5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource Webinar

•Als PPTX, PDF herunterladen•

17 gefällt mir•374 views

The best approaches and practices that security teams should implement in order to enable their developers to harness the power of open source without slowing them down or compromising on security.

Software

Tackling The Risks Of
Open Source Security
5 Things Every CISO Needs To Know

Senior Director of Product
Management
Meet Today’s Speaker
Rami Elron
Senior Director
of Product Management
at WhiteSource

02
It’s Time To Change
Your Mindset
5 Things Every CISO Needs To Know About
Open Source Security
01
Open Source Risk
Is On The Rise
05
Shift Left Is At It’s Best
With Open Source.
04
Delegate Security
Responsibilities
03
Prioritize Security
Vulnerabilities

Are You Spending Enough In AppSec?
Source: Ponemon Institute: The Increasing Risk to Enterprise Applications
Gaps in Security Risks and the Allocation of Spending The Level of Risk (# of
Breaches Multiplied By
Severeness)
The Level of
Annual Spending
(Investment) in IT Security
0%
5%
10%
15%
20%
25%
30%
35%
40%
Application Endpoints Networks Data Servers
Risk Level Annual Spending %
0
1

Open Source Components Account For
60%-80% Of The Average Software Product
5%-10%
1998
30%-50%
2008
60%-80%
2016
Proprietary Code
Open Source Code
Source: North Bridge Future Of Open Source Survey
0
1

Number Of New CVEs Discovered
MoreThan Doubled YoY in 2017
0
2000
4000
6000
8000
10000
12000
14000
16000
1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017
# of Vulnerabilities
Source: Common Vulnerabilities and Exposures
0
1

Potential vulnerability detected
(SAST & DAST)
No public information
Need to research to find a fix
During development
Detection
Publicity
Remediation
Scan Phase
Known vulnerability
All information is publicly available
Actionable remediation(s) are available
Continuous monitoring (incl. post release)
PROPRIETARY VULNERABILITIES OPEN SOURCE VULNERABILITIES
Open Source Security is a different game -
change your mindset
0
2

On average, 70%* of reported
security vulnerabilities
in open source libraries
are not referenced
by the developers’ code.
Effective vs Passive
* Based on preliminary research by WhiteSource
Open Source Code
70%
30%
Passive
Effective
0
3

Automate Security Tools To Improve Coverage While
Reducing Friction
0
4
Security DevOps Developers

Turn Developers Into Security Advocates
Empower developers with more flexible selection and approval processes
0
4
Project
Planning
Requirements
Definition
Design
Development
Integration &
Test
Installation &
Acceptance

05
Shift Left Is At It’s Best
With Open Source.

The cost of fixing security and quality issues is rising significantly,
as the development cycle advances.
Source: Ponemon Institute Research
Coding
$80/Defect
Build
$240/Defect
QA & Security
$960/Defect
Production
$7,600/Defect
0
5Detect Issues As Early As Possible

Detect Issues As Early As Possible
Cost of fixing issues reduces by 90% when detected in the build vs post release
0
5

Think Differently
When It Comes To Processes
Final Note:

Analyze and prioritize
open source security vulnerability remediation
Streamline
policies with better integration options
Shift-left
security processes to establish better practices

Weitere ähnliche Inhalte

Was ist angesagt?

The State of Open Source Vulnerabilities - A WhiteSource Webinar

WhiteSource

Have you considered what truly separates accidental vulnerabilities in open source from intentionally malicious releases? Although often grouped together as "vulnerabilities", malicious open source components are very different, right from their very creation through to the way you mitigate and remediate them as an end user. The past 12 months saw a record-breaking time for detection of malicious components in the world's most popular package registries. Join Rhys Arkins, Director of Product at WhiteSource, as he will discuss: The key differences between accidental vulnerabilities and malicious releases, How to manage the risk for each type of vulnerability, Lessons learned from the most interesting malicious packages spotted during 2019.

Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk

WhiteSource

From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...

WhiteSource

The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...

WhiteSource

The days when financial institutions relied solemnly on proprietary code are over. Today, even the largest financial services firms have realized the benefits of using open source technology to build powerful, innovative applications at a reduced time-to-market. However, the financial services industry faces strict regulatory requirements that present it with a unique set of challenges, especially when it comes to open source usage (both consumption and contribution). FINOS is a non-profit organization whose purpose is to accelerate collaboration and innovation in financial services through the adoption of open source software, standards and best practices. Together with WhiteSource, they are able to provide a safe environment for developers to use open source components freely and fearlessly. Join FINOS and WhiteSource as they discuss: The challenges of open source usage The state of open source vulnerabilities management How FINOS uses WhiteSource to ensure the security and IP compliance of FINOS-produced open source software

Empowering Financial Institutions to Use Open Source With Confidence

WhiteSource

WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...

WhiteSource

Your organization has already embraced the DevOps methodology? That’s a great start. But what about security? It’s a fact - many organizations fear that adding security to their DevOps practices will severely slow down their development processes. But this doesn’t need to be the case. Tune in to hear Jeff Martin, Senior Director of Product at WhiteSource and Anders Wallgren, VP of Technology Strategy at Cloudbees, as they discuss: - Why traditional DevOps has shifted, and what this will mean - Who should own security in the age of DevOps - Which tools and strategies are needed to implement continuous security throughout the DevOps pipeline

From Zero to DevSecOps: How to Implement Security at the Speed of DevOps

WhiteSource

Container images are based on many direct and indirect open source dependencies, which most developers are not aware of. What are the security implications of only seeing the tip of the iceberg? What are the challenges one faces when relying so heavily on open source? And how can teams overcome these? Join Codefresh and WhiteSource, as they embark on a journey to tackle: The container iceberg - learn what are your blind spots The main security challenges when using open source in containerized applications The role of automation in open source security in containers A live demo showing how WhiteSource & Codefresh can allow you to automate open source security in containers throughout the DevOps pipeline

Tackling the Container Iceberg:How to approach security when most of your sof...

WhiteSource

Your organization has already embraced the DevOps methodology? That’s a great start. But what about security? It’s a fact - many organizations fear that adding security to their DevOps practices will severely slow down their development processes. But this doesn’t need to be the case. Tune in to hear Jeff Martin, Senior Director of Product at WhiteSource, and Anders Wallgren, VP of Technology Strategy at Cloudbees, as they discuss: Why traditional DevOps has shifted, and what this will mean? Who should own security in the age of DevOps? Which tools and strategies are needed to implement continuous security throughout the DevOps pipeline?

From Zero to DevSecOps: How to Implement Security at the Speed of DevOps

DevOps.com

Demystifying DevSecOps

Archana Joshi

DevSecOps requires processes and tools that enable weaving security throughout the DevOps pipeline. It is much more than a buzzword, and if you'd ask most organizations, well, they believe they are in the process of adopting DevSecOps tools and practices. But, are they? In order to deeply understand the state of DevSecOps implementation we need to learn more about the relationship between developers and security teams. After surveying more than 560 application security professionals and software developers we found several insights. Join Jeff Martin, associate VP of product management, and Rhys Arkins, director of product management at WhiteSource, to learn about: The current challenges of the security and development teams when it comes to AppSec The contradicting views and gaps between the teams on DevSecOps maturity How to break the silos and advance toward DevSecOps maturity

The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers

DevOps.com

In the movie, RoboCop is given three primary directives: "Serve the public trust, Protect the innocent, and Uphold the law". We built our own RoboCop in order to bring law and order to our CI/CD pipeline. DevOps practices are all about enabling fast and frequent delivery of new software. In order to keep pace in a DevOps culture, application security must be reliably integrated into the CI/CD pipeline.

RoboCop: Bringing Law and Order to CI/CD

Franklin Mosley

Practical DevSecOps Using Security Instrumentation

VMware Tanzu

Presentation from 18 November 2014. Software applications need to be delivered faster and across more platforms than ever. To build high quality software in short order, we’ve seen a dramatic shift from source code to component-based development, with open source and third party components providing the innovation and efficiency that developers need. Unfortunately, our dependence on components is growing faster than our ability to secure them. These shared components are not top-of-mind when considering application risk. Worse yet, components are increasingly the preferred attack surface in today’s applications. The combination of growing component usage, coupled with lack of security, requires us to urgently re-evaluate traditional application security approaches and identify practical next steps for closing this security gap. So what’s the “neglected 90%,” why is it attractive to your adversaries and what can you do about it? Plenty. Here are 7 key points, for starters. http://bit.ly/AHC_USAF

7 Reasons Your Applications are Attractive to Adversaries

Derek E. Weeks

Deploying insecure web applications into production can be risky -- resulting in potential loss of customer data, corporate intellectual property and/or brand value. Yet many organizations still deploy public-facing applications without assessing them for common and easily-exploitable vulnerabilities such as SQL Injection and Cross-Site Scripting (XSS). This is because traditional approaches to application security are typically complex, manual and time-consuming – deterring agile teams from incorporating code analysis into their sprints. But it doesn’t have to be that way. By incorporating key SecDevOps concepts into the Software Development Lifecycle (SDLC) – including centralized policies and tighter collaboration and visibility between security and DevOps teams – we can now embed continuous code-level security and assessment into our agile development processes. We’ve uncovered eight patterns that work together to transform cumbersome waterfall methodologies into efficient and secure agile development.

8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal

Threat Stack

Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill

AgileNetwork

Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/ How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools. What can development teams do to keep pace with rapidly-evolving application security threats? The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks. In this session, you will learn: - New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments. - Best practices for designing and incorporating an automated approach to application security into your existing development environment. - Future development and application security challenges organizations will face and what they can do to prepare.

Empowering Application Security Protection in the World of DevOps

IBM Security

Getting to Know Security and Devs: Keys to Successful DevSecOps

Franklin Mosley

Link to Youtube video: https://youtu.be/-awH_CC4DLo You can contact me at abhimanyu.bhogwan@gmail.com My linkdin id : https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/ Basic Introduction to DevSecOps concept Why What and How for DevSecOps Basic intro for Threat Modeling Basic Intro for Security Champions 3 pillars of DevSecOps 6 important components of a DevSecOps approach DevSecOps Security Best Practices How to integrate security in CI/CD pipeline

Introduction to DevSecOps

abhimanyubhogwan

Veracode provides the world’s leading Application Risk Management Platform. Veracode's patented and proven cloud-based capabilities allow customers to govern and mitigate software security risk across a single application or an enterprise portfolio with unmatched simplicity. Veracode was founded with one simple mission in mind: to make it simple and cost-effective for organizations to accurately identify and manage application security risk.

Secure Code review - Veracode SaaS Platform - Saudi Green Method

Salil Kumar Subramony

Was ist angesagt? (20)