack visibility into and control of their open source. Addressing this challenge is vital for ensuring security in applications and containers. Whether you’re building software for customers or for internal use, the majority of the code is likely open source and securing it is no easy task. In this session, you’ll learn about: • The evolving DevOps and software security assurance lifecycle in the age of open source • The software security considerations CISOs, security, and development teams must address when using open source • An automated approach to identifying vulnerabilities and managing software security assurance for custom and open source code.

Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck

Black Duck by Synopsys

The 2016 North Bridge & Black Duck Future of Open Source Study marks the 10th Anniversary of this survey. The study examines open source software trends on an annual basis. Notably, the 2016 survey findings position open source as today’s preeminent architecture, the foundation for nearly all applications, operating systems, cloud computing, databases, and big data. In terms of the strategic influence open source has on their business, respondents see it as an engine for innovation, with 90% reporting they rely on open source for improved efficiency, innovation and interoperability. The most compelling reasons cited in the survey for use of open source included flexibility and freedom from vendor lock-in; competitive features and technical capabilities; ability to customize; and overall quality. The 2016 results also show that the rapid adoption of open source has outpaced the implementation of effective open source management and security practices. Nearly half of respondents report they have no formal processes to track their open source, and half reporting that no one has responsibility for identifying known vulnerabilities and tracking remediation. Key 2016 Insights: Open Source Is The Modern Architecture. Open Source is the foundation now for nearly all applications, operating systems, cloud computing, databases, big data and more. Open Source IS the Engine of Innovation. Open Source is driving business because it facilitates faster, more agile development. This translates into quicker builds, accelerated time to market and vastly superior interoperability. There is a new generation of companies and business models emerging. Respondents report that in the next two or three years, the business models that will generate the most revenue for open source vendors are SaaS (46%); Custom Development (42%) and Services/Support (41%). Challenges remain: Open Source security and management practices have not kept pace with rapid adoption. In the wake of high profile breaches, there is likely to be more emphasis on security. Participation and contribution will secure the future of open source. Investing in the open source community spurs innovation, delivers exponential value and most of all, it’s fun. It continues to grow as a key hiring and retention tool in IT shops of enterprises, governments, and startups alike.

2016 Future of Open Source Study

North Bridge

Learn about the winners of the sixth annual Black Duck Open Source Rookies of the Year awards, recognizing the top new open source projects initiated in 2013. This year's Open Source Rookies honorees span cloud and software virtualization, privacy, social media and Internet of Things projects addressing needs in the enterprise, government, gaming and consumer applications, among others, and reflect important trends in the open source community.

2013 Open Source Rookies of the Year

Black Duck by Synopsys

Black Duck Software’s 2014 Review

Black Duck by Synopsys

BlackDuck Suite

jeff cheng

The AppSec Path to Enlightenment

Black Duck by Synopsys

Containers for Lawyers Richard Fontana

Black Duck by Synopsys

Presented by Mark Radcliffe on October 12, 2016 This webinar examined the implications of recent developments in open source compliance and litigation. It touched on a series of Linux-related cases and stepped up compliance activity in Germany, in addition to current patent suits against Apache projects. The new litigation was discussed in the context of prior similar cases such as the Versata-Ameriprise case. Additionally, the webinar provided an overview of compliance best practices and how to reduce the risk of open source compliance and litigation.

Litigation and Compliance in the Open Source Ecosystem

Black Duck by Synopsys

2015 Future of Open Source Survey Results

Black Duck by Synopsys

OPEN SOURCE SEMINAR PRESENTATION

Ritwick Halder

Open Source Insight: CVE-2017-2636 Vuln of the Week & UK National Cyber Secur...

Black Duck by Synopsys

All regulatory requirements (HIPAA, PCI, etc.) include a mandate for assessing vulnerabilities in systems that manage or store sensitive data. Organizations often opt to conduct vulnerability assessments on an annual, quarterly, or even monthly basis. But while vulnerability assessment tools can identify unpatched or misconfigured code bases, these tools overlook a large portion of an organization’s attack surface: known vulnerabilities in applications that are built in-house. These applications will not have public updates, nor will the thousands of open source components they utilize be included in public disclosures. This is concerning because over 6,000 vulnerabilities in open source projects have been reported since 2014. Register for this webinar to discover how to protect yourself.

PCI and Vulnerability Assessments - What’s Missing?

Black Duck by Synopsys

Viewers also liked (15)

Don't Let Open Source be the Deal Breaker In Your M&A

2016 Future of Open Source Survey Results

Open Source By The Numbers

Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck

2016 Future of Open Source Study

2013 Open Source Rookies of the Year

Black Duck Software’s 2014 Review

BlackDuck Suite

The AppSec Path to Enlightenment

Containers for Lawyers Richard Fontana

Litigation and Compliance in the Open Source Ecosystem

2015 Future of Open Source Survey Results

OPEN SOURCE SEMINAR PRESENTATION

Open Source Insight: CVE-2017-2636 Vuln of the Week & UK National Cyber Secur...

PCI and Vulnerability Assessments - What’s Missing?

Similar to The 4 Levels of Open Source Risk Management

Software Security Assurance for DevOps

Black Duck by Synopsys

Software Security Assurance for Devops

Jerika Phelps

10 Tips to Keep Your Software a Step Ahead of the Hackers

Checkmarx

When did we forget that old saying, “prevention is the best medicine”, when it comes to cybersecurity? The current focus on mitigating real-time attacks and creating stronger defensive networks has overshadowed the many ways to prevent attacks right at the source – where security management has the biggest impact. Source code is where it all begins and where attack mitigation is the most effective. In this webinar we’ll discuss methods of proactive threat assessment and mitigation that organizations use to advance cybersecurity goals today. From using static analysis to detect vulnerabilities as early as possible, to managing supply chain security through standards compliance, to scanning for and understanding potential risks in open source, these methods shift attack mitigation efforts left to simplify fixes and enable more cost-effective solutions. Webinar recording: http://www.roguewave.com/events/on-demand-webinars/shifting-the-conversation-from-active-interception

Shifting the conversation from active interception to proactive neutralization

Rogue Wave Software

Open Source software is the foundation for application development today. Open source use is growing rapidly worldwide because of the development cost reductions and innovation it enables. Black Duck discovers open source in nearly every application it analyzes and finds that 35% of the average commercial software application is open source. Home-grown applications typically contain 50% or more open source. The dramatic growth in open source use has been accompanied by an array of security and management challenges related to a lack of visibility into and control of the open source in use. Leading organizations are aggressively pursuing ways to increase their use of open source and do so without compromising effective security or management.

Welcome & The State of Open Source Security

Jerika Phelps

Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn't

Sonatype

You can build better software faster with Open Source Software (OSS) components, but you must ensure that your organization meets component-licensing terms. Violating the terms of an open source license is copyright or intellectual property infringement and can lead to legal and financial penalties. This white paper explains why certain types of open source licenses create legal risk and describes win-win methods for avoiding risk that give lawyers the confidence they need while giving developers the speed they need.

Lawyers and Licenses in Open Source-based Development: How to Protect Your So...

Sonatype

DeepContentInspection Lato

Brian Stoner

BlackHat USA 2015 got recently concluded and we head a bunch of news around how BlackHat brought to light various security vulnerabilities in day-to-day life like ZigBee protocol, Device for stealing keyless cars & ATM card skimmers. However the presenters, who are also ethical hackers, also gave a bunch of tools to help software community to detect & prevent security holes in the hardware & software while the product is ready for release. We have reviewed all the presentations from the conference and give you here a list of Top 10 tools/utilities that helps in security vulnerability detection & prevention.

Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...

Mobodexter

As presented by Tim Mackey, Senior Technical Evangelist at Black Duck Software, at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious. Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: - How known vulnerabilities can make their way into production deployments - How vulnerability impact is maximized - A methodology for ensuring deployment of vulnerable code can be minimized - A methodology to minimize the potential for vulnerable code to be redistributed

Secure application deployment in the age of continuous delivery

Black Duck by Synopsys

Ransomware is a strategy for adversaries to make money – a strategy that’s proven successful. During this presentation, we will cover how ransomware works, ransomware trends to watch, best practices for prevention, and more. At the core of the discussion, Scott will explain how to build detections for common tactics, techniques, and procedures (TTPs) used by ransomware families and how to validate they work, ongoing, as part of the larger security program. Participants will leave this webinar with actionable advice to ensure their organization is more resilient to ever-evolving ransomware attacks.

How to Build and Validate Ransomware Attack Detections (Secure360)

Scott Sutherland

The first quarter of 2016 was a big one for new open source security vulnerabilities. The Glibc vulnerability was by far the biggest. It impacts nearly 900K of the 1 million different open source projects. In this webinar, we’ll dive into Glibc and the Q1 data to help you: - Understand latest trends in open source security threats and what it means to your organization in 2016 - Simple steps to quickly find and protect yourself from newly reported threats - Prepare your organization to respond to new vulnerabilities in open source projects

Q1 2016 Open Source Security Report: Glibc and Beyond

Black Duck by Synopsys

As delivered at Interop ITX 2017. The security of open source software is a function of the security of its components. For most applications, open source technologies are at their core, but security related issues may not be disclosed directly against the application because its use of the open-source component is hidden. In this talk, I explored how information flow benefits attackers, but how awareness can help defenders. I presented key attributes any vulnerability solution should have - including deep understanding of how open source development works and being DevOps aware.

Security in the age of open source - Myths and misperceptions

Tim Mackey

Aliens in Your Apps!

All Things Open

Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...

PaloAltoNetworks

Managing Security in External Software Dependencies

thariyarox

Managing Security in External Software Dependencies

Tharindu Edirisinghe

Ransomware Prevention Guide

Brian Honan

Bug Bounty Guide | Tools and Resource What is Bug Bounty? A bug bounty is a program offered by organizations, typically websites, software developers, and technology companies, to incentivize ethical hackers and security researchers to identify and report security vulnerabilities or bugs in their systems or products. These programs are designed to encourage responsible disclosure of security issues, and typically offer rewards or bounties to individuals who identify and report such issues. Rewards may range from monetary compensation to recognition, swag or even a job offer. Bug bounties are a way for organizations to crowdsource security testing, identify and address security vulnerabilities in their systems and products, and ultimately enhance the security of their technology. Additionally, bug bounty programs provide a way for security researchers to earn money while helping to improve the security of online systems and applications. How to Start Bug Bounty? 1. Learn the basics: Familiarize yourself with the fundamentals of web application security and the common vulnerabilities that exist. Some good resources for learning include the OWASP Top 10, web application security blogs, and online courses or tutorials. 2. Choose a bug bounty platform: There are many different bug bounty platforms available, such as HackerOne, Bugcrowd, and Synack. Choose a platform that aligns with your interests and skill level, and create an account. 3. Familiarize yourself with the platform’s rules and policies: Before you start testing, make sure you understand the rules and policies of the platform you’re using. This will help ensure that you don’t accidentally violate any terms and conditions. 4. Select a target: Choose a target that you’re interested in testing, such as a website or application. Make sure it’s within the scope of the bug bounty program you’re participating in. 5. Start testing: Use a combination of manual and automated testing techniques to identify potential vulnerabilities. Some common testing techniques include scanning for open ports, fuzzing parameters, and testing for injection vulnerabilities. 6. Submit vulnerabilities: Once you’ve identified a vulnerability, submit it to the bug bounty program for verification and reward. Make sure to follow the platform’s guidelines for submitting vulnerabilities, and provide clear and detailed information about the issue. 7. Stay engaged: Participate in the bug bounty community, ask questions, and learn from other researchers. This will help you improve your skills and stay up to date with the latest trends and techniques in bug bounty hunting. Top 10 Vulnerabilities 1. Injection: Injection flaws occur when untrusted data is passed to an interpreter as part of a command or query. This can lead to a range of attacks, such as SQL injection, OS command injection, and LDAP injection. 2. Broken Authentication and Session Management: This vulnerability arises when authentication and session mana

Bug Bounty Guide Tools and Resource.pdf

hacktube5

Secure SDLC in mobile software development.

Mykhailo Antonishyn

Similar to The 4 Levels of Open Source Risk Management (20)

Software Security Assurance for DevOps

Software Security Assurance for Devops

10 Tips to Keep Your Software a Step Ahead of the Hackers

Shifting the conversation from active interception to proactive neutralization

Welcome & The State of Open Source Security

Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn't

Lawyers and Licenses in Open Source-based Development: How to Protect Your So...

DeepContentInspection Lato

Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...

Secure application deployment in the age of continuous delivery

How to Build and Validate Ransomware Attack Detections (Secure360)

Q1 2016 Open Source Security Report: Glibc and Beyond

Security in the age of open source - Myths and misperceptions

Aliens in Your Apps!

Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...

Managing Security in External Software Dependencies

Ransomware Prevention Guide

Bug Bounty Guide Tools and Resource.pdf

Secure SDLC in mobile software development.

More from Black Duck by Synopsys

Anthony Decicco, shareholder, GTC Law Group presented at FLIGHT West 2018. His session description included: A buyer and investor focused discussion of key open source software-related issues and deal points. Understanding the key legal and technical risks, as well as strategies for mitigating them, will help you to focus due diligence, speed and smooth negotiations and get better deal terms, increasing overall value and avoiding post-transaction surprises. For more information, please visit us at www.blackducksoftware.com

Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...

Black Duck by Synopsys

Basma Shahadat, Lead Research Engineer presented at Black Duck Flight West 2018. Security checking in the early stages of the SDLC is critical. This session will demonstrate how Proofpoint is taking proactive steps to reduce risk by integrating Black Duck into Proofpoint’s continuous integration pipeline to detect open source vulnerabilities during the product build. For more information, please visit us at https://www.blackducksoftware.com/

FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...

Black Duck by Synopsys

FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck Hub

Black Duck by Synopsys

FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...

Black Duck by Synopsys

FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...

Black Duck by Synopsys

Open-Source- Sicherheits- und Risikoanalyse 2018

Black Duck by Synopsys

At Flight Amsterdam, Fenna Douwenga, Associate, Bird & Bird provided practical tips on open source licenses, intellectual property rights, and trade secrets. During the presentation Fenna reviewed, everlasting conflict between patents, copyright and open source and how it can be overcome. Additionally, the new European Trade Secrets Directive was discussed and how some of the requirements therein may for instance conflict with the GNU General Public license. Furthermore, a quick outline of the influence of Brexit on licenses closed under UK law was given and how potential problems can be prevented.

FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...

Black Duck by Synopsys

FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide

Black Duck by Synopsys

Flight Amsterdam presentation by Anthony Decicco, Shareholder, GTC Law Group Open source software is increasingly centric to transactions, whether licensing, mergers, acquisitions, financing, insurance, offerings or loans, and the deal landscape is changing with the prevalence of representation and warranty insurance, heightened focus on security vulnerabilities and increasing litigation. As such, it is important to understand and re-visit key open source software-related issues and deal points to accelerate your deal, avoid unnecessary due diligence and realize the most value from your open source software-related compliance efforts.

FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal

Black Duck by Synopsys

FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...

Black Duck by Synopsys

FLIGHT Amsterdam Presentation - From Protex to Hub

Black Duck by Synopsys

The Black Duck blog and Open Source Insight become part of the Synopsys Software Integrity blog in early April. You’ll still get the latest open source security and license compliance news, insights, and opinions you’ve come to expect, plus the latest software security trends, news, tips, best practices, and thought leadership every week. Don’t delay, subscribe today! Now on to this week’s open source security and cybersecurity news.

Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...

Black Duck by Synopsys

Open Source Insight:GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...

Black Duck by Synopsys

Open Source Rookies and Community

Black Duck by Synopsys

We look at the three reasons you must attend the FLIGHT Amsterdam conference; how to build outstanding projects in the open source community; and why isn’t every app being security tested? Plus, in-depth into the TRITON attack; why 2018 is the year of open source; how open source is driving both IoT and AI and a webinar on the 2018 Open Source Rookies of the Year. Open Source Insight is your weekly news resource for open source security and cybersecurity news!

Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...

Black Duck by Synopsys

It’s an acronym-filled issue of Open Source Insight, as we look at the question of SCA (software composition analysis) and how it fits into the DevOps environment. The DHS (Department of Homeland Security) has concerning security gaps, according to its OIG (Office of Inspector General). Can the CVE (Common Vulnerabilities and Exposures) gap be closed? The GDPR (General Data Protection Regulation) is bearing down on us like a freight train, and it’s past time to include open source security into your GDPR plans. Plus, an intro to the Open Hub community, looking at security for blockchain apps, and best practices for open source security in container environments are all featured in this week’s cybersecurity and open source security news.

Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...

Black Duck by Synopsys

Welcome to the March 2nd edition of Open Source Insight from Black Duck by Synopsys! We look at places you’d never expect to find GDPR data, as well as answers to your most-frequently-asked GDPR questions. Synopsys Principal Scientist Sammy Migues explores why enterprises must have a software security program while Black Duck Technology Evangelist, Tim Mackey, takes a look at building application security into the heart of DevOps. Plus, a report that may give you nightmares on the malicious possibilities of AI. All the cybersecurity and open source security news fit to print lies ahead for your reading pleasure…

Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...

Black Duck by Synopsys

This week’s Open Source Insight features a powerful visualization tool displaying the world’s biggest data breaches at name brands such as Ebay, Equifax, Anthem, and Target. The White House and British Foreign Office have condemned a cyber-attack launched by the Russian military on Ukraine and hint at reprisals. Black Duck brings open source vulnerability detection to Kubernetes, and Synopsys will host Elevate, an evening thought leadership event at Embedded World 2018 featuring an elite group of international cyber security experts leading a discussion about IoT and embedded systems security threats and solutions. Read on for all the open source security and cybersecurity news you need to know this week.

Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...

Black Duck by Synopsys

Opinions differ on exactly when, but open source turned twenty this year. Most security breaches in 2017 were preventable (you hear that, Equifax?), and it’s time to take a look back to prevent similar breaches in 2018. iPhone source code gets leaked (for a short time). And keeping medical devices, voting machines, automobiles, and critical infrastructure safe in a world of increasing application risk. Read on for open source security and cybersecurity in Open Source Insight for February 9th, 2018.

Open Source Insight: Happy Birthday Open Source and Application Security for ...

Black Duck by Synopsys

This week in Open Source Insight we examine blockchain security and the cryptocurrency boom. Plus, take an in depth look at open source software in tech contracts with a legal expert from Tech Contracts Academy, Adobe Flash Player continues to be a security concern, the Open Source Initiative turns 20, and step by step instructions for migrating to Docker on Black Duck Hub. Cybersecurity and security breach news also dominates this week, as Synopsys examines security breaches in 2017 and how they were preventable.

Open Source Insight: Security Breaches and Cryptocurrency Dominating News

Black Duck by Synopsys

More from Black Duck by Synopsys (20)

Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...

FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...

FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck Hub

FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...

FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...

Open-Source- Sicherheits- und Risikoanalyse 2018

FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...

FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide

FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal

FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...

FLIGHT Amsterdam Presentation - From Protex to Hub

Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...

Open Source Insight:GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...

Open Source Rookies and Community

Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...

Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...

Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...

Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...

Open Source Insight: Happy Birthday Open Source and Application Security for ...

Open Source Insight: Security Breaches and Cryptocurrency Dominating News

Recently uploaded

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

The action of the next cyber saga takes place in the mystical lands of the Asia-Pacific region, where the main characters began their digital activities in the middle of 2021 and qualitatively strengthened it in 2022. Corporate espionage, document theft, audio recordings, and data leaks from messaging platforms were all a matter of one day for Dark Pink. Their geographical focus may have started in the Asia-Pacific region, but their ambitions knew no bounds, targeting a European government ministry in a bold move to expand their portfolio. Their victim profile was as diverse as a UN meeting, targeting military organizations, government agencies, and even a religious organization. Because discrimination is not a fashionable agenda. In the world of cybercrime, they serve as a reminder that sometimes the most serious threats come in the most unassuming packages with a pink bow.

Cyberprint. Dark Pink Apt Group [EN].pdf

Overkill Security

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

Exploring Multimodal Embeddings with Milvus

Zilliz

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Angeliki Cooney has spent over twenty years at the forefront of the life sciences industry, working out of Wynantskill, NY. She is highly regarded for her dedication to advancing the development and accessibility of innovative treatments for chronic diseases, rare disorders, and cancer. Her professional journey has centered on strategic consulting for biopharmaceutical companies, facilitating digital transformation, enhancing omnichannel engagement, and refining strategic commercial practices. Angeliki's innovative contributions include pioneering several software-as-a-service (SaaS) products for the life sciences sector, earning her three patents. As the Senior Vice President of Life Sciences at Avenga, Angeliki orchestrated the firm's strategic entry into the U.S. market. Avenga, a renowned digital engineering and consulting firm, partners with significant entities in the pharmaceutical and biotechnology fields. Her leadership was instrumental in expanding Avenga's client base and establishing its presence in the competitive U.S. market.

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Angeliki Cooney

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

[BuildWithAI] Introduction to Gemini.pdf

Sandro Moreira

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

apidays

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

DBX First Quarter 2024 Investor Presentation

Dropbox

Recently uploaded (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Cyberprint. Dark Pink Apt Group [EN].pdf

Why Teams call analytics are critical to your entire business

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

Strategies for Landing an Oracle DBA Job as a Fresher

AWS Community Day CPH - Three problems of Terraform

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

MS Copilot expands with MS Graph connectors

Exploring Multimodal Embeddings with Milvus

How to Troubleshoot Apps for the Modern Connected Worker

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Boost Fertility New Invention Ups Success Rates.pdf

[BuildWithAI] Introduction to Gemini.pdf

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

FWD Group - Insurer Innovation Award 2024

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Artificial Intelligence Chap.5 : Uncertainty

DBX First Quarter 2024 Investor Presentation

The 4 Levels of Open Source Risk Management

1. LEVEL 3 – TRACKING OPEN SOURCE BY SPREADSHEET Making Progress (Issues Remain). Developers complain that manual tracking is impacting their productivity. Accuracy is difficult to maintain. Provides limited insight into security vulnerabilities. DO YOU KNOW WHAT LICENSE OR SECURITY ISSUES MIGHT ARISE FROM YOUR USE OF OPEN SOURCE? BLACK DUCK CAN HELP YOU: Automatically identify and inventory open source software used to build applications and Docker containers Map open source components to known vulnerabilities and license requirements with Black Duck’s comprehensive KnowledgeBase™ of more than 1.5 million open source projects and 75,000 vulnerabilities Streamline and secure continuous integration/deployment activities with integration with the most popular DevOps and security tools, including IBM AppScan, HP Fortify, Docker, Red Hat Atomic, Jenkins, and Atlassian Help your teams set policies to govern open source security, license, and code quality risks, enforce policies through build-tool integrations, and manage remediation efforts through IT workflow support. Continuously monitor for and provide alerts for new open source vulnerabilities For more information, visit www.blackducksoftware.com LEVEL 1 – IGNORING RISK Code Red. You’re unaware of open source used in your code. No policies in place to manage open source security and licensing risks. LEVEL 2 – MANUAL DISCOVERY OF OPEN SOURCE Significant Trouble. Inaccurate open source invento- ries. Processes to manage open source are incon- sistent. No controls over open source use. Where does your organization stand with open source risk management? How are you identifying and securing open source used in your code? Measure your organization against these four levels to find out… LEVEL 4 –AUTOMATED OS RISK MANAGEMENT Way Cool. Open source is automatically identified, inventoried, and mapped to known vulnerabilities and license requirements without impacting your SDLC. Organizations worldwide use Black Duck Software’s industry-leading products to automate the processes of securing and managing open source software, eliminating the pain related to security vulnerabilities, open source license compliance and operational risk. Black Duck is headquartered in Burlington, MA, and has offices in San Jose, CA, London, Frankfurt, Hong Kong, Tokyo, Seoul and Beijing. For more information, visit www.blackducksoftware.com

The 4 Levels of Open Source Risk Management

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Viewers also liked

Viewers also liked (15)

Similar to The 4 Levels of Open Source Risk Management

Similar to The 4 Levels of Open Source Risk Management (20)

More from Black Duck by Synopsys

More from Black Duck by Synopsys (20)

Recently uploaded

Recently uploaded (20)

The 4 Levels of Open Source Risk Management