The Netsparker web application security scanner allows both development and security teams to easily test web applications for common security vulnerabilities. This webinar demonstrates how Netsparker can be used with the ThreadFix vulnerability resolution platform to correlate testing results, prioritize risk decisions based on data, and transition security vulnerabilities to development teams in the tools they’re already using. Combining the application vulnerability correlation capabilities of ThreadFix with the proof-based vulnerability scanning technology of Netsparker allows organizations to take a quantitative approach to addressing application security risk.
Running a Comprehensive Application Security Program with Checkmarx and Threa... (Denim Group)
This webinar demonstrates the value of combining the powerful and easy-to-use Checkmarx CxSAST engine with the application vulnerability correlation capabilities of the ThreadFix vulnerability resolution platform to create a comprehensive application security program. Specifically, it will examine:
Correlating Checkmarx CxSAST results with DAST scans via Hybrid Analysis Mapping to help developers maximize the value from both security testing approaches and increase the confidence in testing results
Using Checkmarx CxSAST and ThreadFix’s HotSpot identification technology to highlight vulnerable components developed and shared within your organization
Onboarding Checkmarx CxSAST scanning results and operations into ThreadFix to get up and running quickly
Integrating both Checkmarx CxSAST and dynamic application security testing into developers’ CI/CD pipelines to reduce critical metrics like mean-time-to-discover and mean-time-to-fix
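The correlation step described above (ThreadFix calls its implementation Hybrid Analysis Mapping) rests on one idea: a DAST finding is identified by a URL and a parameter, a SAST finding by a file and a line, and the application's route table is what joins the two. The following is an added illustration of that join, not ThreadFix's or Checkmarx's code. The route table, the finding records and the CWE-based matching are all assumptions; a real route table would be extracted from the framework's routing configuration.

```python
import re
from urllib.parse import urlparse

# Constructed sample data. A real route table would be extracted from the
# framework's routing configuration; these names and shapes are assumptions.
ROUTES = [
    {"pattern": "/login", "file": "src/auth/LoginController.java"},
    {"pattern": "/users/{id}", "file": "src/users/UserController.java"},
    {"pattern": "/search", "file": "src/search/SearchController.java"},
]

# DAST findings: the scanner only knows the URL and the parameter it tampered with.
DAST_FINDINGS = [
    {"id": "D1", "cwe": 89, "url": "https://app.example/login", "param": "username"},
    {"id": "D2", "cwe": 79, "url": "https://app.example/search?q=test", "param": "q"},
    {"id": "D3", "cwe": 79, "url": "https://app.example/users/42", "param": "id"},
]

# SAST findings: the analyzer only knows the file, the line and the tainted variable.
SAST_FINDINGS = [
    {"id": "S1", "cwe": 89, "file": "src/auth/LoginController.java", "line": 41, "param": "username"},
    {"id": "S2", "cwe": 79, "file": "src/search/SearchController.java", "line": 17, "param": "q"},
    {"id": "S3", "cwe": 22, "file": "src/files/DownloadController.java", "line": 88, "param": "path"},
]


def pattern_to_regex(pattern):
    """Turn a route pattern such as /users/{id} into an anchored regex."""
    return re.compile("^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", pattern) + "$")


def route_for(url, routes):
    """Map a concrete URL back to the route (and therefore the source file) that serves it."""
    path = urlparse(url).path
    for route in routes:
        if pattern_to_regex(route["pattern"]).match(path):
            return route
    return None


def correlate(dast, sast, routes):
    """Pair each DAST finding with the SAST finding in the same file and CWE class.

    confidence is "high" when the tampered parameter is also the tainted variable,
    "medium" when only file and CWE agree.
    """
    result = {"correlated": [], "dast_only": [], "sast_only": []}
    matched = set()
    for d in dast:
        route = route_for(d["url"], routes)
        if route is None:                      # URL not served by any known route
            result["dast_only"].append((d["id"], None))
            continue
        best = None
        for s in sast:
            if s["file"] != route["file"] or s["cwe"] != d["cwe"]:
                continue
            confidence = "high" if s["param"] == d["param"] else "medium"
            if best is None or (confidence == "high" and best[1] == "medium"):
                best = (s, confidence)
        if best is None:                       # mapped to source, but SAST saw nothing there
            result["dast_only"].append((d["id"], route["file"]))
            continue
        s, confidence = best
        matched.add(s["id"])
        result["correlated"].append({
            "dast": d["id"], "sast": s["id"], "file": s["file"],
            "line": s["line"], "confidence": confidence,
        })
    result["sast_only"] = [s["id"] for s in sast if s["id"] not in matched]
    return result


if __name__ == "__main__":
    for row in correlate(DAST_FINDINGS, SAST_FINDINGS, ROUTES)["correlated"]:
        print(row)
```

The three buckets are what a developer actually wants: a correlated pair is a finding confirmed from both sides with a file and line to open; a DAST-only finding that still maps to a source file tells you where to look even though static analysis missed it; a SAST-only finding in a file no route reaches is a candidate for lower priority.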
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma... (Denim Group)
Effective application security programs both highlight security requirements early in the development process and manage vulnerabilities throughout the development lifecycle. This webinar demonstrates how the SD Elements security requirements automation system can be integrated with the ThreadFix vulnerability resolution platform to provide end-to-end tracking throughout the SDLC. The combination increases both developer and security team productivity by providing a seamless way to enumerate security specifications and track development teams' success in meeting these obligations, and the presentation provides insight into how the integrated system reduces the cost of developing and maintaining secure applications.
Running a High-Efficiency, High-Visibility Application Security Program with... (Denim Group)
This webinar demonstrates how organizations can use the ThreadFix application vulnerability resolution platform to improve vulnerability resolution time and protect applications with Prevoty's RASP technology.
Join Denim Group CTO and Principal Dan Cornell and Prevoty VP, Marketing and Product, Arpit Joshipura for a free webinar to learn more about these tools that can help application security teams.
This webinar provides an overview of how to use ThreadFix and Prevoty's RASP to run a high-efficiency, high-visibility application security program.
Create a Unified View of Your Application Security Program – Black Duck Hub a... (Denim Group)
Effective application security programs rely on multiple sources of vulnerability data: traditional static and dynamic testing, interactive testing, and manual and third-party testing. Unfortunately, many organizations fail to consider the impact of open source software use and reuse on their security posture. This webinar demonstrates how Black Duck Hub can identify security issues associated with open source usage and how ThreadFix’s correlation engine can provide a comprehensive view of an organization’s application security posture. In addition, the webinar demonstrates how ThreadFix’s HotSpot detection technology identifies security issues created by internally developed components, providing a complete view of both open source and proprietary component usage.
Clear AppSec Visibility with AppSpider and ThreadFix (Denim Group)
The evolution of application technology is measured in months, not years. The question for DevOps teams everywhere is how to gain full visibility into your application security testing program. Rapid7's AppSpider lets you collect the information needed to test all of your apps so that you aren’t left with gaping risks, and with DAST/SAST correlation in ThreadFix you gain end-to-end application security visibility. Join us to see how, together, ThreadFix and AppSpider provide organizations with a fully integrated view of their application security program.
What a locked down law firm looks like, updated (Denim Group)
This session will focus on real-world case studies and actionable next steps for security professionals looking to protect their firms and the sensitive client data they maintain.
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources (Denim Group)
Join us for a webinar to learn more about the capabilities available in the upcoming ThreadFix 2.4 release. See how teams are using ThreadFix to get more application testing done with fewer resources, secure their CI/CD pipelines and fix vulnerabilities faster.
ThreadFix 2.1 and Your Application Security Program (Denim Group)
ThreadFix allows security analysts to create a consolidated view of applications and vulnerabilities, prioritize application risk decisions based on data, and translate application vulnerabilities to developers in the tools they are already using.
This webinar examines how organizations can use ThreadFix 2.1 to help establish and scale their application security programs. Using a combination of demos and real-world examples, attendees will learn how to best use ThreadFix's capabilities to support their application security program.
See more at:
http://www.denimgroup.com/blog/denim_group/2014/12/threadfix-webinar-recording.html
http://threadfix.org
A New View of Your Application Security Program with Snyk and ThreadFix (Denim Group)
Snyk continuously monitors your application’s dependencies and lets you quickly respond when new vulnerabilities are disclosed. ThreadFix allows organizations to gain true visibility into your project’s security posture by cross-referencing results on an app from multiple sources (SCA, SAST, DAST, etc.), ultimately enabling better prioritization, while Snyk focuses on remediation at the source with automated fix pull requests. Join us to see how, together, Snyk and ThreadFix can enhance application security and prevent risks while preserving development scale and speed.
Running a Software Security Program with Open Source Tools (Course) (Denim Group)
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, Brakeman, Agnitio, w3af, OWASP Zed Attack Proxy (ZAP), gauntlt, and ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.
Why Java Server App Security Should Be Keeping You up at Night
The success of Java in the enterprise has made it a popular target for attacks via SQL injection, zero-day malware and unpatched vulnerabilities. Join Waratek to hear why traditional approaches to application protection, including vulnerability analysis, coding best practices and network security appliances, are unable to keep up with Java threats. You’ll learn about a new approach that Gartner calls Runtime Application Self-Protection (RASP), which protects Java server applications from the inside out by putting security in the Java Virtual Machine.
Waratek Securing Red Hat JBoss from the Inside Out (Waratek Ltd)
The Waratek security plugin hardens legacy and current Java Runtimes, the JBoss application server and the application itself by adding security features and benefits across the full application stack.
ThreadFix 2.2 Preview Webinar with Dan Cornell (Denim Group)
ThreadFix allows security analysts to create a consolidated view of applications and vulnerabilities, prioritize application risk decisions based on data, and translate application vulnerabilities to developers in the tools they are already using. This webinar examines how organizations can use ThreadFix 2.2 to help establish and scale their application security programs. Using a combination of demos and real-world examples, attendees will learn how to best use ThreadFix's capabilities to support their application security program.
Topics will include:
Consolidating application vulnerability data by integrating SAST, DAST and now IAST and component lifecycle management results into a single dashboard
Managing application risk with ThreadFix’s completely overhauled vulnerability analytics and reporting as well as GRC integration capabilities
Ramping up application penetration testing with the updated ThreadFix ZAP and Burp plugins, featuring integrated Hybrid Analysis Mapping
Communicating security risks to development managers via SonarQube integration
Managing Your Application Security Program with the ThreadFix Ecosystem (Denim Group)
ThreadFix is an open source application vulnerability management system that helps automate many common application security tasks and integrate security and development tools. This tutorial will walk through the capabilities of the ecosystem of ThreadFix applications, showing how ThreadFix can be used to:
• Manage a risk-ranked application portfolio
• Consolidate, normalize and de-duplicate the results of DAST, SAST and other application security testing activities and track these results over time to produce trending and mean-time-to-fix reporting
• Convert application vulnerabilities into software defects in developer issue tracking systems
• Pre-seed DAST scanners such as OWASP ZAP with application attack surface data to allow for better scan coverage
• Instrument developer Continuous Integration (CI) systems such as Jenkins to automatically collect security test data
• Map the results of DAST and SAST scanning into developer IDEs
The presentation walks through these scenarios and demonstrates how ThreadFix, along with other open source tools, can be used to address common problems faced by teams implementing software security programs. It will also provide insight into the ThreadFix development roadmap and upcoming enhancements.
Building an AppSec Pipeline: Keeping your program, and your life, sane (weaveraaaron)
Are you currently running an AppSec program? AppSec programs fall into an odd middle ground: highly technical interactions with the dev and ops teams, yet a practical business focus is required as you go up the org chart. How can you keep your far too small team efficient while making sure you meet the needs of the business, all while catching vulnerabilities as early and often as possible?
The AppSec team and the business created an AppSec Pipeline to handle the workflow. The pipeline starts with “Bag of Holding”, an open source web application that helps automate and streamline the activities of your AppSec team. At the end of the pipeline is ThreadFix, which manages the findings from all sources. Finally, we incorporated a chatbot to tie all the information together in one place.
Structuring and Scaling an Application Security Program (Denim Group)
Most organizations understand that the software they develop and deploy exposes them to risk from attackers. However, the scope of the problem can be daunting. This talk looks at challenges organizations face when trying to structure and scale their application security programs and at strategies leading organizations have adopted to help make them successful. Using OWASP's Open Software Assurance Maturity Model (OpenSAMM), the presentation looks at how development teams can plan to design and build applications securely via secure coding training, security requirements and threat modeling, and how security teams can help evaluate the security of what development teams have produced via automated scanning as well as manual testing. In addition, the presentation discusses how both security and development teams can prepare to respond to issues that will inevitably arise so that they can most effectively diagnose and correct issues in a timely manner.
Mobile Application Assessment - Don't Cheat Yourself (Denim Group)
See the video - http://youtu.be/V5a6DkSZn8E
Too often, organizations looking to address mobile application security risks cheat themselves by myopically scanning only the software living on the device. Unfortunately, this ignores the fact that security issues can exist in code deployed on the device, in corporate web services backing the device, in any third party supporting services as well as in the interactions between any of these components.
By analyzing the data from a large body of mobile application security assessments, this webinar characterizes the most common and most damaging mobile application security vulnerabilities as well as where these vulnerabilities are found and the testing activities that identified them.
Attendees will walk away with a better understanding of the scope of potential mobile application security issues as well as statistics to help them better craft mobile application security programs.
Empowering Application Security Protection in the World of DevOps (IBM Security)
Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools.
What can development teams do to keep pace with rapidly-evolving application security threats?
The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks.
In this session, you will learn:
- New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments.
- Best practices for designing and incorporating an automated approach to application security into your existing development environment.
- Future development and application security challenges organizations will face and what they can do to prepare.
This webinar looks at the new features included in the upcoming 2.3 release of ThreadFix that help organizations secure their DevOps initiatives. These include greatly expanded Scan Orchestration capabilities to support ThreadFix's use in Continuous Integration/Continuous Delivery (CI/CD) environments, as well as tighter integrations with developer tools to reduce the effort and time required for vulnerability remediation. We will also highlight generous contributions from the ThreadFix community from organizations such as Pearson and Samsung.
SecDevOps: Development Tools for Security Pros (Denim Group)
Security teams deal in penetration tests and vulnerabilities; development teams deal in software defects, scrums and sprints. For the security professional, failing to understand how development teams work and the tools they use means that the vulnerabilities they identify will be hard to get remediated. This becomes an even greater issue as organizations roll out DevOps practices to gain efficiency and responsiveness. This presentation walks through the tools and processes development teams use to manage their workload, accomplish their goals and track their success, and lays out ways security teams can better interface with developers to influence their priorities. The major tools discussed are defect trackers, integrated development environments (IDEs), continuous integration (CI) systems and metric tracking, with demonstrations given using open source examples of each. The presentation concludes with examples of healthy interaction patterns between security and development teams, as well as interactions that lead to less healthy and less productive relationships.
Running a Software Security Program with Open Source Tools (Denim Group)
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely available tools that can be used to help implement the activities involved in such a program.
The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on exposure to a variety of freely-available tools that they can use to implement portions of these programs.
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel... (Denim Group)
A web application’s attack surface is the combination of URLs it will respond to as well as the inputs to those URLs that can change the behavior of the application. Understanding an application’s attack surface is critical to being able to provide sufficient security test coverage, and by watching an application’s attack surface change over time security and development teams can help target and optimize testing activities. This presentation looks at methods of calculating web application attack surface and tracking the evolution of attack surface over time. In addition, it looks at metrics and thresholds that can be used to craft policies for integrating different testing activities into Continuous Integration / Continuous Delivery (CI/CD) pipelines for teams integrating security into their DevOps practices.
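The attack-surface definition above (URLs plus the inputs that change their behaviour) is concrete enough to compute and diff between builds, which is what a CI/CD gate needs. The following is an added example of that calculation, not code from the presentation. The route manifests, the threshold values and the three-way scan decision are assumptions chosen to illustrate the policy idea; a real implementation would read the framework's route table or an OpenAPI document, and the thresholds would be tuned per application.

```python
import re

# Constructed route manifests for three successive builds of one application.
# The shape (path, methods, params) is an assumption; a real source would be the
# framework's route table or an OpenAPI document.
ROUTES_V1 = [
    {"path": "/login", "methods": ["GET", "POST"], "params": ["username", "password"]},
    {"path": "/users/{id}", "methods": ["GET"], "params": []},
    {"path": "/search", "methods": ["GET"], "params": ["q"]},
]
ROUTES_V2 = [
    {"path": "/login", "methods": ["GET", "POST"], "params": ["username", "password"]},
    {"path": "/users/{id}", "methods": ["GET"], "params": []},
    {"path": "/search", "methods": ["GET"], "params": ["q", "sort"]},
    {"path": "/admin/export", "methods": ["POST"], "params": ["format"]},
]
ROUTES_V3 = [
    {"path": "/login", "methods": ["GET", "POST"], "params": ["username", "password"]},
    {"path": "/users/{id}", "methods": ["GET"], "params": ["fields"]},
    {"path": "/search", "methods": ["GET"], "params": ["q", "sort"]},
    {"path": "/admin/export", "methods": ["POST"], "params": ["format"]},
]


def attack_surface(routes):
    """Attack surface as a set of (method, path, input) triples.

    Path placeholders such as {id} count as inputs; an endpoint with no inputs
    is kept as (method, path, None) so it still counts as reachable.
    """
    surface = set()
    for r in routes:
        inputs = set(r["params"]) | set(re.findall(r"\{(\w+)\}", r["path"]))
        for method in r["methods"]:
            if not inputs:
                surface.add((method, r["path"], None))
            for name in inputs:
                surface.add((method, r["path"], name))
    return surface


def diff_surface(old, new):
    """Describe how the attack surface changed between two builds."""
    old_endpoints = {(m, p) for m, p, _ in old}
    new_endpoints = {(m, p) for m, p, _ in new}
    return {
        "endpoints_added": sorted(new_endpoints - old_endpoints),
        "endpoints_removed": sorted(old_endpoints - new_endpoints),
        # new inputs on endpoints that already existed in the previous build
        "inputs_added": sorted(t for t in new - old
                               if (t[0], t[1]) in old_endpoints and t[2] is not None),
        # fraction of the previous surface that changed in either direction
        "change_ratio": len(old ^ new) / max(len(old), 1),
    }


def scan_policy(diff, full_scan_ratio=0.25):
    """Pick the testing activity a CI/CD gate should run for this change.

    The threshold is an illustrative assumption, not a recommended value.
    """
    if diff["endpoints_added"] or diff["change_ratio"] >= full_scan_ratio:
        return "full"        # untested code paths: run the complete DAST scan
    if diff["inputs_added"]:
        return "targeted"    # rescan only the endpoints whose inputs changed
    return "skip"            # surface unchanged (e.g. a refactor): no rescan


if __name__ == "__main__":
    v1, v2 = attack_surface(ROUTES_V1), attack_surface(ROUTES_V2)
    d = diff_surface(v1, v2)
    print(d, scan_policy(d))
```

The policy in `scan_policy` is the part worth arguing about in your own pipeline: a brand-new endpoint has never been exercised by any scanner, so it forces a full scan regardless of size, whereas a new parameter on an existing endpoint can be covered by rescanning that endpoint alone, and a build whose surface did not change at all need not block on DAST.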
Using ThreadFix to Manage Application Vulnerabilities (Denim Group)
ThreadFix is an open source software vulnerability aggregation and management system that reduces the time it takes to fix software vulnerabilities. It imports the results from dynamic, static and manual testing to provide a centralized view of software security defects across development teams and applications. The system allows organizations to correlate testing results and streamline software remediation efforts by simplifying feeds to software issue trackers. This presentation will walk through the major functionality in ThreadFix and describe several common use cases such as merging the results of multiple open source and commercial scanning tools and services. It will also demonstrate how ThreadFix can be used to track the results of scanning over time and gauge the effectiveness of different scanning techniques and technologies. Finally it will provide examples of how tracking assurance activities across an organization’s application portfolio can help the organization optimize remediation activities to best address risks associated with vulnerable software.
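Both the ThreadFix ecosystem tutorial above (consolidate, normalize and de-duplicate DAST and SAST results, then track them over time for trending and mean-time-to-fix reporting) and this description (merge results from multiple scanners and gauge them over time) come down to the same mechanics: adapt each tool's output to a common shape, key findings by what they actually are rather than by which tool reported them, and decide when a finding is fixed. The following is an added illustration of those mechanics, not ThreadFix's implementation. The two export formats, the field names and the dates are constructed assumptions. The one edge case it deliberately handles is the one that produces false "fixed" counts in practice: a finding must only be closed when a tool that previously reported it stops reporting it, because its absence from a tool that never detected it means nothing.

```python
from datetime import date
from statistics import mean
from urllib.parse import urlparse

# Constructed scan exports from two DAST tools with different field names.
# The field names are illustrative, not the tools' real export formats.
SCANS = [
    {"tool": "zap", "date": "2024-01-05", "findings": [
        {"cweid": "79", "url": "https://app.example/search?q=1", "param": "q"},
        {"cweid": "89", "url": "https://app.example/login", "param": "username"},
    ]},
    {"tool": "burp", "date": "2024-01-12", "findings": [
        {"cwe": 79, "path": "/search", "parameter": "q"},
        {"cwe": 22, "path": "/download", "parameter": "path"},
    ]},
    {"tool": "zap", "date": "2024-01-26", "findings": [
        {"cweid": "89", "url": "https://app.example/login", "param": "username"},
    ]},
    {"tool": "burp", "date": "2024-02-09", "findings": []},
]


def _norm_path(path):
    return (path.rstrip("/") or "/").lower()


def normalize_zap(f):
    return {"cwe": int(f["cweid"]), "path": _norm_path(urlparse(f["url"]).path),
            "param": f.get("param") or None}


def normalize_burp(f):
    return {"cwe": int(f["cwe"]), "path": _norm_path(f["path"]),
            "param": f.get("parameter") or None}


# One adapter per tool; adding a scanner means adding one function here.
ADAPTERS = {"zap": normalize_zap, "burp": normalize_burp}


def vuln_key(n):
    """Identity used to de-duplicate: same weakness class, location and input."""
    return (n["cwe"], n["path"], n["param"])


def merge_scans(scans):
    """Fold scans, in date order, into one vulnerability record per key.

    A vulnerability is closed only when a tool that previously reported it
    stops reporting it; absence from a tool that never saw it is ignored.
    """
    vulns = {}
    for scan in sorted(scans, key=lambda s: s["date"]):
        day = date.fromisoformat(scan["date"])
        present = set()
        for raw in scan["findings"]:
            key = vuln_key(ADAPTERS[scan["tool"]](raw))
            present.add(key)
            v = vulns.setdefault(key, {"first_seen": day, "last_seen": day,
                                       "tools": set(), "closed": None})
            v["last_seen"] = day
            v["tools"].add(scan["tool"])
            v["closed"] = None          # seen again: reopen if it had been closed
        for key, v in vulns.items():
            if key not in present and v["closed"] is None and scan["tool"] in v["tools"]:
                v["closed"] = day
    return vulns


def report(vulns):
    """Open/closed counts and mean time to fix in days over closed findings."""
    closed = [v for v in vulns.values() if v["closed"] is not None]
    return {
        "open": len(vulns) - len(closed),
        "closed": len(closed),
        "mttf_days": mean((v["closed"] - v["first_seen"]).days for v in closed) if closed else None,
    }


if __name__ == "__main__":
    merged = merge_scans(SCANS)
    for key, v in merged.items():
        print(key, sorted(v["tools"]), v["first_seen"], v["closed"])
    print(report(merged))
```

On the constructed data the reflected XSS reported by both tools collapses to a single record, the SQL injection that only one tool ever saw stays open even though the other tool's scans never list it, and mean time to fix is computed from first sighting to the first clean scan by a tool that had previously reported the finding.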
Mobile Application Assessment By the Numbers: a Whole-istic View (Denim Group)
Typically, mobile application assessments myopically test only the software living on the device. However, the code deployed on the device, the corporate web services backing the device and any third-party supporting services must be tested “whole-istically”, including the interactions between these components, to reach an acceptable level of software assurance for mobile applications.
ThreadFix 2.1 and Your Application Security ProgramDenim Group
ThreadFix allows security analysts to create a consolidated view of applications and vulnerabilities, prioritize application risk decisions based on data, and translate application vulnerabilities to developers in the tools they are already using.
This webinar examines how organizations can use ThreadFix 2.1 to help establish and scale their application security programs. Using a combination of demos and real-world examples, attendees will learn how to best use ThreadFix's capabilities to support their application security program.
See more at:
http://www.denimgroup.com/blog/denim_group/2014/12/threadfix-webinar-recording.html
http://threadfix.org
A New View of Your Application Security Program with Snyk and ThreadFixDenim Group
Snyk continuously monitors your application’s dependencies and lets you quickly respond when new vulnerabilities are disclosed. Threadfix allows organizations to gain true visibility into a your project’s security posture by cross referencing results on an app from multiple sources (SCA, SAST, DAST, etc.), ultimately enabling better prioritization, while Snyk focuses on remediation at the source with the automated fix pull requests. Join us to see how, together, Snyk and ThreadFix can enhance application security and prevent risks, while preserving development scale and speed.
Running a Software Security Program with Open Source Tools (Course)Denim Group
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, Brakeman, Agnitio, w3af, OWASP Zed Attack Proxy (ZAP), gauntlt, and ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.
Why Java Server App Security Should Be Keeping You up at Night
The success of Java in the enterprise has made it a popular target for cyber attacks via SQL Injection, zero day malware and un-patched vulnerabilities. Join Waratek to hear why traditional approaches to application protection including vulnerability analysis, coding best practices and network security appliances are unable to keep up with Java threats. You’ll learn about a new approach that Gartner calls Run-time Application Self Protection or RASP, which protects Java server applications from the inside out by putting security in the Java Virtual Machine.
Waratek Securing Red Hat JBoss from the Inside OutWaratek Ltd
The Waratek security plugin hardens legacy and current Java
Runtime, the JBoss application server and the Application itself by
adding security features and benefits across the full application
stack.
ThreadFix 2.2 Preview Webinar with Dan CornellDenim Group
ThreadFix allows security analysts to create a consolidated view of applications and vulnerabilities, prioritize application risk decisions based on data, and translate application vulnerabilities to developers in the tools they are already using. This webinar examines how organizations can use ThreadFix 2.2 to help establish and scale their application security programs. Using a combination of demos and real-world examples, attendees will learn how to best use ThreadFix's capabilities to support their application security program.
Topics will include:
Consolidating application vulnerability data by integrating SAST, DAST and now IAST and component lifecycle management results into a single dashboard
Managing application risk with ThreadFix’s completely overhauled vulnerability analytics and reporting as well as GRC integration capabilities
Ramping up application penetration testing with the updated ThreadFix ZAP and Burp plugins, featuring integrated Hybrid Analysis Mapping
Communicating security risks to development managers via SonarQube integration
Managing Your Application Security Program with the ThreadFix EcosystemDenim Group
ThreadFix is an open source application vulnerability management system that helps automate many common application security tasks and integrate security and development tools. This tutorial will walk through the capabilities of the ecosystem of ThreadFix applications, showing how ThreadFix can be used to:
•Manage a risk-ranked application portfolio
•Consolidate, normalize and de-duplicate the results of DAST, SAST and other application security testing activities and track these results over time to produce trending and mean-time-to-fix reporting
•Convert application vulnerabilities into software defects in developer issue tracking systems
•Pre-seed DAST scanners such as OWASP ZAP with application attack surface data to allow for better scan coverage
•Instrument developer Continuous Integration (CI) systems such as Jenkins to automatically collect security test data
•Map the results of DAST and SAST scanning into developer IDEs
The presentation walks through these scenarios and demonstrates how ThreadFix, along with other open source tools, can be used to address common problems faced by teams implementing software security programs. It will also provide insight into the ThreadFix development roadmap and upcoming enhancements.
Building an AppSec Pipeline: Keeping your program, and your life, saneweaveraaaron
Are you currently running at AppSec program? AppSec programs fall into a odd middle ground; highly technical interactions with the dev and ops teams yet a practical business focus is required as you go up the org chart. How can you keep your far too small team efficient while making sure you meet the needs of the business all while making sure you’re catching vulnerabilities as early and often as possible?
The AppSec team and the business created an AppSec Pipeline to handle the work flow. The pipeline starts with “Bag of Holding”, an open source web application which helps automate and streamline the activities of your AppSec team. At the end of the pipeline is ThreadFix to manage all the findings from all the sources. Finally we incorporated a chatbot to tie all the information into one place.
Structuring and Scaling an Application Security Program (Denim Group)
Most organizations understand that the software they develop and deploy exposes them to risk from attackers. However, the scope of the problem can be daunting. This talk looks at challenges organizations face when trying to structure and scale their application security programs and looks at strategies leading organizations have adopted to help make them successful. Using OWASP's Open Software Assurance Maturity Model (OpenSAMM), the presentation looks at how development teams can plan to design and build applications securely via secure coding training, security requirements and threat modeling, and how security teams can help evaluate the security of what development teams have produced via automated scanning as well as manual testing. In addition, the presentation discusses how both security and development teams can prepare to respond to issues that will inevitably arise so that they can most effectively diagnose and correct issues in a timely manner.
Mobile Application Assessment - Don't Cheat Yourself (Denim Group)
See the video - http://youtu.be/V5a6DkSZn8E
Too often, organizations looking to address mobile application security risks cheat themselves by myopically scanning only the software living on the device. Unfortunately, this ignores the fact that security issues can exist in code deployed on the device, in corporate web services backing the device, in any third party supporting services as well as in the interactions between any of these components.
By analyzing the data from a large body of mobile application security assessments, this webinar characterizes the most common and most damaging mobile application security vulnerabilities as well as where these vulnerabilities are found and the testing activities that identified them.
Attendees will walk away with a better understanding of the scope of potential mobile application security issues as well as statistics to help them better craft mobile application security programs.
Empowering Application Security Protection in the World of DevOps (IBM Security)
Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools.
What can development teams do to keep pace with rapidly-evolving application security threats?
The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks.
In this session, you will learn:
- New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments.
- Best practices for designing and incorporating an automated approach to application security into your existing development environment.
- Future development and application security challenges organizations will face and what they can do to prepare.
This webinar looks at the new features included in the upcoming 2.3 release of ThreadFix that help organizations secure their DevOps initiatives. These include greatly expanded Scan Orchestration capabilities to support ThreadFix's use in Continuous Integration/Continuous Development (CI/CD) environments as well as tighter integrations with developer tools to reduce the effort and time required for vulnerability remediation. We will also highlight generous contributions from the ThreadFix community from organizations such as Pearson and Samsung.
SecDevOps: Development Tools for Security Pros (Denim Group)
Security teams deal in penetration tests and vulnerabilities, and development teams deal in software defects, scrums and sprints. For the security professional, a failure to understand the way that development teams work and the tools that they use means that the security vulnerabilities they identify will be hard to get remediated. This becomes an even greater issue as organizations try to roll out DevOps practices to gain greater efficiencies and responsiveness. This presentation walks through the tools and processes that development teams use to manage their workload, accomplish their goals, and track their success, and lays out ways that security teams can better interface with developers to more successfully influence their priorities. The major tools discussed include defect trackers, integrated development environments (IDEs), continuous integration (CI) systems and metric tracking, and demonstrations are given using open source examples of each. The presentation concludes with examples of healthy interaction patterns for security and development teams as well as interactions that lead to less healthy and less productive relationships.
Running a Software Security Program with Open Source Tools (Denim Group)
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely available tools that can be used to help implement the activities involved in such a program.
The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on exposure to a variety of freely-available tools that they can use to implement portions of these programs.
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel... (Denim Group)
A web application’s attack surface is the combination of URLs it will respond to as well as the inputs to those URLs that can change the behavior of the application. Understanding an application’s attack surface is critical to being able to provide sufficient security test coverage, and by watching an application’s attack surface change over time security and development teams can help target and optimize testing activities. This presentation looks at methods of calculating web application attack surface and tracking the evolution of attack surface over time. In addition, it looks at metrics and thresholds that can be used to craft policies for integrating different testing activities into Continuous Integration / Continuous Delivery (CI/CD) pipelines for teams integrating security into their DevOps practices.
Using ThreadFix to Manage Application Vulnerabilities (Denim Group)
ThreadFix is an open source software vulnerability aggregation and management system that reduces the time it takes to fix software vulnerabilities. It imports the results from dynamic, static and manual testing to provide a centralized view of software security defects across development teams and applications. The system allows organizations to correlate testing results and streamline software remediation efforts by simplifying feeds to software issue trackers. This presentation will walk through the major functionality in ThreadFix and describe several common use cases such as merging the results of multiple open source and commercial scanning tools and services. It will also demonstrate how ThreadFix can be used to track the results of scanning over time and gauge the effectiveness of different scanning techniques and technologies. Finally it will provide examples of how tracking assurance activities across an organization’s application portfolio can help the organization optimize remediation activities to best address risks associated with vulnerable software.
Mobile Application Assessment By the Numbers: a Whole-istic View (Denim Group)
Typically, mobile application assessments myopically test only the software living on the device. However, the code deployed on the device, the corporate web services backing the device and any third party supporting services must be “whole-istically” tested, AS WELL AS the interactions between these components, to reach an acceptable level of software assurance for mobile applications.
Application Security Management with ThreadFix (Virtual Forge)
How to efficiently identify and remediate critical vulnerabilities in SAP and other Business Applications.
Vulnerabilities in individual applications harbor enormous risks for companies because they can be exploited by hackers to gain access to the corporate network and critical IT infrastructure such as SAP systems. An effective approach to application security management therefore must take the entire application portfolio of a company into consideration. It must evaluate critical vulnerabilities uniformly and must be capable of tracking their remediation, regardless of the programming language or the development environment used.
This approach is facilitated by ThreadFix, an open source software offered by Denim Group. In our webinar APPLICATION SECURITY MANAGEMENT we show you:
- How you can scan your SAP and other business applications automatically for critical vulnerabilities
- How you can easily track the remediation of vulnerabilities with ThreadFix
- How you can accomplish important security and quality milestones more easily in your projects
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA... (Denim Group)
There are a number of reasons to use source code to assist in web application penetration testing, such as making better use of penetration testers’ time, providing penetration testers with deeper insight into system behavior, and highlighting specific sections of code so development teams can remediate vulnerabilities faster. Examples of these are provided using the open source ThreadFix plugin for the OWASP ZAP proxy and dynamic application security testing tool. These show opportunities attendees have to enhance their own penetration tests given access to source code.
This presentation covers the “ABCs” of source code assisted web application penetration testing: covering issues of attack surface enumeration, backdoor identification, and configuration issue discovery. Having access to the source lets an attacker enumerate all of the URLs and parameters an application exposes – essentially its attack surface. Knowing these allows pen testers greater application coverage during testing. In addition, access to source code can help to identify potential backdoors that have been intentionally added to the system. Comparing the results of blind spidering to a full attack surface model can identify items of interest such as hidden admin consoles or secret backdoor parameters. Finally, the presentation examines how access to source code can help identify configuration settings that may have an adverse impact on the security of the deployed application.
Monitoring Attack Surface to Secure DevOps Pipelines (Denim Group)
A web application’s attack surface is the combination of URLs it will respond to as well as the inputs to those URLs that can change the behavior of the application. Understanding an application’s attack surface is critical to being able to provide sufficient security test coverage, and by watching an application’s attack surface change over time security and development teams can help target and optimize testing activities. This presentation looks at methods of calculating web application attack surface and tracking the evolution of attack surface over time. In addition, it looks at metrics and thresholds that can be used to craft policies for integrating different testing activities into Continuous Integration / Continuous Delivery (CI/CD) pipelines for teams integrating security into their DevOps practices.
ABAP Quality Benchmark: An Analysis of Over 200 SAP Installations (Virtual Forge)
Virtual Forge has carried out a comprehensive quality study of custom ABAP developments at SAP customers. All of the custom-written source code from more than 200 SAP installations at companies across a wide range of industries and countries was examined.
Andreas Wiegenstein of Virtual Forge presented the results of the study in his talk on 30 April 2015 at the iqnite conference in Düsseldorf.
The survey is statistically representative, so its findings can be generalized to all companies that use SAP. This lets participants infer which ABAP quality challenges their own companies can expect to face and will need to master.
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge... (Denim Group)
Developers want to write code and security testers want to break it and both groups have specialized tools supporting these goals. The problem is – security testers need to know more about application code to do better testing and developers need to be able to quickly address problems found by security testers. This presentation looks at both groups and their respective toolsets and explores ways they can help each other out.
Two different interactions are examined:
• How can knowledge of code make application scanning better?
• How can application scan results be mapped back to specific lines of code?
Using open source examples built on OWASP ZAP, ThreadFix and Eclipse, the presentation walks through the process of seeding web application scans with knowledge gleaned from code analysis as well as the mapping of dynamic scan results to specific lines of code. The end result is a combination of testing and remediation workflows that help both security testers and software developers be more effective. Particular attention is given to Java/JSP applications and Java/Spring applications and how teams using these frameworks can best benefit from these interactions.
Shifting Left…AND Right to Ensure Full Application Security Coverage (DevOps.com)
Web Applications continue to be one of the primary attack vectors that lead to breaches within organizations all over the world. As more and more organizations adopt DevOps and CI/CD workflows, there has been an added push to shift security testing to earlier stages in the software development lifecycle. Finding flaws earlier can save precious time as release cycles become faster, however, what happens once an application is running? With the ever-changing threat landscape that organizations function in today, even an application initially developed as securely as possible can become vulnerable over time as attackers uncover new ways to exploit weaknesses. Organizations that fail to test their running web applications risk missing exploitable vulnerabilities that could lead to a breach.
In this webinar, product leaders from CA Veracode will discuss the importance of performing Dynamic Application Security Testing (DAST) on web applications during the testing and QA phases to catch exploitable vulnerabilities before release that static testing alone cannot find. They will also discuss how establishing a recurring schedule of DAST scans on your running web applications can help your organization discover new vulnerabilities and help you reduce your risk of a breach.
Desktop Software Asset Management – Today and Tomorrow (Flexera)
Many mid-size organizations are facing the challenge of managing and optimizing the licensing for their desktop environments. The goals are to maintain license compliance/reduce audit risk, maximize utilization of assets, and control costs. Today, that typically means managing mostly on-premises software, with some Software as a Service (SaaS) applications thrown into the mix. And, of course, managing Microsoft licensing and contracts is the number one challenge. Going forward, many organizations are planning on making the move to the cloud and Office 365. What does it take to be ready?
Enabling Developers in Your Application Security Program With Coverity and Th... (Denim Group)
Developers need to move quickly and efficiently. Coverity’s speed, accuracy, ease of use, and scalability meet the needs of even the largest, most complex environments. ThreadFix allows you to centralize all test and vulnerability data in one place so your software security team can spend less time on manually correlating results and more time focusing on higher-level risk decisions. Join us to get a firsthand look at how Coverity and ThreadFix arm development teams with the tools they need to advance security programs in real time.
Assessing Business Operations Risk With Unified Vulnerability Management in T... (Denim Group)
For almost 10 years, ThreadFix has been the preeminent solution for managing your application vulnerabilities. In that time, it has grown from that initial correlation and reporting engine which brought your SAST and DAST vulnerabilities together, into a developer-integrated, CI/CD-enabling management platform. Deployed and used in Fortune 100 companies ranging from entertainment to banking to health care, in addition to some of the largest organizations within the Federal Government, ThreadFix now helps organizations correlate and prioritize risk across their applications and the network infrastructure that supports them.
Join us as we debut the largest update to the ThreadFix platform to date, ThreadFix 3.0. Featuring new network vulnerability management tools, a new containerized microservices architecture, and a new user interface, ThreadFix 3.0 is the solution for comprehensive and correlated risk-based reporting on your entire portfolio of applications and infrastructure assets.
Application Asset Management with ThreadFix (Denim Group)
Too many organizations have an incomplete picture of their application portfolios. Because you cannot protect attack surfaces that you don’t know about, this leaves those organizations vulnerable. In this webinar, we will cover the capabilities that ThreadFix has to allow security teams to manage their application asset portfolios. We will also take a deeper dive into several tools such as nmap and OWASP Amass that can help security analysts better enumerate all of the applications in their organization’s portfolio.
The Netsparker Web Application #Security #Scanners employ a unique and dead-accurate vulnerability scanning technology that automatically verifies the vulnerabilities by producing a proof of exploit.
Discover how Netsparker finds security flaws in websites, applications and services and protects the whole system in 3 clicks.
Softprom by ERC is the official value-added #distributor of #Netsparker in Europe.
Deploying Secure Modern Apps in Evolving Infrastructures (SBWebinars)
Software development is changing. It is now measured in days instead of months. Microservice architectures are preferred over monolithic centralized app architecture, and cloud is the preferred environment over hardware that must be owned and maintained.
In this webinar, we examine how these new software development practices have changed web application security and review a new approach to protecting assets at the web application layer.
Attendees will learn:
The changes in development models, architecture designs, and infrastructure
How these changes necessitate a new approach to web application security
How development teams can effectively stay secure at the speed of DevOps
How to Integrate AppSec Testing into your DevOps Program (Denim Group)
During this live webinar, IBM & Denim Group join forces to demonstrate how Application Security Testing can be integrated with DevOps methodologies to identify and remediate high-risk vulnerabilities quickly, with minimal overhead.
Specifically, we’ll discuss how you can integrate Dynamic Application Security Testing (DAST) using IBM AppScan Enterprise REST API into a DevOps CI/CD pipeline, which helps you to automatically identify high-risk vulnerabilities within web applications and web services. We’ll also show how using Denim Group’s ThreadFix offering with AppScan Enterprise allows for seamless integration with typical DevOps tool-sets, in order to further reduce the overhead associated with AppSec testing within the SDLC.
Windows 10 Rapid Release Management - Featuring Adaptiva (Flexera)
Flexera Software and Adaptiva discuss changes taking place in the enterprise infrastructure that are requiring IT practitioners to change the way they think about updates like Windows 10, including:
Automating the update process
“Future-proofing” to stay ready for future updates
Reducing risks throughout the enterprise application portfolio
Secure Code review - Veracode SaaS Platform - Saudi Green Method (Salil Kumar Subramony)
Veracode provides the world’s leading Application Risk Management Platform. Veracode's patented and proven cloud-based capabilities allow customers to govern and mitigate software security risk across a single application or an enterprise portfolio with unmatched simplicity. Veracode was founded with one simple mission in mind: to make it simple and cost-effective for organizations to accurately identify and manage application security risk.
With that in mind, here are the 10 best DevSecOps tools for 2023 so you can get started on the right foot with the latest and greatest techniques. https://bit.ly/3Fd295g
This session addresses the technology challenges of continuous security testing to “deliver securely,” and discusses best practices and tooling based on first-hand experience in both enterprise and startup environments.
Presentation I just finished creating for Denim Group, my client's new vulnerability management platform launch. We've gotten over 10 articles so far and several analyst quotes!
Protect your data in any Cloud and Web service in a unified way (Cristian Garcia G.)
Today, an average of more than 1000 Cloud applications are in use at each company, of which 98% are categorized as “Shadow IT”, meaning that IT management does not control them.
Furthermore, 80% of the information leaving companies is shared using Cloud applications. And more than 50% of the access to and use of Cloud applications takes place from outside corporate networks.
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr... (Denim Group)
This webinar takes a dive into the biggest features and benefits in the latest ThreadFix release and the evolving feature set. We will focus on ThreadFix’s new capabilities, including - managing internal penetration testing teams with ThreadFix, tracking vulnerability time to live policies, as well as a host of additional enhancements.
In its aftermath, Log4j vulnerabilities put the spotlight on vendor management and supply chain security practices. Now that the dust has settled and the worst of the fallout has passed, this talk presents perspectives on likely mid- and long-term changes that the security industry will see as a result of dealing with the Log4j issue as the latest in an escalating series of open source and software supply chain incidents.
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ... (Denim Group)
The SolarWinds attack brought additional scrutiny to software supply chain security, but concerns about organizations’ software supply chains have been discussed for a number of years. Development organizations’ shift to DevOps or DevSecOps has pushed teams to adopt new technologies in the build pipeline – often hosted by 3rd parties. This has resulted in build pipelines that expose a complicated and often uncharted attack surface. In addition, modern products also incorporate code from a variety of contributors – ranging from in-house developers and 3rd party development contractors to an array of open source contributors.
This talk looks at the challenge of developing secure build pipelines. This is done via the construction of a threat model for an example software build pipeline that walks through how the various systems and communications along the way can potentially be misused by malicious actors. Coverage of the major components of a build pipeline – source control, open source component management, software builds, automated testing, and packaging for distribution – is used to enumerate the likely attack surface exposed via the build process and to highlight potential controls that can be put in place to harden the pipeline against attacks. The presentation is intended to be useful both for evaluating internal build processes as well as to support the evaluation of critical external vendors’ processes.
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale (Denim Group)
Businesses are driving development teams to build, test and deliver app innovations faster and faster, while attackers continue to grow in sophistication and complexity. To protect the business, dev and security teams are deploying multiple app/network/OSS security testing tools, internal & 3rd party manual assessments, and other processes which in turn drives an exponential spike in volume of issues to analyze, correlate, triage, route and repair. Facing this data deluge, DevSecOps teams are turning to automation of mobile app security testing and orchestration of vulnerability management for speed and scale. Join Brian Reed, Chief Mobility Officer of NowSecure and Dan Cornell, Co-Founder and CTO of Denim Group in this best practices session to learn how to drive efficiencies in team and pipeline performance at scale.
Title:
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Abstract:
With all the focus on DevSecOps and integrating security into Continuous Integration/Continuous Delivery (CI/CD) pipelines, some teams may be lured into thinking that the entirety of a Software Security Assurance (SSA) program can be baked into these pipelines. While integrating security into CI/CD offers many benefits, it is critical to understand that a full SSA program encompasses a variety of activities – many of which are incompatible with run time restrictions and other constraints imposed by these pipelines. This webinar looks at the breadth of activities involved in a mature SSA program and steps through the aspects of a program that can be realistically included in a pipeline, as well as those that cannot. It also reviews how these activities and related tooling have evolved over time as the application security discipline has matured and as development teams started to focus on cloud-native development techniques and technologies.
Speaker:
Dan Cornell
Bio:
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program (Denim Group)
With all the focus on DevSecOps and integrating security into Continuous Integration/Continuous Delivery (CI/CD) pipelines, some teams may be lured into thinking that the entirety of a Software Security Assurance (SSA) program can be baked into these pipelines. While integrating security into CI/CD offers many benefits, it is critical to understand that a full SSA program encompasses a variety of activities – many of which are incompatible with run time restrictions and other constraints imposed by these pipelines. This webinar looks at the breadth of activities involved in a mature SSA program and steps through the aspects of a program that can be realistically included in a pipeline, as well as those that cannot. It also reviews how these activities and related tooling have evolved over time as the application security discipline has matured and as development teams started to focus on cloud-native development techniques and technologies.
Using Collaboration to Make Application Vulnerability Management a Team Sport (Denim Group)
Vulnerability management - especially application vulnerability management - is a challenging business function because it crosses disciplinary boundaries. Security teams find and adjudicate vulnerabilities, DevOps and server ops teams have to fix them, and GRC teams need to be kept apprised of status and progress. As has always been the case - but especially in a necessarily remote work environment - collaboration is key to making these business functions operate efficiently and effectively. This webinar looks at common bottlenecks that snarl vulnerability remediation workflows and discusses strategies to address these issues via collaboration. Examples are given of implementing these via the ThreadFix platform, but the strategies are universally applicable for vulnerability management professionals looking to streamline their vulnerability remediation workflows.
Security Champions: Pushing Security Expertise to the Edges of Your Organization (Denim Group)
Application security teams are outnumbered. Even in security-conscious environments, application developers often exceed application security professionals by a ratio of 100:1. In addition, the push for digital transformation is accelerating the pace of development – exacerbating these challenges. One technique forward-looking security teams have adopted to stay afloat is to deploy security champions into development teams throughout the organization. This webinar looks at different models for standing up security champion initiatives and relates Denim Group’s experiences helping organizations craft and staff these programs.
The As, Bs, and Four Cs of Testing Cloud-Native Applications (Denim Group)
Security assessments are a critical part of any security program. Being able to identify – and communicate about – vulnerabilities in systems is required to get vulnerabilities prioritized for remediation. For web and mobile applications, assessment methodologies are reasonably straightforward and established. However, for cloud-native applications, the combination of new technologies and architectural elements has introduced questions about how to scope, plan, and execute security assessments. This presentation looks at how the assessment landscape has changed with the introduction of cloud-native applications and explores how threat modeling is central to testing their security. In addition, the “Four C’s” conceptual model for looking at cloud-native application security is introduced, including a discussion of how both automated and manual testing methodologies can be used to accomplish assessment goals. Finally, vulnerability contextualization and reporting are discussed, so that teams running cloud-native application assessments can properly characterize the results of their efforts to aid in the prioritization and remediation of identified issues.
An Updated Take: Threat Modeling for IoT Systems - Denim Group
The Internet of Things (IoT) is an exciting and emerging area of technology allowing individuals and businesses to make radical changes to how they live their lives and conduct commerce. The challenge with this trend is that IoT devices are just computers with sensors running applications. Because IoT devices interact with our personal lives, the proliferation of these devices exposes an unprecedented amount of personal sensitive data to significant risk. In addition, IoT security is not only about the code running on the device: these devices are connected to systems that include supporting web services as well as other client applications that allow for management and reporting.
A critical step to understanding the security of any system is building a threat model. This helps to enumerate the components of the system as well as the paths that data takes as it flows through the system. Combining this information with an understanding of trust boundaries helps provide system designers with critical information to mitigate systemic risks to the technology and architecture.
This webinar looks at how Threat Modeling can be applied to IoT systems to help build more secure systems during the design process, as well as how to use Threat Modeling when testing the security of IoT systems.
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In... - Denim Group
The tempo for software delivery to the warfighter continues to accelerate to meet the goals and demands of their missions. Pressures to rapidly build and deploy mission software drive the need to deliver new capabilities via DevSecOps pipelines. Many of the latest leading-edge DevSecOps practices draw heavily from commercial tech companies and innovative programs across DoD like Kessel Run. What are these latest trends, and how do you take advantage of them? How do you quantify the risk of microservices, new languages and frameworks, and cloud environments and still obtain authority to operate (ATO)?
The ThreadFix platform has built-in automation and orchestration capabilities to enable your teams to provide immediate feedback in the form of policy evaluation, notifications in the form of emails and automated developer defect creation, and decision-making on your CI program as scan results are generated. In addition to built-in automation, plugins and the ThreadFix API enable CI programs to seamlessly integrate security testing into existing build/release pipelines to provide evaluation of code changes directly to your development tools.
These key issue items and other trends will be discussed in this highly interactive briefing, providing critical insights on how to inject agility and responsiveness into environments that have traditionally struggled to keep pace with modern development approaches.
AppSec in a World of Digital Transformation - Denim Group
The mandate for digital transformation is forcing companies to innovate faster in order to provide more value to customers and bring products and services to the market more quickly. Technological innovations such as the cloud, microservice architectures, and CI/CD pipelines are being adopted to support the increased pace of development and more easily address scaling requirements. This upheaval presents both risks and opportunities for security leaders. The successful leaders view this transition as a clean-slate opportunity to “get security right” and will restructure their teams and technologies to deeply embed security throughout the new tech stack. This session will cover emerging strategies that security leaders are using to ensure they keep up with this massive industry change.
Many organizations have only a passing understanding of the scope of their application portfolios and how these assets are exposed to the Internet and other potentially dangerous networks. This puts them in a risky situation where they have an attack surface that is unknown and unmanaged, often resulting in serious vulnerabilities being exposed indefinitely. This presentation looks at several tools and methods that can be used to enumerate enterprise application assets – including web applications, mobile applications, and web services. The discussion covers several open source application asset identification tools and compares their effectiveness. Finally, a framework for ongoing application asset discovery and enumeration is presented so that security managers can embark on a structured program to characterize their risk exposure due to their enterprise attack surface.
An OWASP SAMM Perspective on Serverless Computing - Denim Group
Serverless architectures enable organizations to build and deploy software and services without maintaining or provisioning any physical or virtual servers. They are an excellent choice for a wide range of services, and can scale elastically as cloud workloads grow, and as a result have become a popular architectural element for development teams. However, this new approach can have a significant impact on the security of systems, and many teams are not familiar with how to securely incorporate serverless elements into their architectures. Using the OWASP SAMM maturity model as a framework, this webinar walks through how teams adopting serverless computing can do so in a secure manner and consistent with their organization’s roadmap for maturing their application security posture.
Optimize Your Security Program with ThreadFix 2.7 - Denim Group
ThreadFix 2.7’s feature set represents the most significant expansion to the platform since ThreadFix was first released almost 10 years ago. This release bundles new application risk-ranking capabilities with the powerful new ability to receive a third-party assessment for any application managed within ThreadFix. Join us to see how your team’s capacity and capabilities can be instantly expanded through on-demand application security assessments delivered directly into your ThreadFix instance, adding Denim Group’s nearly two decades of application security experience to your team anytime you need it.
Application Security Testing for a DevOps Mindset - Denim Group
The cultural transition to DevOps is coming to organizations, and security teams must learn to adapt or be marginalized. Forward-thinking security teams will use this transition to their advantage and will reap the benefits of better and more frequent security insight into development cycles. By understanding the goals of development teams, security representatives can help to meaningfully include themselves in the development process and provide value through sensible risk management.
Reducing Attack Surface in Budget Constrained Environments - Denim Group
Sprawling networks, streaming vendor vulnerability updates, and an application portfolio that remains a mystery keep you up late wondering where your weakest link exists. Budget constraints make you wonder where to begin, given that the responsibility to protect your organization remains firmly on your shoulders. How do savvy leaders identify the most pressing exposures and prioritize their efforts given limited budgets? What are the strategies that sophisticated IT and security leaders pursue to identify the scariest vulnerabilities and fix them before attackers find them? This session will lay out actionable plans to immediately identify and reduce more of your organization’s attack surface.
UiPath Test Automation using UiPath Test Suite series, part 4 - DianaGray10
Welcome to the UiPath Test Automation using UiPath Test Suite series, part 4. In this session, we will cover a Test Manager overview along with the SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... - Ramesh Iyer
In today's fast-changing business world, companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership, and a willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Securing your Kubernetes cluster: a step-by-step guide to success! - KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Accelerate your Kubernetes clusters with Varnish Caching - Thijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... - BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 - Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview, including the concepts of Customer Key and Double Key Encryption.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality - Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure OpenAI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with a passion for technology and making things work, along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations on CI/CD and application security integrated into the software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.