Open Source Security at Scale- The DevOps Challenge

•

0 likes•103 views

It’s no secret that open source components form the backbone of today’s software, comprising between 60-80% of modern applications. But with this, comes the alarming rise in open source vulnerabilities – more than 3,500 open source vulnerabilities were reported in 2017 – that’s 60% higher than the previous year, and the trend continued in 2018. The question arises: how can DevOps teams ensure a visible and continuous delivery pipeline for software releases without letting security slow them down? Join WhiteSource’s Product Manager, Shiri Ivtsan, as she discusses: - The current state of open source vulnerabilities management; - The latest innovations in the open source security world; and - The best DevOps tools to protect organizations against open source vulnerabilities and ensure agility, visibility and control regarding their open source.

Open Source Security at Scale
The DevOps Challenge

Hello!
Shiri Arad Ivtsan
Product Manager @WhiteSource
Shiri.ivtsan@WhiteSourceSoftware.com

Open Source
96.8%of the developers rely on
open source components

Some Basic Statistics
* Based on a survey conducted in more than 650 companies

OSS Security Vulnerabilities Are On The Rise
51%
The observed YoY rise
of reported vulnerabilities in 2017

Open Source Challenges
Onechallenging area in particular
is pronounced

Companies Do Not Prioritize Their Fixes Efficiently
Criticality of the project that might be impacted by the vulnerability
Availability of the suggested fix
Perceived impact of the vulnerability on projects
Number of software libraries containing the vulnerability
Vulnerability severity
Creation date of the vulnerability alert
prioritize based on the real business
impact
~56%
Just

Recent News
Integrity Availability Security-Protection

CI/CD Pipeline
Code Build Package Deploy

Code
Code Build Package Deploy
• Choose the right component from the earliest
stages
• Automatically open pull requests for patches
• Restrict merges if vulnerabilities exist

Build
Code Build Package Deploy
• Scan on any build
• Fail builds based on policies (i.e high severity
vulnerabilities)

Package
Code Build Package Deploy
• Scan Docker images – in private and public
image registries

Deploy
Code Build Package Deploy
• Scan upon deployment to your production
platform
• Monitor running applications in production for
newly published vulnerabilities

Key Takeaways
Know your code
Monitor it frequently
Make it simple & faster: Automate
• Automate the scanning
• Automate the prioritization
• Automate your remediation

The number of open source vulnerabilities hit an all-time record in 2017 with 3,500 reported vulnerabilities - that's 60% higher than the previous year, and the trend continues in 2018. Since it’s impossible to keep up with today’s pace of software production without open source, development and security teams are challenged to meet security objectives, without compromising on speed and quality. It's time for organizations to step up their open source security game. Join WhiteSource's Senior Director of Product Management, Rami Elron, as he discusses: - the current state of open source vulnerabilities management; - organizations' struggle to handle open source vulnerabilities; and - the key strategy for effective vulnerability management.

Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk

WhiteSource

Have you considered what truly separates accidental vulnerabilities in open source from intentionally malicious releases? Although often grouped together as "vulnerabilities", malicious open source components are very different, right from their very creation through to the way you mitigate and remediate them as an end user. The past 12 months saw a record-breaking time for detection of malicious components in the world's most popular package registries. Join Rhys Arkins, Director of Product at WhiteSource, as he will discuss: The key differences between accidental vulnerabilities and malicious releases, How to manage the risk for each type of vulnerability, Lessons learned from the most interesting malicious packages spotted during 2019.

Tackling the Risks of Open Source Security: 5 Things You Need to Know

WhiteSource

This document discusses open source security risks and provides recommendations. It contains 5 sections: 1. Open source risk is on the rise as open source code accounts for 60-80% of software and reported vulnerabilities are increasing. 2. Developers must change their mindset as open source vulnerabilities differ from proprietary vulnerabilities in detection, publicity and remediation. 3. Prioritizing security vulnerabilities is key as developers spend too much time on ineffective vulnerabilities. 4. Security responsibilities must be delegated between security, DevOps and developers to bridge gaps. 5. Shifting security left by empowering developers and integrating tools earlier can turn developers into advocates and detect issues cheaper.

5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...

WhiteSource

The Challenges of Scaling DevSecOps

WhiteSource

Organizations enjoy the speed that DevOps brings to development and delivery. However, most security and compliance monitoring tools have not been able to keep up, becoming the most significant barrier to continuous delivery. Now some good news: you can easily integrate security into your existing processes to solve this challenge. In this session, Shiri Ivtsan, Senior Product Manager at WhiteSource, will discuss: - Leveraging the DevSecOps approach to help speed up security - Scaling security into your agile processes - 5 easy ways to start driving DevSecOps in your organization

Taking Open Source Security to the Next Level

WhiteSource

Join us for a webinar featuring Forrester VP and Research Director Amy DeMartine to learn more about why open source security has become critical for securing modern applications, the main considerations when evaluating an open source security and license compliance solution and what she sees in store for the future. Additionally, WhiteSource Senior Director of Product Marketing, Jeff Crum, will discuss recent analysis of the Software Composition Analysis (SCA) market, including takeaways from The Forrester Wave™: Software Composition Analysis, Q2 2019.

CI/CD pipeline security from start to finish with WhiteSource & CircleCI

WhiteSource

This document provides an agenda for a webinar on securing CI/CD pipelines from start to finish with CircleCI and WhiteSource. The agenda includes brief introductions to CircleCI and WhiteSource, an overview of CircleCI Orbs and how they can simplify integrations, a discussion of the state of open source usage and security, and a demo of WhiteSource scanning functionality directly within a CircleCI pipeline using an Orb.

Empowering Financial Institutions to Use Open Source With Confidence

WhiteSource

The days when financial institutions relied solemnly on proprietary code are over. Today, even the largest financial services firms have realized the benefits of using open source technology to build powerful, innovative applications at a reduced time-to-market. However, the financial services industry faces strict regulatory requirements that present it with a unique set of challenges, especially when it comes to open source usage (both consumption and contribution). FINOS is a non-profit organization whose purpose is to accelerate collaboration and innovation in financial services through the adoption of open source software, standards and best practices. Together with WhiteSource, they are able to provide a safe environment for developers to use open source components freely and fearlessly. Join FINOS and WhiteSource as they discuss: The challenges of open source usage The state of open source vulnerabilities management How FINOS uses WhiteSource to ensure the security and IP compliance of FINOS-produced open source software

Container images are based on many direct and indirect open source dependencies, which most developers are not aware of. What are the security implications of only seeing the tip of the iceberg? What are the challenges one faces when relying so heavily on open source? And how can teams overcome these? Join Codefresh and WhiteSource, as they embark on a journey to tackle: The container iceberg - learn what are your blind spots The main security challenges when using open source in containerized applications The role of automation in open source security in containers A live demo showing how WhiteSource & Codefresh can allow you to automate open source security in containers throughout the DevOps pipeline

The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...

WhiteSource

This document discusses open source security challenges and recommendations for addressing them. It notes that over 96% of developers rely on open source components but open source vulnerabilities are rising. While companies prioritize fixes, over half do not do so efficiently based on real business impact. The document recommends integrating scanning for vulnerabilities into the entire software development lifecycle from code to deployment. Automating scanning, prioritization of issues, and remediation helps ensure open source security.

Open Source Security: How to Lay the Groundwork for a Secure Culture

WhiteSource

Open-source components are prevalent in approximately 97% of modern applications and dominate anywhere between 60-80% of their codebases. This is hardly surprising given how integrating open source accelerates software development and enables organizations to keep up with today's frantic release pace and standards of constantly supplying new features and improvements. However, taking into consideration the fact that recent years have seen an upsurge in reported open-source vulnerabilities, whose details and exploits are publicly available, it's no wonder that organizations are increasingly directing focus towards ensuring that their open-source components are securely integrated into their software. Join Guy Bar-Gil, Product Manager at WhiteSource, as he discusses: 1. The four layers of open-source security 2. How to integrate continuous security into your SDLC 3. Best practices for organizations to own and execute the security process

Winning open source vulnerabilities without loosing your deveopers - Azure De...

WhiteSource

Automating Open Source Security: A SANS Review of WhiteSource

WhiteSource

From Zero to DevSecOps: How to Implement Security at the Speed of DevOps

WhiteSource

Your organization has already embraced the DevOps methodology? That’s a great start. But what about security? It’s a fact - many organizations fear that adding security to their DevOps practices will severely slow down their development processes. But this doesn’t need to be the case. Tune in to hear Jeff Martin, Senior Director of Product at WhiteSource and Anders Wallgren, VP of Technology Strategy at Cloudbees, as they discuss: - Why traditional DevOps has shifted, and what this will mean - Who should own security in the age of DevOps - Which tools and strategies are needed to implement continuous security throughout the DevOps pipeline

DevSecOps outline

Nickleus Jimenez

DevSecOps aims to define success, assign responsibilities and milestones, discover the code pipeline by treating code as infrastructure and implementing quality control, inventory security tools by understanding what is owned and the costs, assess gaps by picking frameworks and balancing controls with complexity, and iterate quickly by continuously improving and focusing on platforms over individual tools. The presentation outlines steps for organizations to implement DevSecOps practices by defining objectives, understanding code movement, taking inventory of security tools, assessing gaps, and iterating processes.

The State of Open Source Vulnerabilities - A WhiteSource Webinar

WhiteSource

Open source components have become a key building block for application development in today’s market where companies are under constant pressure to deploy products as fast as possible. The recent increase in open source usage, however, has introduced many new security challenges. In this webinar Learn how open source security vulnerabilities are found, how to address any open source security concerns within your organization and understand the difference between securing your open source components and your proprietary code.

From Zero to DevSecOps: How to Implement Security at the Speed of DevOps

DevOps.com

The traditional way of handling security issues in DevOps involves security teams analyzing vulnerabilities and opening issues/tickets, with closing the loop on resolutions being difficult. This model is changing as the cost of fixing later-stage defects rises significantly. The shift is toward DevSecOps where responsibility for application security moves to development teams. Developers are integrating security tools earlier in the software development lifecycle (SDLC) to enable a more secure-by-design approach. Effective DevSecOps requires tools that fit seamlessly into developer workflows and prioritize actual vulnerabilities over non-issues. It also demands integrating security practices into DevOps processes through agile methodologies and automation.

From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...

WhiteSource

PIACERE - DevSecOps Automated

PIACERE

This document summarizes the PIACERE project, which aims to integrate security into DevSecOps processes. It receives funding from the EU Horizon 2020 program. The project develops tools like the DevSecOps Modeling Language (DOML) and Verification Tool to integrate security principles into infrastructure modeling and deployment. It also includes a Canary Sandbox Environment for testing deployments and an Infrastructure Optimization Platform for optimizing cloud resources. The overall goal is to provide a unified platform for secure, automated deployment to multiple clouds.

WhiteSource Webinar What's New With WhiteSource in December 2018

WhiteSource

Benefits of DevSecOps

Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS

DevSecOps

Joel Divekar

This document discusses DevSecOps and provides information about integrating security practices into the DevOps process. It describes how DevSecOps improves upon traditional DevOps by adding security checks to code, containers, and infrastructure. These checks help detect vulnerabilities, sensitive information, and non-compliance before code is deployed. The document also introduces the open-source auditing tool Lynis, which scans servers to identify vulnerabilities and compliance issues across the operating system, network settings, authentication methods, and more.

DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource

DevOps Indonesia

Demystifying DevSecOps

Archana Joshi

This document discusses DevSecOps, which involves infusing security practices into the development lifecycle to enable faster release cycles while maintaining security. It notes that over 53,000 cybersecurity incidents occurred in India in 2017. Implementing DevSecOps requires changes across an organization's people, processes, tools, and governance to embed security responsibilities across all teams. The typical DevSecOps pipeline shifts security left through activities like threat modeling, security testing, and monitoring throughout the development lifecycle.

The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers

DevOps.com

DevSecOps requires processes and tools that enable weaving security throughout the DevOps pipeline. It is much more than a buzzword, and if you'd ask most organizations, well, they believe they are in the process of adopting DevSecOps tools and practices. But, are they? In order to deeply understand the state of DevSecOps implementation we need to learn more about the relationship between developers and security teams. After surveying more than 560 application security professionals and software developers we found several insights. Join Jeff Martin, associate VP of product management, and Rhys Arkins, director of product management at WhiteSource, to learn about: The current challenges of the security and development teams when it comes to AppSec The contradicting views and gaps between the teams on DevSecOps maturity How to break the silos and advance toward DevSecOps maturity

DEVSECOPS: Coding DevSecOps journey

Jason Suttie

Practical DevSecOps Using Security Instrumentation

VMware Tanzu

A journey from dev ops to devsecops

Veritis Group, Inc

Open Source Security for Newbies - Best Practices

Black Duck by Synopsys

Deep Dive into Container Security

WhiteSource

"Many organizations are using containers to develop and manage their applications. Containers enable development teams work faster, deploy more easily and efficiently, and operate at a much larger scale. However, there are many security measures that need to be taken across the entire software development lifecycle, especially when it comes to open source security. In this session, Shiri Ivtsan, Product Manager at WhiteSource, will discuss: 1) The complexity and security challenges with containers 2) The greatest risks when deploying containers 3) The three steps to take before shipping a Docker container 4) How to automate your container security process"

What's hot

Tackling the Container Iceberg:How to approach security when most of your sof...

WhiteSource

The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...

WhiteSource

Open Source Security: How to Lay the Groundwork for a Secure Culture

WhiteSource

Winning open source vulnerabilities without loosing your deveopers - Azure De...

WhiteSource

Automating Open Source Security: A SANS Review of WhiteSource

WhiteSource

From Zero to DevSecOps: How to Implement Security at the Speed of DevOps

WhiteSource

DevSecOps outline

Nickleus Jimenez

The State of Open Source Vulnerabilities - A WhiteSource Webinar

WhiteSource

From Zero to DevSecOps: How to Implement Security at the Speed of DevOps

DevOps.com

From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...

WhiteSource

PIACERE - DevSecOps Automated

PIACERE

WhiteSource Webinar What's New With WhiteSource in December 2018

WhiteSource

Benefits of DevSecOps

Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS

DevSecOps

Joel Divekar

DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource

DevOps Indonesia

Demystifying DevSecOps

Archana Joshi

The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers

DevOps.com

DEVSECOPS: Coding DevSecOps journey

Jason Suttie

Practical DevSecOps Using Security Instrumentation

VMware Tanzu

A journey from dev ops to devsecops

Veritis Group, Inc

What's hot (20)

Tackling the Container Iceberg:How to approach security when most of your sof...

The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...

Open Source Security: How to Lay the Groundwork for a Secure Culture

Winning open source vulnerabilities without loosing your deveopers - Azure De...

Automating Open Source Security: A SANS Review of WhiteSource

From Zero to DevSecOps: How to Implement Security at the Speed of DevOps

DevSecOps outline

The State of Open Source Vulnerabilities - A WhiteSource Webinar

From Zero to DevSecOps: How to Implement Security at the Speed of DevOps

From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...

PIACERE - DevSecOps Automated

WhiteSource Webinar What's New With WhiteSource in December 2018

Benefits of DevSecOps

DevSecOps

DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource

Demystifying DevSecOps

The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers

DEVSECOPS: Coding DevSecOps journey

Practical DevSecOps Using Security Instrumentation

A journey from dev ops to devsecops

Similar to Open Source Security at Scale- The DevOps Challenge

Open Source Security for Newbies - Best Practices

Black Duck by Synopsys

Deep Dive into Container Security

WhiteSource

IBM Rational AppScan Product Overview

Ashish Patel

Myths and Misperceptions of Open Source Security

Black Duck by Synopsys

This document discusses myths and misperceptions around open source security. It addresses 6 common misperceptions: 1) that security tools can find all open source vulnerabilities, 2) that scanning is best done at the end of development, 3) that the National Vulnerability Database covers all vulnerabilities, 4) that replacing vulnerable components is always the answer, 5) that the "many eyes" theory ensures open source security, and 6) that open source is less secure than commercial software. The document provides details to counter each misperception and emphasizes that all software can have vulnerabilities, and that visibility into what software is used is key to security.

Perforce on Tour 2015 - Grab Testing By the Horns and Move

Perforce

The document discusses integrating security testing into agile development processes. It proposes building security metrics at each stage and providing results to developers to help prioritize and quickly fix issues. Testing should be flexible to each team's needs and provide actionable results and tracing to help developers learn and fix root causes of errors. Maintaining independence of audits and regular updates are also suggested.

Shifting the conversation from active interception to proactive neutralization

Rogue Wave Software

When did we forget that old saying, “prevention is the best medicine”, when it comes to cybersecurity? The current focus on mitigating real-time attacks and creating stronger defensive networks has overshadowed the many ways to prevent attacks right at the source – where security management has the biggest impact. Source code is where it all begins and where attack mitigation is the most effective. In this webinar we’ll discuss methods of proactive threat assessment and mitigation that organizations use to advance cybersecurity goals today. From using static analysis to detect vulnerabilities as early as possible, to managing supply chain security through standards compliance, to scanning for and understanding potential risks in open source, these methods shift attack mitigation efforts left to simplify fixes and enable more cost-effective solutions. Webinar recording: http://www.roguewave.com/events/on-demand-webinars/shifting-the-conversation-from-active-interception

8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal

Threat Stack

Deploying insecure web applications into production can be risky -- resulting in potential loss of customer data, corporate intellectual property and/or brand value. Yet many organizations still deploy public-facing applications without assessing them for common and easily-exploitable vulnerabilities such as SQL Injection and Cross-Site Scripting (XSS). This is because traditional approaches to application security are typically complex, manual and time-consuming – deterring agile teams from incorporating code analysis into their sprints. But it doesn’t have to be that way. By incorporating key SecDevOps concepts into the Software Development Lifecycle (SDLC) – including centralized policies and tighter collaboration and visibility between security and DevOps teams – we can now embed continuous code-level security and assessment into our agile development processes. We’ve uncovered eight patterns that work together to transform cumbersome waterfall methodologies into efficient and secure agile development.

5 things about os sharon webinar final

DevOps.com

Open Source has become the key building block for application development in today's market, where companies are under constant pressure to accelerate time to market. However, the increasing adoption of open source components has introduced new security challenges that most teams are not prepared to mitigate in their current posture. Join Sharon Sharlin, Product Marketing Manager at WhiteSource, as she presents best practices that security teams should implement in order to enable their developers to harness the power of open source without slowing them down or compromising security.

All Things Open 2022 - State of OSS Security & Support

Javier Perez

Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...

Denim Group

HP Protect 2015 Presentation with Denim Group's John Dickson and HP's Bruce Jenkins - Software security historically has been a bolt-on afterthought, frequently a "nice to do" and not a "must do" activity in many organizations. Despite the obvious need to build security in from the outset, organizations continue to struggle to gain momentum and focus resources in support of a structured and measurable software security assurance program. How can organizations determine the best-fit activities and appropriate resource allocation levels to adequately address software risk? How can security leaders know what other organizations are doing to produce more secure software? This session provides an overview of the Open Software Assurance Maturity Model (OpenSAMM) framework and illustrates how organizations can use it to give their security program the edge necessary to stay competitive in today's DevOps world and need-for-speed go-to-market strategies. The session includes case studies on how organizations are using comparative data and OpenSAMM benchmarking to realize measurable software security improvement. Originally shared here - https://sessioncatalog.hpglobalevents.com/go/agendabuilder.sessions/?l=19&sid=4026_2744&locale=en_US

Create Agile confidence for better application security

Rogue Wave Software

Now that you’ve learned how to create code confidence for better application security, the second webinar in this series focuses on ensuring your processes are secure. With many organizations transforming development efforts from traditional environments toward Agile development, the need to redefine and establish security standards and testing methods is more important than ever. In this second one-hour webinar you'll learn how to: - Integrate security and compliance testing with Agile development - Provide context for fast triage and remediation - Create policies for code management in integrated testing environments

Create code confidence for better application security

Rogue Wave Software

Network intrusion. Information theft. Outside reprogramming of systems. These examples are just a few of the several reasons why software security is becoming increasingly more important to all industries. No system is immune, so it’s more important than ever to understand why secure code matters and how to create safer applications. With this presentation you'll learn how to: -Protect your systems from risk -Comply with security standards -Ensure the entire codebase is bulletproof

Secure application deployment in the age of continuous delivery

Black Duck by Synopsys

As presented by Tim Mackey, Senior Technical Evangelist at Black Duck Software, at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious. Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: - How known vulnerabilities can make their way into production deployments - How vulnerability impact is maximized - A methodology for ensuring deployment of vulnerable code can be minimized - A methodology to minimize the potential for vulnerable code to be redistributed

Secure application deployment in the age of continuous delivery

Tim Mackey

As presented at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious. Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: - How known vulnerabilities can make their way into production deployments - How vulnerability impact is maximized - A methodology for ensuring deployment of vulnerable code can be minimized - A methodology to minimize the potential for vulnerable code to be redistributed

Continuous security: Bringing agility to the secure development lifecycle

Rogue Wave Software

Presented at AppSec California 2017. The fact that software development is moving towards agile methodologies and DevOps is a given, the question is: How do you transform processes and tools to get the biggest advantage? Using application security testing as an example, this talk cuts through all the news, research, and standards to define a holistic process for integrating Agile testing and feedback into development teams. The talk describes specific processes, automation techniques, and the smart selection of tools to help organizations produce more secure, OWASP-compliant code and free up development time to focus on features.

Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why

Black Duck by Synopsys

According to SAP 85% of cybersecurity attacks target the application layer. To be successful in defending against these attacks you need to use a variety of tools. In session we'll go into the various types application security tools and approaches, including SAST, DAST, RASP, PEN, as well as Open Source Vulnerability Management. We'll help you understand the differences between these tools and help you develop a plan for filling your application security toolbox.

Software Security Assurance for Devops

Jerika Phelps

How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps. You’ll learn: -New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments -Best practices for designing and incorporating an automated approach to application security into your existing development environment -Future development and application security challenges organizations will face and what they can do to prepare

Software Security Assurance for DevOps

Black Duck by Synopsys

Open Source evaluation: A comprehensive guide on what you are using

All Things Open

Presented at All Things Open 2023 Presented by Viral Chhasatia & Karan Marjara - Amazon Title: Open Source evaluation: A comprehensive guide on what you are using Abstract: What happens if an open source package your service relies on changes direction or shuts down? This talk provides a step-by-step approach that enables users to thoroughly assess open source software risks and rewards before making a final decision to use it in your product or service. Find more info about All Things Open: On the web: https://www.allthingsopen.org/ Twitter: https://twitter.com/AllThingsOpen LinkedIn: https://www.linkedin.com/company/all-things-open/ Instagram: https://www.instagram.com/allthingsopen/ Facebook: https://www.facebook.com/AllThingsOpen Mastodon: https://mastodon.social/@allthingsopen Threads: https://www.threads.net/@allthingsopen 2023 conference: https://2023.allthingsopen.org/

Experience Sharing on School Pentest Project (Updated)

eLearning Consortium 電子學習聯盟

As an independent security consultant, the author conducted penetration tests of ten K-12 school websites over 99 hours. They found over 1,700 vulnerabilities total, including 170 critical issues exposing over 20,000 student records. Common vulnerabilities included SQL injection, outdated systems, and unencrypted passwords. The author provided demonstrations of their scanning tools and process and recommendations to schools like regular scanning, patching systems, and relying less on vulnerable third-party vendor solutions.

Similar to Open Source Security at Scale- The DevOps Challenge (20)

Open Source Security for Newbies - Best Practices

Deep Dive into Container Security

IBM Rational AppScan Product Overview

Myths and Misperceptions of Open Source Security

Perforce on Tour 2015 - Grab Testing By the Horns and Move

Shifting the conversation from active interception to proactive neutralization

8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal

5 things about os sharon webinar final

All Things Open 2022 - State of OSS Security & Support

Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...

Create Agile confidence for better application security

Create code confidence for better application security

Secure application deployment in the age of continuous delivery

Continuous security: Bringing agility to the secure development lifecycle

Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why

Software Security Assurance for Devops

Software Security Assurance for DevOps

Open Source evaluation: A comprehensive guide on what you are using

Experience Sharing on School Pentest Project (Updated)

More from WhiteSource

Securing Container-Based Applications at the Speed of DevOps

WhiteSource

Thanks to containerization and automation, applications are being developed and delivered faster than ever. With tools such as AWS ECR, developers are able to store, manage and deploy Docker container images without having to worry about operating their own container repositories or scaling the underlying infrastructure. With this, however, arise challenges around managing the security and compliance aspect of your container images. With tools such as WhiteSource, developers are able to manage the security of their containers and container images with no impact on agility and speed. Join Shiri Ivtsan, Product Manager at WhiteSource and Carmen Puccio, Solutions Architect at AWS, as they discuss the following: Effectively managing and deploying your container images Gaining full visibility into your container images Building and automating security into each layer of the container environment to ensure a continuous process throughout the SDLC Demonstrating a live example using a vulnerable container image

Fire alarms vs. Fire hoses: Keeping up with Dependencies

WhiteSource

Today no one can claim ignorance about the need for an open source vulnerability strategy, so what is yours? Are you the fire alarm type, who prefers to sit tight unless a vulnerability alert is ringing in your inbox? Or are you the fire hose type, staying ahead of the game with a never-ending stream of open source updates to apply? Join Rhys as he discusses the pros and cons of these two approaches, as well as whether there's a magical middle ground between the two which doesn't involve a fire analogy.

DevSecOps: Closing the Loop from Detection to Remediation

WhiteSource

"DevSecOps sets out to relieve the costly and stressful delays that can occur when security testing is performed late in the game, by setting up processes and tools for ""shifting left"" so security testing can happen early and often. As organizations continue to embrace this DevSecOps approach, testing tools and practices are integrated even further left in the development pipeline. Join Senior Product Manager, Shiri Ivtsan, as she discusses: Where and how developers are implementing DevSecOps in the SDLC; Best practices for developers to adopt DevSecOps and more efficiently handle vulnerabilities; Necessary steps for implementing a process for detection, prioritization, and remediation of open source vulnerabilities."

Barriers to Container Security and How to Overcome Them

WhiteSource

Over the past few years, more and more companies are turning to containerized environments to scale their applications. However, keeping containers secure throughout the development life cycle presents many challenges to security and development teams. In order to address them, organizations need to adopt a new set of security processes and tools. This session will focus on the three most vulnerable areas of container security and the best practices to help teams develop and deploy securely. Join Jeffrey Martin, Senior Director of Product at WhiteSource, as he discusses: The top challenges to security in containerized environments How DevSecOps addresses security in containerized environments Tips and tricks for successfully incorporating security into the container lifecycle

SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...

WhiteSource

Top Open Source Licenses Explained

WhiteSource

Open source licenses can be more than a little confusing for those of us that just want to write a little bit of code. However, with open source components playing such a big part in the products that we create, open source licenses and compliance simply can’t be ignored. We’ve compiled the one stop resource guide for working compliantly with open source components, including answers to FAQs about the most popular licenses in 2018. Read all about the hottest licensing trends that you need to be following and some predictions for 2019.

WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...

WhiteSource

Find Out What's New With WhiteSource September 2018- A WhiteSource Webinar

WhiteSource

The document summarizes a product update webinar held by David Habusha in September 2018. Key points include: - The release of a new Effective Usage Analysis technology to help identify vulnerabilities that pose an actual risk. - Support for additional platforms and package managers in the Unified Agent, as well as new build/CI tools. - Enhancements to the Fortify SSC integration including synchronized alerts. - Various workflow enhancements like user access control and conditional failing of builds. - Faster navigation features and a new customer community portal. - An outlook on additional features coming in Q4 2018 like enhanced GitHub integration and release reports.

The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...

WhiteSource

Find Out What's New With WhiteSource May 2018- A WhiteSource Webinar

WhiteSource

Strategies for Improving Enterprise Application Security - a WhiteSource Webinar

WhiteSource

This document debunks 3 common myths about open source security: 1) That security and agility are mutually exclusive, noting that shifting security processes left and mitigating rather than just reacting can minimize vulnerabilities while maximizing agility. 2) That security responsibilities can be delegated, and should empower developers through flexible selection processes. 3) That security vulnerabilities can be prioritized, as research shows 70% of reported vulnerabilities in open source libraries are not referenced by code. It recommends improving security through shifting left, streamlining policies, and prioritizing remediation.

How temenos manages open source use, the easy way combined

WhiteSource

More from WhiteSource (12)

Securing Container-Based Applications at the Speed of DevOps

Fire alarms vs. Fire hoses: Keeping up with Dependencies

DevSecOps: Closing the Loop from Detection to Remediation

Barriers to Container Security and How to Overcome Them

SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...

Top Open Source Licenses Explained

WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...

Find Out What's New With WhiteSource September 2018- A WhiteSource Webinar

The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...

Find Out What's New With WhiteSource May 2018- A WhiteSource Webinar

Strategies for Improving Enterprise Application Security - a WhiteSource Webinar

How temenos manages open source use, the easy way combined

Recently uploaded

SWEBOK and Education at FUSE Okinawa 2024

Hironori Washizaki

A Study of Variable-Role-based Feature Enrichment in Neural Models of Code

Aftab Hussain

Understanding variable roles in code has been found to be helpful by students in learning programming -- could variable roles help deep neural models in performing coding tasks? We do an exploratory study. - These are slides of the talk given at InteNSE'23: The 1st International Workshop on Interpretability and Robustness in Neural Software Engineering, co-located with the 45th International Conference on Software Engineering, ICSE 2023, Melbourne Australia

socradar-q1-2024-aviation-industry-report.pdf

SOCRadar

SOCRadar's Aviation Industry Q1 Incident Report is out now! The aviation industry has always been a prime target for cybercriminals due to its critical infrastructure and high stakes. In the first quarter of 2024, the sector faced an alarming surge in cybersecurity threats, revealing its vulnerabilities and the relentless sophistication of cyber attackers. SOCRadar’s Aviation Industry, Quarterly Incident Report, provides an in-depth analysis of these threats, detected and examined through our extensive monitoring of hacker forums, Telegram channels, and dark web platforms.

Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris

Neo4j

Energy consumption of Database Management - Florina Jonuzi

Green Software Development

Vitthal Shirke Java Microservices Resume.pdf

Vitthal Shirke

AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App

Google

AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App 👉👉 Click Here To Get More Info 👇👇 https://sumonreview.com/ai-fusion-buddy-review AI Fusion Buddy Review: Key Features ✅Create Stunning AI App Suite Fully Powered By Google's Latest AI technology, Gemini ✅Use Gemini to Build high-converting Converting Sales Video Scripts, ad copies, Trending Articles, blogs, etc.100% unique! ✅Create Ultra-HD graphics with a single keyword or phrase that commands 10x eyeballs! ✅Fully automated AI articles bulk generation! ✅Auto-post or schedule stunning AI content across all your accounts at once—WordPress, Facebook, LinkedIn, Blogger, and more. ✅With one keyword or URL, generate complete websites, landing pages, and more… ✅Automatically create & sell AI content, graphics, websites, landing pages, & all that gets you paid non-stop 24*7. ✅Pre-built High-Converting 100+ website Templates and 2000+ graphic templates logos, banners, and thumbnail images in Trending Niches. ✅Say goodbye to wasting time logging into multiple Chat GPT & AI Apps once & for all! ✅Save over $5000 per year and kick out dependency on third parties completely! ✅Brand New App: Not available anywhere else! ✅ Beginner-friendly! ✅ZERO upfront cost or any extra expenses ✅Risk-Free: 30-Day Money-Back Guarantee! ✅Commercial License included! See My Other Reviews Article: (1) AI Genie Review: https://sumonreview.com/ai-genie-review (2) SocioWave Review: https://sumonreview.com/sociowave-review (3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review (4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review #AIFusionBuddyReview, #AIFusionBuddyFeatures, #AIFusionBuddyPricing, #AIFusionBuddyProsandCons, #AIFusionBuddyTutorial, #AIFusionBuddyUserExperience #AIFusionBuddyforBeginners, #AIFusionBuddyBenefits, #AIFusionBuddyComparison, #AIFusionBuddyInstallation, #AIFusionBuddyRefundPolicy, #AIFusionBuddyDemo, #AIFusionBuddyMaintenanceFees, #AIFusionBuddyNewbieFriendly, #WhatIsAIFusionBuddy?, #HowDoesAIFusionBuddyWorks

Mobile App Development Company In Noida | Drona Infotech

Drona Infotech

Enterprise Resource Planning System in Telangana

NYGGS Automation Suite

Enterprise Resource Planning System includes various modules that reduce any business's workload. Additionally, it organizes the workflows, which drives towards enhancing productivity. Here are a detailed explanation of the ERP modules. Going through the points will help you understand how the software is changing the work dynamics. To know more details here: https://blogs.nyggs.com/nyggs/enterprise-resource-planning-erp-system-modules/

Microservice Teams - How the cloud changes the way we work

Sven Peters

A lot of technical challenges and complexity come with building a cloud-native and distributed architecture. The way we develop backend software has fundamentally changed in the last ten years. Managing a microservices architecture demands a lot of us to ensure observability and operational resiliency. But did you also change the way you run your development teams? Sven will talk about Atlassian’s journey from a monolith to a multi-tenanted architecture and how it affected the way the engineering teams work. You will learn how we shifted to service ownership, moved to more autonomous teams (and its challenges), and established platform and enablement teams.

Essentials of Automations: The Art of Triggers and Actions in FME

Safe Software

In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation. We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios. Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!

LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx

lorraineandreiamcidl

WhatsApp offers simple, reliable, and private messaging and calling services for free worldwide. With end-to-end encryption, your personal messages and calls are secure, ensuring only you and the recipient can access them. Enjoy voice and video calls to stay connected with loved ones or colleagues. Express yourself using stickers, GIFs, or by sharing moments on Status. WhatsApp Business enables global customer outreach, facilitating sales growth and relationship building through showcasing products and services. Stay connected effortlessly with group chats for planning outings with friends or staying updated on family conversations.

Graspan: A Big Data System for Big Code Analysis

Aftab Hussain

We built a disk-based parallel graph system, Graspan, that uses a novel edge-pair centric computation model to compute dynamic transitive closures on very large program graphs. We implement context-sensitive pointer/alias and dataflow analyses on Graspan. An evaluation of these analyses on large codebases such as Linux shows that their Graspan implementations scale to millions of lines of code and are much simpler than their original implementations. These analyses were used to augment the existing checkers; these augmented checkers found 132 new NULL pointer bugs and 1308 unnecessary NULL tests in Linux 4.4.0-rc5, PostgreSQL 8.3.9, and Apache httpd 2.2.18. - Accepted in ASPLOS ‘17, Xi’an, China. - Featured in the tutorial, Systemized Program Analyses: A Big Data Perspective on Static Analysis Scalability, ASPLOS ‘17. - Invited for presentation at SoCal PLS ‘16. - Invited for poster presentation at PLDI SRC ‘16.

Introducing Crescat - Event Management Software for Venues, Festivals and Eve...

Crescat

Crescat is industry-trusted event management software, built by event professionals for event professionals. Founded in 2017, we have three key products tailored for the live event industry. Crescat Event for concert promoters and event agencies. Crescat Venue for music venues, conference centers, wedding venues, concert halls and more. And Crescat Festival for festivals, conferences and complex events. With a wide range of popular features such as event scheduling, shift management, volunteer and crew coordination, artist booking and much more, Crescat is designed for customisation and ease-of-use. Over 125,000 events have been planned in Crescat and with hundreds of customers of all shapes and sizes, from boutique event agencies through to international concert promoters, Crescat is rigged for success. What's more, we highly value feedback from our users and we are constantly improving our software with updates, new features and improvements. If you plan events, run a venue or produce festivals and you're looking for ways to make your life easier, then we have a solution for you. Try our software for free or schedule a no-obligation demo with one of our product specialists today at crescat.io

Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition

Envertis Software Solutions

Odoo ERP software Odoo ERP software, a leading open-source software for Enterprise Resource Planning (ERP) and business management, has recently launched its latest version, Odoo 17 Community Edition. This update introduces a range of new features and enhancements designed to streamline business operations and support growth. The Odoo Community serves as a cost-free edition within the Odoo suite of ERP systems. Tailored to accommodate the standard needs of business operations, it provides a robust platform suitable for organisations of different sizes and business sectors. Within the Odoo Community Edition, users can access a variety of essential features and services essential for managing day-to-day tasks efficiently. This blog presents a detailed overview of the features available within the Odoo 17 Community edition, and the differences between Odoo 17 community and enterprise editions, aiming to equip you with the necessary information to make an informed decision about its suitability for your business.

Empowering Growth with Best Software Development Company in Noida - Deuglo

Deuglo Infosystem Pvt Ltd

Do you want Software for your Business? Visit Deuglo Deuglo has top Software Developers in India. They are experts in software development and help design and create custom Software solutions. Deuglo follows seven steps methods for delivering their services to their customers. They called it the Software development life cycle process (SDLC). Requirement — Collecting the Requirements is the first Phase in the SSLC process. Feasibility Study — after completing the requirement process they move to the design phase. Design — in this phase, they start designing the software. Coding — when designing is completed, the developers start coding for the software. Testing — in this phase when the coding of the software is done the testing team will start testing. Installation — after completion of testing, the application opens to the live server and launches! Maintenance — after completing the software development, customers start using the software.

Orion Context Broker introduction 20240604

Fermin Galan

Atelier - Innover avec l’IA Générative et les graphes de connaissances

Neo4j

Atelier - Innover avec l’IA Générative et les graphes de connaissances Allez au-delà du battage médiatique autour de l’IA et découvrez des techniques pratiques pour utiliser l’IA de manière responsable à travers les données de votre organisation. Explorez comment utiliser les graphes de connaissances pour augmenter la précision, la transparence et la capacité d’explication dans les systèmes d’IA générative. Vous partirez avec une expérience pratique combinant les relations entre les données et les LLM pour apporter du contexte spécifique à votre domaine et améliorer votre raisonnement. Amenez votre ordinateur portable et nous vous guiderons sur la mise en place de votre propre pile d’IA générative, en vous fournissant des exemples pratiques et codés pour démarrer en quelques minutes.

KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD

rodomar2

E-commerce Application Development Company.pdf

Hornet Dynamics

Recently uploaded (20)

SWEBOK and Education at FUSE Okinawa 2024

A Study of Variable-Role-based Feature Enrichment in Neural Models of Code

socradar-q1-2024-aviation-industry-report.pdf

Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris

Energy consumption of Database Management - Florina Jonuzi

Vitthal Shirke Java Microservices Resume.pdf

AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App

Mobile App Development Company In Noida | Drona Infotech

Enterprise Resource Planning System in Telangana

Microservice Teams - How the cloud changes the way we work

Essentials of Automations: The Art of Triggers and Actions in FME

LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx

Graspan: A Big Data System for Big Code Analysis

Introducing Crescat - Event Management Software for Venues, Festivals and Eve...

Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition

Empowering Growth with Best Software Development Company in Noida - Deuglo

Orion Context Broker introduction 20240604

Atelier - Innover avec l’IA Générative et les graphes de connaissances

KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD

E-commerce Application Development Company.pdf

Open Source Security at Scale- The DevOps Challenge

1. Open Source Security at Scale The DevOps Challenge

2. Hello! Shiri Arad Ivtsan Product Manager @WhiteSource Shiri.ivtsan@WhiteSourceSoftware.com

3. Continuous Delivery

4. Continuous Delivery

5. Open Source 96.8%of the developers rely on open source components

6. Security in Open Source

7. Some Basic Statistics * Based on a survey conducted in more than 650 companies

8. OSS Security Vulnerabilities Are On The Rise 51% The observed YoY rise of reported vulnerabilities in 2017

9. Open Source Challenges Onechallenging area in particular is pronounced

10. Companies Do Not Prioritize Their Fixes Efficiently Criticality of the project that might be impacted by the vulnerability Availability of the suggested fix Perceived impact of the vulnerability on projects Number of software libraries containing the vulnerability Vulnerability severity Creation date of the vulnerability alert prioritize based on the real business impact ~56% Just

11. Recent News Integrity Availability Security-Protection

12.

13. Security Throughout The SDLC Pipeline

14. Scan

15. CI/CD Pipeline Code Build Package Deploy

16. Code Code Build Package Deploy • Choose the right component from the earliest stages • Automatically open pull requests for patches • Restrict merges if vulnerabilities exist

17. Build Code Build Package Deploy • Scan on any build • Fail builds based on policies (i.e high severity vulnerabilities)

18. Package Code Build Package Deploy • Scan Docker images – in private and public image registries

19. Deploy Code Build Package Deploy • Scan upon deployment to your production platform • Monitor running applications in production for newly published vulnerabilities

20. Key Takeaways Know your code Monitor it frequently Make it simple & faster: Automate • Automate the scanning • Automate the prioritization • Automate your remediation

21. Q&A

Open Source Security at Scale- The DevOps Challenge

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Open Source Security at Scale- The DevOps Challenge

Similar to Open Source Security at Scale- The DevOps Challenge (20)

More from WhiteSource

More from WhiteSource (12)

Recently uploaded

Recently uploaded (20)

Open Source Security at Scale- The DevOps Challenge