SlideShare a Scribd company logo
1 of 15
Software Security in the Real World
Kelsey Hightower
Dan Perry
Customer Success Engineer
Anchore
Housekeeping
01
02
03
All participant lines are muted
Questions will be accepted throughout, enter questions via Q&A panel
You will receive a follow-up email with a link to the recording
04 Please respond to poll questions as they are appear on your screen
Anchore | Software Supply Chain Management
Anchore | Software Supply Chain Management
Securing your
software supply chain
with a frictionless
developer experience
that optimizes velocity
Your DevOps Process
Run
Deploy
Test
Build
Develop
Source
Agenda
Current Events
Discussion on the latest
events
Dive into recent events and how
we can navigate these
Live Demo
See real examples across
three areas
Visibility & Inspection
Policy Enforcement
Remediation
Q&A
Question and Answer with
Kelsey & Dan
Time to ask those questions on
anything from Anchore to
Software Security
Current Events
Software Supply Chains today are complex
Run
Deploy
Stage
Build
Source
Many dependencies brought in at each stage
Multiple teams
and tools
Multiple
Source repos
Multiple builds
per day
Multiple
registries
Multiple
deployments
Multiple
clusters
Scan
Limited
checks
How Anchore Enterprise can help
Pass/Fail
for best practices
or compliance
controls via
policy-as-code
Visibility Inspection Policy
Enforcement
Remediation Reporting
DevOps
SecOps &
Compliance
SBOM metadata
and (optional)
data stored in
database for
querying
Security issues
assessed
continually
against stored
SBOMs
Notifications
sent via native
developer tools
about security
issues
Scheduled or
ad-hoc reports
for triage, SLA,
compliance, or
trending
✅
❌
SBOM generated
locally in CI
or pulled for
backend
generation
CI/CD
Registry
Runtime
Vuln Feed
Everything we show today is real
💻
Try for yourself & follow along later
github.com/anchore/webinar-demo
Topic 1 - Visibility & Inspection
Build an accurate software bill of materials (SBOM) from source.
Security checks inspecting for vulnerabilities, secrets, permissions, malware
Topic 2 - Policy Enforcement
Enforce compliance with external or internal standards
Topic 3 - Remediation
Recommendations and automation to resolve issues more quickly.
Give the developer what they need to move fast.
Anchore Enterprise
Software Composition Analysis from Code to Cloud
Cloud-native
Focus
Fast scanning of containerized applications, at scale
High Fidelity SBOMs to identify OSS content and security issues
Multi-stage scanning across Git, CI/CD, Registry, and Kubernetes
Open Source
Centric
End to End
Coverage
Controls for NIST, FedRAMP, DISA and more.
Compliance
Automation
More Information
Get started with Anchore Enterprise labs
https://github.com/anchore/webinar-demo
Learn more about Anchore Enterprise
https://anchore.com/platform
Get a personal demo
get.anchore.com/contact
Download the NVIDIA case study
www.anchore.com/nvidia
Q&A
Thank you for joining!

More Related Content

Similar to Software Security in the Real World w/Kelsey Hightower

Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...John Kinsella
 
Top 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle softwareTop 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle softwareRogue Wave Software
 
You need to analyze the features of three videoconferencing systems
You need to analyze the features of three videoconferencing systems You need to analyze the features of three videoconferencing systems
You need to analyze the features of three videoconferencing systems walthamcoretta
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security Rogue Wave Software
 
Best practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWSBest practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWSAmazon Web Services
 
IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewAshish Patel
 
Technical Due Diligence for M&A: A Perspective from Corporate Development at ...
Technical Due Diligence for M&A: A Perspective from Corporate Development at ...Technical Due Diligence for M&A: A Perspective from Corporate Development at ...
Technical Due Diligence for M&A: A Perspective from Corporate Development at ...Black Duck by Synopsys
 
00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3Eoin Keary
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSoftServe
 
Adding the Sec to Your DevOps Pipelines
Adding the Sec to Your DevOps PipelinesAdding the Sec to Your DevOps Pipelines
Adding the Sec to Your DevOps PipelinesAmazon Web Services
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCSuman Sourav
 
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessMohammed A. Imran
 
DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)Qualitest
 
GDG SLK - Why should devs care about container security.pdf
GDG SLK - Why should devs care about container security.pdfGDG SLK - Why should devs care about container security.pdf
GDG SLK - Why should devs care about container security.pdfJames Anderson
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product SecuritySoftServe
 
Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!Eric Smalling
 
Democratizing security
Democratizing securityDemocratizing security
Democratizing securitySanjeev Sharma
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...HackerOne
 

Similar to Software Security in the Real World w/Kelsey Hightower (20)

Dev{sec}ops
Dev{sec}opsDev{sec}ops
Dev{sec}ops
 
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
 
Top 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle softwareTop 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle software
 
You need to analyze the features of three videoconferencing systems
You need to analyze the features of three videoconferencing systems You need to analyze the features of three videoconferencing systems
You need to analyze the features of three videoconferencing systems
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
 
Best practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWSBest practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWS
 
IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product Overview
 
Technical Due Diligence for M&A: A Perspective from Corporate Development at ...
Technical Due Diligence for M&A: A Perspective from Corporate Development at ...Technical Due Diligence for M&A: A Perspective from Corporate Development at ...
Technical Due Diligence for M&A: A Perspective from Corporate Development at ...
 
00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
 
Adding the Sec to Your DevOps Pipelines
Adding the Sec to Your DevOps PipelinesAdding the Sec to Your DevOps Pipelines
Adding the Sec to Your DevOps Pipelines
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
 
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or less
 
DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
 
GDG SLK - Why should devs care about container security.pdf
GDG SLK - Why should devs care about container security.pdfGDG SLK - Why should devs care about container security.pdf
GDG SLK - Why should devs care about container security.pdf
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!
 
Democratizing security
Democratizing securityDemocratizing security
Democratizing security
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...
 

Recently uploaded

Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceIES VE
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsLeah Henrickson
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxMarkSteadman7
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseWSO2
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization -  The evolution of API governanceAPI Governance and Monetization -  The evolution of API governance
API Governance and Monetization - The evolution of API governanceWSO2
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxFIDO Alliance
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewDianaGray10
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...caitlingebhard1
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxFIDO Alliance
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...FIDO Alliance
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe中 央社
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfdanishmna97
 

Recently uploaded (20)

Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational Performance
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern Enterprise
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization -  The evolution of API governanceAPI Governance and Monetization -  The evolution of API governance
API Governance and Monetization - The evolution of API governance
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 

Software Security in the Real World w/Kelsey Hightower

  • 1. Software Security in the Real World Kelsey Hightower Dan Perry Customer Success Engineer Anchore
  • 2. Housekeeping 01 02 03 All participant lines are muted Questions will be accepted throughout, enter questions via Q&A panel You will receive a follow-up email with a link to the recording 04 Please respond to poll questions as they are appear on your screen
  • 3. Anchore | Software Supply Chain Management Anchore | Software Supply Chain Management Securing your software supply chain with a frictionless developer experience that optimizes velocity Your DevOps Process Run Deploy Test Build Develop Source
  • 4. Agenda Current Events Discussion on the latest events Dive into recent events and how we can navigate these Live Demo See real examples across three areas Visibility & Inspection Policy Enforcement Remediation Q&A Question and Answer with Kelsey & Dan Time to ask those questions on anything from Anchore to Software Security
  • 6. Software Supply Chains today are complex Run Deploy Stage Build Source Many dependencies brought in at each stage Multiple teams and tools Multiple Source repos Multiple builds per day Multiple registries Multiple deployments Multiple clusters Scan Limited checks
  • 7. How Anchore Enterprise can help Pass/Fail for best practices or compliance controls via policy-as-code Visibility Inspection Policy Enforcement Remediation Reporting DevOps SecOps & Compliance SBOM metadata and (optional) data stored in database for querying Security issues assessed continually against stored SBOMs Notifications sent via native developer tools about security issues Scheduled or ad-hoc reports for triage, SLA, compliance, or trending ✅ ❌ SBOM generated locally in CI or pulled for backend generation CI/CD Registry Runtime Vuln Feed
  • 8. Everything we show today is real 💻 Try for yourself & follow along later github.com/anchore/webinar-demo
  • 9. Topic 1 - Visibility & Inspection Build an accurate software bill of materials (SBOM) from source. Security checks inspecting for vulnerabilities, secrets, permissions, malware
  • 10. Topic 2 - Policy Enforcement Enforce compliance with external or internal standards
  • 11. Topic 3 - Remediation Recommendations and automation to resolve issues more quickly. Give the developer what they need to move fast.
  • 12. Anchore Enterprise Software Composition Analysis from Code to Cloud Cloud-native Focus Fast scanning of containerized applications, at scale High Fidelity SBOMs to identify OSS content and security issues Multi-stage scanning across Git, CI/CD, Registry, and Kubernetes Open Source Centric End to End Coverage Controls for NIST, FedRAMP, DISA and more. Compliance Automation
  • 13. More Information Get started with Anchore Enterprise labs https://github.com/anchore/webinar-demo Learn more about Anchore Enterprise https://anchore.com/platform Get a personal demo get.anchore.com/contact Download the NVIDIA case study www.anchore.com/nvidia
  • 14. Q&A
  • 15. Thank you for joining!