Featured

Creating an Attack Model in Threat Modeling
Taylor Armerding, Security Advocate | Chris Cummings, Principal Consultant
Learn more about how to use an attack model in threat modeling to answer the question of how well your assets are protected against threats.
All episodes
-
The future of IoT devices and what it means for security & privacy
Taylor Armerding, Security Advocate | Tim Mackey, Principal Security Strategist
Listen as Tim Mackey discusses the future of IoT devices and what it means for security and privacy.
-
Manufacturers should build security into their IoT devices
Taylor Armerding, Security Advocate | Tim Mackey, Principal Security Strategist
Listen as Tim Mackey discusses why manufacturers should consider building security into their IoT devices.
-
Manufacturing more secure IoT devices
Taylor Armerding, Security Advocate | Tim Mackey, Principal Security Strategist
Listen as Tim Mackey discusses how to secure connected devices and why the responsibility falls on the manufacturer.
-
New executive order changes dynamic of software security standards
Taylor Armerding, Security Advocate | Tim Mackey, Principal Security Strategist
Listen as Tim Mackey discusses how the new executive order from the Biden administration will change how government entities, and the heads of those entities, operate in response to the surge of security threats.
-
Cyber security measures for technology buyers and suppliers
Taylor Armerding, Security Advocate | Tim Mackey, Principal Security Strategist
Listen as Tim Mackey discusses what proactive steps both technology suppliers and buyers should consider in the wake of the new E.O.
-
Why Biden's executive order should be on your radar
Taylor Armerding, Security Advocate | Tim Mackey, Principal Security Strategist
Biden’s executive order (EO), announced earlier this spring, outlines cyber security standards and best practices that will apply to federal departments, agencies, and their technology suppliers. Although the EO’s goal is to secure the U.S. government, its implications are expected to be broader, and its standards could be adopted by the commercial sector. Listen as Tim Mackey explains how Biden’s EO differs from prior EOs and why it should be on everyone’s radar.
-
A proactive approach to building trust in your software supply chain
Taylor Armerding, Security Advocate | Sammy Migues, Principal Scientist | Tim Mackey, Principal Security Strategist
Listen as Sammy Migues, Tim Mackey, and Taylor Armerding discuss why the software supply chain is an inviting target for hackers and how companies can implement a proactive approach to software supply chain security with security activities that won’t slow down innovation.
-
Reducing the risk of ransomware
Taylor Armerding, Security Advocate | Sammy Migues, Principal Scientist | Tim Mackey, Principal Security Strategist
Listen as Sammy Migues, Tim Mackey, and Taylor Armerding discuss the do’s and don’ts of ransomware prevention and mitigation.
-
Building security into DevOps
Taylor Armerding, Security Advocate | Sammy Migues, Principal Scientist | Tim Mackey, Principal Security Strategist
In this episode Sammy Migues, Tim Mackey, and Taylor Armerding explore the shifts in processes and the effective management of AppSec tools in CI/CD pipelines. They also discuss how DevSecOps teams can make sense of their data to effectively manage their business risk.
-
2022 Open Source Security and Risk Analysis (OSSRA) trends
Taylor Armerding, Security Advocate | Tim Mackey, Principal Security Strategist
In this episode of AppSec Decoded, we discuss the compelling open source trends uncovered in this year’s OSSRA report.
-
Get the most out of your open source software
Taylor Armerding, Security Advocate | Tim Mackey, Principal Security Strategist
Listen as Tim Mackey and Taylor Armerding discuss the value of Black Duck® by Synopsys audit services in the M&A world, and ways to reap the benefits of your open source software without falling victim to the risks.
-
Addressing NIST guidelines begins with understanding your risk profile
Taylor Armerding, Security Advocate | Tim Mackey, Principal Security Strategist
In this episode of AppSec Decoded, Tim Mackey and Taylor Armerding continue their conversation on how the guidance from NIST can help any organization.
-
The NIST guidance on supply chain risk management
Taylor Armerding, Security Advocate | Tim Mackey, Principal Security Strategist
In this episode Tim Mackey and Taylor Armerding discuss how organizations can address the new supply chain risk management guidance from NIST.
-
An introduction to the Synopsys Cybersecurity Research Center
Taylor Armerding, Security Advocate | Jonathan Knudsen, Head of Global Research
In this episode Jonathan Knudsen talks with Taylor Armerding about CyRC’s major annual reports, including the “Open Source Security and Risk Analysis” (OSSRA) report, which uses anonymized data from M&A audits to develop a profile of how much open source is in the software ecosystem, how organizations are using it, and whether they’re keeping it up-to-date.
-
Application security orchestration and correlation
Taylor Armerding, Security Advocate | Anita D’Amico, Vice President of Business Development
In this episode Anita D’Amico and Taylor Armerding discuss the specific functions and benefits of ASOC tools.
-
DevSecOps in a post-pandemic world
Taylor Armerding, Security Advocate | Natasha Gupta, Security Solutions Manager
In this episode Natasha Gupta, security solutions manager at Synopsys, and Taylor Armerding, security advocate at Synopsys, discuss pandemic-accelerated improvements in DevSecOps.
-
A holistic approach to your AppSec program
Taylor Armerding, Security Advocate | Chai Bhat, Security Solutions Manager
Secure software requires more than just tools. Organizations need a security strategy and plan, and skilled developers, to minimize risks in their software. Learn how to build a holistic AppSec program that builds trust in your software.
-
Methods and tools for SBOM generation
Taylor Armerding, Security Advocate | Mike McGuire, Security Solutions Manager
President Biden’s executive order calls for agencies to buy only software products that have a software Bill of Materials (SBOM). Listen as Mike McGuire and Taylor Armerding discuss the role SBOMs will play in application security and what tools and methods organizations can leverage to create a comprehensive SBOM.
-
Managing software supply chain risks
Taylor Armerding, Security Advocate | Mike McGuire, Security Solutions Manager
In this episode Mike McGuire and Taylor Armerding discuss why supply chain attacks have become low-hanging fruit for cybercriminals and what organizations need to understand about their supply chain to avoid becoming the next target.
-
Is an SBOM a silver bullet for software supply chain security?
Taylor Armerding, Security Advocate | Tim Mackey, Principal Security Strategist
In this episode of AppSec Decoded, we provide an overview of a software bill of materials (SBOM) in the context of software supply chain security, and explore the range of organizational challenges that an SBOM raises.
-
Security at the speed of DevOps
Taylor Armerding, Security Advocate | Natasha Gupta, Security Solutions Manager
In this episode Natasha Gupta, security solutions manager at Synopsys, and Taylor Armerding, security advocate at Synopsys, discuss why DevSecOps initiatives stall or fail and what organizations can do to build security into their development processes at the speed their business demands.
-
Get actionable solutions with DAST
Taylor Armerding, Security Advocate | Rod Musser, Product Manager
In this episode of AppSec Decoded, we explore how rapid development creates a larger attack surface for security teams to defend. Without the right tools, vulnerabilities may go undetected, which is why a DAST solution may be a good investment.
-
Part 1: 2022 Software Vulnerability Snapshot Explained
Taylor Armerding, Security Advocate | Chai Bhat, Security Solutions Manager
In this episode, the first of two conversations on the report, Chai Bhat, security solutions manager, discusses the research and purpose behind the report.
-
Part 2: 2022 Software Vulnerability Snapshot Takeaways
Taylor Armerding, Security Advocate | Chai Bhat, Security Solutions Manager
Watch the second episode to uncover the major takeaways, from so-called low-risk software vulnerabilities to common software supply chain attacks, and more.
-
Continuous AppSec testing in DevSecOps with IAST
Taylor Armerding, Security Advocate | Kimm Yeo, Senior Manager Dynamic AppSec Solutions
In this episode of AppSec Decoded, we discuss the role IAST plays in DevSecOps and how it can strengthen your API security strategy.
-
Open source trends uncovered in the 2023 OSSRA
Taylor Armerding, Security Advocate | Mike McGuire, Security Solutions Manager
Discover what the 2023 OSSRA report tells us about the popularity of open source and the risks it brings.
-
Managing your open source risks
Taylor Armerding, Security Advocate | Mike McGuire, Security Solutions Manager
Learn about the crucial elements to managing open source risks as highlighted in the 2023 OSSRA report.
-
Easy deployment with Polaris
Taylor Armerding, Security Advocate | Debrup Ghosh, Senior Product Manager
Hear from Debrup Ghosh as he discusses new enhancements to the Polaris Software Integrity Platform® that make it easy for organizations to onboard developers so they can start scanning their code in minutes with this cloud-based solution.
-
Scale application security cost-effectively with Polaris
Taylor Armerding, Security Advocate | Debrup Ghosh, Senior Product Manager
Debrup Ghosh talks about the importance of security tools working in harmony with developers and how that was a central consideration in the new Polaris Software Integrity Platform®.
-
Achieve frictionless AppSec for developers with Polaris
Taylor Armerding, Security Advocate | Rick Smith, Director of Product Management
The Polaris Software Integrity Platform® offers developer-focused features that enable frictionless application security for developers.
-
Don’t let your software supply chain poison your apps
Taylor Armerding, Security Advocate | Anita D’Amico, Vice President Cross-Portfolio Solutions
Learn why it’s critical for organizations to focus on software supply chain risks. Hear from Anita D’Amico, vice president of cross-portfolio solutions and strategy at Synopsys, on her predictions for the software supply chain.
-
Improving the Sec in DevSecOps
Taylor Armerding, Security Advocate | Matias Madou, Co-Founder
Listen to this conversation with Matias Madou, co-founder of Secure Code Warrior, on adding the Sec into DevSecOps and why upskilling your security and development teams is critical.
-
Talking AI with Bruce Schneier Part 1
Taylor Armerding, Security Advocate | Bruce Schneier, Security Technologist
Listen as Bruce Schneier offers his take on AI and how it can be used as a creative problem-solver in part 1 of this discussion series.
-
Talking AI with Bruce Schneier Part 2
Taylor Armerding, Security Advocate | Bruce Schneier, Security Technologist
Listen as Bruce Schneier offers his take on AI and how it can be used as a creative problem-solver in part 2 of this discussion series.
-
Achieving security simplicity amongst application chaos
Taylor Armerding, Security Advocate | Buu Lam, Community Evangelist
Listen as Taylor and Buu talk about how the speed of application releases impacts application security and what a security utopia could look like.
-
Scoping and Data Gathering in Threat Modeling
Taylor Armerding, Security Advocate | Chris Cummings, Principal Consultant
Learn how to handle scoping and data gathering, two of the five necessary steps in creating a useful threat model.
-
Breaking down the United States National Cybersecurity Strategy
Taylor Armerding, Security Advocate | Tim Mackey, Principal Security Strategist
Pillar three of the United States National Cybersecurity Strategy calls for the executive and legislative branches to shape market forces to drive security and resilience. Within this pillar, it calls for vendors to be held liable for damages caused by their products if they haven’t built reasonable security measures into them. Learn which important security standards will become part of these reasonable security measures, and how the safe harbor clause protects organizations that experience a cyberattack despite their best efforts to secure their products.
-
Addressing software liability in the public sector
Taylor Armerding, Security Advocate | Tim Mackey, Principal Security Strategist
Pillar three of the National Cybersecurity Strategy, released in March 2023, includes a liability provision. This provision calls for vendors to be held liable for damages caused by their products if they weren’t built with reasonable security measures. It also establishes a baseline for cybersecurity measures for all companies doing business with the government, but implementation will require help from legislation.
-
Tanya Janca discusses the worst DevSecOps practices
Taylor Armerding, Security Advocate | Tanya Janca, Founder & CEO
Tanya Janca, a keynote speaker at the 2023 RSA Conference, addresses some of the worst DevSecOps practices she has witnessed while working in IT for over 25 years.
-
Risks vs. benefits of AI-generated code
Taylor Armerding, Security Advocate | Mike McGuire, Security Solutions Manager
AI-generated code is easier and faster to implement into applications, but development teams must take the same risk mitigation approach used with open source and proprietary code to ensure it’s secure and compliant.
-
Creating a System Model in Threat Modeling
Taylor Armerding, Security Advocate | Chris Cummings, Principal Consultant
Learn how a system model helps guide the discussion and present results in threat modeling.
-
The evolution of application security
Taylor Armerding, Security Advocate | Clint Gibler, Head of Security Research
AppSec and AppSec teams have evolved over the last decade to keep pace with the speed and demands of the ever-changing cybersecurity landscape. Clint Gibler, head of security research at Semgrep, discusses some of these changes, as well as takeaways for modern, forward-thinking security teams.
-
Raising the security bar in DevSecOps
Taylor Armerding, Security Advocate | Clint Gibler, Head of Security Research
Tracking the right metrics is essential in DevSecOps, as it helps measure the effectiveness of your security program. Listen as Taylor and Clint discuss how teams can raise their security bar with useful measurement metrics, as well as how to identify high-ROI security investments for their DevSecOps program.