© 2019 Synopsys, Inc.1
Streamlining Your Tech Due Diligence Process
for Software Assets
Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Center
Billions are spent each year on tech acquisitions
Annual worldwide tech and telecom deal flow (chart). Source: 451 Research's M&A KnowledgeBase; includes disclosed and estimated values.
• $573B in acquisitions in 2018
• 68% growth from 2017 to 2018
• Top 5 industries: software
Why acquirers worry
• Governance processes vary by company size
• Time to market often prioritized over compliance
• Deeper pockets may draw compliance fire
“In deploying open-source tools, I&O leaders often create dependence on
individuals with pockets of tribal knowledge, leading to blind spots in
security and license compliance”
– Gartner - Four Steps to Adopt Open-Source Software as Part of the DevOps Toolchain (2019)
Tech due diligence often requires a trusted third party
Areas reviewed: product / strategy, people, process / tools, architecture, code
• Acquirer DD team or strategy consultant: subjective and qualitative review
• Third-party audit: objective and quantitative review; acquirers do not typically get access to the target's code without a third party
Modern application = proprietary code + open source components + API usage + application behavior and configuration
Background—Overview of Open Source
Understanding why open source development and governance matters
So what is “Open Source” anyway?
• Open Source Initiative Definition
– Open Source software is software that can be freely accessed, used, changed, and shared (in
modified or unmodified form) by anyone. Open source software is made by many people, and
distributed under licenses that comply with the Open Source Definition.
• Common Definition
– Open source software is software whose source code I have access to outside of a commercial
license agreement.
• What about commercial software?
– Commercial software can easily be created from open source components. Managing and securing
open source software is complicated, and open source within commercial software is even more so.
Note – Lots of legal nuance here so don’t take this as legal advice!
Equifax breach focused attention on open source
Open source license compliance remains critical
Chart: percentage of audited codebases that contained components with license conflicts, and percentage that contained some form of GPL conflict. Source: 2019 Synopsys Open Source Security and Risk Report
Indeterminate licenses are particularly challenging
Chart: percentage of audited codebases that contained custom licenses with the potential to cause conflict or needing legal review, and percentage that contained components that were "not licensed". Source: 2019 Synopsys Open Source Security and Risk Report
Open source components are third-party components
Example: Which version of OpenSSL do you have?
Being a security target is costly
• Average cost of a data breach: $3.86 million
• Lost business: $4.20 million
• Average time to identify and contain a breach: 266 days
Source: 2018 Cost of a Data Breach Study (US data), Ponemon Institute
Open source vulnerability management is a challenge
Source: 2019 Synopsys Open Source Security and Risk Report
• Components per codebase rose from 257 to 298 year over year
• Percentage of codebases that contained obsolete or unmaintained components
• Codebases with unpatched vulnerabilities declined 23%
• Percentage of codebases that contained vulnerabilities over 10 years old
So what is a vulnerability?
• IETF RFC 2828 definition (since superseded by RFC 4949, which keeps the same wording)
– A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy
• Taxonomies
– There are many classification systems for software vulnerabilities, with the Common Weakness Enumeration (CWE) being a common one. A weakness is a category of defect; an instance of a weakness in a specific product that can be exploited is a vulnerability, and once disclosed it becomes an entry on the Common Vulnerabilities and Exposures (CVE) List.
• Who can disclose a CVE?
– CVE entries are assigned through CVE Numbering Authorities (CNAs). Originally only a limited number of vendors participated. As of March 2019 over 90 organizations are CNAs, including five governmental ones. MITRE is the root CNA, and the National Vulnerability Database (NVD) is the most common place to query them.
I'm omitting a ton of detail here, so consider this the bare minimum
A simple vulnerability: The tale of CVE-2017-5638
• August 2012: the commit that introduced the flaw is merged
• November 2012: Struts 2.3 released
• May 2016: Struts 2.5 released; the Struts 2.3 line continues as a separately maintained branch
• March 6, 2017: patches available
• March 7, 2017: disclosure published
• March 14, 2017: NVD details published
1649 days from the commit being merged to patches being available; 7 days from disclosure to NVD details. Because 2.3 and 2.5 were separate branches, each needed its own fixed release (Struts 2.3.32 and 2.5.10.1).
Requirements to detect an OSS vulnerability
1. Source of security information
– Primary research from internal security team
– Free NVD data feed
– Sublicensed data from a third-party security vendor
– Component distributions
– Open source risk analysis
2. Ability to identify components
– Versions and forks matter
– Open source can be in code or binary form
– Embedded within commercial software
– Not always managed via package managers
3. Current patch status
– Patch must be compatible
– Upstream could change behaviors
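As an added example that is not part of the original deck or of any Synopsys tool, the following Python script puts requirements 1 and 2 together for the OpenSSL question on the earlier slide and for the Struts case above: it identifies components from a binary's embedded version banner and from jar file names (no package manager involved), then matches them against a small constructed advisory feed whose affected ranges are expressed per release branch. The advisory entries, the sample binary blob and the jar names are constructed for the example; the affected ranges for CVE-2014-0160 (OpenSSL 1.0.1 through 1.0.1f, the 1.0.2 betas omitted) and CVE-2017-5638 (Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10) follow the public advisories.

```python
import re

# Constructed advisory feed for illustration (not a real NVD export). Affected
# ranges are inclusive and listed per release branch, because forks and branches
# are patched separately: the fix for one branch says nothing about another.
ADVISORIES = [
    {"cve": "CVE-2014-0160", "component": "openssl",
     "affected": [("1.0.1", "1.0.1f")]},                     # fixed in 1.0.1g
    {"cve": "CVE-2017-5638", "component": "struts",
     "affected": [("2.3.5", "2.3.31"), ("2.5", "2.5.10")]},  # fixed in 2.3.32 / 2.5.10.1
]

# OpenSSL builds embed a version banner such as "OpenSSL 1.0.1f 6 Jan 2014";
# Struts 2 ships as struts2-core-<version>.jar. Both let us identify a component
# without a package manager, which is the binary-identification case on the slide.
OPENSSL_BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)")
STRUTS_JAR = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def version_key(version):
    """Turn '1.0.1f' or '2.5.10.1' into a comparable tuple.

    OpenSSL patch letters count as a trailing numeric element, so
    1.0.1 < 1.0.1a < 1.0.1f < 1.0.2, and 2.5.10 < 2.5.10.1.
    """
    key = []
    for part in version.split("."):
        m = re.fullmatch(r"(\d+)([a-z]?)", part)
        if not m:
            raise ValueError(f"unparseable version segment {part!r}")
        key.append(int(m.group(1)))
        if m.group(2):
            key.append(ord(m.group(2)) - ord("a") + 1)
    return tuple(key)


def in_range(version, low, high):
    """Inclusive check of version against one branch-specific affected range."""
    return version_key(low) <= version_key(version) <= version_key(high)


def identify_components(binary_blobs, jar_names):
    """Return (component, version) pairs found in raw binaries and jar file names."""
    found = []
    for blob in binary_blobs:
        for m in OPENSSL_BANNER.finditer(blob):
            found.append(("openssl", m.group(1).decode("ascii")))
    for name in jar_names:
        m = STRUTS_JAR.search(name)
        if m:
            found.append(("struts", m.group(1)))
    return found


def match_advisories(components, advisories=ADVISORIES):
    """Return [(component, version, cve)] for every component inside an affected range."""
    hits = []
    for component, version in components:
        for adv in advisories:
            if adv["component"] != component:
                continue
            if any(in_range(version, lo, hi) for lo, hi in adv["affected"]):
                hits.append((component, version, adv["cve"]))
    return hits


# Constructed inputs: a fake ELF-like blob with an embedded OpenSSL banner, plus
# jar names as they might appear in the lib/ directory of an acquired product.
SAMPLE_BLOBS = [b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"OpenSSL 1.0.1f 6 Jan 2014\x00" + b"\x00" * 8]
SAMPLE_JARS = ["lib/struts2-core-2.3.30.jar", "lib/struts2-core-2.5.10.1.jar", "lib/commons-io-2.4.jar"]

if __name__ == "__main__":
    comps = identify_components(SAMPLE_BLOBS, SAMPLE_JARS)
    for hit in match_advisories(comps):
        print("%s %s affected by %s" % hit)
```

The version comparison is the part that matters for forks: OpenSSL 1.0.0f is later by letter than 1.0.1 but belongs to a branch that never had the bug, and Struts 2.5.10.1 is the fixed release on the 2.5 line even though 2.5.10 is affected. A real check still needs the third requirement, patch status, because a distribution may backport a fix without changing the upstream version string, and a banner match alone would then report a false positive.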
Risk is a function of the full stack – not just app
“CNCF Interactive Landscape” application
• Cloud Native Computing Foundation provides a web based
application to browse for partner technology providers.
Application Details
• 40K Source Lines of Code
• Node.js application framework
• Containerized and deployed on Kubernetes
• 0.05% of code in use is custom
• 99.5% of code is in the stack
• Risks present at all layers of the stack
Source: CNCF Presentation: How good is our code?
Security risks can be present across the software stack
The stack in the diagram: architecture, proprietary code, and the OSS + third-party code beneath it. Questions to ask at each layer:
• Does the company track and manage open source use and the security risks that come with it?
• Was the code produced with any defects or security weaknesses?
• Are there any flaws in the design that could lead to security vulnerabilities?
• Are there any exploitable vulnerabilities or data protection issues?
Design and process issues pose integration challenges
The same stack (architecture, proprietary code, OSS + third-party code), asked about cost rather than security:
• Are there any flaws in the design that could be adding time or cost to the process?
• Was the code produced with any defects or process flaws?
Dissecting the security design decisions of
modern applications
Example: An IoT application is more than just firmware
IoT security requires multiple disciplines
The example system (numbered items mark constraints in the system):
• IoT device: limited CPU resources, limited RAM for features, C/C++ typical, MQTT common protocol; configured via Bluetooth; encrypted data published via MQTT (2)
• Mobile interface (1): iOS/Android application; configure device, view device data, receive notifications
• MQTT broker: lightweight protocol, high volume, pub/sub interface
• Analysis engine (3): data stored for analysis; core data
• Web UI (4): responsive application; view device data, view historical information; WebSocket connection
• Authentication and authorization span the analysis engine, MQTT and WebSocket endpoints
• OTA updates: avoid MITM; certification of the image
Identify security targets from platform requirements
Role: Security Architect with CISO and Product Owner guidance
Design Goal: Select an IoT toolchain meeting product and cost requirements
Tasks and requirements:
1. Select platform supporting desired protocols
• Protocol implementations must be resilient
2. Select candidate vendor or open source stack
3. Validate protocols against cost and stability
• Define protocol fuzzing framework
4. Report on security targets during development
Concern: Device instability leading to data disclosure and reputational damage
Select development frameworks and environment
Role: Development Lead with Product Owner guidance
Design Goal:
Select frameworks
capable of meeting time
to market and security
targets
Tasks and requirements
1. Select languages based on security reqs
2. Define build environment
3. Identify commercial and open source
frameworks and libraries
• Define governance for security updates
4. Enable IDE security plugins
5. Enable build time CI analysis
Concern:
Identify intrinsic security
issues and potential rework
costs
Continuous security assessments during development
Role: Developer with Development Lead guidance
Development Goal:
Identify security weaknesses
prior to code commits
Tasks:
1. Transparent security review during coding
• No disruption to existing workflows
2. Remediation and contextual guidance
• Lower defect costs by shifting left
Concern:
Poor security training and
developer engagement
Continuous security assessments during build
Role: Release Engineer with guidance from QA and Product Owner
Release Goal:
Ensure release meets quality,
security and functional targets
Tasks and requirements:
1. Build triggered from merge/pull request
2. Detailed scans run parallel to build process
3. Optionally fail builds based on security
targets/exceptions
4. Centralized security progress tracking
Concern:
Identify weak code coverage
and limited security testing
Confirm governance and security target progress
Role: Security Architect
Governance Goal:
Ensure release meets security
and functional targets
Tasks:
1. Centralized review of security results
2. Review by common taxonomy
• (OWASP Top 10, SANS Top 25)
3. Triage issue status via defect workflows
4. Measure progress against governance targets
5. Define security targets for future releases
Concern:
Identify whether continuous
improvement is part of the culture
or if issues recur with each cycle
Web services APIs also impact risk profiles
API Lifecycle
• Twitter API shutdown August 2018
• Google+ shutdown April 2019
• Salesforce API versioning
Data usage and control
• GDPR data processor vs data controller
• Data sovereignty and jurisdiction
• Data mashups and inference scenarios
Data and privacy breaches
• Facebook API tokens
• [24]7.io and Delta, Kmart, Sears
• Third-party data bleeds
• Phone home tracking
• CVE-2018-1002105 in Kubernetes API
Focus on risk identification
Start with open source and account for other development risks
Why Black Duck leads Open Source risk management
Singular focus on Open Source governance and risk management
Powered by a Knowledge Base designed for the realities of open source development
Delivering actionable Open Source security information in near real-time
Key due diligence questions for open source usage
Is there a complete list of open source components in use?
How was it created and how is it maintained? How complete and accurate is it?
What policies are defined for the use of open source?
How are they enforced? Are they compatible with the pace of development?
How are open source vulnerabilities being tracked?
How disruptive would the next Equifax or Heartbleed scale vulnerability be?
Does the application patch strategy include open source awareness?
What are the patch and update processes for each component? How are patches vetted?
How is open source usage in commercial applications identified?
If vulnerable open source components are used in binaries, are vendors addressing patches?
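The policy and enforcement questions above, together with the earlier license-conflict and indeterminate-license slides and the "optionally fail builds" step on the build slide, come down to a check that can run in CI. As an added example, not code from the original deck or from Black Duck, here is a Python license gate over a constructed SBOM: every SPDX expression is classified against a policy for a distributed proprietary product, "OR" expressions take the most permissive alternative, "AND" expressions the strictest, and anything custom (LicenseRef-), unknown or NOASSERTION goes to legal review instead of being allowed by default. The SBOM entries and the policy sets are assumptions for the example, and the expression evaluator assumes flat expressions without parentheses.

```python
# Constructed SBOM for illustration, in the shape of a CycloneDX-style component
# list (name, version, SPDX license expression). Not data from any real product.
SBOM = [
    {"name": "lodash", "version": "4.17.15", "license": "MIT"},
    {"name": "readline", "version": "8.0", "license": "GPL-3.0-only"},
    {"name": "dual-lib", "version": "1.2.0", "license": "MIT OR GPL-2.0-only"},
    {"name": "mixed-lib", "version": "0.9", "license": "Apache-2.0 AND LGPL-2.1-only"},
    {"name": "vendored-blob", "version": "unknown", "license": "NOASSERTION"},
    {"name": "internal-fork", "version": "2.0", "license": "LicenseRef-acme-custom"},
]

# Policy for a proprietary product distributed to customers (an assumption for
# this example; a SaaS-only product would typically treat copyleft differently).
POLICY = {
    "allow": {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"},
    "review": {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"},
    "deny": {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"},
}

RANK = {"allow": 0, "review": 1, "deny": 2}


def classify_license(license_id, policy=POLICY):
    """Classify one SPDX identifier. Anything unknown, custom (LicenseRef-) or
    unasserted is routed to legal review rather than silently allowed."""
    for verdict in ("allow", "review", "deny"):
        if license_id in policy[verdict]:
            return verdict
    return "review"


def classify_expression(expr, policy=POLICY):
    """Evaluate a flat SPDX expression (no parentheses, an assumption here).

    'A OR B' lets the licensee pick the most permissive alternative;
    'A AND B' means every term applies, so the strictest verdict wins.
    """
    if " OR " in expr and " AND " in expr:
        return "review"   # operator precedence is not worth guessing at
    if " OR " in expr:
        return min((classify_license(t.strip(), policy) for t in expr.split(" OR ")), key=RANK.get)
    return max((classify_license(t.strip(), policy) for t in expr.split(" AND ")), key=RANK.get)


def evaluate_sbom(sbom, policy=POLICY):
    """Return {'allow': [...], 'review': [...], 'deny': [...]} keyed by verdict."""
    report = {"allow": [], "review": [], "deny": []}
    for c in sbom:
        verdict = classify_expression(c["license"], policy)
        report[verdict].append(f'{c["name"]}@{c["version"]} ({c["license"]})')
    return report


def gate_passes(report, allow_review=True):
    """CI gate: any denied component fails the build; review items fail only
    when the pipeline is configured to require legal sign-off first."""
    if report["deny"]:
        return False
    return allow_review or not report["review"]


if __name__ == "__main__":
    import sys
    report = evaluate_sbom(SBOM)
    for verdict in ("deny", "review", "allow"):
        for item in report[verdict]:
            print(f"{verdict.upper():6} {item}")
    sys.exit(0 if gate_passes(report) else 1)
```

Run as a script it exits non-zero when a denied license is present, which is what a build gate keys on. The review bucket is the part that speaks to "how complete and accurate is it": an SBOM full of NOASSERTION or LicenseRef entries is a coverage problem that the gate surfaces rather than a clean result.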
Portfolio – Audit Services
Covering architecture, proprietary code, and OSS + third-party code:
• Open Source and Third-Party Code Audit
• Open Source Risk Assessment
• Web Services and API Risk Audit
• Penetration Test Audit
• Static Application Security Test Audit
• Quantitative Code Quality Audit
• Qualitative Code Quality Audit
• Security Controls Design Analysis
• Encryption Algorithm Detection Audit
Build secure, high-quality software faster

%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...masabamasaba
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrandmasabamasaba
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...SelfMade bd
 
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Bert Jan Schrijver
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareJim McKeeth
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...chiefasafspells
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park masabamasaba
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyviewmasabamasaba
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...masabamasaba
 

Dernier (20)

%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security Program
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
