© 2019 Forrester. Reproduction Prohibited.
Amy DeMartine
Vice President, Research Director, Forrester
Jeff Crum
Senior Director of Product Marketing, WhiteSource
SCA Is Critical To Secure Modern Application Development
33% of firms suffered a breach as a result of an external attack. This is how.
Agile And DevOps Practices Increase Release Speeds
Put Testing As Early In The SDLC As Possible
Source: “Use DevOps And Supply Chain Principles To Automate Application Delivery Governance” Forrester report.
[Diagram: testing types placed along the SDLC: SCA & SAST; DAST or IAST]
Push Remediation Advice As Early In The SDLC As Possible
Source: “The State Of Application Security, 2019” Forrester report
Early testing + automation = results overload
We Investigated The Undergrad Programs Of The 40 Best US Computer Science Programs…
…none of the top 40 computer science programs in the US require a class about secure coding or secure application design. None of the top five international schools for computer science require a class on secure coding.
You need prioritization and autoremediation to fix vulnerabilities.
Prioritization
Limit what developers must act on before they become overwhelmed:
• Highest severity
• Proof of exploit
• Age
• Most used
• Estimated time to fix
• Largest number of different versions
Autoremediation
Enable developers to easily create patches themselves:
• Automatically creates a pull request with the updated manifest file
• Includes remediation for transitive dependencies
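The manifest-rewriting step behind such a pull request, as an added example (this is not WhiteSource's own code, and the package names, versions, dependency tree and advisory ids are all constructed for illustration): direct dependencies that predate the fixed version are bumped in place, and vulnerable transitive dependencies, which the developer never pinned, get an explicit pin appended so the resolver can no longer pick the old version.

```python
"""Added example (not WhiteSource's own code): the manifest-rewriting step of
autoremediation. Given a pip-style requirements manifest, a resolved dependency
tree and a small advisory table, it bumps vulnerable direct dependencies in
place and appends explicit pins for vulnerable transitive ones, returning the
new manifest text plus a change list a bot could put into a pull request.
All package names, versions, advisory ids and the tree are constructed."""
from typing import Dict, List, Tuple

# Constructed manifest as a developer wrote it (direct dependencies only).
MANIFEST = """# app requirements
flask==1.0.2
requests==2.19.1
"""

# Constructed resolved tree: package -> (installed version, its dependencies).
RESOLVED: Dict[str, Tuple[str, List[str]]] = {
    "flask": ("1.0.2", ["jinja2", "werkzeug"]),
    "jinja2": ("2.10", []),
    "werkzeug": ("0.14.1", []),
    "requests": ("2.19.1", ["urllib3"]),
    "urllib3": ("1.23", []),
}

# Constructed advisory table: package -> (first fixed version, advisory id).
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "jinja2": ("2.10.1", "ADV-EXAMPLE-001"),
    "urllib3": ("1.24.2", "ADV-EXAMPLE-002"),
    "requests": ("2.20.0", "ADV-EXAMPLE-003"),
    "flask": ("1.0.2", "ADV-EXAMPLE-004"),  # installed version already carries the fix
}


def version_tuple(v: str) -> Tuple[int, ...]:
    """Numeric-only comparison; enough for the constructed versions above."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text: str) -> List[Tuple[str, str]]:
    """Return ordered (name, version) pins; blank lines and comments are ignored."""
    pins = []
    for line in text.splitlines():
        s = line.split("#", 1)[0].strip()
        if not s:
            continue
        name, _, ver = s.partition("==")
        pins.append((name.strip().lower(), ver.strip()))
    return pins


def plan_fixes(manifest_text: str, resolved, advisories) -> List[dict]:
    """One entry per vulnerable package whose installed version predates the fix.
    Direct dependencies are bumped; transitive ones get a new explicit pin."""
    direct = {name for name, _ in parse_manifest(manifest_text)}
    fixes = []
    for pkg, (installed, _deps) in resolved.items():
        if pkg not in advisories:
            continue
        fixed, adv = advisories[pkg]
        if version_tuple(installed) >= version_tuple(fixed):
            continue  # nothing to do: the fix is already installed
        fixes.append({"package": pkg, "from": installed, "to": fixed,
                      "kind": "direct" if pkg in direct else "transitive",
                      "advisory": adv})
    return fixes


def apply_fixes(manifest_text: str, fixes: List[dict]) -> str:
    """Rewrite the manifest text: bump direct pins where they stand, then append
    pins for transitive packages so the resolver can no longer pick the old ones."""
    bump = {f["package"]: f["to"] for f in fixes if f["kind"] == "direct"}
    out = []
    for line in manifest_text.splitlines():
        s = line.split("#", 1)[0].strip()
        if s:
            name = s.partition("==")[0].strip()
            if name.lower() in bump:
                line = f"{name}=={bump[name.lower()]}"
        out.append(line)
    transitive = [f for f in fixes if f["kind"] == "transitive"]
    if transitive:
        out.append("# pinned by autoremediation (transitive dependencies)")
        out.extend(f"{f['package']}=={f['to']}  # {f['advisory']}" for f in transitive)
    return "\n".join(out) + "\n"


def pull_request_summary(fixes: List[dict]) -> List[str]:
    """Lines for the pull request description, one per change."""
    return [f"{f['kind']}: {f['package']} {f['from']} -> {f['to']} ({f['advisory']})"
            for f in fixes]


if __name__ == "__main__":
    planned = plan_fixes(MANIFEST, RESOLVED, ADVISORIES)
    print("\n".join(pull_request_summary(planned)))
    print(apply_fixes(MANIFEST, planned))
```

The numeric version comparison is deliberately minimal; a real tool would use the ecosystem's version rules (pre-releases, epochs), re-resolve the tree after pinning to confirm the new pins are compatible with the direct dependencies, and run the project's tests before opening the pull request.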
Top 5 features to consider when choosing an SCA tool
1. Language coverage
2. Both license and vulnerability identification
3. Integrations into the CI/CD pipeline
4. Prioritization
5. Autoremediation
The future of SCA…
Key Takeaways
1. Vulnerabilities are plaguing applications
2. Developers aren’t trained to understand the risks of using vulnerable open source components
3. Look for SCA tools that will not only cover basic functionality but help developers remediate the most important vulnerabilities quickly
Thank You.
Amy DeMartine
VP, Research Director
+1 617.613.8906
ademartine@forrester.com
The Agenda
§ WhiteSource and the Forrester Software Composition Analysis (SCA) Wave Report
§ Developer tools vs. Governance tools
§ The WhiteSource Solution
THE LEADER OF SOFTWARE COMPOSITION ANALYSIS
Founded in 2011. Offices in NY, Boston, London & Tel-Aviv
800+ Customers
Empowering over 1.2 M developers
Supporting 23% of Fortune 100 companies
Over 3x YOY growth
Some of Our Customers
WhiteSource and the Forrester SCA Wave Report
1. Prioritization
2. Remediation
3. Coverage

1. Prioritization
Open Source Vulnerabilities Are On The Rise
DEVELOPERS ARE NOT EFFICIENTLY MANAGING OPEN SOURCE VULNERABILITIES
[Chart: How much time is spent? (hours/month): None; 1 - 10 hours; 11 - 20 hours; 21 - 35 hours; 36 - 60 hours; Over 60 hours]
15 hours/month spent on average by every developer on security vulnerabilities
Developers Are Investing Too Much Time On Vulnerability Assessment and Remediation
3.8 hours/month spent on security vulnerability remediation
Vulnerability Effectiveness: a novel approach to prioritization
EFFECTIVE VULNERABILITY vs. INEFFECTIVE VULNERABILITY
Prioritization Is Key To Saving Wasted Time On Vulnerability Management
Vulnerability Effectiveness: a metaphor
[Diagram: a building with floors L, F1, F2 and F3 connected by stairs; floor L has a left door and a right door; floor F3 is the vulnerable floor]
The vulnerability is manifested in Floor F3. Entrance from the Floor L left door can potentially access that floor, and the vulnerability. The vulnerability is nonetheless inaccessible from the right door entrance.
If a person uses an entrance that even potentially can lead to a reported vulnerability in the building, that person is at risk. If a person only uses an entrance that cannot even potentially lead to a reported vulnerability in the building, that person is not at risk.
Let’s look at a pseudocode example:
Public func os1()
func Proprietary1()
Private func L1()
Private func F1()
Private func F2()
Private func F3_vuln()
Proprietary1() CAN reach the vulnerable code F3_vuln() (via direct or transitive calls).
Let’s examine again from a pseudocode perspective:
Public func os2()
func Proprietary2()
Private func L1_A()
Private func F1_A()
Proprietary2() CANNOT reach the vulnerable code F3_vuln().
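The reachability question the metaphor and pseudocode pose, as an added example (not WhiteSource's or Forrester's code): a call graph is searched from the application's entry points to the vulnerable function, and a vulnerability is "effective" only if some chain of direct or transitive calls reaches it. The slides list only the function signatures, so the edges below (who calls whom) are an assumption constructed to match the deck's two cases, with one extra back-edge added to show that cycles in the graph are handled.

```python
"""Added example (not WhiteSource's or Forrester's code): call-graph
reachability, the mechanism behind "vulnerability effectiveness". The edges are
an assumption built to match the deck's pseudocode:
Proprietary1 -> os1 -> L1 -> F1 -> F2 -> F3_vuln, and
Proprietary2 -> os2 -> L1_A -> F1_A, which never reaches F3_vuln."""
from collections import deque
from typing import Dict, List, Optional

# Caller -> callees (constructed). os1/os2 are the library's public entry
# points, the L*/F* functions are its private internals, and Proprietary* is
# the application's own code.
CALL_GRAPH: Dict[str, List[str]] = {
    "Proprietary1": ["os1"],
    "os1": ["L1"],
    "L1": ["F1"],
    "F1": ["F2", "L1"],   # F1 also calls back into L1: a cycle, to show the search copes
    "F2": ["F3_vuln"],
    "F3_vuln": [],
    "Proprietary2": ["os2"],
    "os2": ["L1_A"],
    "L1_A": ["F1_A"],
    "F1_A": [],
}


def call_path(graph: Dict[str, List[str]], entry: str, target: str) -> Optional[List[str]]:
    """Breadth-first search from entry; returns the shortest chain of calls that
    reaches target (directly or transitively), or None when it is unreachable."""
    if entry == target:
        return [entry]
    parent: Dict[str, Optional[str]] = {entry: None}
    queue = deque([entry])
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, []):
            if callee in parent:      # already visited: this is what makes cycles safe
                continue
            parent[callee] = fn
            if callee == target:
                chain = [callee]
                while parent[chain[-1]] is not None:
                    chain.append(parent[chain[-1]])
                return chain[::-1]
            queue.append(callee)
    return None


def classify(graph: Dict[str, List[str]], entry_points: List[str],
             vulnerable: List[str]) -> Dict[str, dict]:
    """For each vulnerable function decide whether it is effective (reachable from
    at least one application entry point) or ineffective, keeping the witnessing
    call chains so a developer can see why a finding was kept or deferred."""
    report = {}
    for vuln in vulnerable:
        paths = {}
        for entry in entry_points:
            chain = call_path(graph, entry, vuln)
            if chain is not None:
                paths[entry] = chain
        report[vuln] = {"effective": bool(paths), "paths": paths}
    return report


def effective_first(report: Dict[str, dict]) -> List[str]:
    """Order findings so that reachable vulnerabilities are acted on first."""
    return sorted(report, key=lambda v: (not report[v]["effective"], v))


if __name__ == "__main__":
    # Two constructed applications: one uses os1 only, the other os2 only.
    for app, entries in {"App A": ["Proprietary1"], "App B": ["Proprietary2"]}.items():
        result = classify(CALL_GRAPH, entries, ["F3_vuln"])
        for vuln, info in result.items():
            status = "EFFECTIVE" if info["effective"] else "ineffective"
            print(f"{app}: {vuln} is {status}")
            for entry, chain in info["paths"].items():
                print(f"  {entry}: " + " -> ".join(chain))
```

A real SCA tool derives the graph from the application's and the library's code; the result is a prioritization input, not proof that the vulnerability is exploitable, and static graphs miss edges created by reflection or dynamic dispatch, so "ineffective" should lower a finding's priority rather than close it.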
2. Remediation
Automate Open Source Vulnerability Remediation
Top Fixes Offered by the Community
98% of all reported vulnerabilities have at least one fix offered by the community. So why not use it? We provide links to all suggested patches, new source files, versions, etc.
Initiating Remediation Workflow Automatically
Initiate workflows automatically once a vulnerability is detected to close the loop with your development team. Integrate your SCA with your bug trackers to assign remediation tasks to the developers in real time and track time to fix.
3. Coverage
• Supporting All Languages
• Detecting All Reported Vulnerabilities
• Covering All Relevant Environments
• Catering To All Groups In Your Org
Developer tools vs. Governance tools
Governance solutions
§ Used by Management, Security, DevOps, Legal teams
§ Visibility and control
§ Reports, prioritization and policy enforcement
Developer tools
§ Used by Developers
§ Information on issues and remediation support
§ Integration with dev tools, real-time alerts and remediation insights
Both Teams Need Security Tools
The WhiteSource Solution
PRIORITIZE
• Detection
• Real Time Alerts
• Automated Policies
• Advanced Reporting
• Prioritization
• Container
REMEDIATE
• IDE Integration
• Browser Integration
• Repo Integration
WhiteSource Product Portfolio
[Diagram: SDLC stages PLAN, CODE, BUILD, DEPLOY, MAINT. with WhiteSource integration points: Selection, IDE, Repository, Build, Deployment, Post Deployment]
What Sets Us Apart?
WITH YOU EVERY STEP OF THE WAY
COVERAGE: Supporting over 200 programming languages. All environments. All groups, complete solution.
PRIORITIZATION: We help you focus on what matters with vulnerability prioritization and no false positives.
REMEDIATION: We not only alert, but also provide actionable, validated remediation tools to enable quick resolution.
Thank You!

Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
Edge AI and Vision Alliance
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
saastr
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Pitangent Analytics & Technology Solutions Pvt. Ltd
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
Edge AI and Vision Alliance
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 

Recently uploaded (20)

Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
Artificial Intelligence and Electronic Warfare
Artificial Intelligence and Electronic WarfareArtificial Intelligence and Electronic Warfare
Artificial Intelligence and Electronic Warfare
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 

Taking Open Source Security to the Next Level

  • 1. © 2019 Forrester. Reproduction Prohibited. Amy DeMartine, Vice President, Research Director, Forrester. Jeff Crum, Senior Director of Product Marketing, WhiteSource
  • 2. SCA Is Critical To Secure Modern Application Development
  • 3. 33% of firms suffered a breach as a result of an external attack. This is how.
  • 4. Agile And DevOps Practices Increase Release Speeds
  • 5. Put Testing As Early In The SDLC As Possible (figure labels: SCA & SAST; DAST or IAST). Source: “Use DevOps And Supply Chain Principles To Automate Application Delivery Governance” Forrester report.
  • 6. Push Remediation Advice As Early In The SDLC As Possible. Source: “The State Of Application Security, 2019” Forrester report
  • 7. Early testing + automation = results overload
  • 8. We Investigated The Undergrad Programs Of The 40 Best US Computer Science Programs…
  • 9. …none of the top 40 computer science programs in the US require a class about secure coding or secure application design.
  • 10. None of the top five international schools for computer science require a class on secure coding.
  • 11. You need prioritization and autoremediation to fix vulnerabilities.
  • 12. Prioritization: limit what developers must act on before they become overwhelmed. Rank by: highest severity; proof of exploit; age; most used; estimated time to fix; most different versions in use.
  • 13. Autoremediation: enable developers to easily create patches themselves. Automatically creates a pull request with an updated manifest file; includes remediation for transitive dependencies.
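Slides 12 and 13 describe prioritization and autoremediation only in words. The Python below is an added illustration, not WhiteSource's or Forrester's code: it ranks a constructed set of SCA findings on the six criteria listed on slide 12 (the weights are an assumption) and drafts the manifest change a fix pull request would carry, bumping a direct dependency in place and pinning a transitive one through npm's `overrides` map (yarn's equivalent is `resolutions`) so the fix does not wait on the parent package. Package names, advisory IDs, dates and hours are constructed.

```python
"""Prioritize SCA findings and draft the manifest change for a fix PR.
Added example; not WhiteSource or Forrester code. All packages, advisory
IDs and numbers are constructed for illustration."""
import copy
import json
from datetime import date

TODAY = date(2019, 6, 1)  # fixed so the ranking is reproducible

# Constructed findings. `direct` says whether the application declares the
# package itself or only pulls it in transitively through `parent`.
FINDINGS = [
    {"advisory": "ADV-0001", "package": "html-tidy-lite", "installed": "2.0.1",
     "fixed": "2.0.3", "cvss": 7.5, "exploit_public": False,
     "published": date(2019, 5, 20), "dependents": 1, "fix_hours": 0.5,
     "versions_in_use": 1, "direct": True},
    {"advisory": "ADV-0002", "package": "deep-merge-x", "installed": "1.4.0",
     "fixed": "1.4.2", "cvss": 9.8, "exploit_public": True,
     "published": date(2018, 11, 2), "dependents": 6, "fix_hours": 1.0,
     "versions_in_use": 3, "direct": False, "parent": "form-kit"},
    {"advisory": "ADV-0003", "package": "yaml-reader", "installed": "0.9.0",
     "fixed": "1.0.0", "cvss": 8.1, "exploit_public": False,
     "published": date(2019, 3, 1), "dependents": 2, "fix_hours": 8.0,
     "versions_in_use": 1, "direct": True},
]


def priority_score(f, today=TODAY):
    """Fold the slide's six criteria into one number (higher = fix first).
    The weights are an assumption a real tool would tune per organisation."""
    age_days = (today - f["published"]).days
    score = f["cvss"] * 10                       # highest severity
    score += 30 if f["exploit_public"] else 0    # proof of exploit
    score += min(age_days, 365) / 365 * 10       # age: old public bugs get scanned for
    score += f["dependents"] * 2                 # most used: how many modules depend on it
    score += f["versions_in_use"] * 2            # many different versions in use
    score -= f["fix_hours"] * 1.5                # estimated time to fix: cheap wins first
    return round(score, 1)


def prioritize(findings, today=TODAY):
    """Findings ordered so the first element is what a developer should open."""
    return sorted(findings, key=lambda f: priority_score(f, today), reverse=True)


def remediate(manifest, finding):
    """Return a copy of a package.json-style manifest with the fix applied.
    Direct dependencies are bumped in place; a transitive one is pinned via
    `overrides` (npm 8.3+), which fixes it without a parent release."""
    fixed = copy.deepcopy(manifest)
    pkg, version = finding["package"], finding["fixed"]
    if finding["direct"]:
        fixed.setdefault("dependencies", {})[pkg] = "^" + version
    else:
        fixed.setdefault("overrides", {})[pkg] = version
    return fixed


def pr_description(finding):
    """One-line title for the automatically opened pull request."""
    text = (f"Fix {finding['advisory']} in {finding['package']} "
            f"{finding['installed']} -> {finding['fixed']}")
    if not finding["direct"]:
        text += f" (transitive via {finding['parent']}, pinned with an override)"
    return text


if __name__ == "__main__":
    manifest = {"name": "demo-app", "dependencies": {
        "html-tidy-lite": "^2.0.1", "form-kit": "^3.1.0", "yaml-reader": "^0.9.0"}}
    ranked = prioritize(FINDINGS)
    for f in ranked:
        print(priority_score(f), f["advisory"], f["package"])
    print(pr_description(ranked[0]))
    print(json.dumps(remediate(manifest, ranked[0]), indent=2))
```

Note the ordering the score produces: the transitive, exploited, widely used finding outranks the direct but younger and more expensive ones, which is the point of slide 12; a simple "CVSS descending" sort would have ranked the same three findings identically here, but add age and fix cost and the direct 8.1 falls below the direct 7.5 because it costs a day rather than half an hour.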
  • 14. Top 5 features to consider when choosing an SCA tool: 1. Language coverage 2. Both license and vulnerability identification 3. Integrations into the CI/CD pipeline 4. Prioritization 5. Autoremediation
  • 15. The future of SCA….
  • 16. Key Takeaways: 1. Vulnerabilities are plaguing applications. 2. Developers aren’t trained to understand the risks of using vulnerable open source components. 3. Look for SCA tools that will not only cover basic functionality but help developers remediate the most important vulnerabilities quickly.
  • 17. Thank You. Amy DeMartine, VP, Research Director, +1 617.613.8906, ademartine@forrester.com
  • 18. The Agenda: § WhiteSource and the Forrester Software Composition Analysis (SCA) Wave Report § Developer tools vs. governance tools § The WhiteSource Solution
  • 19. THE LEADER OF SOFTWARE COMPOSITION ANALYSIS. Founded in 2011. Offices in NY, Boston, London & Tel-Aviv. 800+ customers. Empowering over 1.2 M developers. Supporting 23% of Fortune 100 companies. Over 3x YOY growth.
  • 20. Some of Our Customers
  • 21. WhiteSource and the Forrester SCA Wave Report
  • 24. Open Source Vulnerabilities Are On The Rise
  • 25. DEVELOPERS ARE NOT EFFICIENTLY MANAGING OPEN SOURCE VULNERABILITIES. Developers Are Investing Too Much Time On Vulnerability Assessment And Remediation: 15 hours/month spent on average by every developer on security vulnerabilities; 3.8 hours/month spent on security vulnerability remediation. (Chart: How much time is spent? hours/month, buckets None, 1-10, 11-20, 21-35, 36-60, over 60.)
  • 26. Prioritization Is Key To Saving Wasted Time On Vulnerability Management. Vulnerability Effectiveness: a novel approach to prioritization (figure: effective vulnerability vs. ineffective vulnerability).
  • 27. Vulnerability Effectiveness: a metaphor. Picture a building with floors L, F1, F2 and F3 joined by stairs, and two entrance doors on floor L. The vulnerability is manifested on floor F3, the vulnerable floor. Entering by the left door on floor L can potentially lead to that floor, and so to the vulnerability; the vulnerability is nonetheless inaccessible from the right-door entrance. If a person uses an entrance that can even potentially lead to a reported vulnerability in the building, that person is at risk; if a person only uses an entrance that cannot lead to it, that person is not at risk. In pseudocode: the open source component exposes Public func os1() and Public func os2(); behind os1() sit Private func L1(), F1(), F2() and F3_vuln(), behind os2() sit Private func L1_A() and F1_A(). Proprietary1(), which calls os1(), CAN reach the vulnerable code F3_vuln() via direct or transitive calls. Proprietary2(), which calls os2(), CANNOT reach F3_vuln(). Prioritization Is Key To Saving Wasted Time On Vulnerability Management.
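In code, the building metaphor on slide 27 is a reachability question over the application's call graph. The Python below is an added example, not WhiteSource's implementation: it extracts a call graph with an AST walk from a constructed single-file module that mirrors the slide's pseudocode (os1 leading through L1, F1 and F2 to F3_vuln; os2 leading only to L1_A and F1_A), then searches for a call chain from each proprietary entry point to the vulnerable function. A chain means the vulnerability is effective for that entry point and belongs at the top of the queue; no chain means it is ineffective and can be deprioritized. The module source and function names are constructed.

```python
"""Is a reported vulnerability 'effective', i.e. reachable directly or
transitively from the application's own code? Added example, not
WhiteSource code. The call-graph extraction is a deliberately simple AST
walk over one file, and the library/application source is constructed."""
import ast
from collections import deque

SOURCE = '''
# open source library (constructed)
def F3_vuln(data):        # the reported vulnerability lives here
    return eval(data)
def F2(data):
    return F3_vuln(data)
def F1(data):
    return F2(data)
def L1(data):
    return F1(data)
def os1(data):            # public entry: the "left door"
    return L1(data)
def F1_A(data):
    return data.upper()
def L1_A(data):
    return F1_A(data)
def os2(data):            # public entry: the "right door"
    return L1_A(data)
# proprietary application code (constructed)
def Proprietary1(request):
    return os1(request)
def Proprietary2(request):
    return os2(request)
'''


def build_call_graph(source):
    """Map each top-level function to the set of defined functions it calls.
    Only calls by plain name or attribute are followed; builtins such as
    eval and methods such as str.upper are not defined here and are dropped,
    so the graph is an under-approximation of real control flow."""
    tree = ast.parse(source)
    defined = {n.name for n in tree.body if isinstance(n, ast.FunctionDef)}
    graph = {name: set() for name in defined}
    for fn in tree.body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        for node in ast.walk(fn):
            if isinstance(node, ast.Call):
                callee = node.func
                name = (callee.id if isinstance(callee, ast.Name)
                        else getattr(callee, "attr", None))
                if name in defined:
                    graph[fn.name].add(name)
    return graph


def path_to(graph, start, target):
    """Breadth-first search from `start`; returns the shortest call chain
    ending in `target`, or None when the target is unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            chain = []
            while cur is not None:
                chain.append(cur)
                cur = parent[cur]
            return chain[::-1]
        for nxt in sorted(graph.get(cur, ())):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


def effective_vulnerabilities(graph, entry_points, vulnerable):
    """For each application entry point, the call chain that reaches the
    vulnerable function (effective) or None (ineffective)."""
    return {entry: path_to(graph, entry, vulnerable) for entry in entry_points}


if __name__ == "__main__":
    g = build_call_graph(SOURCE)
    verdicts = effective_vulnerabilities(g, ["Proprietary1", "Proprietary2"], "F3_vuln")
    for entry, chain in verdicts.items():
        print(entry, "->", " -> ".join(chain) if chain else "not reachable (ineffective)")
```

The direction of the approximation matters. This walk ignores dynamic dispatch, reflection, calls through function values and anything outside the one file, so a missed edge turns an effective vulnerability into a false "ineffective" verdict, which is the expensive mistake; a production tool needs a whole-program call graph (across the dependency tree, not just the direct dependency) and should treat "unreachable" as a lower priority rather than as "safe".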
  • 29. Top Fixes Offered by the Community: 98% of all reported vulnerabilities have at least one fix offered by the community, so why not use it? We provide links to all suggested patches, new source files, versions etc. Initiating Remediation Workflow Automatically: initiate workflows automatically once a vulnerability is detected to close the loop with your development team; integrate your SCA with your bug trackers to assign remediation tasks to developers in real time and track time to fix.
  • 30. Automate Open Source Vulnerability Remediation
  • 32. Supporting All Languages. Detecting All Reported Vulnerabilities. Covering All Relevant Environments. Catering To All Groups In Your Org.
  • 33. Developer tools vs. governance tools
  • 34. Both Teams Need Security Tools. Governance solutions: § used by management, security, DevOps and legal teams § visibility and control § reports, prioritization and policy enforcement. Developer tools: § used by developers § information on issues and remediation support § integration with dev tools, real-time alerts and remediation insights.
  • 36. Detection. Real Time Alerts. Automated Policies. Advanced Reporting. Prioritization. (Figure labels: CONTAINER, PRIORITIZE.)
  • 38. WhiteSource Product Portfolio, across the lifecycle: PLAN, CODE, BUILD, DEPLOY, MAINT.
  • 40. What Sets Us Apart? COVERAGE: supporting over 200 programming languages, all environments, all groups, a complete solution. PRIORITIZATION: we help you focus on what matters with vulnerability prioritization and no false positives. REMEDIATION: we not only alert, but also provide actionable, validated remediation tools to enable quick resolution.