FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Components in the CI Pipeline

•

1 gefällt mir•843 views

Basma Shahadat, Lead Research Engineer presented at Black Duck Flight West 2018. Security checking in the early stages of the SDLC is critical. This session will demonstrate how Proofpoint is taking proactive steps to reduce risk by integrating Black Duck into Proofpoint’s continuous integration pipeline to detect open source vulnerabilities during the product build. For more information, please visit us at https://www.blackducksoftware.com/

Software

Continuous Monitoring of Open
Source Components in the CI
Pipeline
Basma Shahadat
Lead Release Engineer at Proofpoint

Importance of
Software Security
• Digital transformation in all industries is
powered by software
• The nature of the threat is changing
more rapidly with the concurrent rise in
cybercrime

Up to 90%
Open Source
TODAY
50%
Open Source
2010
20%
Open Source
20051998
10%
Open Source
Today, most application code is open source
*Source: Black Duck Software

Had Known
Vulnerabilities67%
Of Those Were
Rated as Severe52%
Were Out Of
License Compliance85%
96% of audited apps contain open source…
*Source: Black Duck Software

• Commitment to security
• Desire to continuously monitor application security
• Desire to automate process so it was scalable
Challenges

Do it often
Do it continuously
Do it frequently
What Did We Learn?

Continuous Integration Flow
Black Duck:
Each Build
Build Code with Unit test (Send Result
to Code Coverage tools)
Scan Artifact with Black Duck
Deploy Code to QA stack
Run Integration test
QA Promotes for production
Coverity:
Weekly
Scan Code with Coverity
Notify the Committer
about new code flaws

Get everybody on-boarded right away!
• Internal Tech Talks on Black Duck ongoing
• Train to understand value
• Periodic training
Cultivating a Security Community in Development

Our Journey with Black Duck
• Development team: It is part of our
Continuous Integration process
• Operation: Scan for all third party
libraries included in our system
• Integrate with development workflow
through Jenkins, JIRA and Hipchat

• Get the developers engaged with the findings
• Work on the findings: Ongoing training
• Minimize false positives: Working with Black Duck to update KnowledgeBase
• An appropriate job configuration must run relatively fast in CI-CD pipeline
• Better notification to team about the scanned project
Challenges with Black Duck

Weitere ähnliche Inhalte

Was ist angesagt?

PCI and Vulnerability Assessments - What’s Missing

Black Duck by Synopsys

How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps. You’ll learn: -New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments -Best practices for designing and incorporating an automated approach to application security into your existing development environment -Future development and application security challenges organizations will face and what they can do to prepare

Software Security Assurance for DevOps

Black Duck by Synopsys

Myths and Misperceptions of Open Source Security

Black Duck by Synopsys

Fujitsu Network Communication (FNC) was historically an closed-source development organization. Today, FNC is not only a consumer of open source in their software development, but also an active open source contributor with the release of Warrior (http://warriorframework.org). In this session, FNC Open Source champion, Karan Marjara will walk through FNC's move toward embracing the open source model as a strategic benefit, and demonstrate how they are leveraging open source with Warrior.

Making the Strategic Shift to Open Source at Fujitsu Network Communication

Black Duck by Synopsys

The Black Duck blog and Open Source Insight become part of the Synopsys Software Integrity blog in early April. You’ll still get the latest open source security and license compliance news, insights, and opinions you’ve come to expect, plus the latest software security trends, news, tips, best practices, and thought leadership every week. Don’t delay, subscribe today! Now on to this week’s open source security and cybersecurity news.

Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...

Black Duck by Synopsys

Integration and automation are cornerstones of DevOps. Black Duck Hub provides integrations to CI/CD solutions like Jenkins and TeamCity, but what if you are using a different solution or maybe even your own custom tools? Never fear! Black Duck Hub API's allow you to leverage Black Duck open source scanning and policies into your environment. In this session we'll roll up our sleeves and dig into some coding examples to show you how to do it.

Integrating Black Duck into Your Environment with Hub APIs

Black Duck by Synopsys

A Brief Insight into Penetration Testing

Vikram Khanna

Customer Case Study: ScienceLogic - Many Paths to Compliance

Black Duck by Synopsys

According to SAP 85% of cybersecurity attacks target the application layer. To be successful in defending against these attacks you need to use a variety of tools. In session we'll go into the various types application security tools and approaches, including SAST, DAST, RASP, PEN, as well as Open Source Vulnerability Management. We'll help you understand the differences between these tools and help you develop a plan for filling your application security toolbox.

Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why

Black Duck by Synopsys

Continuous and Visible Security Testing with BDD-Security

Stephen de Vries

Proactive Security AppSec Case Study

Andy Hoernecke

Pactera - App Security Assessment - Mobile, Web App, IoT - v2

Kyle Lai

September 13, 2016: Security in the Age of Open Source:

Black Duck by Synopsys

Devops security-An Insight into Secure-SDLC

Suman Sourav

Perforce on Tour 2015 - Grab Testing By the Horns and Move

Perforce

FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...

Black Duck by Synopsys

Automating Open Source Security: A SANS Review of WhiteSource

WhiteSource

WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...

WhiteSource

Open Source and Cyber Security: Open Source Software's Role in Government Cyb...

Great Wide Open

Black Duck and Tech Contracts Academy discussed the implications of open source software in tech contracts. The topic of open source has been at the forefront of the technology industry for many years, but as the use of open source in commercial applications explodes, so do concerns about addressing license and ownership issues in contract negotiations. David Tollen is the founder of Tech Contracts Academy (www.TechContracts.com) and of Sycamore Legal P.C., in San Francisco. He’s the author of The Tech Contracts Handbook: Cloud Computing Agreements, Software Licenses, and Other IT Contracts for Lawyers and Businesspeople. He will dive into these topics from the perspective of both buyers and sellers and aims to educate on Intellectual Property (IP) protection and other terms and how they should work during contract negotiations.

Buyer and Seller Perspectives on Open Source in Tech Contracts

Black Duck by Synopsys

Was ist angesagt? (20)

PCI and Vulnerability Assessments - What’s Missing

Software Security Assurance for DevOps

Myths and Misperceptions of Open Source Security

Making the Strategic Shift to Open Source at Fujitsu Network Communication

Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...

Integrating Black Duck into Your Environment with Hub APIs

A Brief Insight into Penetration Testing

Customer Case Study: ScienceLogic - Many Paths to Compliance

Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why

Continuous and Visible Security Testing with BDD-Security

Proactive Security AppSec Case Study

Pactera - App Security Assessment - Mobile, Web App, IoT - v2

September 13, 2016: Security in the Age of Open Source:

Devops security-An Insight into Secure-SDLC

Perforce on Tour 2015 - Grab Testing By the Horns and Move

FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...

Automating Open Source Security: A SANS Review of WhiteSource

WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...

Open Source and Cyber Security: Open Source Software's Role in Government Cyb...

Buyer and Seller Perspectives on Open Source in Tech Contracts

Ähnlich wie FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Components in the CI Pipeline

Network intrusion. Information theft. Outside reprogramming of systems. These examples are just a few of the several reasons why software security is becoming increasingly more important to all industries. No system is immune, so it’s more important than ever to understand why secure code matters and how to create safer applications. With this presentation you'll learn how to: -Protect your systems from risk -Comply with security standards -Ensure the entire codebase is bulletproof

Create code confidence for better application security

Rogue Wave Software

Zero-bug Software, Mathematically Guaranteed

Ashley Zupkus

As presented by Tim Mackey, Senior Technical Evangelist at Black Duck Software, at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious. Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: - How known vulnerabilities can make their way into production deployments - How vulnerability impact is maximized - A methodology for ensuring deployment of vulnerable code can be minimized - A methodology to minimize the potential for vulnerable code to be redistributed

Secure application deployment in the age of continuous delivery

Black Duck by Synopsys

As presented at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious. Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: - How known vulnerabilities can make their way into production deployments - How vulnerability impact is maximized - A methodology for ensuring deployment of vulnerable code can be minimized - A methodology to minimize the potential for vulnerable code to be redistributed

Secure application deployment in the age of continuous delivery

Tim Mackey

Security in the Age of Open Source

Black Duck by Synopsys

CI/CD pipelines help DevOps teams automate and drive scalability of mobile app releases. However, teams still experience friction from all kinds of testing. To speed the flow, organizations are now turning to automated continuous testing (CT) in the pipeline by engaging the test automation and security teams. The latest advancements in functional and performance testing enable organizations to run faster, friction-free pipelines with CI/CD/CT. Join Perfecto by Perforce Chief Evangelist and author, Eran Kinsbruner, and NowSecure Chief Mobility Officer, Brian Reed, in this webinar. Understand how successful organizations optimize their CI/CD pipelines with automated CT tools for functional and security testing in their build process. Watch this webinar to learn the following: - Fundamentals of continuous testing (CT) strategy for CI/CD/CT pipelines. - How to fit automated security and functional testing together inside a DevOps process. - Common pitfalls in mobile app security and how to overcome them.

Deliver Flawless Mobile Apps Faster with CI/CD & CT

Perfecto by Perforce

Waterfall is based on the concept of sequential software development—from conception to ongoing maintenance—where each of the many steps flowed logically into the next. Join this webinar presentation to learn: - Why DevOps cannot effectively work in waterfall - How to use DevOps tools to optimize processes in either development or operations through automation We will also discuss what is needed to support full DevOps

How to go from waterfall app dev to secure agile development in 2 weeks

Ulf Mattsson

Some of the most famous information breaches over the past few years have been a result of entry through embedded and IoT system environments. Often these breaches are a result of unexpected system architecture and service connectivity on the network that allows the hacker to enter through an embedded device and make their way to the financial or corporate servers. Experts in embedded security discuss key security issues for embedded systems and how to address them.

Cyber security - It starts with the embedded system

Rogue Wave Software

DevOps puts an intense focus on automation – taking humans out of the loop whenever possible to allow frequent, incremental updates to production systems. However, thorough application testing often has multiple components – much of this can be automated, but manual testing is also required. This is inconvenient and not “DevOps-y,” but is unfortunately an unavoidable requirement in the real world. In addition, managing these multiple sources of application vulnerability intelligence often requires manual interaction – to clear false positives, de-duplicate repeated results, and make decisions about triage and remediation. Axway has rolled out an application security program that incorporates automated static and dynamic testing, attack surface analysis, component analysis, as well as inputs from 3rd parties including manual penetration testing, automated and manual dynamic testing, automated and manual static testing, and test results from vendors providing test data on their products. Automation has allowed Axway to increase the frequency of web application testing, thus reducing the cycle time in the application vulnerability “OODA loop.” Moving beyond the identification of vulnerabilities, Axway has deployed ThreadFix to automatically aggregate the results of the automated testing and de-duplicate findings. 3rd party penetration testers are also finding vulnerabilities and reporting them in reasonably structured CSV files requiring Axway to convert this manual test data and incorporate it into the aggregated vulnerability model in ThreadFix. Centralizing this pipeline allows for metric tracking – both for the application security program as a whole as well as on a per-vulnerability-source basis. This automation and consolidation now covers 50% of Axway’s application vulnerability review process - with plans to extend further. This presentation walks through Axway’s construction of their application security-testing pipeline and the decisions they were forced to make along the way to best maximize the use of automation while accommodating the reality of manual testing requirements. It then looks at how this testing regimen and the associated automation have allowed them to impact deployment practices as well as collect metrics on their assurance program. Finally, it looks at lessons learned along the way – the good and the bad – and identifies targeted next steps Axway plans to take to increase the depth and frequency of application security testing while dealing with the deployment realities placed on them to remain agile and responsive to business requirements.

Blending Automated and Manual Testing

Denim Group

Jason Kent - AppSec Without Additional Tools

centralohioissa

Whether you're a huge enterprise or a small start-up, you can't escape global digitalization. As digital technologies like machine-2-machine communication, device-2-device telematics, connected cars, and the Internet of Things become more integral in today’s world, more threats will appear as hackers use new ways to exploit weaknesses in your organization and products. During SoftServe’s free security webinar, Nazar Tymoshyk will explore the reasons why recent victims of digital attacks couldn’t withstand a threat to their security and share how you can build secure and compliant software with the help of security experts. A real-life case study will demonstrate how SoftServe assessed and mitigated security threats for a top organization.

Digital Product Security

SoftServe

DevSecOps - It can change your life (cycle)

Qualitest

This presentation looks at the problem of selecting the best programming language and tools to ensure IoT software is secure, robust, and safe. By taking a look at industry best practices and decades of knowledge from other industries (such as automotive and aerospace), you will learn the criteria necessary to choose the right language, how to overcome gaps in developers’ skills, and techniques to ensure your team delivers bulletproof IoT applications.

Programming languages and techniques for today’s embedded andIoT world

Rogue Wave Software

When did we forget that old saying, “prevention is the best medicine”, when it comes to cybersecurity? The current focus on mitigating real-time attacks and creating stronger defensive networks has overshadowed the many ways to prevent attacks right at the source – where security management has the biggest impact. Source code is where it all begins and where attack mitigation is the most effective. In this webinar we’ll discuss methods of proactive threat assessment and mitigation that organizations use to advance cybersecurity goals today. From using static analysis to detect vulnerabilities as early as possible, to managing supply chain security through standards compliance, to scanning for and understanding potential risks in open source, these methods shift attack mitigation efforts left to simplify fixes and enable more cost-effective solutions. Webinar recording: http://www.roguewave.com/events/on-demand-webinars/shifting-the-conversation-from-active-interception

Shifting the conversation from active interception to proactive neutralization

Rogue Wave Software

Good Security Starts with Software Assurance - Software Assurance Market Plac...

Phil Agcaoili

Continuous integration

hugo lu

Service based apps using open source components and containers for continuous deployment in DevOp teams need to react fast and deploy often. With increasing complexity of software systems and the need for agility and flexibility the demand for security increases. These slides show an approach for DevSecOp automation and present the results of a survey about the current status of security automation in software development companies. If you want to see the resulting concept which was developed during the study, please contact me on linked in.

How to automate your DevSecOps successfully

Manuel Pistner

Freedom and Responsibility

Mike Ruangutai

The Continuous delivery value - Funaro

Codemotion

The Continuous delivery Value @ codemotion 2014

David Funaro

Ähnlich wie FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Components in the CI Pipeline (20)

Create code confidence for better application security

Zero-bug Software, Mathematically Guaranteed

Secure application deployment in the age of continuous delivery

Security in the Age of Open Source

Deliver Flawless Mobile Apps Faster with CI/CD & CT

How to go from waterfall app dev to secure agile development in 2 weeks

Cyber security - It starts with the embedded system

Blending Automated and Manual Testing

Jason Kent - AppSec Without Additional Tools

Digital Product Security

DevSecOps - It can change your life (cycle)

Programming languages and techniques for today’s embedded andIoT world

Shifting the conversation from active interception to proactive neutralization

Good Security Starts with Software Assurance - Software Assurance Market Plac...

Continuous integration

How to automate your DevSecOps successfully

Freedom and Responsibility

The Continuous delivery value - Funaro

The Continuous delivery Value @ codemotion 2014

Mehr von Black Duck by Synopsys

Open-Source- Sicherheits- und Risikoanalyse 2018

Black Duck by Synopsys

At Flight Amsterdam, Fenna Douwenga, Associate, Bird & Bird provided practical tips on open source licenses, intellectual property rights, and trade secrets. During the presentation Fenna reviewed, everlasting conflict between patents, copyright and open source and how it can be overcome. Additionally, the new European Trade Secrets Directive was discussed and how some of the requirements therein may for instance conflict with the GNU General Public license. Furthermore, a quick outline of the influence of Brexit on licenses closed under UK law was given and how potential problems can be prevented.

FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...

Black Duck by Synopsys

FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide

Black Duck by Synopsys

Flight Amsterdam presentation by Anthony Decicco, Shareholder, GTC Law Group Open source software is increasingly centric to transactions, whether licensing, mergers, acquisitions, financing, insurance, offerings or loans, and the deal landscape is changing with the prevalence of representation and warranty insurance, heightened focus on security vulnerabilities and increasing litigation. As such, it is important to understand and re-visit key open source software-related issues and deal points to accelerate your deal, avoid unnecessary due diligence and realize the most value from your open source software-related compliance efforts.

FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal

Black Duck by Synopsys

Open Source Insight:GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...

Black Duck by Synopsys

Open Source Rookies and Community

Black Duck by Synopsys

We look at the three reasons you must attend the FLIGHT Amsterdam conference; how to build outstanding projects in the open source community; and why isn’t every app being security tested? Plus, in-depth into the TRITON attack; why 2018 is the year of open source; how open source is driving both IoT and AI and a webinar on the 2018 Open Source Rookies of the Year. Open Source Insight is your weekly news resource for open source security and cybersecurity news!

Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...

Black Duck by Synopsys

It’s an acronym-filled issue of Open Source Insight, as we look at the question of SCA (software composition analysis) and how it fits into the DevOps environment. The DHS (Department of Homeland Security) has concerning security gaps, according to its OIG (Office of Inspector General). Can the CVE (Common Vulnerabilities and Exposures) gap be closed? The GDPR (General Data Protection Regulation) is bearing down on us like a freight train, and it’s past time to include open source security into your GDPR plans. Plus, an intro to the Open Hub community, looking at security for blockchain apps, and best practices for open source security in container environments are all featured in this week’s cybersecurity and open source security news.

Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...

Black Duck by Synopsys

Welcome to the March 2nd edition of Open Source Insight from Black Duck by Synopsys! We look at places you’d never expect to find GDPR data, as well as answers to your most-frequently-asked GDPR questions. Synopsys Principal Scientist Sammy Migues explores why enterprises must have a software security program while Black Duck Technology Evangelist, Tim Mackey, takes a look at building application security into the heart of DevOps. Plus, a report that may give you nightmares on the malicious possibilities of AI. All the cybersecurity and open source security news fit to print lies ahead for your reading pleasure…

Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...

Black Duck by Synopsys

This week’s Open Source Insight features a powerful visualization tool displaying the world’s biggest data breaches at name brands such as Ebay, Equifax, Anthem, and Target. The White House and British Foreign Office have condemned a cyber-attack launched by the Russian military on Ukraine and hint at reprisals. Black Duck brings open source vulnerability detection to Kubernetes, and Synopsys will host Elevate, an evening thought leadership event at Embedded World 2018 featuring an elite group of international cyber security experts leading a discussion about IoT and embedded systems security threats and solutions. Read on for all the open source security and cybersecurity news you need to know this week.

Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...

Black Duck by Synopsys

Opinions differ on exactly when, but open source turned twenty this year. Most security breaches in 2017 were preventable (you hear that, Equifax?), and it’s time to take a look back to prevent similar breaches in 2018. iPhone source code gets leaked (for a short time). And keeping medical devices, voting machines, automobiles, and critical infrastructure safe in a world of increasing application risk. Read on for open source security and cybersecurity in Open Source Insight for February 9th, 2018.

Open Source Insight: Happy Birthday Open Source and Application Security for ...

Black Duck by Synopsys

This week in Open Source Insight we examine blockchain security and the cryptocurrency boom. Plus, take an in depth look at open source software in tech contracts with a legal expert from Tech Contracts Academy, Adobe Flash Player continues to be a security concern, the Open Source Initiative turns 20, and step by step instructions for migrating to Docker on Black Duck Hub. Cybersecurity and security breach news also dominates this week, as Synopsys examines security breaches in 2017 and how they were preventable.

Open Source Insight: Security Breaches and Cryptocurrency Dominating News

Black Duck by Synopsys

20 Billion Reasons for IoT Security

Black Duck by Synopsys

A grab-bag of open source security and cybersecurity news is in this week’s edition of Open Source Insight. Is “many eyeballs” not enough? Some security researchers think Linus’ Law doesn’t work anymore. Black Duck by Synopsys kicks off a new video series with MITRE IoT expert, Bob Martin. Learn how open source tech due diligence helped one company close a deal securely. Should “Privacy Day” be renamed to “Lack of Privacy” day? Plus, an eye-catching infographic on how too little software security training is putting many companies at risk.

Open Source Insight:IoT Security, Tech Due Diligence, and Software Security ...

Black Duck by Synopsys

Cybercriminals are expected to extend their threat deeper into ransomware and IoT. In a just-released report, Synopsys examines the four “tribes” of CISOs, and the characteristics of each. A link to the complimentary report is below. And with the GDPR going into force in just four months, businesses are scrambling for compliance. All these cybersecurity stories and more in the January 19th edition of Open Source Insight.

Open Source Insight:Banking and Open Source, 2018 CISO Report, GDPR Looming

Black Duck by Synopsys

Lots of DevOps news this week, including why automation is critical for securing code, as well as balancing agility with security needs. Learn how to manage security in GitHub projects with CoPilot from Black Duck Software. Pre-GDPR, Carphone Warehouse gets hit with £400k fine over a 2015 hack. And why you should think like your attackers when developing your cybersecurity portfolio. Read on for this week’s cybersecurity and open source security news in Open Source Insight!

Open Source Insight: Balancing Agility and Open Source Security for DevOps

Black Duck by Synopsys

Welcome to 2018, with two major security flaws revealed that makes any computer device that has chips from Intel, AMD and ARM at risk. One security flaw, dubbed Meltdown, impacts Intel semiconductors, enabling enabling bad guys to steal passwords. The other security flaw, Spectre, impacts chips from all three companies. During an interview with CNBC covered by Reuters, Intel’s chief executive noted that “Phones, PCs, everything are going to have some impact, but it’ll vary from product to product.” In other cybersecurity news, we look at 10 open source technologies you need to know about, cybersecurity predictions for 2018, and an interesting white paper published by the University of Michigan on identifying cybersecurity threats in connected vehicles.

Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”

Black Duck by Synopsys

We’re winding up 2017 with the leading security stories of the year, as well as what 2018 might bring in terms of open source and cybersecurity. Several Black Duck and Synopsys’ bloggers weigh in with articles ranging from the need of SCA (software composition analysis), through how developers can navigate the sometimes stormy seas of software security, to addressing the issues of open source in tech contracts. From Black Duck Software and Synopsys, we wish you a happy holiday season and will see you again in 2018!

Open Source Insight:2017 Top 10 IT Security Stories, Breaches, and Predictio...

Black Duck by Synopsys

Black Duck is now a part of Synopsys, with the acquisition complete this week. Dr. Andreas Kuehlmann, General Manager of the Synopsys Software Integrity Group provides some background of how Synopsys and Black Duck joining forces will enhance the company’s efforts in the software security market by broadening our product offering and strengthening the Software Integrity Platform. Tim Mackey, technical evangelist for Black Duck, tackles the tricky issue of container security. Mike Pittenger, vice president of security strategy for Black Duck, discusses open source security, the Equifax breach, OpenSSL and Heartbleed, and why a “software parts list” will become increasing important to organisations wanting to stay secure. This week’s open source security and cybersecurity news follows in Open Source Insight.

Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...

Black Duck by Synopsys

Black Duck senior technology evangelist Tim Mackey talks containers this week at DevSecCon and elaborates on his presentation, “When Good Containers Go Bad,” with IT Pro, Cloud Pro and Data Centre News. Black Duck VP of Security Strategy Mike Pittenger shares his thoughts on the biggest security threat we face in 2018. Artifex and Hancom settle their long-running open source licensing dispute, and the hidden costs of open source security. Read all the hottest open source security and cybersecurity news in this week’s Open Source Insight.

Open Source Insight:Container Tech, Data Centre Security & 2018's Biggest Se...

Black Duck by Synopsys

Mehr von Black Duck by Synopsys (20)

Open-Source- Sicherheits- und Risikoanalyse 2018

FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...

FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide

FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal

Open Source Insight:GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...

Open Source Rookies and Community

Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...

Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...

Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...

Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...

Open Source Insight: Happy Birthday Open Source and Application Security for ...

Open Source Insight: Security Breaches and Cryptocurrency Dominating News

20 Billion Reasons for IoT Security

Open Source Insight:IoT Security, Tech Due Diligence, and Software Security ...

Open Source Insight:Banking and Open Source, 2018 CISO Report, GDPR Looming

Open Source Insight: Balancing Agility and Open Source Security for DevOps

Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”

Open Source Insight:2017 Top 10 IT Security Stories, Breaches, and Predictio...

Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...

Open Source Insight:Container Tech, Data Centre Security & 2018's Biggest Se...

Kürzlich hochgeladen

Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...

Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg

Software Engineering - Part 1 which describes the following topics: Introduction: The evolving role of software, The changing nature of software, Software engineering, A Process Framework, Process Patterns, Process Assessment, Personal and Team Process Models, Process Technology, Product and Process. Process Models: Prescriptive models, Waterfall model, Incremental process models, Evolutionary process models, Specialized process models. Requirements Engineering: Requirements Engineering Task, Initiating the Requirement Engineering process, Eliciting Requirements, developing use cases, Building the analysis model, Negotiating Requirements, Validating Requirements, Software Requirement Document.

Software Engineering - Introduction + Process Models + Requirements Engineering

Prakhyath Rai

Nearly a decade ago, a small group of menders (and one maker) found community with each other at a conference and Legacy Code Rocks was born. Since then, the Legacy Code Rocks community has grown to over 1000 people, 150 podcast episodes, a weekly meetup and of course, MenderCon. In this talk, Andrea Goulet, the maker who kindled the spark, will take us back to those early days and reflect on how the bedrock of the Legacy Code Rocks community has always been creating a sense of belonging. Compassion and empathy are at the core of being a mender. Mending is caring deeply, seeing potential, and being willing to work through the frustration of making things better one small step at a time. This commitment to helping others feel seen instead of shame is why the Legacy Code Rocks community is so special — and it’s exactly why having the heart of the mender is what our world needs now more than ever.

Community is Just as Important as Code by Andrea Goulet

Andrea Goulet

Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan

Neo4j

Microsoft365_Dev_Security_2024_05_16.pdf

Markus Moeller

Unlock the secrets to success in the competitive world of food delivery app development with our comprehensive guide for 2024. From innovative features to cutting-edge technologies, discover the strategies that will elevate your food delivery business to new heights. Download now for expert insights and actionable tips for more visit, https://foodorderingwebsite.com/food-delivery-app-development/.

Food Delivery Business App Development Guide 2024

Chirag Panchal

Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...

Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg

Abortion Clinic Pretoria ](+27832195400*)[ Abortion Clinic Near Me ● Abortion...

Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg

The Mythical Technical Debt (Brooke, please, forgive me.) <This talk is designed for a technical audience> In software-intensive systems development, we often face trade-offs between speed and long-term maintainability. These trade-offs accumulate as technical debt, the hidden cost of short-term decisions that can impact future development. Technical debt goes beyond the initial choices made when creating software. It encompasses design decisions, coding practices, or anything that might hinder future development efforts. By effectively identifying and managing this debt, we can build robust and scalable software systems. In this talk, we'll explore different types of technical debt and their impact on projects. We'll delve into practical methods to identify, measure, and reduce it. Finally, we'll see how to turn technical debt into an advantage, using it as a springboard for innovation with real-world examples.

The mythical technical debt. (Brooke, please, forgive me)

Roberto Bettazzoni

OpenChain Webinar: AboutCode and Beyond - End-to-End SCA

Shane Coughlan

Test Automation Design Patterns_ A Comprehensive Guide.pdf

kalichargn70th171

architecting-ai-in-the-enterprise-apis-and-applications.pdf

WSO2

QUICCK 100% in Gauteng/Western Cape *[☎️+27737758557]]@ @# SOWETO@+27737758557 ABORTION PILLS FOR SALE IN STELLENBOSCH CLINIC/WESTERN CAPE cape … CAPE TOWN CLINIC/WESTERN CAPE BELLVILLE LANGA PAROW cape town bellville cape town bellville langa parow khayelitsha gugulethu elies river kraaifontein good wood capetown DR.SINDY +27737758557// abortion clinics// pills WOMEN ABORTION CLINICS PAINFREE,SAFE,QUICCK 100% in western cape +27737758557 Sindy @ABORTION PILLS FOR SALE IN STELLENBOSCH CLINIC/WESTERN CAPE cape … CAPE TOWN CLINIC/WESTERN CAPE BELLVILLE LANGA PAROW cape town bellville cape town bellville langa parow khayelitsha gugulethu elies river kraaifontein good wood capetown bellville.maitland.belhar. aarl, Wellington, Betty’s Bay, Atlantis, Blue Down, Brackenfell, Crossroads, Eerste Rivier, Elsie’s River, Fish Hoek, Goodwood, Gordon’s Bay, Gugulethu,DR EVE +27737758557 // abortion clinics// pills WOMEN ABORTION CLINICS PAINFREE,SAFE,QUICCK 100% in western cape +27737758557 JAULANI@ABORTION PILLS FOR SALE IN STELLENBOSCH CLINIC/WESTERN CAPE cape … CAPE TOWN CLINIC/WESTERN CAPE BELLVILLE LANGA PAROW cape town bellville cape town bellville langa parow khayelitsha gugulethu elies river kraaifontein good wood capetown bellville.maitland.belhar. aarl, Wellington, Betty’s Bay, Atlantis, Blue Down, Brackenfell, Crossroads, Eerste Rivier, Elsie’s River, Fish Hoek, Goodwood, Gordon’s Bay, Gugulethu, Hout Bay, Khayelitsha, Kraainfontein, Kuils River, Langa, Melkbosstrand, Mfuleni, Milnerton, Mitchell’s Plain, Noordhoek, Nyanga, Parow, Kleinmond, Simon’s town, Somerset west, stellenbosch, Ashton Bonnievale Ceres De Doorns Denneburg Franschhoek Gouda Kayamandi Klapmuts Kylemore Languedo cMcGregor Montagu Op-die-Berg Paarl Pniel Prince Alfred Hamlet Rawsonville Robertson Robertsvlei Rozendal Saron Stellenbosch Touws River Tulbagh Wellington Wemmershoek Wolseley Worcester langa parow khayelitsha gugulethu elies river kraaifontein good wood capetown bellville. Ashton Bonnievale Ceres De Doorns Denneburg Franschhoek Gouda Kayamandi Klapmuts Kylemore Languedoc McGregor Montagu Op-die-Berg Paarl Pniel Prince Alfred Hamlet Rawsonville Robertson Robertsvlei Rozendal Saron Stellenbosch Touws River Tulbagh Wellington Alexandra · Diepsloot · Ennerdale ; Alberton · Bedfordview · Benoni ; Atteridgeville · Bronberg · Mogapeng · Mogodumo · Mogwadi · Mohlake · Mohlarekoma · Mohlatsengwane · Mohlopi · Mohlopi · Mohlakeng · Mohwelere · Mokgoatsane · Mokopane. Makhado · Bela-Bela · Hoedspruit · Haenertsburg · Lephalale (Ellisras) · Phalaborwa · Polokwane (Pietersburg) · Tzaneen.Hoedspruit · Hoedspruit. #1 – Hoedspruit ; Haenertsburg · Haenertsburg. #2 – Haenertsburg ; Tzaneen · Tzaneen. Polokwane, Louis Trichardt, Mahwelereng, Giyani, Limpopo,

Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...

drm1699

Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...

Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg

Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024

SimonedeGijt

Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...

Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg

It's quite ironic that to interact with the most advanced AI in our history - Large Language Models: ChatGPT, etc. - we must use human language, not programming one. But how to get the most out of this dialogue i.e. how to create robust and efficient prompts so AI returns exactly what's needed for your solution on the first try? After my session, you can add the Junior (at least) Prompt Engineer skill to your CV: I will introduce Prompt Engineering as an emerging discipline with its own methodologies, tools, and best practices. Expect lots of examples that will help you to write ideal prompts for all occasions. This session is based on my research and experiments in Prompt Engineering and is 100% relevant for cloud developers who investigate adding some LLM-powered features to their solutions. It's a guide to building proper prompts for AI to get desired results fast and cost-efficient.

Prompt Engineering - an Art, a Science, or your next Job Title?

Maxim Salnikov

Evolving Data Governance for the Real-time Streaming and AI Era

confluent

This session unveils the multifaceted horizontal scaling strategies that power Wix's robust infrastructure. From Kafka consumer scaling and dynamic traffic routing for site segments to DynamoDB sharding and MySQL clusters custom routing with ProxySQL, we dissect the mechanisms that ensure scalability and performance at Wix. Attendees will learn about the art of sharding and routing key selection across different systems, and how to apply these strategies to their own infrastructure. We'll share insights into choosing the right scaling strategy for various scenarios, balancing between managed services and custom solutions. Key Takeaways: - Grasp various sharding techniques and routing strategies used at Wix. - Understand key considerations for sharding key and routing rule selection. - Learn when and why to choose specific horizontal scaling strategies. - Gain practical knowledge for applying these strategies to achieve scalability and high availability. Join us to gain a blueprint for scaling your systems horizontally, drawing from Wix's proven practices.

Effective Strategies for Wix's Scaling challenges - GeeCon

Natan Silnitsky

Transformer Neural Network Use Cases with Links

JinanKordab

Kürzlich hochgeladen (20)

Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...

Software Engineering - Introduction + Process Models + Requirements Engineering

Community is Just as Important as Code by Andrea Goulet

Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan

Microsoft365_Dev_Security_2024_05_16.pdf

Food Delivery Business App Development Guide 2024

Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...

Abortion Clinic Pretoria ](+27832195400*)[ Abortion Clinic Near Me ● Abortion...

The mythical technical debt. (Brooke, please, forgive me)

OpenChain Webinar: AboutCode and Beyond - End-to-End SCA

Test Automation Design Patterns_ A Comprehensive Guide.pdf

architecting-ai-in-the-enterprise-apis-and-applications.pdf

Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...

Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...

Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024

Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...

Prompt Engineering - an Art, a Science, or your next Job Title?

Evolving Data Governance for the Real-time Streaming and AI Era

Effective Strategies for Wix's Scaling challenges - GeeCon

Transformer Neural Network Use Cases with Links

FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Components in the CI Pipeline

1. Continuous Monitoring of Open Source Components in the CI Pipeline Basma Shahadat Lead Release Engineer at Proofpoint

2. • Introduction • Importance of software security • Challenges • What did we learn • Our journey with Black Duck • Q&A Agenda

3. About Proofpoint

4. Importance of Software Security • Digital transformation in all industries is powered by software • The nature of the threat is changing more rapidly with the concurrent rise in cybercrime

5. Up to 90% Open Source TODAY 50% Open Source 2010 20% Open Source 20051998 10% Open Source Today, most application code is open source *Source: Black Duck Software

6. Had Known Vulnerabilities67% Of Those Were Rated as Severe52% Were Out Of License Compliance85% 96% of audited apps contain open source… *Source: Black Duck Software

7. • Commitment to security • Desire to continuously monitor application security • Desire to automate process so it was scalable Challenges

8. Do it often Do it continuously Do it frequently What Did We Learn?

9. Continuous Integration Flow Black Duck: Each Build Build Code with Unit test (Send Result to Code Coverage tools) Scan Artifact with Black Duck Deploy Code to QA stack Run Integration test QA Promotes for production Coverity: Weekly Scan Code with Coverity Notify the Committer about new code flaws

10. Get everybody on-boarded right away! • Internal Tech Talks on Black Duck ongoing • Train to understand value • Periodic training Cultivating a Security Community in Development

11. Our Journey with Black Duck • Development team: It is part of our Continuous Integration process • Operation: Scan for all third party libraries included in our system • Integrate with development workflow through Jenkins, JIRA and Hipchat

12. • Get the developers engaged with the findings • Work on the findings: Ongoing training • Minimize false positives: Working with Black Duck to update KnowledgeBase • An appropriate job configuration must run relatively fast in CI-CD pipeline • Better notification to team about the scanned project Challenges with Black Duck

13. Q&A

FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Components in the CI Pipeline

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Components in the CI Pipeline

Ähnlich wie FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Components in the CI Pipeline (20)

Mehr von Black Duck by Synopsys

Mehr von Black Duck by Synopsys (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Components in the CI Pipeline