Featured
How Generative AI is Changing the SDLC
Jamie Boote, Associate Principal Consultant, Synopsys
As with all things tech, software development has been in a constant state of evolution since its infancy. Generative AI, however, has the potential to disrupt software development as we know it.
There are significant benefits offered by generative AI, but there are risks as well, including security risks. In its brief history, AI has generated buggy code, taken code from open source repositories without licensing considerations, and generated incorrect code.
In this webinar, you will learn
• What AI is and how it is used in the SDLC
• The ways AI is changing how software is being built
• The risks, drawbacks, and concerns of using AI
• How to benefit from AI while managing risks
All episodes
AppSec vs. NetSec
Jonathan Knudsen, Head of Global Research
Software security is a large and complicated topic, with a bevy of acronyms and inconsistently applied terminology.
In this webinar, Jonathan Knudsen clears the air by providing a bird’s-eye view of software security. You will learn what application security is and what it is not. Topics include
- How the sausage is made
- Which vulnerabilities are most common
- What the secure software development life cycle entails
- What is in the toolbox
DevSecOps Explained
Meera Rao, Senior Product Management Director
DevSecOps is a trending practice in application security that involves introducing security earlier in the software development life cycle. It expands the collaboration between development and operations teams to integrate security teams in the software delivery cycle.
DevSecOps needs to be risk-based, driven by your application risk indicators. It needs to optimize security testing based on your policies, and it should be efficient so that not every code change requires a full security analysis.
In this talk, you will learn
• Actionable insights into what DevSecOps is
• What DevSecOps is not
• How DevSecOps works from build to production
What Is Software Composition Analysis?
Mike McGuire, Senior Software Solutions Manager, Synopsys
Modern applications are no longer created from scratch; instead they are constructed of various components, including open source code that is often developed by individuals outside the organization. Our research reveals that open source code makes up 76% of the average application.
Although leveraging open source software provides access to external expertise, it also entails responsibilities for organizations. Ensuring the security, compliance, and quality of the code is crucial. This is where software composition analysis (SCA) plays a significant role.
Join this discussion that explores the following topics:
o What SCA is and how it functions
o Addressing risks through SCA
o Key elements of an effective SCA solution
o Building a comprehensive open source risk management program with SCA
What is Cloud Security?
Monika Chakraborty, Associate Principal Consultant, Synopsys
Cloud adoption is happening at an unprecedented pace. In the race to migrate quickly, one aspect that sometimes takes a back seat is cloud security. But application security and network security are still relevant in the cloud. Deploying infrastructure and applications in the cloud comes with its own set of challenges, such as access controls, vulnerability management, securing the hybrid cloud model, and more. That’s why it has become imperative for organizations to understand cloud security concepts and how to secure cloud workloads.
In this webinar, we will discuss cloud security and some of its concepts.
• Shared responsibility and why it is important (IaaS, PaaS, SaaS)
• Secure deployments on cloud infrastructure (people, process, technology)
• Importance of cloud security (recent cloud security breaches)
What is SAST?
Corey Hamilton, Security Solutions Manager, Synopsys
Static application security testing (SAST) is a key ingredient of any AppSec program. However, modern applications are built using processes, languages, and tools that didn’t exist when many SAST products were originally designed. This creates challenges for developers and security teams that need to deliver highly secure applications without slowing productivity.
In this webinar, we’ll discuss how SAST can help organizations drive security and quality across all their applications. Topics include
• Understanding how static analysis identifies weaknesses in application code
• Running the right level of SAST analysis for each application
• Integrating SAST throughout the software development life cycle
• Ensuring quality and compliance with policy-based code scans
Fuzzing Essentials
Andy Pan
Organizations encounter challenges in security testing, especially on systems using a variety of technology stacks and protocols. Learn how to uncover system and protocol weaknesses with a technique called fuzzing. The webinar will cover the essentials of using fuzzing solutions to ensure quality and robustness in system and network testing programs.
OWASP Top 10
Nivedita Murthy, Associate Principal Consultant
Learn about OWASP as an organization and its key projects, and dive into the evolution and process of building the OWASP Top 10 list. Learn whether this list should be considered a one-size-fits-all standard for application security and how to use it for your application security activities. We will also discuss if there are any other alternatives.
The key takeaways from this talk include
· What OWASP and the OWASP Top 10 list are
· How the OWASP Top 10 list is defined and monitored
· How to use the OWASP Top 10 list for your application security activities
What the EU Cyber Resilience Act Means for AppSec
Michael White, Technical Director and Principal Architect & Per-Olof Persson, Principal Solution Advisor Europe, Synopsys
With cyberattacks predicted to cost $10.5 trillion by 2025, the European Commission is looking to transform the cybersecurity landscape through the Cyber Resilience Act. The goal of the CRA is to “bolster cybersecurity rules to ensure more secure hardware and software products.” But what does that mean for those of us already involved in AppSec?
Join our experts as they discuss how AppSec professionals may be impacted by CRA as it exists today. Specifically, we’ll explore:
- Which products may be subject to the CRA based on the definition of “digital elements”
- What impacts this could have on software supply chain moving forward
- How you can assess your AppSec programs to see where you stand with the CRA as defined today
The CRA is currently a draft; as such, the opinions and insights of the presenters are subject to change.
Finding Your Way in Container Security
Ksenia Peguero, Senior Manager Software Engineering, Synopsys
DevSecOps and cloud services are driving container adoption in software. As container architectures get complex, they're increasingly exploited. This talk aims to clarify containerization and infrastructure-as-code (IaC) for beginners. We'll cover container technologies, key terms, their value, popularity, challenges, and security issues. We'll discuss common threats, vulnerabilities, attack vectors, and provide real-world attack examples. We'll reference standards and resources like OWASP Docker Top 10, Container Security Verification Standard, NIST Application Container Security guide, and CIS Benchmarks. Finally, we'll provide guidelines and best practices for securing containers.
CVE Explained
Matthew Hogg, Vulnerability Analyst
The Common Vulnerabilities and Exposures (CVE) system allows interested parties to track all the relevant information about a specific vulnerability. It helps avoid duplication and allows software vendors and users alike to ensure that they are referring to the same vulnerability in their efforts to protect systems against attack.
In this 15-minute session, you’ll gain
• An understanding of what the CVE system is
• Knowledge of the stakeholders involved
• Insight into the elements of a CVE ID
• A walkthrough of the CVE Record Lifecycle
Life Cycle of a Vulnerability
Theo Burton, Vulnerability Analyst, Synopsys
Vulnerabilities pose a vast threat to the security of software, systems, and users, and the number of vulnerabilities discovered is increasing year-on-year. Understanding the life cycle of vulnerabilities can help you track, manage, and mitigate these threats effectively.
In this session, you'll gain
• Knowledge of the life cycle of a vulnerability, including examples
• An understanding of why managing vulnerabilities at each stage is crucial
• Awareness of how vulnerabilities are handled in the public and private domains
• Insight into the methods used to manage and fix vulnerabilities
Embracing the Future of Cybersecurity with NIST CSF 2.0
John Waller, Cybersecurity Practice Lead, CCET Team, Synopsys Software Integrity Group
In February 2024, the NIST Cybersecurity Framework (CSF) 2.0 update was released, featuring the latest advancements. This update brings a host of transformative changes, expanding the framework's scope. It also provides stronger governance and supply chain risk management, and it refines the metrics used to assess cybersecurity effectiveness.
Join this webinar to learn about
• The long-anticipated CSF 2.0 update
• The implications of the changes in the 2.0 update
• Leveraging these changes to improve current cybersecurity programs
How Do You Secure Hype: Baselining Your Org’s Generative AI Security
David Benas, Associate Principal Consultant, Synopsys
We all can plainly see that AI is the “next big thing.” Whether your organization is bringing up its skill baseline, integrating LLM chatbots with existing applications, leveraging models to augment existing applications, pulling models off HuggingFace and fine tuning them, or training your own models from scratch, this talk will provide you with a baseline to answer the deceptively basic question: how do I secure it?
Join this webinar to learn
- The basics of GenAI
- Unique risks with AI integration
- Strategies for securely implementing AI
- Lessons from “the field”
Vulnerability Scoring 101
Lauren Fearon, Vulnerability Analyst, Synopsys
The Common Vulnerability Scoring System (CVSS) helps you decide which vulnerabilities you should be most concerned about. This isn’t to say that the CVSS will make prioritization decisions for you, but it will give you one piece of information you need to make informed decisions that are best for your organization.
In this session, you'll gain:
• An understanding of CVSS, its metrics, and scoring process
• Insight into CVSS's history and role in vulnerability management
• A walkthrough of scoring a vulnerability's severity
• Knowledge of how CVSS is used in vulnerability management
PCI-DSS 4.0 Explained: Enhancements, Challenges, and APIs
John Waller, Cybersecurity Practice Lead, CCET Team, Synopsys Software Integrity Group
Join us for a webinar discussing the challenges organizations face in transitioning to PCI-DSS 4.0 and implementing new security measures. We will explore the updates to the security framework and the critical need to secure APIs to protect sensitive payment information. Don't miss this opportunity to learn about the latest in PCI-DSS 4.0 and how to effectively adapt to these new standards.
The Evolution of Pen Testing
Thomas Richards, Principal Consultant Network and Red Team Practice Director
Innovate or perish is the only choice available to tech companies. Innovation ensures a constant state of change—new programming languages, systems, and platforms are introduced often. This constant state of evolution poses new challenges to security.
A penetration (pen) test is a simulated attack on your apps and infrastructure to find exploitable flaws and vulnerabilities. Along with tech and software, pen testing has evolved over the past decade with the introduction of mobile, cloud, big data, IoT, microservices, and more. In this webinar, we will cover
- The new vulnerabilities associated with emerging technologies
- Associated secure coding best practices for developers
- On-premises / cloud network and infrastructure security principles
- Remediation and application of appropriate security controls
- Secure software and environment design
Elevating Security in the Cloud: Detection and Response Unleashed
Cloud Security Practice, Synopsys Software Integrity Group
In today's fast-paced and ever-evolving cloud landscape, security is not just a necessity but a strategic enabler. To empower organizations to proactively prevent, detect, and respond to cloud security threats with precision and agility, cloud security solutions must scale on demand. Automation in detection and remediation efforts must be in place to meet this requirement.
In this webinar, you’ll learn
- Why cloud detection and response (CDR) is necessary
- How CDR is typically performed
- What business outcomes and benefits CDR provides