The State of Open Source Vulnerabilities Management (WhiteSource)
The number of open source vulnerabilities hit an all-time record in 2017 with 3,500 reported vulnerabilities - that's 60% higher than the previous year, and the trend continues in 2018.
Since it’s impossible to keep up with today’s pace of software production without open source, development and security teams are challenged to meet security objectives, without compromising on speed and quality.
It's time for organizations to step up their open source security game. Join WhiteSource's Senior Director of Product Management, Rami Elron, as he discusses:
- the current state of open source vulnerabilities management;
- organizations' struggle to handle open source vulnerabilities; and
- the key strategy for effective vulnerability management.
This report, produced by WhiteHat in May 2013, offers a relevant view of web threats and of the parameters to take into account to ensure security and availability.
Accelerating Innovation with Software Supply Chain Management (Sonatype)
We will compare building cars with building software. What we will realize is that the car industry is leaps ahead of the software industry in managing its supply chain, so the question is: what can we learn from them? We will also explore whether closely managing our supply chain has benefits in the software industry.
DevOps & Blockchain: Powering Rapid Software Delivery in Regulated Environments (Cognizant)
As IT organizations push forward with DevOps tools that automate application development and maintenance processes, they can lose sight of the key “who, what, where and when” variables that surround software releases, thus elevating the possibility of noncompliance with a host of regulatory mandates. By embracing blockchain, they can create a tamper-proof way of ensuring regulatory compliance while extending their embrace of IT service automation.
Supply Chain Solutions for Modern Software Development (Sonatype)
The concepts of supply chain management, the industrial revolution and the transformation of software development with open source are all tied together in this talk by Brian Fox, VP of Product Management, during the January 2015 Long Island OWASP user group meetup.
Open Source has become the key building block for application development in today's market, where companies are under constant pressure to accelerate time to market.
However, the increasing adoption of open source components has introduced new security challenges that most teams are not prepared to mitigate in their current posture. Join Sharon Sharlin, Product Marketing Manager at WhiteSource, as she presents best practices that security teams should implement in order to enable their developers to harness the power of open source without slowing them down or compromising security.
As presented via webinar.
The Open Source 360 survey is in its 11th year and surveyed over 800 IT professionals about their use of open source components and technologies. In prior years, this survey was known as the Future Of Open Source.
Key takeaways include:
- Open Source usage is growing within global organizations
- Organizations recognize risks of consumption exist
- Tooling to keep pace with risks is limited
- Contributions to project communities are key to success
Open Source Insight: OWASP Top 10, Red Hat OpenShift News, & Gmail Phishing Scam (Black Duck by Synopsys)
On Wednesday, a worm started spreading around Gmail that suggested to users that a friend or colleague was trying to share a Google Doc. Google has already disabled the offending accounts (only 0.1 percent of users were affected), and it was able to stop the worm within an hour. We should take this as a wake-up call that we're all potentially vulnerable to attack.
This week's open source and open source security news includes stories on the eternal "open source good / bad" debate; 5 reasons why enterprises should be using open source; news from Red Hat Summit; and what CISOs need to know about cybersecurity.
CVE Numbers from the NVD: 1590 entries for April 2017; 50 entries currently for the month of May; a total of 5,238 reports to date for 2017.
Taking Open Source Security to the Next Level (SBWebinars)
Join us for a webinar featuring Forrester VP and Research Director Amy DeMartine to learn more about why open source security has become critical for securing modern applications, the main considerations when evaluating an open source security and license compliance solution and what she sees in store for the future.
Additionally, WhiteSource Senior Director of Product Marketing, Jeff Crum, will discuss recent analysis of the Software Composition Analysis (SCA) market, including takeaways from The Forrester Wave™: Software Composition Analysis, Q2 2019.
The Forrester Wave™: Enterprise Mobile Management Q3 2014 (Symantec)
We’re happy to share that Symantec was named a Leader in the Forrester Wave™: Enterprise Mobile Management, Q3 2014! The research conducted by Forrester Research, Inc. evaluated Symantec and 14 other vendors against 27 criteria for current offering, strategy, and market presence.
Symantec was identified as one of ten vendors that "lead the pack." The leaders were noted for separating themselves from other vendors by bringing a strong security background without disruption for the employee. Forrester defines Leaders as vendors that balance OS, application, and data management functionality while providing flexible container options and productivity applications, and that have demonstrated a strong vision and roadmap to help customers as they bring their PC and mobile management strategies together.
All regulatory requirements (HIPAA, PCI, etc.) include a mandate for assessing vulnerabilities in systems that manage or store sensitive data. Organizations often opt to conduct vulnerability assessments on an annual, quarterly, or even monthly basis. But while vulnerability assessment tools can identify unpatched or misconfigured code bases, these tools overlook a large portion of an organization’s attack surface: known vulnerabilities in applications that are built in-house. These applications will not have public updates, nor will the thousands of open source components they utilize be included in public disclosures. This is concerning because over 6,000 vulnerabilities in open source projects have been reported since 2014. Register for this webinar to discover how to protect yourself.
Software occupies an increasingly prominent place in critical embedded systems: its size and complexity are increasing, while its criticality also continues to rise. In this context, how are the aeronautical, space, automotive and industrial domains facing these challenges? Application of international standards is essential to define the scope of practices recognized by the community as "state of the art" in terms of producing safety-critical software. What are these practices, and on which principles are they built? Starting by (re)defining the concept of software criticality and placing this concept within the whole system, we will then try to answer all these questions. During this presentation, we will illustrate the point with examples from aeronautics, air traffic control, space, automotive and railway. Finally, we will take a look at some trends, particularly through recently released standards.
WhiteHat Security, the Web security company, today released the twelfth installment of the WhiteHat Security Website Security Statistics Report. The report reviewed serious vulnerabilities* in websites during the 2011 calendar year, examining the severity and duration of the most critical vulnerabilities from 7,000 websites across major vertical markets. Among the findings in the report, WhiteHat research suggests that the average number of serious vulnerabilities found per website per year in 2011 was 79, a substantial reduction from 230 in 2010 and down from 1,111 in 2007. Despite the significant improvement in the state of website security, organizational challenges in creating security programs that balance breadth of coverage and depth of testing leave large-scale attack surfaces or small, but very high-risk vulnerabilities open to attackers.
The report examined data from more than 7,000 websites across over 500 organizations that are continually assessed for vulnerabilities by WhiteHat Security’s family of Sentinel Services. This process provides a real-world look at website security across a range of vertical markets, including findings from the energy and non-profit verticals for the first time this year. The metrics provided serve as a foundation for improving enterprise application security online.
Security & DevOps - What We Have Here Is a Failure to Communicate! (DevOps.com)
Past history, differing world views of their roles, shadow IT development, force-fitting security tools, and past frictions can all make gelling as a cross-functional team difficult. Yet it's essential to achieve fast software creation and delivery, while also ensuring the applications created are secure and risk is always appropriately managed.
Where do we start? Start with this webinar featuring Mitch Ashley, security technologist and CEO of Accelerated Strategies Group, who will explore strategies for successful DevSecOps.
You will learn:
How to successfully implement purpose-built, developer-friendly secrets management tools that security professionals and dev teams are thrilled to embrace.
Demonstrating thought leadership and automotive expertise, Alan Amici, vice president of Engineering for Automotive, wrote an article for the new issue of Electronics World, titled "Revolution in Mobility."
Read the article to learn more about the evolution of the connected car and potential roadblocks that must be addressed to ensure privacy, security and more.
2015 saw continued growth for open source software across many dimensions, a trend expected to continue in this coming year and a range of interesting developments that we reviewed in the last webinar.
In this webinar, the panelists will discuss:
- Open source and application security
- Community-centered compliance as reflected in OpenChain and SPDX
- The explosion of company involvement in collaborative projects
- The direction of the VMware case and other topics we anticipate being hot this year
Register now to join Black Duck, Mark Radcliffe and Karen Copenhaver to discuss the hot topics generating buzz in the year to come.
Mojave Networks Webinar: A Three-Pronged Approach to Mobile Security (Mojave Networks)
Mobile devices are always on the move, switching from network to network and place to place constantly. The best way to keep your company's information safe is through a unified approach securing at the device, app and network levels.
About this webinar:
Today’s electronic systems are more intelligent, more connected, and more at risk than ever before. A single vulnerability can lead to widespread system-of-systems compromises. Organizations participating in security-critical industries like Aerospace and Defense (A&D) are especially at risk.
In this webinar, Christopher Rommel from VDC and Joe Jarzombek from Synopsys will discuss the results from a recent report highlighting issues facing these organizations. They will also identify what considerations need to be made for the security of software that enables and controls system functionality.
https://www.brighttalk.com/webcast/11447/268705
With malware attacks growing more sophisticated, swift, and dangerous by the day — and billions of dollars spent to combat them — surprisingly few organizations have a grip on the problem. Only 20 percent of security professionals surveyed by Information Security Media Group (ISMG) rated their incident response program “very effective.” Nearly two-thirds struggle to detect APTs, limiting their ability to defend today’s most pernicious threats. In addition, more than 60 percent struggle with the speed of detection, and more than 40 percent struggle with the accuracy of detection. Those shortcomings give attackers more time to steal data and embed their malware deeper into targeted systems. For the latest threat intelligence reports, visit https://www.fireeye.com/current-threats/threat-intelligence-reports.html.
In Agile's fast-paced environment with frequent releases, security reviews and testing can sound like an impediment to success. How can you keep up with Agile development's demands of continuous integration and deployment without abandoning security best practices? These 10 steps will help you get the best of both worlds.
Selecting an App Security Testing Partner: An eGuide (HCLSoftware)
In the age of digital transformation, global businesses leverage web application scanning tools to shape innovative employee cultures, business processes, and customer experiences. The surge in remote work, cloud computing, and online services unveils unprecedented vulnerabilities and threats.
Learn more: https://hclsw.co/ftpwvz
Procuring an Application Security Testing Partner (HCLSoftware)
Procuring an Application Security Testing Partner is crucial for safeguarding digital assets. An Application Security Testing Partner specializes in conducting comprehensive assessments using techniques such as vulnerability scanning, penetration testing, code review, and threat modeling. Their expertise ensures your applications are fortified against cyber threats, providing peace of mind in an increasingly interconnected digital landscape.
Learn More: https://hclsw.co/ftpwvz
Does Application Security Pay? Measuring the Business Impact of Software Secu... (Mainstay)
Cyber security has emerged as a top priority for enterprises worldwide, but are automated software security assurance (SSA) solutions worth the investment? In this updated study of enterprise companies across multiple industries, SSA solutions from HP Fortify were shown to generate millions of dollars in cost savings, revenue enhancement, and risk reduction. What's more, companies found they could accelerate benefits using Fortify on Demand, a Security-as-a-Service solution that helped them ramp up faster, fix vulnerabilities sooner, and generate savings in days.
Traditional, full-code waterfall application development, with its focus on a sequential define-develop-test-deploy-maintain approach, has given way for many enterprises to low-code/no-code development.
Want to know how to secure your web apps from cyber-attacks? Looking for the best web application security practices? In this article, we delve into six essential web application security best practices that are important for safeguarding your web applications and preserving the integrity of your valuable data.
3 Misconceptions Ruining The DevSecOps Integration (Enov8)
Every IT company aspires to be on every media agency's "hot news" and "latest headline" section, but not with such negative news. That's why DevSecOps security was introduced.
Appendix AOperating ScenarioGPSCDU Project for Wild B.docx (lisandrai1k)
Appendix A
Operating Scenario
GPS/CDU Project for Wild Blue Yonder Technologies
Wild Blue Yonder Technologies Inc (WBYT) is a general holding company whose line of business is tailored to high-tech holdings. Wild Blue Yonder Technologies' various subsidiary companies are maintained as one coordinated business from offices in New York City. The centralization of policy and planning direction at one location has historically produced higher revenues, profit margins, and customer satisfaction. The necessary degree of coordination is enabled by a global enterprise network that is managed from the New York location.
That network provides secure telecommunications capability with embedded firewall protection, multi-carrier cellular access options and automatic access point database updates for all connection types. It enables access to the enterprise’s applications from any location on an as-needed basis. The network also provides integrated, any distance, seamless connectivity to WBYT’s centralized information resources.
WBYT's holdings are concentrated in advanced technology products and services. Two closely held subsidiaries deal exclusively with the Federal government. The line of business of one, which is based in Gaithersburg, Maryland, is R&D and manufacture of advanced capability components for the F 16 Fighting Falcon and F 18 Super Hornet. The other, based in Jacksonville, deals in R&D in target acquisition and fire control systems for Army helicopters. There is also a manufacturing facility in Detroit. That facility builds Leopard tanks for the Canadian Army under license from the German government. Other close holdings in WBYT's empire include a commercial electronics R&D facility in Corvallis. The Corvallis facility also does contract work for the Idaho National Laboratory. In addition to the closely held corporations, there are loosely held electronics manufacturing or service holdings in Pittsburgh, Houston, Des Moines, Sioux Falls, Denver and Bozeman. These facilities serve the consumer high-tech industry.
Finally, there are a number of loosely held international corporations in India, Australia and across the Pacific Rim, all concentrated in advanced technology. All computer services for that region are provided over a public/private VPN, which is maintained for that area in Singapore. The Singapore data center is actually owned and operated by WBYT, as part of the company's global VPN. The VPN itself is maintained out of the New York office.
According to WBYT's charter, the primary business goal of the Company is to utilize the global marketplace to provide high quality technology components at the lowest possible price.
Wild Blue Yonder Technologies entered the market knowing that the ability to closely monitor its operation and deliver competitive business information quickly was going to be a prerequisite to its success, particularly in the integration and reuse of COTS products. In essence, its entire.
Building security into software is harder than it should be. This article explores a way to align application security practices with other software development best practices in order to make building security in easier to manage and more cost effective. In particular, this article looks at combining continuous integration (CI) with security testing and secure static code analysis.
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx (lior mazor)
Our technology, work processes, and activities all depend on whether we trust our software to be safe and secure. Join us virtually for our upcoming "Emphasizing Value of Prioritizing AppSec" Meetup to learn how to build a cost-effective application security program, implement secure coding analysis, and manage software security risks.
How to Secure your Fintech Solution - A Whitepaper by RapidValue (RapidValue)
This whitepaper delves into the security and privacy challenges that are core to Fintech companies and explains how one should go about formulating the security strategy for a Fintech initiative. It also brings into perspective the various technical aspects of a secured environment from a Fintech point of view.
Connector Corner: Automate dynamic content and events by pushing a button (DianaGray10)
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses.
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Key Trends Shaping the Future of Infrastructure.pdf (Cheryl Hung)
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
UiPath Test Automation using UiPath Test Suite series, part 4 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series, part 4. In this session, we will cover a Test Manager overview along with the SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the use of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. A constant focus on speed to release software to market, combined with traditionally slow and manual security checks, has caused gaps in continuous security, an important piece of the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their application supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerabilities and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of existing vulnerabilities, preventing the introduction of security issues into the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with a passion for technology and for making things work, along with a knack for helping others understand how things work. He has around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations on CI/CD and on application security integrated into the software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Securing your Kubernetes cluster_ a step-by-step guide to success ! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Accelerate your Kubernetes clusters with Varnish Caching (Thijs Feryn)
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
DevOps and Testing slides at DASA Connect (Kari Kakkonen)
Rik Marselis's and my slides from the DASA Connect conference on 30.5.2024. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally, we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 (Tobias Schneck)
As AI technology pushes into IT, I was wondering, as an “infrastructure container kubernetes guy”, how this fancy AI technology gets managed from an infrastructure operational view. Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you with a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need to apply it to our own infrastructure and get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies that could be beneficial to, or limit, your AI use cases in an enterprise environment. An interactive demo will give you some insights into what approaches I have already got working for real.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... (Ramesh Iyer)
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Fortify Continuous Delivery
Continuous Delivery of Business Value with Fortify
Mainstay Customer Evidence Research
WHITE PAPER
MEETING THE SECURITY DEMANDS OF DIGITAL TRANSFORMATION
Today every business is becoming a software business. Even traditional brick-and-mortar industries are facing the necessity of software-driven “digital transformation” to stay relevant and competitive in their markets. Industrial icon GE, for instance, is developing software that harnesses data from sensors inside wind turbines to squeeze more electricity from existing wind farms. Automakers embed tens of millions of lines of code into their increasingly “smart” and “connected” vehicles.[1]
As software becomes core to every business — and as cloud-based software services surge in popularity — companies are developing and updating applications faster than ever before.
Welcome to the new era of continuous software delivery. Continuous delivery means development teams are releasing software with new features and functionalities in increasingly shorter cycles, from every year or quarter to every month, week, or day. The approach is now woven into the DevOps environments of leading enterprises like Microsoft, Google and Facebook, which typically issue major software releases every week across their web sites, followed by daily bug fixes over the rest of the week. Forrester Research predicts that organizations will go from four application releases per year in 2010 to as many as 120 releases per year by 2020, a 30x increase.[2]
SECURITY TEAMS UNDER PRESSURE
With the market moving to an agile, continuous delivery model, development and security teams within organizations are scrambling to keep up with the sheer number of applications and releases, which is putting pressure on a key part of the development lifecycle: software security assurance (SSA). Simply put, organizations cannot afford for security testing and remediation to slow the pace of software delivery.
This challenge is complicated by several trends:
• The proliferation of SaaS and mobile devices, which requires even more testing of applications for security flaws.
• Many enterprises maintain hybrid environments with a mix of legacy and COTS applications and varying release cycles, thus increasing the complexity of security programs.
• Developers increasingly utilize code downloaded from open-source software (OSS) repositories such as Maven and GitHub, much of which is known to contain vulnerabilities.
Organizations generally have been slow to respond to the challenge, in part because most of them are still using outmoded security testing tools and practices. These tools lack automated features that could enable organizations to tackle greater volumes of code and scans in less time. Often these tools cover only part of the security-testing process, a handful of specific languages, or limited deployment options, forcing organizations to switch between multiple tools during the development cycle, hurting productivity.[3]
A NEW ERA IN SOFTWARE SECURITY
Continuous delivery of applications has become the new normal for software development organizations across every industry. Software development teams are now expected to deliver new releases and updates at a dizzying pace, putting tremendous pressure on software security teams to keep up. In this report, we detail how development organizations at leading companies are using software security solutions from Fortify to scan more applications faster, focus and streamline remediation efforts with better triaging, and integrate security assurance methods throughout the software development environment. No longer a production bottleneck, security teams can now support increasingly ambitious release schedules, ensuring faster time to market and freeing developers to focus on creating better software.
In fact, industry analysts estimate that even though 90% of companies are engaged in application development — and 99% agree it’s an opportunity to increase enterprise security — only 20% are doing anything about it. Gartner estimates that fewer than 20% of enterprise security architects have systematically incorporated information security into their DevOps initiatives. Fewer still have achieved the degree of security automation required to qualify as Secure DevOps.
SHIFTING TO THE ‘LEFT’
Until recently, organizations have focused security testing and remediation efforts primarily on the later phases of the software development lifecycle. However, this is precisely when remediation is most expensive and time consuming. In addition, as tight product-launch deadlines shrink remediation windows, the probability increases that applications will be released into production with known or unknown vulnerabilities. Poor scalability of current toolsets also dictates relatively fewer scans, cutting into productivity as the number of applications and releases continues to grow.
All of this represents a reactive approach to security assurance that increases the risk of project delays, compromises application security, and ultimately prevents organizations from scaling to meet the demands of continuous delivery. By contrast, leading organizations we researched are taking a more agile and proactive approach — one that emphasizes earlier, more frequent testing with feedback loops designed to produce progressively cleaner code. In effect, these organizations are shifting security testing operations to the “left,” catching more vulnerabilities during the coding phase, as shown below. According to a recent study, organizations that make this move end up spending 55% less time remediating security issues.[5]
THE EVOLUTION OF SOFTWARE SECURITY ASSURANCE
Mainstay conducted initial research on the economic impact of Fortify’s application security solutions in 2010, a time when the biggest challenges facing IT and application security teams were simply finding software vulnerabilities, and finding them early enough to make remediation easier.[4] In 2013, Mainstay re-surveyed leading organizations and concluded they were still largely focused on finding and fixing as many vulnerabilities as possible, and many were choosing cloud services to extend these capabilities to third-party developers. Our latest survey found an evolving market for software security solutions, with organizations demanding greater speed and scalability to meet more ambitious release cadences. Beyond just finding every potential vulnerability, organizations now want better triaging to quickly focus on and remediate flaws that pose the most serious risk to the business.
[Figure: Laggards Test Later and Less Frequently; Leaders Deploy Software Security Throughout the Software Development Cycle. SDLC phases shown: Requirements, Design, Coding, Integration, QA, Production.
Laggards (reactive): security activities limited to code reviews, security testing, penetration testing and vulnerability scanning in the later phases; labelled “Scope of Software Security Scans” with a “Need to ‘Shift Left’”. Consequences: likelihood of discovering more vulnerabilities than available capacity to triage or remediate; difficulty in remediating; high risk of application delays; incompatible with frequent development releases.
Leaders (proactive): software security requirements analysis, threat modeling, security architecture and design reviews, code reviews, static code analysis, dynamic code analysis, real-time security testing, security testing, penetration testing and vulnerability scanning spread across the cycle; labelled “Scope of Software Security Scans with Fortify”. Benefits: vulnerabilities are discovered early; easier to remediate; the number of iterations that occur across the SDLC improves time to production; the time required to fix an issue is less as you shift left, driving shorter time to production.
Caption: “Shift Left” Creates the Environment to Support Frequent Releases as Well as Faster Delivery.]
SURVEY OF SOFTWARE SECURITY OPERATIONS AT LEADING COMPANIES
To understand how leading enterprises are coping with the demands of continuous software delivery, market analyst Mainstay conducted in-depth interviews with application security leaders from a diverse set of companies that adopted products and services from Fortify. Mainstay supplemented these interviews with an online survey to develop an even broader portrait of the challenges that software development and security departments face in today’s fast-paced environment.
Among the companies participating in the software security survey were:
• One of the world’s largest financial services holding companies
• Two of the world’s largest multinational oil and gas companies
• A global peer-to-peer lending and online trading platform company
• A provider of online investing services for institutions
• One of the world’s largest banks with operations in over 50 countries
The survey looked at five critical aspects in the software security assurance process and evaluated how the
adoption of Fortify impacted each one:
• Scan Setup. Ease and speed in setting up scans; how well security tools and processes are
integrated with development environment
• Scan Performance. Speed of scans and the number of vulnerabilities found
• Triaging. How effectively vulnerabilities are prioritized and the number of false positives identified;
ability to prioritize by criticality; impact of Fortify on Mean Time to Triage (MTTT)
• Remediation. Number of vulnerabilities requiring fixing; remediation efficiency and speed;
reduction in repeat vulnerabilities; impact of Fortify on Mean Time to Remediate (MTTR)
• Scalability. Our study also looked at how organizations are deploying Fortify to flexibly scale
their security processes to scan and remediate significantly more applications in less time.
Metrics include the quantity of apps scanned, scan cycles performed, and developer issues
avoided at the source during coding.
The following sections discuss the results of the survey.
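The five aspects above are defined in terms of counts and elapsed times, so they can be instrumented from any scanner's export. The following is an added example, not part of the whitepaper and not Fortify code: it computes Mean Time to Triage, Mean Time to Remediate, the false-positive share, repeat vulnerabilities across scan cycles, and a criticality-ordered triage queue from finding records. The Finding fields, the category names, the scan ids, the choice to measure MTTR from detection rather than from triage, and every timestamp are the example's own assumptions.

```python
"""Triage and remediation metrics over a constructed set of scan findings.

Added illustration for the survey's metric definitions (MTTT, MTTR, false
positives, repeat vulnerabilities, prioritizing by criticality). It is not
Fortify code and reads no Fortify export: the Finding fields, category
names, scan ids and timestamps below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    scan_id: str                  # scan cycle that reported it (constructed ids)
    category: str                 # weakness class, e.g. "SQL Injection"
    file: str
    line: int
    severity: str                 # key of SEVERITY_RANK
    found_at: datetime
    triaged_at: Optional[datetime] = None
    fixed_at: Optional[datetime] = None
    false_positive: bool = False  # decided during triage

    def fingerprint(self) -> tuple:
        # Same category at the same location in two scan cycles is counted as
        # one issue reappearing. Keying on the line number is brittle under
        # refactoring; production tools fingerprint on code context instead.
        return (self.category, self.file, self.line)


def _mean_days(deltas: Iterable[timedelta]) -> Optional[float]:
    deltas = list(deltas)
    if not deltas:
        return None
    return sum(d.total_seconds() for d in deltas) / len(deltas) / 86400


def true_positives(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if not f.false_positive]


def triage_queue(findings: list[Finding]) -> list[Finding]:
    """Work order for remediation: true positives, most severe first, then oldest first."""
    return sorted(true_positives(findings),
                  key=lambda f: (SEVERITY_RANK[f.severity], f.found_at))


def mean_time_to_triage_days(findings: list[Finding]) -> Optional[float]:
    """MTTT: detection to triage decision, over every triaged finding (false
    positives included, since deciding they are false is triage work)."""
    return _mean_days(f.triaged_at - f.found_at for f in findings if f.triaged_at)


def mean_time_to_remediate_days(findings: list[Finding]) -> Optional[float]:
    """MTTR: detection to fix, over fixed true positives (measuring from
    detection rather than from triage is this example's choice)."""
    return _mean_days(f.fixed_at - f.found_at
                      for f in true_positives(findings) if f.fixed_at)


def false_positive_rate(findings: list[Finding]) -> float:
    return sum(1 for f in findings if f.false_positive) / len(findings)


def repeat_findings(findings: list[Finding]) -> set:
    """Fingerprints reported by more than one scan cycle: the 'repeat
    vulnerabilities' a remediation program wants to drive toward zero."""
    cycles: dict = {}
    for f in findings:
        cycles.setdefault(f.fingerprint(), set()).add(f.scan_id)
    return {fp for fp, ids in cycles.items() if len(ids) > 1}


def summary(findings: list[Finding]) -> dict:
    return {
        "findings": len(findings),
        "scan_cycles": len({f.scan_id for f in findings}),
        "false_positive_rate": false_positive_rate(findings),
        "mttt_days": mean_time_to_triage_days(findings),
        "mttr_days": mean_time_to_remediate_days(findings),
        "repeat_vulnerabilities": len(repeat_findings(findings)),
        "next_to_fix": [(f.severity, f.category, f.file) for f in triage_queue(findings)],
    }


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample: two scan cycles a week apart; the SQL injection fixed
# after scan-1 is reported again by scan-2 (a regression, counted as a repeat).
SAMPLE_FINDINGS = [
    Finding("scan-1", "SQL Injection", "app/orders.py", 42, "critical",
            _ts("2024-03-01T09:00"), _ts("2024-03-01T15:00"), _ts("2024-03-03T09:00")),
    Finding("scan-1", "Cross-Site Scripting", "web/views.py", 118, "high",
            _ts("2024-03-01T09:00"), _ts("2024-03-02T09:00"), _ts("2024-03-05T09:00")),
    Finding("scan-1", "Hardcoded Password", "tests/fixtures.py", 7, "medium",
            _ts("2024-03-01T09:00"), _ts("2024-03-01T12:00"), None, True),
    Finding("scan-2", "SQL Injection", "app/orders.py", 42, "critical",
            _ts("2024-03-08T09:00"), _ts("2024-03-08T10:00")),
    Finding("scan-2", "Path Manipulation", "app/export.py", 63, "low",
            _ts("2024-03-08T09:00")),
]

if __name__ == "__main__":
    for key, value in summary(SAMPLE_FINDINGS).items():
        print(f"{key}: {value}")
```

On the constructed sample the queue puts both critical SQL injection reports ahead of the high-severity XSS, the false positive never enters the queue, MTTT comes out at 8.5 hours and MTTR at 3 days. The repeat-vulnerability count is the one to watch across releases: a finding that reappears after being marked fixed means the fix did not ship or regressed, which no amount of faster scanning corrects.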
[Figure: the five aspects measured in the survey and the metrics used for each.
Setting Up Scans: ease; speed; readiness/integration with development environments.
Performing Scans: speed; number of vulnerabilities identified.
Triaging: speed; number of false positives identified; prioritizing by criticality.
Remediating: number of vulnerabilities to fix; speed of fixing; prioritize by addressing critical vulnerabilities first.
Process Scalability: number of apps; number of scan cycles; developer issues avoided at source during coding.]
WHY FORTIFY
Of the companies surveyed, 54% said that Fortify was their first choice for application security software before later deciding to implement Fortify. Their top three reasons for choosing Fortify were:
• Solution flexibility
• Greater coverage of different programming languages and third-party code
• Better ability to find and fix vulnerabilities
KEY FINDING: FORTIFY PROVIDES FASTER, MORE EFFECTIVE SOFTWARE SECURITY ASSURANCE
Faster Scan Setups
In a continuous delivery environment, development teams must move quickly to plan and execute security scans. However, given the wide variety of programming languages and code components commonly found in a modern development environment, it can be a slow process to assemble the right security tools — and the right people and expertise — for the job. Before moving to Fortify, fewer than half of the organizations in our survey could accommodate the requirements of fast (weekly) release cycles.
The Fortify platform provided coverage and integration across a broad range of development environments and languages, eliminating the need for multiple point tools and the experts necessary to operate them. On average, companies replaced about 10 tools with a single Fortify solution. This allowed organizations to streamline their software security environment, reduce complexity and improve operational efficiencies. Customers believed this offers the potential to lower the overall cost involved in software security licenses and maintenance.
LESS TIME SCANNING, MORE TIME ENHANCING APPS
Scanning within an integrated development environment (IDE) can take several hours and add 25% or more to development overhead. To speed the process, one Fortify customer created a centralized Hadoop repository where developers can upload code and run scans in minutes. As a result, developers avoid getting bogged down by administrative and security tasks and now have more time to focus on improving the software. The customer considers this to be a huge competitive advantage in an increasingly software-driven world.
[Figure: Fewer Security Tools Needed. Number of software security tools: 10 before Fortify, 1 after Fortify. Customers replaced 10 different point tools with Fortify, saving on integration and set-up efforts.]
[Figure: Faster Setups Allow More Frequent Releases. Percentage of companies that could support monthly or weekly release cadences: 35% before Fortify, 100% after Fortify. Survey finding: organizations were able to increase their ability to do weekly, monthly or quarterly releases with the same amount of resources.]
Increasing adoption of agile environments is driving the demand for tighter process integration across the development lifecycle. Organizations that moved to the Fortify environment — which provides tools and plugins to simplify integration with existing development environments — could create fast, automated processes for uploading code, running scans, and incorporating security checks into each phase of the development cycle.
In fact, the survey found that the percentage of customers who could improve their release frequencies — from annual or quarterly to monthly, weekly, or even daily releases — increased significantly. Whereas only 35% of the respondents could do monthly or weekly releases before adopting Fortify, nearly all respondents said they could handle accelerated release schedules after adopting Fortify’s speed-enhancing rules engines, templates, and triaging technologies.
More Efficient Scanning
Most companies focus on combating the top 10 common critical vulnerabilities that affect their organization (or application security landscape). For the companies surveyed in 2017, these included cross-site scripting (XSS), SQL injection, broken authentication, cross-site request forgery, and security misconfigurations.
More than half of survey respondents reported that Fortify was particularly effective in finding these high-risk vulnerabilities early in the development lifecycle, when they can be remediated more easily and cheaply.[6] Tools such as Fortify Security Assistant, for example, enabled developers to identify vulnerabilities in real time while writing code.
Overall, companies using Fortify Static Code Analyzer found they could uncover tens of thousands of previously unidentified vulnerabilities. In addition, respondents said they could run the scans in a significantly shorter amount of time — from several days to just a few hours or even minutes — freeing developers to focus more time on what they do best: writing high-quality code rather than waiting for scans.
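SQL injection, one of the vulnerability classes the respondents named, is also the clearest case of what the “shift left” section above means in practice: a static check that runs on every commit and fails the build before the query ever reaches QA. The following is an added example, not Fortify Static Code Analyzer, Fortify Security Assistant or any of their rules: it walks the Python AST and flags execute()/executemany() calls whose query is assembled with an f-string, %-formatting, .format() or + concatenation, beside the parameterized form that passes. The sample module, the sink names and the helper names are the example's own assumptions.

```python
"""A minimal static check for SQL built by string formatting, of the kind a
shift-left pipeline runs on every commit.

Added illustration, not Fortify's analyzer or rule set. It inspects the Python
AST for execute()/executemany() calls whose first argument is built at run
time. The sample module below is constructed for the example; the helper
names are the example's own.
"""
import ast
from dataclasses import dataclass

SQL_SINKS = {"execute", "executemany"}   # assumed DB-API cursor methods


@dataclass(frozen=True)
class Issue:
    line: int
    how: str  # which formatting construct built the query


def _is_str(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _dynamic_sql(node: ast.AST):
    """Return a label if `node` assembles a string at run time, else None."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp):
        if isinstance(node.op, ast.Mod) and _is_str(node.left):
            return "%-formatting"
        if isinstance(node.op, ast.Add) and (_is_str(node.left) or _is_str(node.right)):
            return "+ concatenation"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format" and _is_str(node.func.value)):
        return ".format()"
    return None


def find_sql_injection(source: str) -> list:
    """Every sink call whose query argument is a run-time string, by line."""
    issues = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS and node.args):
            how = _dynamic_sql(node.args[0])
            if how:
                issues.append(Issue(node.lineno, how))
    return sorted(issues, key=lambda i: i.line)


def ci_gate(source: str) -> bool:
    """True when the source may ship; a pipeline would fail the build on False."""
    return not find_sql_injection(source)


# Constructed sample: three vulnerable query builders and one parameterized one.
SAMPLE_MODULE = '''
def by_name_fstring(cur, name):
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")

def by_name_percent(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)

def by_name_concat(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")

def by_name_safe(cur, name):
    # Parameterized: the driver sends the value separately from the statement.
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
'''

if __name__ == "__main__":
    for issue in find_sql_injection(SAMPLE_MODULE):
        print(f"line {issue.line}: SQL built with {issue.how}")
    print("gate:", "pass" if ci_gate(SAMPLE_MODULE) else "FAIL")
```

The check is deliberately syntactic: it only looks at the argument expression at the call site, so a query assembled into a variable three lines earlier and then passed to execute() is missed. That gap is exactly what a dataflow (taint) analysis closes, and it is the reason a real analyzer tracks the value from its source to the sink rather than matching patterns; a pattern check like this one still earns its keep as a cheap pre-commit gate in front of the full scan.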
[Figure: Twice as Many True Vulnerabilities Found… Number of true vulnerabilities found, after Fortify versus before Fortify: 2X. Customers reported that the number of legitimate vulnerabilities found with Fortify was double that of other software vendors.]
[Figure: …With Significantly Faster Scans. Speed of scans, after Fortify versus before Fortify: 10–15X. Customers reported that scanning with Fortify was 10–15 times faster than with other software vendors.]
WHAT TYPES OF VULNERABILITIES MATTER?
In our survey, most customers were concerned not just with common vulnerabilities like cross-site scripting and SQL injection, but were also worried about data breaches and the consequences that ensued, which most rated as one of their top security concerns.
Better Triaging, Fewer False Positives
Survey participants were attracted to Fortify’s unique ability to dig through large sets of vulnerabilities, identify those vulnerabilities that are meaningful to the organization, and quickly separate false positives and low-risk issues from serious flaws, significantly reducing mean time to triage (MTTT).
Many of the companies augmented their triaging routines by factoring in the latest industry intelligence and trends, and by connecting static and dynamic analyses. Several companies regularly tapped experts from Fortify to design and execute these time-saving triaging protocols. One leading data-analytics company, for example, routinely uploads code to Fortify on Demand to scan, then conducts a joint review and triaging session with the technical account manager before starting remediation.
[Figure: Fewer False Positives. Reduction in false positives, after Fortify versus before Fortify: 95%. Customers reported that the number of false positives was reduced by up to 95% with the Fortify on Demand managed services offering.]
Improved Remediation Efforts
Survey respondents repeatedly stressed the importance
of finding vulnerabilities early in the development lifecycle,
noting that it took nearly 100 times more effort to
remediate security flaws if they are found after software
has gone into production versus during the coding
process. Vulnerabilities found during quality assurance
testing are less expensive to remediate but still take
about 10 times more effort and time to fix compared
to the coding phase.
On average, organizations reported they could complete
triaging and remediation tasks about 10 times faster
with Fortify — from 20 days per application to just one
to two days. Again, the time saved could be redirected
to enhancing the software in ways that made it more
appealing to end users.
[Figure: Faster Remediation. Before Fortify: 20 days per app to triage and remediate. After Fortify: 1–2 days per app to triage and remediate, 10x faster triaging and remediation. Customers reported that, with Fortify, they are able to speed up the triaging and remediation process.]
FALSE POSITIVES CAN SLOW YOU DOWN
A leading financial institution reported that scans for a large application could uncover as many as 50,000
vulnerabilities, of which 60% could consist of time-wasting false positives, flaws the organization did not
deem important, or vulnerabilities that could be sorted into groups for more efficient remediation. Using
Fortify’s software and managed services, the institution avoided false positives and leveraged insights that
improved triaging and remediation, reducing workloads significantly. Noted one IT executive: “The only way
to scale is by eliminating false positives.”
KEY FINDING:
FORTIFY’S SCALABILITY DRIVES
CONTINUOUS DELIVERY
As the number of applications continues to grow,
organizations need to scale their software security
programs to avoid delays in delivering releases and
updates. Companies in the survey consistently
identified a set of obstacles to achieving process
scalability. These included:
• Disparate point solutions
• Manual processes/lack of automation
• Poor identification of vulnerabilities
• Large amount of false positives
• Lack of access to security expertise
When organizations combined Fortify solutions with
its managed services offering, they could transform
software security assurance into a fully scalable and
repeatable process capable of managing the increasing
operational demands of enterprise-level development
organizations.⁸
What does true scalability look like? Before adopting
Fortify, one customer in the survey could complete about
30–50 scans per quarter, covering about 25 applications.
Since implementing Fortify, it can complete 300 scans
covering 75 applications — a 30X increase in speed
and capacity.
[Figure: More Scanning, More Apps. Before Fortify: 30–50 scans covering 25 apps. After Fortify: 300 scans covering 75 apps, a 30X increase.]
[Figure: Fewer Repeat Vulnerabilities. 40% reduction in vulnerabilities. Customers reported seeing a 40% reduction in repeat vulnerabilities, thus creating high-quality and secured applications.]
[Figure: Scaling Up for the Future. 2X. Survey finding: Fortify customers expect to double the number of applications scanned in the future.]
KEY FINDING:
FORTIFY ENABLES FASTER TIME TO MARKET
When organizations used Fortify to accelerate and
improve the quality of their software security testing
and remediation, they significantly reduced the length
of their software development lifecycles, helping teams
throughout the organization meet rapid-release deadlines.
As illustrated below, before adopting Fortify, organizations
faced longer testing timelines — the result of less-
frequent and later-cycle scanning and remediation
efforts. Respondents reported that late-cycle security
“surprises” could easily threaten market launches.
With Fortify, organizations can scan code, find and
fix vulnerabilities in frequent iterations starting early
in the lifecycle, and leverage advanced triaging
techniques to shrink cycles even further. The result:
A greater number of relevant vulnerabilities are
uncovered and remediated earlier, and tail-end
surprises are minimized. Furthermore, repeat
vulnerabilities are progressively reduced because
developers learn to code more securely, resulting in
cleaner and more secure code in each future cycle.
[Figure: Faster Time to Market with Fortify (Scalability and Time to Market Acceleration). Y-axis: Number of Vulnerabilities Found; x-axis: Time. Without Fortify (“Waterfall Methodology”): effort peaks, high risk, rare release events. With Fortify (“Agile Methodology”): smoother effort, less risk, frequent release events. Callouts: 30X more scalability, 2X more vulnerabilities found, more vulnerabilities remediated, 10X faster, 10–15X faster scans, 95% fewer false positives.]
KEY FINDING:
FORTIFY IMPROVES MANAGEMENT OF
EXTENDED DEVELOPMENT ECOSYSTEMS
Managing Third-Party Developers
Many organizations today supplement their in-house
developers with third-party coding contractors.
Operationalizing the software security process to
include these external teams, however, can be a
complex challenge for development organizations.
Several of the companies we studied are using Fortify on
Demand to extend security testing and quality control to
third-party developers. Some have created innovative
“pay for performance” programs that enabled companies
to adjust fees paid to outsourcing partners based on the
“cleanliness” of the code delivered. The result: improved
product quality and better value for the money spent on
outside vendors.
Benefits                              Before Fortify                               After Fortify
Simplify and reduce SSA set-up time   10 point tools                               Single end-to-end tool
Scan faster                           1 to 3 weeks per app                         A few hours to 1 day
Find more vulnerabilities             Thousands per app                            At least 2X more true vulnerabilities found
Triage and audit faster               1 to 2 weeks per app                         1 to 2 days
Reduce number of false positives      1,000 to 50,000 per app                      10s to 100s, 95% reduction
Reduce remediation effort             3 to 4 weeks                                 1 to 2 weeks
Avoid repeat vulnerabilities          Repeat vulnerabilities common                Repeat vulnerabilities reduced by 40%
Scalability                           30 to 50 scans covering 25 apps per quarter  300 scans covering 75 apps per quarter
Summary of Operational Improvements from Fortify
EMPOWERING CONTINUOUS DELIVERY
Mainstay’s previous research identified Fortify as one of the leaders in helping organizations find more vulnerabilities,
and doing so earlier in the software development lifecycle. The current survey clearly confirmed this earlier
conclusion — with customers reporting they found twice as many relevant vulnerabilities with Fortify compared
to competing solutions.
However, in this survey, organizations pointed to additional benefits that were equally, if not more, critical to success.
These included Fortify’s ability to produce fewer false positives, and its ability to provide rich insights and correlations
to efficiently remediate the remaining valid vulnerabilities. Together these capabilities are giving organizations the
means to support their expanding development environments and significantly faster release cadences.
BENEFIT SUMMARY
The figure below summarizes the range of benefits that organizations can achieve by adopting Fortify. In addition
to the operational improvements, many of the organizations found that Fortify enabled them to:
• Accelerate application time to market
• Reduce disaster recovery and data breach costs
• Get better value for services from third-party development vendors
TEAMING WITH FORTIFY FOR GREATER ASSURANCE
To realize the full potential of their SSA programs, organizations augmented their Fortify solutions with managed services and resources from Fortify’s professional services team. These include best practices, metrics, and templates designed to ensure a predictable and measurable software security process.
THE WAY FORWARD
For companies that leverage software to compete, the ability to rapidly develop and update applications has
become a strategic necessity. Application development teams are addressing this demand for continuous software
delivery by moving from annual and quarterly releases to monthly, weekly and even daily releases.
For software security teams, this translates into a set of challenges beyond just uncovering as many vulnerabilities
as possible, as early as possible. To sustain fast-paced continuous delivery environments and ever-growing
volumes of applications, security teams will need to introduce more automation and achieve even greater levels
of operational efficiency.
In this survey of leading companies, we found that Fortify is changing the game for development and security
teams. Using Fortify’s end-to-end application security solutions, organizations can test application code and
remediate vulnerabilities faster and more effectively than ever before. Driving the speed and performance boost
is a new generation of triaging tools and technologies that virtually eliminate false positives and isolate valid
vulnerabilities for swift remediation.
Going forward, release cadences will only get faster, forcing IT to condense development cycles even more. It is a
trend that will compel greater numbers of organizations to adopt next-generation security assurance technologies that
can scale exponentially and ensure continuous delivery as the business’s reliance on software grows. In this new
era, Fortify will continue to innovate and help organizations keep pace with high-performance application security
solutions and services.
For more information about Fortify, visit fortify.com.
ENDNOTES
1. When automotive manufacturer Tesla discovers an issue with its cars, it delivers the software directly to the owner via a download the owner initiates in the car, saving Tesla millions of dollars. Traditional automobiles, by contrast, require expensive physical recalls when an engineering or manufacturing issue is discovered.
2. “Better Outcomes, Faster Results: Continuous Delivery and the Race for Better Business Performance,” Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise), Dec. 2013.
3. The average development organization uses as many as 10 security testing and remediation tools.
4. This current survey builds on earlier studies of the business impact of Fortify solutions. See: “Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions,” Mainstay, 2010 (updated 2013). http://h30528.www3.hp.com/Security/Fortify_Mainstay_ROI_Study.pdf
5. “Better Outcomes, Faster Results: Continuous Delivery and the Race for Better Business Performance,” Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise), Dec. 2013.
6. A leading bank reported that a scan for a large application could throw up as many as 50,000 vulnerabilities.
7. Fortify’s more than 50,000 pre-defined rules across several programming languages contributed to finding more vulnerabilities, companies said.
8. A typical Fortify on Demand environment can comprise about 400 developers and 75 applications built using Java (80%), .NET (12%) and Mobile (8%).
9. “Better Outcomes, Faster Results: Continuous Delivery and the Race for Better Business Performance,” Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise), Dec. 2013.