© 2019 Synopsys, Inc.1
Streamlining Your Tech Due Diligence Process
for Software Assets
Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Center
Billions are spent each year on tech acquisitions
[Chart: Annual worldwide tech and telecom deal flow. Source: 451 Research's MSA KnowledgeBase; includes disclosed and estimated values]
• $573B in acquisitions in 2018
• 68% growth from 2017 to 2018
• Top 5 industries (chart), with software among them
Why acquirers worry
• Governance processes vary by company size
• Time to market often prioritized over compliance
• Deeper pockets may draw compliance fire
“In deploying open-source tools, I&O leaders often create dependence on
individuals with pockets of tribal knowledge, leading to blind spots in
security and license compliance”
– Gartner, Four Steps to Adopt Open-Source Software as Part of the DevOps Toolchain (2019)
Tech due diligence often requires a trusted third party
[Diagram: due diligence areas arranged from subjective and qualitative to objective and quantitative]
• Product / strategy, People, Process / tools: subjective and qualitative; assessed by the acquirer DD team or a strategy consultant
• Architecture, Code: objective and quantitative; third-party audit, since acquirers do not typically get access without a third party
Modern application = Proprietary code + Open source components + API usage + Application behavior and configuration
Background—Overview of Open Source
Understanding why open source development and governance matters
So what is “Open Source” anyway?
• Open Source Initiative Definition
– Open Source software is software that can be freely accessed, used, changed, and shared (in
modified or unmodified form) by anyone. Open source software is made by many people, and
distributed under licenses that comply with the Open Source Definition.
• Common Definition
– Open source software is software whose source code I have access to outside of a commercial
license agreement.
• What about commercial software?
– Commercial software can easily be created from open source components. Managing and securing
open source software is complicated, and open source within commercial software is even more so.
Note – Lots of legal nuance here so don’t take this as legal advice!
Equifax breach focused attention on open source
Open source license compliance remains critical
[Chart: percentage of codebases with license conflicts, showing the share that contained components with license conflicts and the share that contained some form of GPL conflict]
Source: 2019 Synopsys Open Source Security and Risk Report
Indeterminate licenses are particularly challenging
[Chart: share of codebases that contained custom licenses with the potential to cause conflict or that needed legal review, and share that contained components that were "not licensed"]
Source: 2019 Synopsys Open Source Security and Risk Report
Open source components are third-party components
Example: Which version of OpenSSL do you have?
Being a security target is costly
• Average cost of data breach: $3.86 Million
• Lost business: $4.20 Million
• Average time to identify and contain a breach: 266 days
Source: 2018 Cost of Data Breach Study (US Data) – Ponemon Institute
Open source vulnerability management is a challenge
Source: 2019 Synopsys Open Source Security and Risk Report
• Components per codebase: 257 → 298
• [Chart] Contained obsolete or unmaintained components
• Unpatched vulnerabilities decline 23%
• [Chart] Contained vulnerabilities over 10 years old
So what is a vulnerability?
• IETF RFC 2828 Definition
– A flaw or weakness in a system's design, implementation, or operation and management that could
be exploited to violate the system's security policy
• Taxonomies
– There are many classification systems for software vulnerabilities, with the Common Weakness
Enumeration (CWE) being a common form. Weaknesses can be exploited to become vulnerabilities,
which, when disclosed, become part of the Common Vulnerabilities and Exposures (CVE) List.
• Who can disclose a CVE?
– CVE disclosures occur through CVE Numbering Authorities (CNA). Originally only a limited number
of vendors participated. As of March 2019 over 90 organizations are CNAs including five
governmental ones. MITRE is the root CNA and the National Vulnerability Database (NVD) is the
most common query location.
I’m omitting a ton of detail here, so consider this the bare minimum
A simple vulnerability: The tale of CVE-2017-5638
[Timeline]
• August 2012: Commit merged
• November 2012: Struts 2.3 released
• May 2016: Struts 2.5 released (Struts 2.3 forked)
• March 6, 2017: Patches available
• March 7, 2017: Disclosure published
• March 14, 2017: NVD details
• Elapsed: 1649 days from the August 2012 commit to the March 2017 patches and disclosure; 7 days from disclosure to NVD details
Requirements to detect an OSS vulnerability
1. Source of security information
– Primary research from internal security team
– Free NVD data feed
– Sub license from third party security vendor
– Component distributions
– Open source risk analysis
2. Ability to identify components
– Versions and forks matter
– Open source can be in code or binary form
– Embedded within commercial software
– Not always managed via package managers
3. Current patch status
– Patch must be compatible
– Upstream could change behaviors
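As an added example (not from the slides, nor Synopsys code), the check below shows how the three requirements above interact: an inventory that includes embedded binaries and vendored copies, version matching that respects release lines and point releases, and patch status recorded separately from the version number. The advisory ranges are constructed sample data modelled on the published CVE-2017-5638 fix releases; the inventory entries are invented.

```python
# Added example: minimal component-inventory vs. advisory matcher.
# Advisory and inventory data below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Advisory:
    cve: str
    component: str
    affected: List[Tuple[str, str]]   # inclusive (low, high) range per release line
    fixed_in: List[str]


@dataclass
class Component:
    name: str
    version: str
    origin: str                       # "package-manager", "vendored-source" or "embedded-binary"
    backported_fixes: List[str] = field(default_factory=list)  # CVEs patched without a version bump


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1). A non-numeric suffix such as '-rc1' ends
    parsing, so '2.3.4-rc1' compares as (2, 3, 4)."""
    parts: List[int] = []
    for segment in text.split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive comparison on numeric tuples. Python orders (2,5,10) < (2,5,10,1),
    so a point release such as 2.5.10.1 correctly falls outside a 2.5..2.5.10 range."""
    v = parse_version(version)
    return parse_version(low) <= v <= parse_version(high)


def assess(inventory: List[Component], advisories: List[Advisory]) -> List[Dict[str, str]]:
    """One finding per (component, advisory) pair whose version is in an affected range.
    A recorded backport changes the status rather than hiding the finding: a
    distribution or vendor patch still has to be verified against the upstream fix."""
    findings: List[Dict[str, str]] = []
    for comp in inventory:
        for adv in advisories:
            if comp.name != adv.component:
                continue
            if not any(in_range(comp.version, lo, hi) for lo, hi in adv.affected):
                continue
            status = "backport-claimed (verify)" if adv.cve in comp.backported_fixes else "vulnerable"
            findings.append({
                "component": f"{comp.name}@{comp.version}",
                "origin": comp.origin,
                "cve": adv.cve,
                "status": status,
                "fixed_in": ", ".join(adv.fixed_in),
            })
    return findings


# Constructed sample advisory; ranges mirror the published fix releases for
# CVE-2017-5638 (2.3.5-2.3.31 and 2.5-2.5.10; fixed in 2.3.32 and 2.5.10.1).
ADVISORIES = [
    Advisory("CVE-2017-5638", "struts2-core",
             affected=[("2.3.5", "2.3.31"), ("2.5", "2.5.10")],
             fixed_in=["2.3.32", "2.5.10.1"]),
]

# Constructed sample inventory: the same library reaches the codebase by several routes.
INVENTORY = [
    Component("struts2-core", "2.3.31", "package-manager"),    # declared in the build file
    Component("struts2-core", "2.5.10.1", "package-manager"),  # already on the fixed release
    Component("struts2-core", "2.3.16", "embedded-binary",     # found inside a vendor appliance
              backported_fixes=["CVE-2017-5638"]),
    Component("struts2-core", "2.3.4", "vendored-source"),     # predates the vulnerable range
]


if __name__ == "__main__":
    for f in assess(INVENTORY, ADVISORIES):
        print(f"{f['component']:<24} {f['origin']:<16} {f['cve']} {f['status']} (fixed in {f['fixed_in']})")
```

The embedded-binary entry is the case package-manager-only tooling misses entirely, and the backport status is why the slide says patch status must be tracked on its own rather than inferred from the version.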
Risk is a function of the full stack – not just app
“CNCF Interactive Landscape” application
• The Cloud Native Computing Foundation provides a web-based
application for browsing partner technology providers.
Application Details
• 40K Source Lines of Code
• Node.js application framework
• Containerized and deployed on Kubernetes
• 0.05% of code in use is custom
• 99.5% of code is in the stack
• Risks present at all layers of the stack
Source: CNCF Presentation: How good is our code?
Security risks can be present across the software stack
[Diagram: stack layers with the due diligence question asked at each]
• Architecture: Are there any flaws in the design that could lead to security vulnerabilities?
• Proprietary code: Was the code produced with any defects or security weaknesses?
• OSS + third-party code (several layers): Does the company track and manage open source use and the security risks that come with it?
• Across all layers: Are there any exploitable vulnerabilities or data protection issues?
Design and process issues pose integration challenges
[Diagram: the same stack layers (Architecture, Proprietary code, OSS + third-party code)]
• Architecture: Are there any flaws in the design that could be adding time or cost to the process?
• Proprietary code and OSS + third-party code: Was the code produced with any defects or process flaws?
Dissecting the security design decisions of
modern applications
Example: An IoT application is more than just firmware
IoT security requires multiple disciplines
[Diagram: IoT device, mobile interface, MQTT broker, core services, analysis engine and web UI; numbered markers 1-4 represent constraints in the system]
• IoT Device: limited CPU resources; limited RAM for features; C/C++ typical; MQTT common protocol
• Mobile Interface (1): iOS/Android application; configure device (via Bluetooth); view device data; receive notifications
• MQTT Broker: lightweight protocol; high volume; pub/sub interface; encrypted data published via MQTT (2)
• Analysis Engine: data stored for analysis (3)
• Core services: Authentication and Authorization, Analysis Engine, MQTT, WebSocket, Core Data
• Web UI (4): responsive application; view device data; view historical information
• OTA: avoid MITM; certification of image
Identify security targets from platform requirements
Role: Security Architect with CISO and Product Owner guidance
Design Goal: Select an IoT toolchain meeting product and cost requirements
Tasks and requirements:
1. Select platform supporting desired protocols
• Protocol implementations must be resilient
2. Select candidate vendor or open source stack
3. Validate protocols against cost and stability
• Define protocol fuzzing framework
4. Report on security targets during development
Concern: Device instability leading to data disclosure and reputational damage
Select development frameworks and environment
Role: Development Lead with Product Owner guidance
Design Goal: Select frameworks capable of meeting time to market and security targets
Tasks and requirements:
1. Select languages based on security requirements
2. Define build environment
3. Identify commercial and open source frameworks and libraries
• Define governance for security updates
4. Enable IDE security plugins
5. Enable build time CI analysis
Concern: Identify intrinsic security issues and potential rework costs
Continuous security assessments during development
Role: Developer with Development Lead guidance
Development Goal: Identify security weaknesses prior to code commits
Tasks:
1. Transparent security review during coding
• No disruption to existing workflows
2. Remediation and contextual guidance
• Lower defect costs by shifting left
Concern: Poor security training and developer engagement
Continuous security assessments during build
Role: Release Engineer with guidance from QA and Product Owner
Release Goal: Ensure release meets quality, security and functional targets
Tasks and requirements:
1. Build triggered from merge/pull request
2. Detailed scans run parallel to build process
3. Optionally fail builds based on security targets/exceptions
4. Centralized security progress tracking
Concern: Identify weak code coverage and limited security testing
Confirm governance and security target progress
Role: Security Architect
Governance Goal: Ensure release meets security and functional targets
Tasks:
1. Centralized review of security results
2. Review by common taxonomy (OWASP Top 10, SANS Top 25)
3. Triage issue status via defect workflows
4. Measure progress against governance targets
5. Define security targets for future releases
Concern: Identify whether continuous improvement is part of the culture or if issues recur with each cycle
Web services APIs also impact risk profiles
API Lifecycle
• Twitter API shutdown August 2018
• Google+ shutdown April 2019
• Salesforce API versioning
Data usage and control
• GDPR data processor vs data controller
• Data sovereignty and jurisdiction
• Data mashups and inference scenarios
Data and privacy breaches
• Facebook API tokens
• [24]7.io and Delta, Kmart, Sears
• Third-party data bleeds
• Phone home tracking
• CVE-2018-1002105 in Kubernetes API
Focus on risk identification
Start with open source and account for other development risks
Why Black Duck leads Open Source risk management
Singular focus on Open Source governance and risk management
Powered by a Knowledge Base designed for the realities of open source development
Delivering actionable Open Source security information in near real-time
Key due diligence questions for open source usage
Is there a complete list of open source components in use?
How was it created and how is it maintained? How complete and accurate is it?
What policies are defined for the use of open source?
How are they enforced? Are they compatible with the pace of development?
How are open source vulnerabilities being tracked?
How disruptive would the next Equifax or Heartbleed scale vulnerability be?
Does the application patch strategy include open source awareness?
What are the patch and update processes for each component? How are patches vetted?
How is open source usage in commercial applications identified?
If vulnerable open source components are used in binaries, are vendors addressing patches?
Portfolio – Audit Services
[Diagram: audit services mapped onto the stack layers (Architecture, Proprietary code, OSS + third-party code)]
• Open Source and Third-Party Code Audit
• Open Source Risk Assessment
• Web Services and API Risk Audit
• Penetration Test Audit
• Static Application Security Test Audit
• Quantitative Code Quality Audit
• Qualitative Code Quality Audit
• Security Controls Design Analysis
• Encryption Algorithm Detection Audit
Build secure, high-quality software faster

Infographic–A Look Back at the First Year of GDPRInfographic–A Look Back at the First Year of GDPR
Infographic–A Look Back at the First Year of GDPR
Synopsys Software Integrity Group
 
Webinar–Reviewing Modern JavaScript Applications
Webinar–Reviewing Modern JavaScript ApplicationsWebinar–Reviewing Modern JavaScript Applications
Webinar–Reviewing Modern JavaScript Applications
Synopsys Software Integrity Group
 

More from Synopsys Software Integrity Group (9)

Webinar–Segen oder Fluch?
Webinar–Segen oder Fluch?Webinar–Segen oder Fluch?
Webinar–Segen oder Fluch?
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical Apps
 
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde AgileWebinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
 
Webinar – Software Security 2019–Embrace Velocity
Webinar – Software Security 2019–Embrace Velocity Webinar – Software Security 2019–Embrace Velocity
Webinar – Software Security 2019–Embrace Velocity
 
Webinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec ResourceWebinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec Resource
 
Webinar – Using Metrics to Drive Your Software Security Initiative
Webinar – Using Metrics to Drive Your Software Security Initiative Webinar – Using Metrics to Drive Your Software Security Initiative
Webinar – Using Metrics to Drive Your Software Security Initiative
 
Webinar–Vulnerabilities in Containerised Production Environments
Webinar–Vulnerabilities in Containerised Production EnvironmentsWebinar–Vulnerabilities in Containerised Production Environments
Webinar–Vulnerabilities in Containerised Production Environments
 
Infographic–A Look Back at the First Year of GDPR
Infographic–A Look Back at the First Year of GDPRInfographic–A Look Back at the First Year of GDPR
Infographic–A Look Back at the First Year of GDPR
 
Webinar–Reviewing Modern JavaScript Applications
Webinar–Reviewing Modern JavaScript ApplicationsWebinar–Reviewing Modern JavaScript Applications
Webinar–Reviewing Modern JavaScript Applications
 

Recently uploaded

Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
Fermin Galan
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 
Pro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp BookPro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp Book
abdulrafaychaudhry
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
lorraineandreiamcidl
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
Ortus Solutions, Corp
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
Aftab Hussain
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Globus
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
E-commerce Application Development Company.pdf
E-commerce Application Development Company.pdfE-commerce Application Development Company.pdf
E-commerce Application Development Company.pdf
Hornet Dynamics
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
Paco van Beckhoven
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
Philip Schwarz
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Crescat
 
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Mind IT Systems
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
Google
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
rickgrimesss22
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
Shane Coughlan
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Neo4j
 
APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)
Boni García
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
Drona Infotech
 

Recently uploaded (20)

Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
 
Pro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp BookPro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp Book
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
 
E-commerce Application Development Company.pdf
E-commerce Application Development Company.pdfE-commerce Application Development Company.pdf
E-commerce Application Development Company.pdf
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
 
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
 
APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
 

Webinar – Streamlining Your Tech Due Diligence Process for Software Assets

1. © 2019 Synopsys, Inc.
Streamlining Your Tech Due Diligence Process for Software Assets
Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Center
2. Billions are spent each year on tech acquisitions
Annual worldwide tech and telecom deal flow (chart): $573B in acquisitions in 2018; 68% growth from 2017 to 2018; top 5 industries include software.
Source: 451 Research's MSA KnowledgeBase. Includes disclosed and estimated values.
3. Why acquirers worry
• Governance processes vary by company size
• Time to market often prioritized over compliance
• Deeper pockets may draw compliance fire
“In deploying open-source tools, I&O leaders often create dependence on individuals with pockets of tribal knowledge, leading to blind spots in security and license compliance”
– Gartner, Four Steps to Adopt Open-Source Software as Part of the DevOps Toolchain (2019)
4. Tech due diligence often requires a trusted third party
Areas assessed, from subjective and qualitative to objective and quantitative: Product / strategy, People, Process / tools, Architecture, Code.
Performed by the acquirer DD team or a strategy consultant, or by a third-party audit: acquirers do not typically get access without a third party.
5. Modern application = Proprietary code + Open source components + API usage + Application behavior and configuration
6. Background—Overview of Open Source
Understanding why open source development and governance matters
7. So what is “Open Source” anyway?
• Open Source Initiative Definition
– Open Source software is software that can be freely accessed, used, changed, and shared (in modified or unmodified form) by anyone. Open source software is made by many people, and distributed under licenses that comply with the Open Source Definition.
• Common Definition
– Open source software is software whose source code I have access to outside of a commercial license agreement.
• What about commercial software?
– Commercial software can easily be created from open source components. Managing and securing open source software is complicated, and open source within commercial software is even more so.
Note – Lots of legal nuance here so don’t take this as legal advice!
8. Equifax breach focused attention on open source
9. Open source license compliance remains critical
Chart: percentage of codebases with license conflicts. Bars: contained components with license conflicts; contained some form of GPL conflict.
Source: 2019 Synopsys Open Source Security and Risk Report
10. Indeterminate licenses are particularly challenging
Chart: contained custom licenses that had the potential to cause conflict or needed legal review; contained components that were “not licensed”.
Source: 2019 Synopsys Open Source Security and Risk Report
11. Open source components are third-party components
12. Example: Which version of OpenSSL do you have?
13. Being a security target is costly
Average cost of data breach: $3.86 Million
Lost business: $4.20 Million
Average time to identify and contain a breach: 266 days
Source: 2018 Cost of Data Breach Study (US Data) – Ponemon Institute
14. Open source vulnerability management is a challenge
Chart: components per codebase, 257 and 298; contained obsolete or unmaintained components; unpatched vulnerabilities decline 23%; contained vulnerabilities over 10 years old.
Source: 2019 Synopsys Open Source Security and Risk Report
15. So what is a vulnerability?
• IETF RFC 2828 Definition
– A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy
• Taxonomies
– There are many classification systems for software vulnerabilities, the Common Weakness Enumeration (CWE) being a common one. Weaknesses can be exploited to become vulnerabilities, which, when disclosed, become part of the Common Vulnerabilities and Exposures (CVE) List.
• Who can disclose a CVE?
– CVE disclosures occur through CVE Numbering Authorities (CNAs). Originally only a limited number of vendors participated. As of March 2019 over 90 organizations are CNAs, including five governmental ones. MITRE is the root CNA and the National Vulnerability Database (NVD) is the most common query location.
I’m omitting a ton of detail here, so consider this the bare minimum
16. A simple vulnerability: The tale of CVE-2017-5638
Timeline (spans labelled 1649 days and 7 days): Commit merged August 2012; Struts 2.3 released November 2012; Struts 2.3 forked, Struts 2.5 released May 2016; patches available March 6 2017; disclosure published March 7 2017; NVD details March 14 2017.
17. Requirements to detect an OSS vulnerability
1. Source of security information
– Primary research from internal security team
– Free NVD data feed
– Sub-license from third-party security vendor
– Component distributions
– Open source risk analysis
2. Ability to identify components
– Versions and forks matter
– Open source can be in code or binary form
– Embedded within commercial software
– Not always managed via package managers
3. Current patch status
– Patch must be compatible
– Upstream could change behaviors
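A worked example of the detection requirements above, covering the binary-form OpenSSL question of slide 12 and the version and fork points of slide 17. It is added here and is not part of the deck: the byte blob, the advisory ids and the affected version ranges are all constructed placeholders.

```python
"""Added example (not from the Synopsys deck): find OpenSSL builds inside a
binary by their version banner and match them against advisory version ranges.

All inputs are constructed for this illustration: the byte blob stands in for a
vendor-supplied binary, and the advisory ids and affected ranges are
placeholders, not real vulnerability data."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# OpenSSL 1.x embeds OPENSSL_VERSION_TEXT, e.g. b"OpenSSL 1.0.2k  26 Jan 2017" or a
# vendor build's b"OpenSSL 1.0.1e-fips 11 Feb 2013", so a component shipped only as
# a binary, outside any package manager, can still be identified by its banner.
BANNER_RE = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-[A-Za-z0-9]+)?)\s+\d{1,2} [A-Z][a-z]{2} \d{4}"
)

# (major, minor, fix, patch-letter index); 0 means the letterless base release
Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn '1.0.2k' (or a vendor-tagged '1.0.1e-fips') into a comparable tuple.

    The patch letter sorts after the base release, so 1.0.2 < 1.0.2a < 1.0.2k.
    The vendor tag is dropped for comparison, which is why a banner match is a
    lead rather than a verdict: a distribution fork may backport fixes without
    bumping the upstream version string, so patch status still has to be
    confirmed against the vendor's own changelog (versions and forks matter).
    """
    base = text.split("-", 1)[0]
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", base)
    if not m:
        raise ValueError(f"not an OpenSSL 1.x version string: {text!r}")
    major, minor, fix, letter = m.groups()
    letter_index = (ord(letter) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(fix), letter_index)


def find_openssl_versions(blob: bytes) -> List[str]:
    """Return each distinct OpenSSL banner version in the blob, in order of first appearance."""
    found: List[str] = []
    for m in BANNER_RE.finditer(blob):
        version = m.group(1).decode("ascii")
        if version not in found:  # statically linked copies often repeat the banner
            found.append(version)
    return found


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder id, constructed for this example
    affected_from: Version  # first affected release (inclusive)
    fixed_in: Version       # first release carrying the fix (exclusive)

    def affects(self, version: Version) -> bool:
        return self.affected_from <= version < self.fixed_in


def assess(blob: bytes, advisories: List[Advisory]) -> Dict[str, List[str]]:
    """Map every OpenSSL version found in the blob to the advisories whose range covers it."""
    report: Dict[str, List[str]] = {}
    for banner in find_openssl_versions(blob):
        version = parse_version(banner)
        report[banner] = [a.advisory_id for a in advisories if a.affects(version)]
    return report


# Constructed stand-in for a binary delivered without source: an ELF-like header,
# an unrelated string, and three embedded OpenSSL banners (one of them duplicated).
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"OpenSSL 1.0.2k  26 Jan 2017\x00"      # statically linked upstream build
    + b"libcurl/7.29.0 payload\x00"
    + b"OpenSSL 1.0.1e-fips 11 Feb 2013\x00"  # vendor-tagged build from a second dependency
    + b"OpenSSL 1.0.2k  26 Jan 2017\x00"      # duplicate banner, reported once
    + b"OpenSSL 1.0.2u  20 Dec 2019\x00"      # later patch release, outside both ranges
)

# Constructed advisories: ids and ranges are placeholders, not real CVE data.
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-0001", parse_version("1.0.1"), parse_version("1.0.1j")),
    Advisory("EXAMPLE-0002", parse_version("1.0.2"), parse_version("1.0.2m")),
]

if __name__ == "__main__":
    for banner, hits in assess(SAMPLE_BINARY, SAMPLE_ADVISORIES).items():
        print(f"{banner:16} {', '.join(hits) or 'no matching advisory'}")
```

The report is only as good as the advisory feed behind it, which is the first requirement on the slide; the banner scan answers the second, and the fork caveat in `parse_version` is why the third still needs a manual check.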
18. Risk is a function of the full stack – not just the app
“CNCF Interactive Landscape” application
• The Cloud Native Computing Foundation provides a web-based application to browse for partner technology providers.
Application details
• 40K source lines of code
• Node.js application framework
• Containerized and deployed on Kubernetes
• 0.05% of code in use is custom
• 99.5% of code is in the stack
• Risks present at all layers of the stack
Source: CNCF presentation, How good is our code?
19. Security risks can be present across the software stack
Diagram layers: Architecture; Proprietary code; OSS + third-party code (three layers). Questions asked of them:
• Are there any flaws in the design that could lead to security vulnerabilities?
• Does the company track and manage open source use and the security risks that come with it?
• Was the code produced with any defects or security weaknesses?
• Are there any exploitable vulnerabilities or data protection issues?
20. Design and process issues pose integration challenges
Diagram layers: Architecture; Proprietary code; OSS + third-party code (three layers). Questions asked of them:
• Are there any flaws in the design that could be adding time or cost to the process?
• Was the code produced with any defects or process flaws?
21. Dissecting the security design decisions of modern applications
Example: An IoT application is more than just firmware
22. IoT security requires multiple disciplines
System diagram; numbered callouts represent constraints in the system.
IoT Device: limited CPU resources; limited RAM for features; C/C++ typical; MQTT common protocol. OTA: avoid MITM; certification of image.
Mobile Interface (callout 1, configure via Bluetooth): iOS/Android application; configure device; view device data; receive notifications.
MQTT Broker (callout 2, encrypted data published via MQTT): lightweight protocol; high volume; Pub/Sub interface.
Analysis Engine (callout 3, data stored for analysis): Authentication and Authorization; MQTT, WebSocket, Core Data.
Web UI (callout 4): responsive application; view device data; view historical information.
23. Identify security targets from platform requirements
Design goal: Select an IoT toolchain meeting product and cost requirements
Role: Security Architect with CISO and Product Owner guidance
Tasks and requirements:
1. Select platform supporting desired protocols
• Protocol implementations must be resilient
2. Select candidate vendor or open source stack
3. Validate protocols against cost and stability
• Define protocol fuzzing framework
4. Report on security targets during development
Concern: Device instability leading to data disclosure and reputational damage
24. Select development frameworks and environment
Design goal: Select frameworks capable of meeting time to market and security targets
Role: Development Lead with Product Owner guidance
Tasks and requirements:
1. Select languages based on security requirements
2. Define build environment
3. Identify commercial and open source frameworks and libraries
• Define governance for security updates
4. Enable IDE security plugins
5. Enable build-time CI analysis
Concern: Identify intrinsic security issues and potential rework costs
25. Continuous security assessments during development
Development goal: Identify security weaknesses prior to code commits
Role: Developer with Development Lead guidance
Tasks:
1. Transparent security review during coding
• No disruption to existing workflows
2. Remediation and contextual guidance
• Lower defect costs by shifting left
Concern: Poor security training and developer engagement
26. Continuous security assessments during build
Release goal: Ensure release meets quality, security and functional targets
Role: Release Engineer with guidance from QA and Product Owner
Tasks and requirements:
1. Build triggered from merge/pull request
2. Detailed scans run parallel to build process
3. Optionally fail builds based on security targets/exceptions
4. Centralized security progress tracking
Concern: Identify weak code coverage and limited security testing
27. Confirm governance and security target progress
Governance goal: Ensure release meets security and functional targets
Role: Security Architect
Tasks:
1. Centralized review of security results
2. Review by common taxonomy
• (OWASP Top 10, SANS Top 25)
3. Triage issue status via defect workflows
4. Measure progress against governance targets
5. Define security targets for future releases
Concern: Identify whether continuous improvement is part of the culture or if issues recur with each cycle
28. Web services APIs also impact risk profiles
API lifecycle
• Twitter API shutdown August 2018
• Google+ shutdown April 2019
• Salesforce API versioning
Data usage and control
• GDPR data processor vs data controller
• Data sovereignty and jurisdiction
• Data mashups and inference scenarios
Data and privacy breaches
• Facebook API tokens
• [24]7.io and Delta, Kmart, Sears
• Third-party data bleeds
• Phone home tracking
• CVE-2018-1002105 in Kubernetes API
29. Focus on risk identification
Start with open source and account for other development risks
30. Why Black Duck leads Open Source risk management
• Singular focus on Open Source governance and risk management
• Powered by a Knowledge Base designed for the realities of open source development
• Delivering actionable Open Source security information in near real-time
31. Key due diligence questions for open source usage
• Is there a complete list of open source components in use? How was it created and how is it maintained? How complete and accurate is it?
• What policies are defined for the use of open source? How are they enforced? Are they compatible with the pace of development?
• How are open source vulnerabilities being tracked? How disruptive would the next Equifax or Heartbleed scale vulnerability be?
• Does the application patch strategy include open source awareness? What are the patch and update processes for each component? How are patches vetted?
• How is open source usage in commercial applications identified? If vulnerable open source components are used in binaries, are vendors addressing patches?
32. Portfolio – Audit Services
Mapped across the stack (Architecture; Proprietary code; OSS + third-party code):
• Open Source and Third-Party Code Audit
• Open Source Risk Assessment
• Web Services and API Risk Audit
• Penetration Test Audit
• Static Application Security Test Audit
• Quantitative Code Quality Audit
• Qualitative Code Quality Audit
• Security Controls Design Analysis
• Encryption Algorithm Detection Audit
33. Build secure, high-quality software faster