How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps.
You’ll learn:
-New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments
-Best practices for designing and incorporating an automated approach to application security into your existing development environment
-Future development and application security challenges organizations will face and what they can do to prepare
Welcome & The State of Open Source SecurityJerika Phelps
This document summarizes information from a conference on open source software. It discusses trends showing that open source adoption continues to increase rapidly and is now essential to most development strategies. However, open source security and management practices have not kept pace. Many organizations do not have formal policies or processes to track, inventory, or remediate known open source vulnerabilities. Common vulnerabilities in widely used open source components continue to be exploited years later. The document outlines challenges but also the value that open source brings through reduced costs, accelerated innovation, and time to market. It concludes by emphasizing the need for sustained efforts to promote more secure use of open source.
The document summarizes Black Duck's position as a leader in software composition analysis and open source security. It highlights that [1] Virtually all Global 2000 companies use open source to run critical infrastructure, [2] Black Duck is recognized as the sole "Leader" in Forrester's software composition analysis landscape evaluation, and [3] Black Duck has a large knowledge base of open source projects, vulnerabilities, and license types to help customers identify security risks and compliance issues from open source use.
Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...Jerika Phelps
Learn how fast-growing authentication and mobile security solutions provider Entersekt leverages Black Duck Hub for competitive advantage by automating open source security risk management throughout the Software Development Lifecycle (SDLC)
Open Source: The Legal & Security Implications for the Connected CarJerika Phelps
Automobiles are becoming increasingly intelligent, automated and most importantly, Internet-connected. This will exacerbate a problem that already exists. Much of the software that binds sensors and other car hardware together comes from third-parties. That software almost certainly contains open source components with security vulnerabilities. Vulnerabilities in open source are particularly attractive to attackers, providing a target-rich environment that may have disastrous implications to a moving vehicle.
Open Source Insight:Container Tech, Data Centre Security & 2018's Biggest Se...Black Duck by Synopsys
Black Duck senior technology evangelist Tim Mackey talks containers this week at DevSecCon and elaborates on his presentation, “When Good Containers Go Bad,” with IT Pro, Cloud Pro and Data Centre News. Black Duck VP of Security Strategy Mike Pittenger shares his thoughts on the biggest security threat we face in 2018. Artifex and Hancom settle their long-running open source licensing dispute, and the hidden costs of open source security.
Read all the hottest open source security and cybersecurity news in this week’s Open Source Insight.
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Black Duck by Synopsys
We take a deep dive into security researchers Charlie Miller and Chris Valasek’s keynote at last week’s FLIGHT 2017 conference. What is “Hidden Cobra” and is it targeting US aerospace, telecommunications and finance industries? Both banks and the Pentagon are making big moves into open source. And why it’s smart to assume that every application is an on-premise application.
The best of November’s application security and open security news (so far) follows in this week’s edition of Open Source Insight.
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps.
You’ll learn:
-New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments
-Best practices for designing and incorporating an automated approach to application security into your existing development environment
-Future development and application security challenges organizations will face and what they can do to prepare
Welcome & The State of Open Source SecurityJerika Phelps
This document summarizes information from a conference on open source software. It discusses trends showing that open source adoption continues to increase rapidly and is now essential to most development strategies. However, open source security and management practices have not kept pace. Many organizations do not have formal policies or processes to track, inventory, or remediate known open source vulnerabilities. Common vulnerabilities in widely used open source components continue to be exploited years later. The document outlines challenges but also the value that open source brings through reduced costs, accelerated innovation, and time to market. It concludes by emphasizing the need for sustained efforts to promote more secure use of open source.
The document summarizes Black Duck's position as a leader in software composition analysis and open source security. It highlights that [1] Virtually all Global 2000 companies use open source to run critical infrastructure, [2] Black Duck is recognized as the sole "Leader" in Forrester's software composition analysis landscape evaluation, and [3] Black Duck has a large knowledge base of open source projects, vulnerabilities, and license types to help customers identify security risks and compliance issues from open source use.
Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...Jerika Phelps
Learn how fast-growing authentication and mobile security solutions provider Entersekt leverages Black Duck Hub for competitive advantage by automating open source security risk management throughout the Software Development Lifecycle (SDLC)
Open Source: The Legal & Security Implications for the Connected CarJerika Phelps
Automobiles are becoming increasingly intelligent, automated and most importantly, Internet-connected. This will exacerbate a problem that already exists. Much of the software that binds sensors and other car hardware together comes from third-parties. That software almost certainly contains open source components with security vulnerabilities. Vulnerabilities in open source are particularly attractive to attackers, providing a target-rich environment that may have disastrous implications to a moving vehicle.
Open Source Insight:Container Tech, Data Centre Security & 2018's Biggest Se...Black Duck by Synopsys
Black Duck senior technology evangelist Tim Mackey talks containers this week at DevSecCon and elaborates on his presentation, “When Good Containers Go Bad,” with IT Pro, Cloud Pro and Data Centre News. Black Duck VP of Security Strategy Mike Pittenger shares his thoughts on the biggest security threat we face in 2018. Artifex and Hancom settle their long-running open source licensing dispute, and the hidden costs of open source security.
Read all the hottest open source security and cybersecurity news in this week’s Open Source Insight.
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Black Duck by Synopsys
We take a deep dive into security researchers Charlie Miller and Chris Valasek’s keynote at last week’s FLIGHT 2017 conference. What is “Hidden Cobra” and is it targeting US aerospace, telecommunications and finance industries? Both banks and the Pentagon are making big moves into open source. And why it’s smart to assume that every application is an on-premise application.
The best of November’s application security and open security news (so far) follows in this week’s edition of Open Source Insight.
Black Duck Software provides products that help organizations automate securing and managing open source software to eliminate security vulnerabilities, license compliance issues, and operational risks. Black Duck is headquartered in Burlington, MA and has offices worldwide. Their products help secure applications from cyberattacks by managing open source vulnerabilities, which are a major risk for applications and can lead to costly security breaches if unaddressed.
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...Black Duck by Synopsys
Continuing a month of major announcements, Black Duck launched its new product, OpsSight — comprehensive, automated open source container security for production environments — at its FLIGHT 2017 user conference in Boston this week. Targeting the production phase of the software development life cycle, the initial release of OpsSight is optimized for Red Hat’s OpenShift Container Platform.
If you missed FLIGHT 2017, you can read all the news about OpsSight below, as well as stories on FLIGHT keynoters Charlie Miller and Chris Valasek’s presentation on why IoT insecurity is here to stay; the top 5 cybersecurity mistakes you need to avoid; the SEC prepares new cybersecurity guidelines; and security for the connected car
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...Black Duck by Synopsys
Black Duck is now a part of Synopsys, with the acquisition complete this week. Dr. Andreas Kuehlmann, General Manager of the Synopsys Software Integrity Group provides some background of how Synopsys and Black Duck joining forces will enhance the company’s efforts in the software security market by broadening our product offering and strengthening the Software Integrity Platform.
Tim Mackey, technical evangelist for Black Duck, tackles the tricky issue of container security. Mike Pittenger, vice president of security strategy for Black Duck, discusses open source security, the Equifax breach, OpenSSL and Heartbleed, and why a “software parts list” will become increasing important to organisations wanting to stay secure.
This week’s open source security and cybersecurity news follows in Open Source Insight.
We discuss the role software plays in information security and compare and contrast how many of the unique attributes of open source can present particular security challenges as opposed to proprietary/commercial software. We will examine the role open source has played in several high profile security incidents, drawing lessons learned from those incidents. We will also review the standards of “reasonableness” established by widely adopted security standards published by NIST and others and discuss the application of those standards to open source.
This document summarizes the findings of a survey about open source software usage. It finds that open source usage has increased significantly and is now core to most organizations' IT infrastructure. However, many organizations still do not have formal processes for managing open source use and risks. Common risks include unreviewed code, lack of responsibility for security issues, and incomplete vulnerability tracking. The document recommends that organizations improve open source governance, automate reviews, and participate more actively in open source communities to help address ongoing risks from open source use.
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps.
You’ll learn:
-New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments
-Best practices for designing and incorporating an automated approach to application security into your existing development environment
-Future development and application security challenges organizations will face and what they can do to prepare
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...Black Duck by Synopsys
It’s an acronym-filled issue of Open Source Insight, as we look at the question of SCA (software composition analysis) and how it fits into the DevOps environment. The DHS (Department of Homeland Security) has concerning security gaps, according to its OIG (Office of Inspector General). Can the CVE (Common Vulnerabilities and Exposures) gap be closed? The GDPR (General Data Protection Regulation) is bearing down on us like a freight train, and it’s past time to include open source security into your GDPR plans.
Plus, an intro to the Open Hub community, looking at security for blockchain apps, and best practices for open source security in container environments are all featured in this week’s cybersecurity and open source security news.
This document discusses regulatory requirements for vulnerability assessments and the challenges of managing open source software vulnerabilities. It notes that regulatory requirements from standards like PCI-DSS require vulnerability monitoring and patching, but traditional vulnerability assessment tools do not provide visibility into custom code or track vulnerabilities over time in open source components. The document argues that organizations need software bills of materials and proactive vulnerability management programs that can map vulnerabilities to applications to effectively manage risks from open source.
Shift Risk Left: Security Considerations When Migrating Apps to the CloudBlack Duck by Synopsys
In this session, we'll start with the basics of application security for an environment where development teams are able to push code into production at will. We quickly cover the basics and move on to the advanced topics of tests and models for long-term application security. We'll cover real-world Black Duck CI examples including keeping apps up-to-date in Pivotal Cloud Foundry environments, and end with tips for advocating for long-term security structures.
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...Black Duck by Synopsys
This document provides a summary of cybersecurity and open source news stories from March 2nd. It discusses the need to incorporate application security practices into the DevOps process. It also looks at deciding between open source and proprietary software based on factors like code transparency and vendor support. Additionally, it reports that one in eight open source components contain security flaws and explains why enterprises need a comprehensive software security program rather than isolated security activities. Finally, it provides answers to frequently asked questions about the GDPR regulation and notes unexpected places where GDPR-related data can be found.
DevOps purists may chafe at the DevSecOps term given that security and other important practices are supposed to already be an integral part of routine DevOps workflows. But the reality is that security often gets more lip service than thoughtful and systematic integration into open source software sourcing, development pipelines, and operations processes--in spite of an increasing number of threats.
In this session, we’ll look at successful practices that distributed and diverse teams use to iterate rapidly. We’ll discuss how a container platform can serve as the foundation for DevSecOps in your organization. We'll also consider the risk management associated with integrating components from a variety of sources--a consideration that open source software has had to deal with since the beginning. Finally, we'll show ways by which automation and repeatable trusted delivery of code can be built directly into a DevOps pipeline.
Secure application deployment in the age of continuous deliveryTim Mackey
As presented at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious.
Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
- How known vulnerabilities can make their way into production deployments
- How vulnerability impact is maximized
- A methodology for ensuring deployment of vulnerable code can be minimized
- A methodology to minimize the potential for vulnerable code to be redistributed
Security in the age of open source - Myths and misperceptionsTim Mackey
As delivered at Interop ITX 2017.
The security of open source software is a function of the security of its components. For most applications, open source technologies are at their core, but security related issues may not be disclosed directly against the application because its use of the open-source component is hidden. In this talk, I explored how information flow benefits attackers, but how awareness can help defenders. I presented key attributes any vulnerability solution should have - including deep understanding of how open source development works and being DevOps aware.
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...Black Duck by Synopsys
The Black Duck blog and Open Source Insight become part of the Synopsys Software Integrity blog in early April. You’ll still get the latest open source security and license compliance news, insights, and opinions you’ve come to expect, plus the latest software security trends, news, tips, best practices, and thought leadership every week. Don’t delay, subscribe today! Now on to this week’s open source security and cybersecurity news.
Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...Black Duck by Synopsys
Learn how fast-growing authentication and mobile security solutions provider Entersekt leverages Black Duck Hub for competitive advantage by empowering teams and automating open source security risk management throughout the Software Development Lifecycle (SDLC).
As presented by Patrick Carey in San Jose at a Lunch & Learn. Open source reduces development costs, frees internal developers to work on higher-order tasks, and accelerates time to market. Quite simply, open source is the way applications are developed today.
Open Source Insight:GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...Black Duck by Synopsys
A big news week for Synopsys and Black Duck as Gartner releases the 2018 Gartner Magic Quadrant for Application Security Testing and the 2018 Open Source Rookies of the Year are announced. More on these stories and the hottest open source security and cybersecurity news in this week’s Open Source Insight!
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck by Synopsys
Keeping applications secure, whether you're developing for internal use or for your customers, isn't easy. Today, applications are a mix of open source and custom code. Identifying and resolving security vulnerabilities in both requires the right tools and know-how. Black Duck and IBM are working together to help you keep your applications secure.
A question of trust - understanding Open Source risksTim Mackey
As presented at the Bay Area Cyber Security Meetup on January 25th, 2018.
Open source development paradigms have become the norm for most software development. This is regardless of whether you're making the next great IoT device, a new container microservice, or desktop application. While open source components are often viewed as free, and definately help solve problems in a scalable way, using them in a secure manner requires an understanding of how open source development really works.
In this sesssion, I covered how secure development practices with data center regulations can benefit from an understanding of open source development. Specifically, we looked at fork management, community engagement and patch management. We ended with an open source maturity model.
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckBlack Duck by Synopsys
Presented August 11, 2016 by Michael Right, Senior Product Manager, HPE Security Fortify; Mike Pittenger, VP of Security Strategy, Black Duck.
Open source software is an integral part of today’s technology ecosystem, powering everything from enterprise and mobile applications to cloud computing, containers and the Internet of Things.
While open source offers attractive economic and productivity benefits for application development, it also presents organizations with significant security challenges. Every year, thousands of new open source security vulnerabilities – such as Heartbleed, Venom and Shellshock – are reported. Unfortunately, many organizations lack visibility into and control of their open source. Addressing this challenge is vital for ensuring security in applications and containers.
Whether you’re building software for customers or for internal use, the majority of the code is likely open source and securing it is no easy task. In this session, you’ll learn about:
• The evolving DevOps and software security assurance lifecycle in the age of open source
• The software security considerations CISOs, security, and development teams must address when using open source
• An automated approach to identifying vulnerabilities and managing software security assurance for custom and open source code.
Shifting the conversation from active interception to proactive neutralization Rogue Wave Software
When did we forget that old saying, “prevention is the best medicine”, when it comes to cybersecurity? The current focus on mitigating real-time attacks and creating stronger defensive networks has overshadowed the many ways to prevent attacks right at the source – where security management has the biggest impact. Source code is where it all begins and where attack mitigation is the most effective.
In this webinar we’ll discuss methods of proactive threat assessment and mitigation that organizations use to advance cybersecurity goals today. From using static analysis to detect vulnerabilities as early as possible, to managing supply chain security through standards compliance, to scanning for and understanding potential risks in open source, these methods shift attack mitigation efforts left to simplify fixes and enable more cost-effective solutions.
Webinar recording: http://www.roguewave.com/events/on-demand-webinars/shifting-the-conversation-from-active-interception
Black Duck Software provides products that help organizations automate securing and managing open source software to eliminate security vulnerabilities, license compliance issues, and operational risks. Black Duck is headquartered in Burlington, MA and has offices worldwide. Their products help secure applications from cyberattacks by managing open source vulnerabilities, which are a major risk for applications and can lead to costly security breaches if unaddressed.
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...Black Duck by Synopsys
Continuing a month of major announcements, Black Duck launched its new product, OpsSight — comprehensive, automated open source container security for production environments — at its FLIGHT 2017 user conference in Boston this week. Targeting the production phase of the software development life cycle, the initial release of OpsSight is optimized for Red Hat’s OpenShift Container Platform.
If you missed FLIGHT 2017, you can read all the news about OpsSight below, as well as stories on FLIGHT keynoters Charlie Miller and Chris Valasek’s presentation on why IoT insecurity is here to stay; the top 5 cybersecurity mistakes you need to avoid; the SEC prepares new cybersecurity guidelines; and security for the connected car
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...Black Duck by Synopsys
Black Duck is now a part of Synopsys, with the acquisition complete this week. Dr. Andreas Kuehlmann, General Manager of the Synopsys Software Integrity Group provides some background of how Synopsys and Black Duck joining forces will enhance the company’s efforts in the software security market by broadening our product offering and strengthening the Software Integrity Platform.
Tim Mackey, technical evangelist for Black Duck, tackles the tricky issue of container security. Mike Pittenger, vice president of security strategy for Black Duck, discusses open source security, the Equifax breach, OpenSSL and Heartbleed, and why a “software parts list” will become increasing important to organisations wanting to stay secure.
This week’s open source security and cybersecurity news follows in Open Source Insight.
We discuss the role software plays in information security and compare and contrast how many of the unique attributes of open source can present particular security challenges as opposed to proprietary/commercial software. We will examine the role open source has played in several high profile security incidents, drawing lessons learned from those incidents. We will also review the standards of “reasonableness” established by widely adopted security standards published by NIST and others and discuss the application of those standards to open source.
This document summarizes the findings of a survey about open source software usage. It finds that open source usage has increased significantly and is now core to most organizations' IT infrastructure. However, many organizations still do not have formal processes for managing open source use and risks. Common risks include unreviewed code, lack of responsibility for security issues, and incomplete vulnerability tracking. The document recommends that organizations improve open source governance, automate reviews, and participate more actively in open source communities to help address ongoing risks from open source use.
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps.
You’ll learn:
-New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments
-Best practices for designing and incorporating an automated approach to application security into your existing development environment
-Future development and application security challenges organizations will face and what they can do to prepare
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...Black Duck by Synopsys
It’s an acronym-filled issue of Open Source Insight, as we look at the question of SCA (software composition analysis) and how it fits into the DevOps environment. The DHS (Department of Homeland Security) has concerning security gaps, according to its OIG (Office of Inspector General). Can the CVE (Common Vulnerabilities and Exposures) gap be closed? The GDPR (General Data Protection Regulation) is bearing down on us like a freight train, and it’s past time to include open source security into your GDPR plans.
Plus, an intro to the Open Hub community, looking at security for blockchain apps, and best practices for open source security in container environments are all featured in this week’s cybersecurity and open source security news.
This document discusses regulatory requirements for vulnerability assessments and the challenges of managing open source software vulnerabilities. It notes that regulatory requirements from standards like PCI-DSS require vulnerability monitoring and patching, but traditional vulnerability assessment tools do not provide visibility into custom code or track vulnerabilities over time in open source components. The document argues that organizations need software bills of materials and proactive vulnerability management programs that can map vulnerabilities to applications to effectively manage risks from open source.
Shift Risk Left: Security Considerations When Migrating Apps to the CloudBlack Duck by Synopsys
In this session, we'll start with the basics of application security for an environment where development teams are able to push code into production at will. We quickly cover the basics and move on to the advanced topics of tests and models for long-term application security. We'll cover real-world Black Duck CI examples including keeping apps up-to-date in Pivotal Cloud Foundry environments, and end with tips for advocating for long-term security structures.
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...Black Duck by Synopsys
This document provides a summary of cybersecurity and open source news stories from March 2nd. It discusses the need to incorporate application security practices into the DevOps process. It also looks at deciding between open source and proprietary software based on factors like code transparency and vendor support. Additionally, it reports that one in eight open source components contain security flaws and explains why enterprises need a comprehensive software security program rather than isolated security activities. Finally, it provides answers to frequently asked questions about the GDPR regulation and notes unexpected places where GDPR-related data can be found.
DevOps purists may chafe at the DevSecOps term given that security and other important practices are supposed to already be an integral part of routine DevOps workflows. But the reality is that security often gets more lip service than thoughtful and systematic integration into open source software sourcing, development pipelines, and operations processes--in spite of an increasing number of threats.
In this session, we’ll look at successful practices that distributed and diverse teams use to iterate rapidly. We’ll discuss how a container platform can serve as the foundation for DevSecOps in your organization. We'll also consider the risk management associated with integrating components from a variety of sources--a consideration that open source software has had to deal with since the beginning. Finally, we'll show ways by which automation and repeatable trusted delivery of code can be built directly into a DevOps pipeline.
Secure application deployment in the age of continuous deliveryTim Mackey
As presented at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious.
Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
- How known vulnerabilities can make their way into production deployments
- How vulnerability impact is maximized
- A methodology for ensuring deployment of vulnerable code can be minimized
- A methodology to minimize the potential for vulnerable code to be redistributed
Security in the age of open source - Myths and misperceptionsTim Mackey
As delivered at Interop ITX 2017.
The security of open source software is a function of the security of its components. For most applications, open source technologies are at their core, but security related issues may not be disclosed directly against the application because its use of the open-source component is hidden. In this talk, I explored how information flow benefits attackers, but how awareness can help defenders. I presented key attributes any vulnerability solution should have - including deep understanding of how open source development works and being DevOps aware.
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...Black Duck by Synopsys
The Black Duck blog and Open Source Insight become part of the Synopsys Software Integrity blog in early April. You’ll still get the latest open source security and license compliance news, insights, and opinions you’ve come to expect, plus the latest software security trends, news, tips, best practices, and thought leadership every week. Don’t delay, subscribe today! Now on to this week’s open source security and cybersecurity news.
Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...Black Duck by Synopsys
Learn how fast-growing authentication and mobile security solutions provider Entersekt leverages Black Duck Hub for competitive advantage by empowering teams and automating open source security risk management throughout the Software Development Lifecycle (SDLC).
As presented by Patrick Carey in San Jose at a Lunch & Learn. Open source reduces development costs, frees internal developers to work on higher-order tasks, and accelerates time to market. Quite simply, open source is the way applications are developed today.
Open Source Insight:GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...Black Duck by Synopsys
A big news week for Synopsys and Black Duck as Gartner releases the 2018 Gartner Magic Quadrant for Application Security Testing and the 2018 Open Source Rookies of the Year are announced. More on these stories and the hottest open source security and cybersecurity news in this week’s Open Source Insight!
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck by Synopsys
Keeping applications secure, whether you're developing for internal use or for your customers, isn't easy. Today, applications are a mix of open source and custom code. Identifying and resolving security vulnerabilities in both requires the right tools and know-how. Black Duck and IBM are working together to help you keep your applications secure.
A question of trust - understanding Open Source risksTim Mackey
As presented at the Bay Area Cyber Security Meetup on January 25th, 2018.
Open source development paradigms have become the norm for most software development. This is regardless of whether you're making the next great IoT device, a new container microservice, or desktop application. While open source components are often viewed as free, and definately help solve problems in a scalable way, using them in a secure manner requires an understanding of how open source development really works.
In this sesssion, I covered how secure development practices with data center regulations can benefit from an understanding of open source development. Specifically, we looked at fork management, community engagement and patch management. We ended with an open source maturity model.
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckBlack Duck by Synopsys
Presented August 11, 2016 by Michael Right, Senior Product Manager, HPE Security Fortify; Mike Pittenger, VP of Security Strategy, Black Duck.
Open source software is an integral part of today’s technology ecosystem, powering everything from enterprise and mobile applications to cloud computing, containers and the Internet of Things.
While open source offers attractive economic and productivity benefits for application development, it also presents organizations with significant security challenges. Every year, thousands of new open source security vulnerabilities – such as Heartbleed, Venom and Shellshock – are reported. Unfortunately, many organizations lack visibility into and control of their open source. Addressing this challenge is vital for ensuring security in applications and containers.
Whether you’re building software for customers or for internal use, the majority of the code is likely open source and securing it is no easy task. In this session, you’ll learn about:
• The evolving DevOps and software security assurance lifecycle in the age of open source
• The software security considerations CISOs, security, and development teams must address when using open source
• An automated approach to identifying vulnerabilities and managing software security assurance for custom and open source code.
Shifting the conversation from active interception to proactive neutralization Rogue Wave Software
When did we forget that old saying, “prevention is the best medicine”, when it comes to cybersecurity? The current focus on mitigating real-time attacks and creating stronger defensive networks has overshadowed the many ways to prevent attacks right at the source – where security management has the biggest impact. Source code is where it all begins and where attack mitigation is the most effective.
In this webinar we’ll discuss methods of proactive threat assessment and mitigation that organizations use to advance cybersecurity goals today. From using static analysis to detect vulnerabilities as early as possible, to managing supply chain security through standards compliance, to scanning for and understanding potential risks in open source, these methods shift attack mitigation efforts left to simplify fixes and enable more cost-effective solutions.
Webinar recording: http://www.roguewave.com/events/on-demand-webinars/shifting-the-conversation-from-active-interception
As presented by Tim Mackey, Senior Technical Evangelist at Black Duck Software, at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious.
Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
- How known vulnerabilities can make their way into production deployments
- How vulnerability impact is maximized
- A methodology for ensuring deployment of vulnerable code can be minimized
- A methodology to minimize the potential for vulnerable code to be redistributed
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
Presented at AppSec California 2017. The fact that software development is moving towards agile methodologies and DevOps is a given, the question is: How do you transform processes and tools to get the biggest advantage? Using application security testing as an example, this talk cuts through all the news, research, and standards to define a holistic process for integrating Agile testing and feedback into development teams. The talk describes specific processes, automation techniques, and the smart selection of tools to help organizations produce more secure, OWASP-compliant code and free up development time to focus on features.
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
Open source software is widely used but faces security challenges as vulnerabilities have been found in widely used open source components. While most companies do not currently monitor open source code for security issues, the open source community is adapting to improve security. New approaches for security processes and tools are emerging and will provide increased choices for addressing open source security over time.
Programming languages and techniques for today’s embedded andIoT worldRogue Wave Software
This presentation looks at the problem of selecting the best programming language and tools to ensure IoT software is secure, robust, and safe. By taking a look at industry best practices and decades of knowledge from other industries (such as automotive and aerospace), you will learn the criteria necessary to choose the right language, how to overcome gaps in developers’ skills, and techniques to ensure your team delivers bulletproof IoT applications.
This RVAsec presentation by Black Duck Software's Bill Weinberg explores the role of and requirements for secure development and deployment with open source software.
Open Source Insight: Balancing Agility and Open Source Security for DevOpsBlack Duck by Synopsys
Lots of DevOps news this week, including why automation is critical for securing code, as well as balancing agility with security needs. Learn how to manage security in GitHub projects with CoPilot from Black Duck Software. Pre-GDPR, Carphone Warehouse gets hit with £400k fine over a 2015 hack. And why you should think like your attackers when developing your cybersecurity portfolio.
Read on for this week’s cybersecurity and open source security news in Open Source Insight!
OSS has taken over the enterprise: The top five OSS trends of 2015Rogue Wave Software
It’s everywhere. From your phone to the enterprise, open source software (OSS) is running far and wide. Gartner predicts that by 2016, 99 percent of Global 2000 enterprises will use open source in mission-critical software. While it’s free, easy to find, and pushes software to the market faster, it’s vital to understand how to use OSS safely.
Join Richard Sherrard, director of product management at Rogue Wave, for a live webinar reviewing the top five OSS trends of 2015. From OSS discovery, to risk, and governance, we’ll take a deep dive into the trends we’ve noticed this year while providing you with some predictions for 2016.
In this webinar you’ll learn how to:
-Discover the OSS in your codebase to ensure that code is free of bugs, security vulnerabilities, and license conflicts
-Implement controls on OSS usage at your organization
-Create a multi-tier approach to OSS risk reduction with open source tools, static code analysis and dynamic analysis
Watch the webinar recording now: https://www.brighttalk.com/webcast/12285/164531
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxlior mazor
Our technology, work processes, and activities all depend on if we trust our software to be developed in a safe and secure manner. Join us virtually for our upcoming "Secure Your DevOps Pipeline: Best Practices" Meetup to learn how to integrate security in the development process, DevSecOps advance methods, manage the implement secure coding analysis and how to manage software security risks.
Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools.
What can development teams do to keep pace with rapidly-evolving application security threats?
The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks.
In this session, you will learn:
- New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments.
- Best practices for designing and incorporating an automated approach to application security into your existing development environment.
- Future development and application security challenges organizations will face and what they can do to prepare.
Empowering Application Security Protection in the World of DevOpsIBM Security
Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools.
What can development teams do to keep pace with rapidly-evolving application security threats?
The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks.
In this session, you will learn:
- New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments.
- Best practices for designing and incorporating an automated approach to application security into your existing development environment.
- Future development and application security challenges organizations will face and what they can do to prepare.
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
Are you struggling with application security testing? Do you wish it was easier, faster, and better? Join us to learn more about IAST, a next-generation application security tool that provides highly accurate, real-time vulnerability results without the need for application or source code scans. Learn how this nondisruptive tool can:
Run in the background and report vulnerabilities during functional testing, CI/CD, and QA activities.
Auto verify, prioritize and triage vulnerability findings in real time with 100% confidence.
Fully automate secure app delivery and deployment, without the need for extra security scans or processes.
Free up DevOps resources to focus on strategic or mission-critical tasks and contributions.
Winning open source vulnerabilities without loosing your deveopers - Azure De...WhiteSource
Tsaela Pinto, Director of Knowledge R&D at WhiteSource, spoke at the Azure DevOps meetup in Tel Aviv about how develpers should part in maintaining open source security
Some of the most famous information breaches over the past few years have been a result of entry through embedded and IoT system environments. Often these breaches are a result of unexpected system architecture and service connectivity on the network that allows the hacker to enter through an embedded device and make their way to the financial or corporate servers. Experts in embedded security discuss key security issues for embedded systems and how to address them.
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?Sonatype
This presentation was given by Ryan Berg, Sonatype CSO, at the All Things Open conference in Raleigh, NC.
We all know that Open Source brings speed, innovation, cost savings and more to our development efforts. It also brings risk. Bash, Heartbleed, Struts – anyone? Join this session to hear the latest research on the most risky open source component types – the alien invaders hiding in your software. And learn best practices to manage your risk based on the 11,000 people who shared their experiences in the 4 year industry-wide study on open source development and application security. Among the surprising results…
- 1-in-3 organizations had or suspected an open source breach in the last 12 months
- Only 16% of participants must prove they are not using components with known vulnerabilities
- 64% don’t track changes in open source vulnerability data
The document outlines seven habits that DevOps teams can adopt to increase application security. The habits are: 1) Increase trust and transparency between development, security, and operations teams. 2) Understand the probability and impact of specific security risks. 3) Discard detailed security roadmaps in favor of incremental improvements. 4) Use continuous delivery pipelines to incrementally improve security practices. 5) Standardize and continuously update third-party software. 6) Govern with automated audit trails. 7) Test security preparedness through "security games". Adopting these habits helps integrate security across the development lifecycle to reduce vulnerability discovery and remediation time.
Similar to Software Security Assurance for DevOps (20)
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...Black Duck by Synopsys
Anthony Decicco, shareholder, GTC Law Group presented at FLIGHT West 2018. His session description included:
A buyer and investor focused discussion of key open source software-related issues and deal points. Understanding the key legal and technical risks, as well as strategies for mitigating them, will help you to focus due diligence, speed and smooth negotiations and get better deal terms, increasing overall value and avoiding post-transaction surprises.
For more information, please visit us at www.blackducksoftware.com
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...Black Duck by Synopsys
Basma Shahadat, Lead Research Engineer presented at Black Duck Flight West 2018. Security checking in the early stages of the SDLC is critical. This session will demonstrate how Proofpoint is taking proactive steps to reduce risk by integrating Black Duck into Proofpoint’s continuous integration pipeline to detect open source vulnerabilities during the product build. For more information, please visit us at https://www.blackducksoftware.com/
FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck HubBlack Duck by Synopsys
This document provides an overview of open source license management best practices that have evolved over 16 years, from 2002 to 2018. It discusses how the risks have changed from lawsuits prompting code inspections to security vulnerabilities coming to the forefront. It also outlines the key functionality of Black Duck Hub for managing open source licenses, including predefined license groups, component usage settings, license risk modeling, policy management, license review workflows, and integrations. Finally, it proposes a suggested license management workflow involving license planning, policy creation, component reviews, attribution statements, and more.
FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...Black Duck by Synopsys
Managing open source security risks is important because most modern applications contain a significant amount of open source code that may contain vulnerabilities. It is difficult to manage these risks because vulnerabilities are often discovered after code is released. Tools can help with open source selection, governance, detection of used components, prioritizing and remediating vulnerabilities, and monitoring applications post-release. Managing open source security risks requires identifying components, setting policies, understanding usage, prioritizing issues, and monitoring ongoing.
FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...Black Duck by Synopsys
Utsav Sanghani, Product Manager, Integrations and Alliance at Synopsys presented on how to "Black Duck your Code Faster with Black Duck Integrations." For more information, please visit www.blackducksoftware.com
Black Duck On-Demand-Audits von über 1.100
kommerziellen Anwendungen im Jahr 2017
verdeutlichen die ständigen Herausforderungen, vor
denen Unternehmen stehen, um Open Source effektiv
zu erkennen und zu sichern.
FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...Black Duck by Synopsys
Open source software, patents, and trade secrets each offer different ways to protect information relating to software. Open source licenses make source code available and allow free distribution but also allow others to modify the code. Patents protect specific inventions for a limited time but require describing the invention publicly. Trade secrets have indefinite protection as long as information is kept secret, but lose protection if the secret becomes public. Combining these approaches poses challenges, as open source and trade secrets in particular seem contradictory. Companies must carefully manage what software is shared openly versus kept proprietary through internal policies and legal agreements.
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideBlack Duck by Synopsys
The document discusses data breaches and relevant laws. It notes an increasing number of data breaches and introduces key laws around data security - the GDPR and NISD. The GDPR requires organizations to implement appropriate security measures to protect personal data and report breaches. It applies broadly to any group processing EU citizens' data or offering goods/services to them. The NISD focuses on essential services and digital service providers, requiring security and reporting of significant incidents. Non-compliance can result in large fines and litigation. Proper precautions such as response planning and legal advice are recommended.
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your DealBlack Duck by Synopsys
Flight Amsterdam presentation by Anthony Decicco, Shareholder, GTC Law Group
Open source software is increasingly centric to transactions, whether licensing, mergers, acquisitions, financing, insurance, offerings or loans, and the deal landscape is changing with the prevalence of representation and warranty insurance, heightened focus on security vulnerabilities and increasing litigation. As such, it is important to understand and re-visit key open source software-related issues and deal points to accelerate your deal, avoid unnecessary due diligence and realize the most value from your open source software-related compliance efforts.
2018 is the Open Source Rookies report’s 10th anniversary, brought to you by Black Duck by Synopsys. This infographic shows the impressive number of projects started in 2017 and the distribution across the world and a wide range of categories. Narrowing them down was hard! The open source community continues to produce innovative and influential open source projects.
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...Black Duck by Synopsys
We look at the three reasons you must attend the FLIGHT Amsterdam conference; how to build outstanding projects in the open source community; and why isn’t every app being security tested? Plus, in-depth into the TRITON attack; why 2018 is the year of open source; how open source is driving both IoT and AI and a webinar on the 2018 Open Source Rookies of the Year.
Open Source Insight is your weekly news resource for open source security and cybersecurity news!
Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...Black Duck by Synopsys
This week’s Open Source Insight features a powerful visualization tool displaying the world’s biggest data breaches at name brands such as Ebay, Equifax, Anthem, and Target. The White House and British Foreign Office have condemned a cyber-attack launched by the Russian military on Ukraine and hint at reprisals. Black Duck brings open source vulnerability detection to Kubernetes, and Synopsys will host Elevate, an evening thought leadership event at Embedded World 2018 featuring an elite group of international cyber security experts leading a discussion about IoT and embedded systems security threats and solutions.
Read on for all the open source security and cybersecurity news you need to know this week.
Open Source Insight: Happy Birthday Open Source and Application Security for ...Black Duck by Synopsys
Opinions differ on exactly when, but open source turned twenty this year. Most security breaches in 2017 were preventable (you hear that, Equifax?), and it’s time to take a look back to prevent similar breaches in 2018. iPhone source code gets leaked (for a short time). And keeping medical devices, voting machines, automobiles, and critical infrastructure safe in a world of increasing application risk.
Read on for open source security and cybersecurity in Open Source Insight for February 9th, 2018.
Open Source Insight: Security Breaches and Cryptocurrency Dominating NewsBlack Duck by Synopsys
This week in Open Source Insight we examine blockchain security and the cryptocurrency boom. Plus, take an in depth look at open source software in tech contracts with a legal expert from Tech Contracts Academy, Adobe Flash Player continues to be a security concern, the Open Source Initiative turns 20, and step by step instructions for migrating to Docker on Black Duck Hub. Cybersecurity and security breach news also dominates this week, as Synopsys examines security breaches in 2017 and how they were preventable.
Principal engineer at MITRE, Bob Martin, examines the potential security issues introduced by the Internet of Things and proactive measures you can take to address those issues.
Open Source Insight:IoT Security, Tech Due Diligence, and Software Security ...Black Duck by Synopsys
A grab-bag of open source security and cybersecurity news is in this week’s edition of Open Source Insight. Is “many eyeballs” not enough? Some security researchers think Linus’ Law doesn’t work anymore. Black Duck by Synopsys kicks off a new video series with MITRE IoT expert, Bob Martin. Learn how open source tech due diligence helped one company close a deal securely. Should “Privacy Day” be renamed to “Lack of Privacy” day? Plus, an eye-catching infographic on how too little software security training is putting many companies at risk.
Open Source Insight:Banking and Open Source, 2018 CISO Report, GDPR LoomingBlack Duck by Synopsys
This document provides a summary of cybersecurity news and topics related to open source software. It discusses a new report on different types of CISOs ("tribes") and challenges with compliance as the GDPR deadline approaches. Additional articles summarize topics like using open source for core banking systems, open source security challenges, cybersecurity predictions for 2018, and questions around automotive cybersecurity and the GDPR.
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”Black Duck by Synopsys
Welcome to 2018, with two major security flaws revealed that makes any computer device that has chips from Intel, AMD and ARM at risk. One security flaw, dubbed Meltdown, impacts Intel semiconductors, enabling enabling bad guys to steal passwords. The other security flaw, Spectre, impacts chips from all three companies. During an interview with CNBC covered by Reuters, Intel’s chief executive noted that “Phones, PCs, everything are going to have some impact, but it’ll vary from product to product.”
In other cybersecurity news, we look at 10 open source technologies you need to know about, cybersecurity predictions for 2018, and an interesting white paper published by the University of Michigan on identifying cybersecurity threats in connected vehicles.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeAftab Hussain
Understanding variable roles in code has been found to be helpful by students
in learning programming -- could variable roles help deep neural models in
performing coding tasks? We do an exploratory study.
- These are slides of the talk given at InteNSE'23: The 1st International Workshop on Interpretability and Robustness in Neural Software Engineering, co-located with the 45th International Conference on Software Engineering, ICSE 2023, Melbourne Australia
Unveiling the Advantages of Agile Software Development.pdfbrainerhub1
Learn about Agile Software Development's advantages. Simplify your workflow to spur quicker innovation. Jump right in! We have also discussed the advantages.
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Łukasz Chruściel
No one wants their application to drag like a car stuck in the slow lane! Yet it’s all too common to encounter bumpy, pothole-filled solutions that slow the speed of any application. Symfony apps are not an exception.
In this talk, I will take you for a spin around the performance racetrack. We’ll explore common pitfalls - those hidden potholes on your application that can cause unexpected slowdowns. Learn how to spot these performance bumps early, and more importantly, how to navigate around them to keep your application running at top speed.
We will focus in particular on tuning your engine at the application level, making the right adjustments to ensure that your system responds like a well-oiled, high-performance race car.
Hand Rolled Applicative User ValidationCode KataPhilip Schwarz
Could you use a simple piece of Scala validation code (granted, a very simplistic one too!) that you can rewrite, now and again, to refresh your basic understanding of Applicative operators <*>, <*, *>?
The goal is not to write perfect code showcasing validation, but rather, to provide a small, rough-and ready exercise to reinforce your muscle-memory.
Despite its grandiose-sounding title, this deck consists of just three slides showing the Scala 3 code to be rewritten whenever the details of the operators begin to fade away.
The code is my rough and ready translation of a Haskell user-validation program found in a book called Finding Success (and Failure) in Haskell - Fall in love with applicative functors.
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian CompaniesQuickdice ERP
Explore the seamless transition to e-invoicing with this comprehensive guide tailored for Saudi Arabian businesses. Navigate the process effortlessly with step-by-step instructions designed to streamline implementation and enhance efficiency.
SMS API Integration in Saudi Arabia| Best SMS API ServiceYara Milbes
Discover the benefits and implementation of SMS API integration in the UAE and Middle East. This comprehensive guide covers the importance of SMS messaging APIs, the advantages of bulk SMS APIs, and real-world case studies. Learn how CEQUENS, a leader in communication solutions, can help your business enhance customer engagement and streamline operations with innovative CPaaS, reliable SMS APIs, and omnichannel solutions, including WhatsApp Business. Perfect for businesses seeking to optimize their communication strategies in the digital age.
WhatsApp offers simple, reliable, and private messaging and calling services for free worldwide. With end-to-end encryption, your personal messages and calls are secure, ensuring only you and the recipient can access them. Enjoy voice and video calls to stay connected with loved ones or colleagues. Express yourself using stickers, GIFs, or by sharing moments on Status. WhatsApp Business enables global customer outreach, facilitating sales growth and relationship building through showcasing products and services. Stay connected effortlessly with group chats for planning outings with friends or staying updated on family conversations.
Software Engineering, Software Consulting, Tech Lead, Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Transaction, Spring MVC, OpenShift Cloud Platform, Kafka, REST, SOAP, LLD & HLD.
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemPeter Muessig
Learn about the latest innovations in and around OpenUI5/SAPUI5: UI5 Tooling, UI5 linter, UI5 Web Components, Web Components Integration, UI5 2.x, UI5 GenAI.
Recording:
https://www.youtube.com/live/MSdGLG2zLy8?si=INxBHTqkwHhxV5Ta&t=0
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j
Dr. Jesús Barrasa, Head of Solutions Architecture for EMEA, Neo4j
Découvrez les dernières innovations de Neo4j, et notamment les dernières intégrations cloud et les améliorations produits qui font de Neo4j un choix essentiel pour les développeurs qui créent des applications avec des données interconnectées et de l’IA générative.
Artificia Intellicence and XPath Extension FunctionsOctavian Nadolu
The purpose of this presentation is to provide an overview of how you can use AI from XSLT, XQuery, Schematron, or XML Refactoring operations, the potential benefits of using AI, and some of the challenges we face.
Atelier - Innover avec l’IA Générative et les graphes de connaissancesNeo4j
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Allez au-delà du battage médiatique autour de l’IA et découvrez des techniques pratiques pour utiliser l’IA de manière responsable à travers les données de votre organisation. Explorez comment utiliser les graphes de connaissances pour augmenter la précision, la transparence et la capacité d’explication dans les systèmes d’IA générative. Vous partirez avec une expérience pratique combinant les relations entre les données et les LLM pour apporter du contexte spécifique à votre domaine et améliorer votre raisonnement.
Amenez votre ordinateur portable et nous vous guiderons sur la mise en place de votre propre pile d’IA générative, en vous fournissant des exemples pratiques et codés pour démarrer en quelques minutes.
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Software Security Assurance for DevOps
1. Software Security
Assurance for DevOps
Mike Pittenger, VP Security Strategy, Black Duck Software
Lucas v. Stockhausen, Sr. Product Manager HPE Fortify
2. • Challenges impacting application security in
DevOps
• Strategies for overcoming these challenges
• 5 Things you can do tomorrow
Agenda
2
3. Why We Partnered
• Organizations today manage application security for both custom and open
source code
• HPE Security Fortify is a market leader in the application security space for
customer code; Black Duck is a market leader in the application security
space for open source
• Together, we allow customers to manage security risk in custom and open
source code, through a single interface
3
4. GROWING ATTACK SURFACE NEW DEPLOYMENT MODELS
Web, Mobile, Cloud, IoT
Containers, IT and Small Security
Teams
• Which apps are people using?
• How do I set internal policy
requirements for app security?
• Is my private / sensitive data
exposed by apps?
• Who is developing the apps?
• How do we prioritize the work for
the resources I have?
• What do we test and how do we
test it?
• How do we staff and improve skills
and awareness?
OPEN SOURCE
Increasing Portion of Code Base
• What policies are in place for
open source use?
• How are those policies enforced?
• Who is tracking usage for new
vulnerabilities
Application Security Challenges
4
5. • Web applications
• Cloud applications and services
• IoT
Changing Attack Surface
5
“If perimeter control is
to remain the paradigm
of cybersecurity, then
the number of
perimeters to defend in
the Internet of Things is
doubling every 17
months.”
Dan Geer
In-Q-Tel
RSA 2016
6. Up to 90%
Open Source
TODAY
50%
Open Source
2010
20%
Open Source
20051998
10%
Open Source
Open Source is the Foundation of Modern Applications
6
7. @FUTUREOFOSS
#FUTUREOSS
GROWING OPPORTUNITY
FOR POLICIES &
PROCEDURES
50%
Nearly
2016
INSIGHTS 4
@FUTUREOFOSS
#FUTUREOSS
UNDERSTANDING YOUR OPEN
SOURCE CODE
Top ways companies review
their code for open source
Development teams
manually keep track of
open source use
48% 30% 21%
Ask developers about
open source content
Use third party tools
to scan for open
source content
2016
INSIGHTS 4
@FUTUREOFOSS
#FUTUREOSS
HOW ARE COMPANIES
HANDLING KNOWN OPEN
SOURCE VULNERABILITIES?
of companies have
no process for
identifying,
tracking or
remediating known
open source
vulnerabilities
Nearly
1/3
2016
INSIGHTS 4
Open source Use has Outpaced Process Maturity
Everybody is using open source, but many organizations still do not have
adequate processes or tools in place to manage it.
7
9. OPEN SOURCE CODE
DELIVERED CODE
Open Source Enters Your Code in Many Ways…
DEVELOPER DOWNLOADS
OUTSOURCED DEVELOPMENT
THIRD PARTY LIBRARIES
CODE REUSE
APPROVED COMPONENTS
COMMERCIAL APPS
…and security, compliance & quality risks can come with it.
11. • Automated testing finds common vulnerabilities in
the code you write
• They are good, not perfect
• Different tools work better on different classes of bugs
• Many types of bugs are undetectable except by trained
security researchers
Static Analysis Does Not Help With Open
Source
All possible
security vulnerabilities
FREAK!
12. Four Factors That Make Open Source Different
12
Easy access to code
Exploits readily availableVulnerabilities are public
Used Everywhere
13. Who’s Responsible for Open Source Security?
13
Commercial Code Open Source Code
• Dedicated security researchers
• Alerting and notification infrastructure
• Regular patch updates
Dedicated support team with SLA
• “Community”-based code analysis
• Monitor newsfeeds yourself
• No standard patching mechanism
Ultimately, you are responsible
14. Bad Guys Have Quotas Too (Non-Targeted Attacks)
Rational Choice Theory
• Criminals make a conscious, rational choice to commit crimes
• Behavior is a personal choice made after weighing costs and benefits of
available alternatives
• The path of least resistance will be taken
18. • HPE Security Fortify + Black Duck Technology
Alliance Partnership
• Address pervasive, rapidly-growing Security &
Compliance risks with Open Source
• Gain visibility on risks across Custom Code and
Open Source Code
• Integrate governance and remediation as part of
Software Security Assurance
Black Duck Integration with HPE Security
Fortify SSC
Risks in Open
Source Code (Black
Duck Hub)
Manage Risks in Open
Source as part of HPE
Security Fortify SSC
Risks in Custom
Code with SAST,
DAST, & RASP
20. Overview Shows Black Duck Results Within HPE Security Fortify
Open Source
vulnerabilities (3rd Party
Components) from Black
Duck analysis
Custom Code vulnerabilities
from Fortify SCA analysis
26. • Speak with your heads of application security and software development and
find out…
• What policies exist for managing open source?
• Is there a list of components used in all applications?
• How are they creating the list?
• What controls do they have to ensure nothing gets through?
• How are they tracking vulnerabilities for all components over time?
• How do they account for the different testing requirements for custom code v. open
source?
• What is the best security automation strategy for your organization?
What Can You Do Tomorrow?
26
PITTENGER:
Welcome! My name is Mike Pittenger and I’m the Vice President of Security Strategy here at Black Duck Software. I’m joined by Lucas von Stockhausen, Sr Product Manager for HPE Security Fortify.
Today’s webinar will focus on application security for DevOps and what Black Duck and HPE Security are doing together to help.
PITTENGER
There are 3 Challenges impacting application security in a DevOps world
Expanding attack surface
Agile + New Delivery Models
Rise of open source
Strategies for overcoming these challenges
Security testing in agile environments
Custom and open source
Talk about automation
5 Things you can do tomorrow
Stockhausen
HPE Security Fortify and Black Duck recently announced a partnership.
The goal of our partnership is to empower organizations with a software security solution, that provides visibility into the security posture of applications across your enterprise, in both custom code and open source libraries. With the partnership and integration, security vulnerabilities identified from Black Duck can now be viewed through Fortify Software Security Center.
PITTENGER: While automation has addressed the challenge presented by agile development, there are other challenges organizations face when it comes to application security in a changing world.
Expanding Attack Surface –
* Not only are we seeing a huge increase in the sheer number of web facing applications, but also many more devices in the workspace managing critical data. This can include mobile devices, cloud services, and IoT
New Deployment Models
* With changing development models and companies moving to an Agile environment, we are also seeing a change in the way applications are being deployed. This leads to new security strategies to address things like the secure use of containers
–
The greater use Open Source
Open source is used virtually everywhere today. This presents some new security challenges from a testing and monitoring perspective.
Now, let’s look at each of these in a bit more detail…
Stockhausen
In the connected world of today, when we think of attack surface we're typically discussing web applications. But, it’s not enough to only scan/test your critical web applications. The number of apps continue to increase substantially and companies have come to the realization that applications are a competitive differentiator that sets them apart. As they create complex web apps, mobile apps, and IOT apps, their attack surface expands.
There are an ever increasing numbers of web apps which provide customers and adversaries with a way to reach our data and critical assets. But there are other ways in which we’re exposing ourselves to hackers.
If we consider IoT apps and device deployments are exploding across commercial, home products, and the automotive industries. Particularly infotainment systems in the connected car. Less visible are business to business and vertical apps, including critical infrastructure. Gartner Research estimates that the installed base of IoT devices, which has almost doubled in the last 2 years, will increase 3–fold in the next 4 years. Dan Geer of In-Q-Tel, the investment arm of the CIA, paints the picture in another way. By looking at the number of CPU cores, device drivers for bluetooth, GPS, video and USB ports, he estimates that the actual attack surface is doubling every 17 months!
PITTENGER: One of the most challenging aspects of applications and container security is finding open source software vulnerabilities. This is increasingly important. After all, open source software makes up a growing percentage of a companies code base, and containers are commonly built on open source components.
PITTENGER
Open source has been adopted widely, but this has presented new challenges. Primarily, how do organizations manage the code they use. The 2016 Future of Open Source survey shows that
Nearly half the companies had no policies for what 3rd party code could be used.
Keeping tack of open source is a manual process without controls – about half claim to track manually. As we will see later, this greatly underestimates the amount of open source used
Nearly a third of the companies had no process for tracking new vulnerabilities in the code they used. This is compounded, of course, by the fact that most companies have no reliable way of even knowing which open source projects they are using, and the fact that vulnerabilities vary by version
PITTENGER
: Open source is being embraced by organizations, including the federal government. How important is it to understand what your organization is using?
Our recent study on open source in commercial applications showed:
Go through stats
We as security professionals need to recognize that open source and custom code require defense in depth -
PITTENGERManaging open source can be a challenge, because it can enter into an organizations code base in several ways. An org may have reviewed and approved open source in design reviews, but developers maybe using reused internal code that includes older open source components that have not been approved, or they have pulled unapproved code from web-based repositories, or integrated code from supply chain partners. In all of these scenarios, you are exposing and increasing risk to your organization.
The end result is organizations are deployed code that contains open source, often without the knowledge or review of development managers and security teams.
PITTENGER: There are two very different but equally important application security challenges for organizations.
You may recognize the logo’s shown here, but think for a moment about what they have in common
They are all vulnerabilities in well known and widely used open source components
They were all present in the code for years, in spite of thousands of instances of testing using traditional security tools and pen tests
They were all found by security researchers and disclosed responsibly to the public
While vulnerabilities like Heartbleed, GHOST, ShellShock, DROWN are well known, they represent a tiny fraction of the vulnerabilities reported in open source. In fact, the National Vulnerability Database has reported over 6,000 new vulnerabilities in open source software since 2014 alone. As you can see in the chart, we see a pretty consistent flow of new vulnerabilities based on the work of security researchers. The spike in the graph shows how the discovery of Heartbleed 2 years ago spurred increased research and scrutiny of open source. And again, while Heartbleed made the evening news, there have been over 70 additional vulnerabilities – just in OpenSSL – since then.
The problem this presents is two-fold, visibility to the components you use, and visibility to the vulnerabilities
PITTENGER
Organizations should use static and dynamic analysis to find bugs in the code they write, but…
Open source vulnerabilities are too complex and too nuanced to be found by automated tools
If the tools were effective at finding vulnerabilities in open source, the vulnerabilities would have been found long ago
HeartBleed was present in OpenSSL for 2+ years, despite constant testing using automated tools
50+ vulnerabilities in OpenSSL since Heartbleed have all been found by researchers.
Vulnerabilities in open source are almost exclusively found by researchers manually inspecting the code and conducting experiments
Of the 4,000 vulnerabilities identified last year, fewer than 10 we
Very useful in identifying common security bugs in custom code
Typically responsibility of security team
Some can integrate into the build
Provide a snapshot of security vulnerabilities that each tool can identify
Exploitability of an issue can easily change
Results require review and scrubbing
#1 complaint – too many useless issues
Typically used late in the SDLC
Often require compiled application and/or test environment
re identified by automated tools
PITTENGER
: Open source is not necessarily less secure, or more secure, than commercial software. There are, however, some characteristics of open source that make it particularly attractive to attackers.
Open source is widely used by enterprises in commercial applications
Therefore, a new vulnerability in a popular project provides a target-rich environment for attackers.
Attackers have access to the code for analysis
Vulnerabilities in commercial code are exploitable, but attackers don’t have easy access to the source for analysis. That’s not the case in open source, where everyone has access. Like researchers, attackers can also identify new vulnerabilities
When new vulnerabilities are disclosed, we publish them to the world
NIST maintains the National Vulnerability database as a publicly available reference for vulnerabilities identified in software, and other sources – most notably OSVDB – focus on all identified vulnerabilities in open source.
Proof of the vulnerability (in the form of an exploit) is often included
When a vulnerability is discovered, the researcher will typically provide proof of the vulnerability in the form of exploit code, making the attackers’ job easier
Attackers can use these as well – but if they are confused, there are typically YouTube videos available to provide step-by-step instructions
PITTENGER:
The predominant method for tracking open source in organizations is a manually compiled spreadsheet that is created at the end of the SDLC. While that’s a problem by itself, it’s exacerbated by the lack of visibility into the thousands of vulnerabilities reported in open source each year.
Why is this?
* Start – open source is no more or less secure than commercial code. However, Characteristics of open source that make it attractive to attackers
* support model
PITTENGER
: Now let’s turn it over to Lucas von Stockhausen from HPE Security Fortify to take a look at the some of the available technologies for automating application security testing and implementing the concept of gates / controls.
Stockhausen: There are a variety of technologies on the market for assessing the security of application.
First I’d like to start with Static Analysis. Fortify’s Static Code Analyzer identifies security vulnerabilities in source code during development. It pinpoints the root cause of a vulnerability with line of code detail so that developers can easily ID and quickly remediate issues. It prioritizes results & provides best practices so developers can code securely. SCA also helps organizations identify issues early in the software development lifecycle when they are the easiest & least expensive to fix.
Open Source Scanning such as Black Duck also integrates into the build process. This technology assesses your applications to identify known vulnerabilities in the open source components. These vulnerabilities are almost exclusively found by researchers manually inspecting the code and conducting experiments.
Dynamic Analysis, Fortify WebInspect is for QA testers & security professionals to help identify and prioritize security vulnerabilities. It simulates real world attacks on your running applications and provides a comprehensive analysis of complex web applications and their services.
Runtime is a technology that helps organizations manage and mitigate risk in production applications. Fortify Application Defender is able to actively monitor and protect applications that have known and unknown security vulnerabilities. It also provides visibility into the malicious activity and will identify the root cause.
So as orgs are transitioning to an agile environment, processes and greater collaboration across dev, QA and security Ops has to get automated further. The traditional approach is to deploy static and dynamic testing technologies during the build and QA process and although this testing is still important, it is no longer enough.
New trends have emerged and we now have a new SDLC –
Secure developement is shifting left and empowering developers to find and fix vulnerabilities as they code. This happens entirely within the developers native environment. We do this by continuously testing and providing remediation guidance on the source code as it is being developed.
Today, applications have to embed and build-in security testing tools such as Fortify and BlackDuck which can tightly integrate into existing DevOp tools sets
Stockhausen
With this integration, customers that already manage vulnerabilities in Fortify Software Security Center can now incorporate issues that have been identified by BlackDuck. This provides added value, visibility and governance to your entire application security program.
PITTENGER
Black Duck scans are kicked off concurrent with the Fortify scans, typically as part of the build process. The result is an inventory, or bill-of-materials, listing all of the open source identified down to the version level. Once identified, we map information from our knowledgebase on over 1.5 million open source projects about known vulnerabilities, license information, and operational risk from poorly supported projects.
Stockhausen
This is one example demonstrating the usefulness of having Black Duck issues incorporated into Software Security Center. At the issue level, you can see the flexibility that SSC offers. Users can combine filtering with grouping to identify specific types of issues.
Stockhausen
This is one example demonstrating the usefulness of having Black Duck issues incorporated into Software Security Center. At the issue level, you can see the flexibility that SSC offers. Users can combine filtering with grouping to identify specific types of issues.
This slide will set up the discussion on automation
PITTENGER or RIGHT
Moving from a waterfall environment to DevOps has changed the way organizations are creating and deploying their applications. The advantages of integrating Development and IT Operation teams, and moving to a continuous and frequent production releases cycle, provides faster time to value, allows companies to react quickly to market needs, and helps to stay ahead of a very competitive environment.
A new approach to development also requires a new approach to security testing. As companies transition to a DevOps environment they need to find ways to further automate their application security testing efforts and process. It is even more crucial now to make sure testing processes are built into your SDLC.
PITTENGER
Most continuous integration infrastructures contain a similar collection of components including:
IDE’s integrated development environments,
version control systems,
bug tracking tools,
binary repositories,
and test automation tools,
The most common component is a continuous integration solution such as Jenkins, TeamCity, or Bamboo to orchestrate and schedule all of the critical steps of the build.
<ANIM> Application scanning can be implemented in a number of locations within the ecosystem, including automated scanning as part of the continuous integration process which provides visibility into security vulnerabilities within your code.
PITTENGER
Security testing technologies that are integrated with a CI tools provides the most flexibility and reduces friction in the devops environment. For example, using your CI tools to initiate Static and Open Source analysis with each build provides rapid feedback on vulnerabilities in both customer and open source code, giving companies a complete assessment of the risk in an application.
As a final check before deployment, a good practice is to run an open source analysis of both the application layer and the Linux stack to identify known vulnerabilities, and if you choose, prevent vulnerable containers from being deployed live.
PITTENGER
To achieve consistency in the build and delivery process, continuous integration solutions can take advantage of pipelines. A pipeline is simply a chain of events that can be scheduled or triggered and are kicked off within your CI system. They can be quite simple and only involve a few tasks or complex and contain many tasks and can include both serial and parallel paths.
There is no such thing as a standard pipeline but most incorporate unit tests, acceptance tests, packaging, reporting and deployment phases.
It’s not unusual for your CI team to have several software build pipelines constructed to accommodate different types of builds.
For example:
<ANIM> Pipeline 1 may be invoked each night and only used internally to test the code that was committed to that day.
<ANIM> <ANIM> Other pipelines might include more automated testing and deployment and packaging tasks to ready the software for general release and public consumption.
<ANIM> You may choose to only include scanning on a subset of your pipelines where you need visibility into security, licensing, and operational risk. You need to be careful not to get in the way of downstream activities such as QA testing. So, if you are adding scanning to your nightly or weekly QA builds, you probably don’t want to fail the builds and slow down the software development testing process.
However, prior to releasing software to customers, you may want to leverage the build pass / fail options to monitor configured policy violations and fail the build if they arise. <ANIM> In these situations, the build will be halted and downstream tasks will not be completed. Notifications can be distributed to key personnel to inform them of the failure so it can be addressed.
GO TO NEXT SLIDE
PITTENGER: In summary, we’ve discussed:
The application development environment is changing rapidly
Security testing in these environments requires further automation to meet the needs of an agile environment
OSS is pervasive and integral part of app development
OSS has unique security and support challenges
Therefore, level of risk warrants action.
If you agree this is a priority, the next steps are critical. CISOs we speak with want to find out more about the current situation at their organization. The best person to ask is often the head of application security and software development.
What you want to know are the answers to the following questions:
What policies exist?
Is there a list of components?
How are they creating the list?
Are they tracking vulnerabilities?
How do they ensure nothing gets through?
What steps are they taking to automate their processes?
These questions will shed light on the current state of how open source is used and managed at your organization and give you a good starting point for further discussions. What would you propose the next steps should be?
At this point, we’d like to open it up to questions and answer those that have already come into the Chat window….
If you have further questions, please contact us at: