DevSecOps: Closing the Loop from Detection to Remediation

Get a firsthand look at our new product in a webinar on Tuesday, 17 September. Many IT organizations tasked with securing infrastructure find that one of their biggest challenges is the vulnerability management process. This process is often manual and inefficient, leaving systems exposed to breaches and attacks. Our new product, Puppet Remediate, addresses common pain points in the vulnerability management workflow to better protect your infrastructure and reduce manual work. With Remediate, you can: Eliminate data handoffs between teams. Puppet Remediate integrates with the three major vulnerability scanners — Tenable, Qualys and Rapid7 — providing a single source of truth for IT Ops; Easily assess the most critical threats. The dashboard shows all vulnerabilities prioritized by relative risk, so you know what to address first; Agentless remediation. Run a task to remediate vulnerabilities directly from the dashboard. You can upload your own scripts, or make use of existing modules in the Puppet Forge.

Open Source Security: How to Lay the Groundwork for a Secure Culture

Open-source components are prevalent in approximately 97% of modern applications and dominate anywhere between 60-80% of their codebases. This is hardly surprising given how integrating open source accelerates software development and enables organizations to keep up with today's frantic release pace and standards of constantly supplying new features and improvements. However, taking into consideration the fact that recent years have seen an upsurge in reported open-source vulnerabilities, whose details and exploits are publicly available, it's no wonder that organizations are increasingly directing focus towards ensuring that their open-source components are securely integrated into their software. Join Guy Bar-Gil, Product Manager at WhiteSource, as he discusses: 1. The four layers of open-source security 2. How to integrate continuous security into your SDLC 3. Best practices for organizations to own and execute the security process

Do You Trust Your DevSecOps Pipeline?

DevSecOps practices help build security and quality into the software delivery process by making EVERYONE responsible for security at every stage. But, how do you make sure your process is doing the right things? Join Patrick Debois, Snyk DevOps Evangelist and co-author of “The DevOps Handbook,” along with Anders Wallgren, CloudBees Field CTO, as they share tips to allow developers and operators to increase delivery velocity and harden their pipelines.

Securing The Cloud: Top Down and Bottom Up

As organizations continue to move to the cloud for hosting applications and development, security teams must protect multiple attack surfaces, including the applications and cloud infrastructure. Additionally, attackers are automated and capable. While these attackers continuously probe and find access or vulnerabilities on many different levels, their success usually results from human error in code or infrastructure configurations, such as open admin ports and over privileged identity roles. Join DisruptOps and NetSPI for this webinar to learn how to better secure both the application layer and cloud infrastructure, using both automated tools and capable penetration testers to uncover logic flaws and other soft spots. We will share how to find and remediate your own vulnerabilities more efficiently, before the attackers do.

Fire alarms vs. Fire hoses: Keeping up with Dependencies

Today no one can claim ignorance about the need for an open source vulnerability strategy, so what is yours? Are you the fire alarm type, who prefers to sit tight unless a vulnerability alert is ringing in your inbox? Or are you the fire hose type, staying ahead of the game with a never-ending stream of open source updates to apply? Join Rhys as he discusses the pros and cons of these two approaches, as well as whether there's a magical middle ground between the two which doesn't involve a fire analogy.

Container Security: What Enterprises Need to Know

This document discusses container security and summarizes the perspectives of several industry experts on practical steps for securing containers. It notes that the container market is growing rapidly and security needs to extend to all layers of the technology stack. Panelists recommend minimizing privileges, practicing basic hygiene, treating development environments like production, and designing containers to run anywhere. The document also outlines security capabilities like automated DevSecOps, vulnerability management, and runtime defense that are purpose-built for containers and cloud-native applications.

DevSecCon KeyNote London 2015

Shannon Lietz

This document discusses the evolution of security practices to enable secure innovation at speed and scale through a DevSecOps approach. It outlines how traditional security controls can be transformed into self-aware, self-reporting components that integrate seamlessly into the DevOps pipeline. Specific examples are provided for how perimeter testing, configuration management, encrypting sensitive data, access management, and multi-factor authentication can move from annual certifications to continuous monitoring and enforcement. The document advocates for collaboration, experimentation, and a focus on simplicity and automation to evolve security practices for DevOps.

During this webinar, we’ll discuss the “how” to help you get started or unstuck, and scale DevOps success across your business. Join us to see where you are in your evolution, how to get to the next stage, and to dig deeper into key findings like these: - In a DevOps evolution, there are many paths to success, but many more to failure. - Start with the practices that are closest to production; then address processes that happen earlier in the software delivery cycle. - Automating security policy configurations is mission-critical to reaching the highest levels of DevOps evolution.

Software Supply Chain Automation Removes Roadblocks to Rugged DevOps

This document summarizes the benefits experienced by MFS after implementing Jenkins and Nexus to help manage growth in their development organization. Some key points: 1) Jenkins and Nexus helped standardize MFS's development environment, shorten onboarding times, and improve security, code quality, and traceability. 2) Their initial implementation had limited success, but replacing build servers and addressing core issues like branching strategy and artifact management led to wider adoption. 3) Benefits included managing external resources better, inventorying all artifacts, understanding open source licensing risks, and gaining visibility into dependencies and modules.

Empowering Automation for Everyone 05/29/2019

Simply, safely, everywhere and at scale. Watch this webinar to see what’s new in Puppet Enterprise 2019.1 and how we’re empowering everyone to automate simply, safely, everywhere and at scale. This webinar will cover: What’s new in Puppet Enterprise 2019.1 Bolt enhancements including YAML support and agentless networking support Extended capabilities of Continuous Delivery for Puppet Enterprise like module delivery pipelines, impact analysis and more Featured speakers: Carl Caum, Sr. Product Manager, Puppet Alexa Sevilla, Sr. Product Marketing Manager, Puppet

Safely Removing the Last Roadblock to Continuous Delivery

This document discusses how to implement DevSecOps practices to safely enable continuous delivery. It advocates shifting security left by integrating security practices into development workflows from design through deployment. This allows security issues to be identified and addressed early before they become costly problems. The document outlines DevSecOps staffing models and provides examples of how practices like automated security testing, secure baselines and templates, and monitoring can help operationalize security and reduce mean time to remediate issues from months to hours.

DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...

DevOpsDays Tel Aviv

Measuring Performance: See the Science of DevOps Measurement in Action

This webinar discusses measuring software delivery performance and improving it. Common mistakes in measuring things like lines of code, velocity, and utilization are outlined. The presentation recommends measuring outcomes like deploy frequency, lead time, mean time to recover from outages, and change fail rates. Maturity models are criticized for not accounting for constant industry changes. Research is presented showing high performing teams have significantly better outcomes. Key capabilities to focus on improving are identified in the areas of technology, processes, measurements, and culture. The presentation encourages leaders to start measuring outcomes, identify constraints, and iteratively improve capabilities to accelerate their performance journey.

Devops: Security's big opportunity by Peter Chestna

DevSecCon

This document discusses how DevOps presents both opportunities and challenges for application security. It describes how release timelines and team sizes have changed from waterfall to agile to DevOps approaches. It advocates for security teams to build relationships with developers, share accountability for security, provide training and remediation coaching. It also recommends strategies like appointing security champions, integrating right-sized security practices into the DevOps pipeline through techniques like static analysis, and adjusting security programs to the faster pace of DevOps.

Silver Lining for Miles: DevOps for Building Security Solutions

This document summarizes a presentation about how security teams can adapt to DevOps and continuous deployment models. It discusses how code deployment has shifted to near-instantaneous changes, security is no longer a gatekeeper, and workarounds will happen if security causes delays. To embrace agility, security must decentralize and provide visibility into the development process for all teams, not just security, by surfacing security data. The key lessons are that embracing DevOps actually helps rather than harms security when done with visibility across rapid iterative changes.

Security and DevOps Overview

This document discusses DevSecOps and the changing role of security in IT. It notes that IT is changing fast due to factors like cloud, DevOps, and agile methodologies while attackers are also adapting quickly. However, security tools and processes are often slow to change. The document explores what DevOps is and where security fits within modern IT approaches. It argues that security practitioners must adapt and change how they work, moving from standalone roles to being integrated within development and operations teams in order to keep up with the pace of change and help ensure security is built into systems from the start.

Making Security Agile - Oleg Gryb

This document discusses challenges with integrating security into agile development processes and proposes solutions. It notes that traditional security approaches like threat modeling and penetration testing don't work well in agile environments with short release cycles. The document recommends automating security scans and tests to run with each code change. It also suggests integrating security findings into existing bug tracking tools to streamline remediation. The overall goal is to make security practices more agile and collaborative to improve cycle times for fixing issues.

Scaling Rugged DevOps to Thousands of Applications - Panel Discussion

Outpost24 webinar - Why security perfection is the enemy of DevSecOps

Outpost24

This document discusses how the goal of security perfection can be an enemy of DevSecOps. It argues that perfection is unattainable, can result in analysis paralysis, and does not work with an agile DevOps model. Instead, it advocates embracing a "good enough" approach where security teams focus on addressing critical risks, empower developers, shift testing left, and use compensating controls to mitigate remaining risks. The document encourages security teams to challenge whether they always require thorough vulnerability reviews, fixing of all issues, and sign-off before production to determine if they truly enable DevSecOps practices.

Scaling DevOps - delivering on the promise of business velocity and quality

This document summarizes a webinar presented by Robert Stroud and Tim Buntel on scaling DevOps practices. The webinar discussed how only 23% of enterprises deploy code monthly or faster, highlighting a need to improve release velocity. It also showed that organizations with more frequent deployments and faster lead times had significantly better outcomes. The presenters advocated for destroying silos through automation across the entire software development pipeline. They recommended transitioning from functional to product teams and packaging everything together to deploy. Metrics for success including achieving business goals and optimizing the software delivery value stream were also covered.

Ops Happens: DevOps Beyond Deployment - Damon Edwards

The document discusses how to achieve end-to-end DevOps transformations by shifting operational activities and concerns left into the development process. It argues that the systemic force behind most DevOps problems is silos between development and operations teams. To fully integrate Dev and Ops, the document recommends simplifying processes, integrating tools and platforms, enabling standard APIs, and establishing internal service providers. A key step is shifting as much operational testing, automation, security scanning and control left into development. An example case study demonstrates empowering delivery teams to automate operational procedures while maintaining security and control by operations.

Security as Code

Ed Bellis

Jason Rohwedder and Ed Bellis presented on security automation at Risk I/O. They discussed how automating security processes through DevOps principles allows for more frequent code deployments and faster response times. Risk I/O utilizes Chef for infrastructure automation and runs continuous security testing and monitoring through APIs to identify vulnerabilities. Their non-intrusive host vulnerability detection approach gathers software/version data and checks it against vulnerability definitions without requiring scanning.

Open Source Defense for Edge 2017

Even though large breaches have hit headline news in years past, some companies are still on the fence about investing in cybersecurity. As a security practitioner (or jack of all trades) how can you be expected to cover your assets with zero budget? Thankfully, there are plenty of open-source tools out there that will allow you to secure your organization. Come join me as I discuss how you can track your network assets, perform vulnerability assessments, prevent attacks with intrusion prevention systems, and even deploy HIDS. We will also jump into finding sensitive data and PII in your network, as well as incident response tools and automation. All it costs is your time (and maybe a VM or two). You really can drastically improve the security posture of your network with little to no budget, and you’ll have fun doing it! OK, maybe it won’t be fun, but at least you’ll learn something, right?

Comprehensive plans are in place to improve our institutional cyber security

JasonTrinhNguyenTruo

Comprehensive plans are in place to improve the institution's cyber security through various measures: 1) Up-skilling all staff, students and visitors on cyber defenses and providing 24/7 online training and support. 2) Senior managers and IT staff routinely monitor internal and external cyber security events to inform best practices and risk management is conducted at central and departmental levels. 3) Clear processes define roles and responsibilities for securely handling incidents, with escalation pathways for major events, and feedback is gathered to improve support processes.

DevSecOps - The big picture

DevSecOpsSg

This document discusses the concepts of DevSecOps at a high level. It begins with a brief history of development methodologies, from Waterfall to Agile, and how Ops became a bottleneck. This led to trends in Agile Operations and collaboration between Dev and Ops, known as DevOps. DevSecOps expands this to incorporate security. It discusses DevSecOps in terms of culture, processes, and technologies, with a focus on secure software development lifecycles, security pipelines, requirements management, and automated testing and monitoring. The goal of DevSecOps is to enable organizations to deliver inherently secure software at DevOps speed.

Continuous Compliance and DevSecOps in Times of GDPR, HIPAA and SOX

Developers, operators, and corporate executives all agree that compliance with security and regulatory requirements is critical, but many find that enforcing security through manual scans and “best efforts” at the end of the cycle wastes staff time and adds days or weeks to the release schedule. Once the required environments are built, tested, and certified, today’s customer-centric product owners are already longing to push out the next set of changes, absorbing even more of IT Operations’ time to scramble for security and compliance solutions.

The Challenges of Scaling DevSecOps

Organizations enjoy the speed that DevOps brings to development and delivery. However, most security and compliance monitoring tools have not been able to keep up, becoming the most significant barrier to continuous delivery. Now some good news: you can easily integrate security into your existing processes to solve this challenge. In this session, Shiri Ivtsan, Senior Product Manager at WhiteSource, will discuss: - Leveraging the DevSecOps approach to help speed up security - Scaling security into your agile processes - 5 easy ways to start driving DevSecOps in your organization

SDLC & DevSecOps

Irina Kostina

The document discusses security best practices across the software development lifecycle (SDLC). It covers: - The Microsoft Security Development Lifecycle (SDL) methodology which includes activities like threat modeling, security testing, using approved tools and cryptography standards, managing third-party components, and establishing an incident response process. - Static and dynamic application security testing (SAST and DAST) - SAST analyzes source code for vulnerabilities while DAST tests running applications. Both have tradeoffs in terms of when issues are found, expenses to fix, and what types of vulnerabilities are discovered. - DevSecOps practices like integrating security activities into each stage of development through techniques like incremental threat modeling, automated testing, and continuous

What's hot

On the Road to Shangri-La: Scaling CD from Teams to the Enterprise

Puppet + Diaxon: Getting to the next stage of DevOps evolution

Software Supply Chain Automation Removes Roadblocks to Rugged DevOps

Empowering Automation for Everyone 05/29/2019

Safely Removing the Last Roadblock to Continuous Delivery

DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...

DevOpsDays Tel Aviv

Measuring Performance: See the Science of DevOps Measurement in Action

Devops: Security's big opportunity by Peter Chestna

DevSecCon

Silver Lining for Miles: DevOps for Building Security Solutions

Security and DevOps Overview

Making Security Agile - Oleg Gryb

Scaling Rugged DevOps to Thousands of Applications - Panel Discussion

Outpost24 webinar - Why security perfection is the enemy of DevSecOps

Outpost24

Scaling DevOps - delivering on the promise of business velocity and quality

Ops Happens: DevOps Beyond Deployment - Damon Edwards

Security as Code

Ed Bellis

Open Source Defense for Edge 2017

Comprehensive plans are in place to improve our institutional cyber security

JasonTrinhNguyenTruo

DevSecOps - The big picture

DevSecOpsSg

Continuous Compliance and DevSecOps in Times of GDPR, HIPAA and SOX

What's hot (20)

On the Road to Shangri-La: Scaling CD from Teams to the Enterprise

Puppet + Diaxon: Getting to the next stage of DevOps evolution

Software Supply Chain Automation Removes Roadblocks to Rugged DevOps

Empowering Automation for Everyone 05/29/2019

Safely Removing the Last Roadblock to Continuous Delivery

DevOps Security - Is It Really So Difficult? - Reuven Harrison - DevOpsDays T...

Measuring Performance: See the Science of DevOps Measurement in Action

Devops: Security's big opportunity by Peter Chestna

Silver Lining for Miles: DevOps for Building Security Solutions

Security and DevOps Overview

Making Security Agile - Oleg Gryb

Scaling Rugged DevOps to Thousands of Applications - Panel Discussion

Outpost24 webinar - Why security perfection is the enemy of DevSecOps

Scaling DevOps - delivering on the promise of business velocity and quality

Ops Happens: DevOps Beyond Deployment - Damon Edwards

Security as Code

Open Source Defense for Edge 2017

Comprehensive plans are in place to improve our institutional cyber security

DevSecOps - The big picture

Continuous Compliance and DevSecOps in Times of GDPR, HIPAA and SOX

Similar to DevSecOps: Closing the Loop from Detection to Remediation

The Challenges of Scaling DevSecOps

SDLC & DevSecOps

Irina Kostina

Continuous delivery

Masas Dani

This document discusses several anti-patterns related to manual software deployments including extensive documentation, reliance on manual testing, unpredictable releases, and lack of collaboration between development and operations teams. It advocates for automating deployments to make them repeatable and frequent in order to reduce risk and provide quick feedback. Continuous delivery of software through practices like blue-green deployments and canary releases is recommended to satisfy customers.

Enterprise DevOps is not an oxymoron

Lee Eason

ISACA Ireland Keynote 2015

Shannon Lietz

Succeeding-Marriage-Cybersecurity-DevOps final

rkadayam

This document discusses succeeding in the marriage of cybersecurity and DevOps. It outlines five keys to a successful marriage: 1) establish a common process framework; 2) commit to collaboration; 3) design for security from inception; 4) strive to automate security processes; and 5) continuously learn and innovate. The document provides examples of how tools like Espial can help automate and integrate security testing into the development pipeline to enable continuous detection and faster remediation of vulnerabilities.

The New Age of Enterprise DevOps

Since the trend began more than five years ago, DevOps has seen dramatic changes, including the advent of container software such as Docker, security impacts and the rise of hybrid cloud computing. Additional considerations beyond speed are also driving today's enterprise DevOps adoption, including efficiency and business value. And while large enterprises remain very interested in net-new, cloud-native applications, they are also giving more consideration to modernizing existing and legacy applications and their related processes. In this on-demand webinar, hear from Jay Lyman, Principal Researcher, 451 Research and Sunil Mavadia, Director of Customer Success, XebiaLabs as they discuss these meaningful changes in the drivers, challenges and benefits as well as their potential impact on your organization’s DevOps journey.

How to adapt the SDLC to the era of DevSecOps

Zane Lackey

This document discusses how to adapt application security practices to a DevSecOps environment where development happens much faster. It argues that security can no longer act as a gatekeeper and must instead focus on providing resources to make teams self-sufficient. Specifically, it recommends adapting controls like static analysis, dynamic scanning, security visibility and feedback to be more lightweight and continuous to keep up with the faster development cycles. The goal is to shift from exclusively preventing bugs to also obtaining continuous visibility into applications and refining security processes through real-time feedback.

Intelligent Security: Defending the Digital Business

accenture

The document discusses key business challenges related to cybersecurity and proposes an approach to intelligent security. It identifies challenges such as a missing link between business goals and security capabilities, difficulties governing extensions to the enterprise like cloud and mobile, and keeping up with persistent threats. The proposed approach involves assessing security capabilities, managing complexity through enterprise integration, becoming agile, accelerating toward security intelligence through threat understanding and detection, and developing end-to-end delivery strategies. The first step is adopting a business-aligned security strategy by assessing the current security posture.

Making security-agile matt-tesauro

Matt Tesauro

The End of Security as We Know It - Shannon Lietz

1. The document discusses how security is changing with new technologies like cloud computing, DevOps, and agile development. Traditional security practices are no longer effective. 2. It advocates migrating security left in the development process so it is designed into applications from the beginning. This allows for a faster security feedback loop. 3. Security needs to be automated and tested using tools and data platforms. Monitoring and inspecting everything is important for the new dynamic environments. Security decisions and controls are also changing to adapt to these new realities.

A collaborative approach to the quality in the agile enterprise by Jaco Viljoen

IndigoCube

The document discusses challenges with quality and collaboration in different software development systems like waterfall, water-scrum-fall, and continuous delivery. It proposes shifting user acceptance testing left to the development phase and implementing acceptance test driven development with the whole team. The solution is to prevent defects through early testing, collaborate around quality, automate acceptance and regression testing, and build a continuous delivery pipeline to enable frequent releases. The implementation involved shifting processes from "water-scrum-fall" to "continuous delivery" with a phased approach to minimize impact.

(SEC402) Enterprise Cloud Security via DevSecOps 2.0

Amazon Web Services

"Running enterprise workloads with sensitive data in AWS is hard and requires an in-depth understanding about software-defined security risks. At re:Invent 2014, Intuit and AWS presented ""Enterprise Cloud Security via DevSecOps"" to help the community understand how to embrace AWS features and a software-defined security model. Since then, we've learned quite a bit more about running sensitive workloads in AWS. We've evaluated new security features, worked with vendors, and generally explored how to develop security-as-code skills. Come join Intuit and AWS to learn about second-year lessons and see how DevSecOps is evolving. We've built skills in security engineering, compliance operations, security science, and security operations to secure AWS-hosted applications. We will share stories and insights about DevSecOps experiments, and show you how to crawl, walk, and then run into the world of DevSecOps."

DevOps drivein - Mind the Gap

Serena Software

Mind the Gap: How to bridge the gap between development and operations with release management The release management process remains challenging for large IT organizations due to the continuing disconnect between development, QA, and operations teams. The challenge faced by these large enterprises is that process maturity, methodology, and platforms vary greatly across teams, organizations and business units. These challenges often produce gaps between development and operations teams. Release management is still being done, but with very inconsistent results and at a high cost, providing minimal insight and a lack of audit compliance. Join us as Julian Fish, Director of Products at Serena Software, demonstrates how the unique integration framework and process capabilities of Serena Release Control can deliver a consistent and repeatable process that provides complete traceability, audit and compliance across Waterfall, Progressive and Agile processes, for both ITIL and DevOps approaches, and supporting Mainframe to mobile platforms.

Devops as a service

Saravanan Subburayal

2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...

Turja Narayan Chaudhuri

In many traditional enterprises, security is regarded as the responsibility of the CISO/security office. Yet most such security initiatives fail at scale when adopted by hundreds of teams across an enterprise. In today's world, the key to your enterprise is in the hands of your developers. No security initiative will succeed unless you involve the development team and ensure that the security processes and frameworks do not conflict with developer experience or productivity. Only by pure collaboration between dev and security teams can we achieve a truly secure organization, that is resilient to vulnerabilities and threats of all shapes and sizes. This session will help you to understand why security initiatives should be designed with developers in mind, not the other way around. Key takeaways: 1. Understand why developer experience should be a priority for engineering teams to scale across an enterprise 2. Understand how DevSecOps initiatives play a part in shifting security left and putting it at the hands of developers, where it belongs 3. Appreciate that security is no longer a siloed function or independent unit within the enterprise.

DevSecOps - It can change your life (cycle)

Qualitest

DevSecCon Keynote

Shannon Lietz

A journey into Application Security

Christian Martorella

The 7 Rules of IT Disaster Recovery by Acronis

Acronis

http://bit.ly/1PhdEau The ability of an organization to continue operations in the event of a natural or human-induced disaster is a critical concern for organizations of all shapes and sizes. Implementing IT Disaster Recovery may look simple, but without proper planning, it can quickly become expensive, complicated and unreliable. Experts from Acronis and Disaster Recovery Journal will share 7 best practices that IT organizations should consider when architecting and implementing Disaster Recovery Solutions. It includes 1) How to survive unplanned events 2) How to assure IT continuity through normal planned events 3) How to establish on-site and off-site protection 4) How to automate recovery procedures 5) How to proactively test your disaster recovery solution 6) How to ensure security and meet compliance requirements 7) How to select disaster recovery vendors partners

Similar to DevSecOps: Closing the Loop from Detection to Remediation (20)

The Challenges of Scaling DevSecOps

SDLC & DevSecOps

Continuous delivery

Enterprise DevOps is not an oxymoron

ISACA Ireland Keynote 2015

Succeeding-Marriage-Cybersecurity-DevOps final

The New Age of Enterprise DevOps

How to adapt the SDLC to the era of DevSecOps

Intelligent Security: Defending the Digital Business

Making security-agile matt-tesauro

The End of Security as We Know It - Shannon Lietz

A collaborative approach to the quality in the agile enterprise by Jaco Viljoen

(SEC402) Enterprise Cloud Security via DevSecOps 2.0

DevOps drivein - Mind the Gap

Devops as a service

2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...

DevSecOps - It can change your life (cycle)

DevSecCon Keynote

A journey into Application Security

The 7 Rules of IT Disaster Recovery by Acronis

More from WhiteSource

From Zero to DevSecOps: How to Implement Security at the Speed of DevOps

Your organization has already embraced the DevOps methodology? That’s a great start. But what about security? It’s a fact - many organizations fear that adding security to their DevOps practices will severely slow down their development processes. But this doesn’t need to be the case. Tune in to hear Jeff Martin, Senior Director of Product at WhiteSource and Anders Wallgren, VP of Technology Strategy at Cloudbees, as they discuss: - Why traditional DevOps has shifted, and what this will mean - Who should own security in the age of DevOps - Which tools and strategies are needed to implement continuous security throughout the DevOps pipeline

Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk

Have you considered what truly separates accidental vulnerabilities in open source from intentionally malicious releases? Although often grouped together as "vulnerabilities", malicious open source components are very different, right from their very creation through to the way you mitigate and remediate them as an end user. The past 12 months saw a record-breaking time for detection of malicious components in the world's most popular package registries. Join Rhys Arkins, Director of Product at WhiteSource, as he will discuss: The key differences between accidental vulnerabilities and malicious releases, How to manage the risk for each type of vulnerability, Lessons learned from the most interesting malicious packages spotted during 2019.

Empowering Financial Institutions to Use Open Source With Confidence

The days when financial institutions relied solemnly on proprietary code are over. Today, even the largest financial services firms have realized the benefits of using open source technology to build powerful, innovative applications at a reduced time-to-market. However, the financial services industry faces strict regulatory requirements that present it with a unique set of challenges, especially when it comes to open source usage (both consumption and contribution). FINOS is a non-profit organization whose purpose is to accelerate collaboration and innovation in financial services through the adoption of open source software, standards and best practices. Together with WhiteSource, they are able to provide a safe environment for developers to use open source components freely and fearlessly. Join FINOS and WhiteSource as they discuss: The challenges of open source usage The state of open source vulnerabilities management How FINOS uses WhiteSource to ensure the security and IP compliance of FINOS-produced open source software

Tackling the Container Iceberg:How to approach security when most of your sof...

Container images are based on many direct and indirect open source dependencies, which most developers are not aware of. What are the security implications of only seeing the tip of the iceberg? What are the challenges one faces when relying so heavily on open source? And how can teams overcome these? Join Codefresh and WhiteSource, as they embark on a journey to tackle: The container iceberg - learn what are your blind spots The main security challenges when using open source in containerized applications The role of automation in open source security in containers A live demo showing how WhiteSource & Codefresh can allow you to automate open source security in containers throughout the DevOps pipeline

Taking Open Source Security to the Next Level

Join us for a webinar featuring Forrester VP and Research Director Amy DeMartine to learn more about why open source security has become critical for securing modern applications, the main considerations when evaluating an open source security and license compliance solution and what she sees in store for the future. Additionally, WhiteSource Senior Director of Product Marketing, Jeff Crum, will discuss recent analysis of the Software Composition Analysis (SCA) market, including takeaways from The Forrester Wave™: Software Composition Analysis, Q2 2019.

Securing Container-Based Applications at the Speed of DevOps

Thanks to containerization and automation, applications are being developed and delivered faster than ever. With tools such as AWS ECR, developers are able to store, manage and deploy Docker container images without having to worry about operating their own container repositories or scaling the underlying infrastructure. With this, however, arise challenges around managing the security and compliance aspect of your container images. With tools such as WhiteSource, developers are able to manage the security of their containers and container images with no impact on agility and speed. Join Shiri Ivtsan, Product Manager at WhiteSource and Carmen Puccio, Solutions Architect at AWS, as they discuss the following: Effectively managing and deploying your container images Gaining full visibility into your container images Building and automating security into each layer of the container environment to ensure a continuous process throughout the SDLC Demonstrating a live example using a vulnerable container image

The State of Open Source Vulnerabilities Management

The number of open source vulnerabilities hit an all-time record in 2017 with 3,500 reported vulnerabilities - that's 60% higher than the previous year, and the trend continues in 2018. Since it’s impossible to keep up with today’s pace of software production without open source, development and security teams are challenged to meet security objectives, without compromising on speed and quality. It's time for organizations to step up their open source security game. Join WhiteSource's Senior Director of Product Management, Rami Elron, as he discusses: - the current state of open source vulnerabilities management; - organizations' struggle to handle open source vulnerabilities; and - the key strategy for effective vulnerability management.

Open Source Security at Scale- The DevOps Challenge

It’s no secret that open source components form the backbone of today’s software, comprising between 60-80% of modern applications. But with this, comes the alarming rise in open source vulnerabilities – more than 3,500 open source vulnerabilities were reported in 2017 – that’s 60% higher than the previous year, and the trend continued in 2018. The question arises: how can DevOps teams ensure a visible and continuous delivery pipeline for software releases without letting security slow them down? Join WhiteSource’s Product Manager, Shiri Ivtsan, as she discusses: - The current state of open source vulnerabilities management; - The latest innovations in the open source security world; and - The best DevOps tools to protect organizations against open source vulnerabilities and ensure agility, visibility and control regarding their open source.

Tackling the Risks of Open Source Security: 5 Things You Need to Know

This document discusses open source security risks and provides recommendations. It contains 5 sections: 1. Open source risk is on the rise as open source code accounts for 60-80% of software and reported vulnerabilities are increasing. 2. Developers must change their mindset as open source vulnerabilities differ from proprietary vulnerabilities in detection, publicity and remediation. 3. Prioritizing security vulnerabilities is key as developers spend too much time on ineffective vulnerabilities. 4. Security responsibilities must be delegated between security, DevOps and developers to bridge gaps. 5. Shifting security left by empowering developers and integrating tools earlier can turn developers into advocates and detect issues cheaper.

Deep Dive into Container Security

"Many organizations are using containers to develop and manage their applications. Containers enable development teams work faster, deploy more easily and efficiently, and operate at a much larger scale. However, there are many security measures that need to be taken across the entire software development lifecycle, especially when it comes to open source security. In this session, Shiri Ivtsan, Product Manager at WhiteSource, will discuss: 1) The complexity and security challenges with containers 2) The greatest risks when deploying containers 3) The three steps to take before shipping a Docker container 4) How to automate your container security process"

Barriers to Container Security and How to Overcome Them

Over the past few years, more and more companies are turning to containerized environments to scale their applications. However, keeping containers secure throughout the development life cycle presents many challenges to security and development teams. In order to address them, organizations need to adopt a new set of security processes and tools. This session will focus on the three most vulnerable areas of container security and the best practices to help teams develop and deploy securely. Join Jeffrey Martin, Senior Director of Product at WhiteSource, as he discusses: The top challenges to security in containerized environments How DevSecOps addresses security in containerized environments Tips and tricks for successfully incorporating security into the container lifecycle

5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...

Winning open source vulnerabilities without loosing your deveopers - Azure De...

SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...

From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...

The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...

This document discusses open source security challenges and recommendations for addressing them. It notes that over 96% of developers rely on open source components but open source vulnerabilities are rising. While companies prioritize fixes, over half do not do so efficiently based on real business impact. The document recommends integrating scanning for vulnerabilities into the entire software development lifecycle from code to deployment. Automating scanning, prioritization of issues, and remediation helps ensure open source security.

Automating Open Source Security: A SANS Review of WhiteSource

CI/CD pipeline security from start to finish with WhiteSource & CircleCI

This document provides an agenda for a webinar on securing CI/CD pipelines from start to finish with CircleCI and WhiteSource. The agenda includes brief introductions to CircleCI and WhiteSource, an overview of CircleCI Orbs and how they can simplify integrations, a discussion of the state of open source usage and security, and a demo of WhiteSource scanning functionality directly within a CircleCI pipeline using an Orb.

Top Open Source Licenses Explained

Open source licenses can be more than a little confusing for those of us that just want to write a little bit of code. However, with open source components playing such a big part in the products that we create, open source licenses and compliance simply can’t be ignored. We’ve compiled the one stop resource guide for working compliantly with open source components, including answers to FAQs about the most popular licenses in 2018. Read all about the hottest licensing trends that you need to be following and some predictions for 2019.

WhiteSource Webinar What's New With WhiteSource in December 2018