Featured
Embracing the Future of Cybersecurity with NIST CSF 2.0
John Waller, Cybersecurity Practice Lead – CCET Team
In February 2024, NIST released version 2.0 of its Cybersecurity Framework (CSF). This update brings a host of transformative changes: it expands the framework's scope, adds stronger governance and supply chain risk management, and refines the metrics used to assess cybersecurity effectiveness.
Join this webinar to learn about
• The long-anticipated CSF 2.0 update
• The implications of the changes in the 2.0 update
• Leveraging these changes to improve current cybersecurity programs
All episodes
DevSecOps Explained
Meera Rao, Senior Product Management Director
DevSecOps is a trending practice in application security that involves introducing security earlier in the software development life cycle. It expands the collaboration between development and operations teams to integrate security teams in the software delivery cycle.
DevSecOps needs to be risk-based, driven by indicators such as your application risk rating. It needs to be able to optimize security testing based on your policies. It should be efficient, so that not every code change requires a full security analysis.
In this talk, you will learn
• Actionable insights into what DevSecOps is
• What DevSecOps is not
• How DevSecOps works from build to production
What is Cloud Security?
Monika Chakraborty, Associate Principal Consultant
Cloud adoption is happening at an unprecedented pace. In the race to migrate quickly, one aspect that sometimes takes a back seat is cloud security. But application security and network security are still relevant in the cloud. Deploying infrastructure and applications in the cloud comes with its own set of challenges, such as access controls, vulnerability management, securing the hybrid cloud model, and more. That’s why it has become imperative for organizations to understand cloud security concepts and how to secure cloud workloads.
In this webinar, we will discuss cloud security and some of its concepts.
• Shared responsibility and why it is important (IaaS, PaaS, SaaS)
• Secure deployments on cloud infrastructure (people, process, technology)
• Importance of cloud security (recent cloud security breaches)
Life Cycle of a Vulnerability
Theo Burton, Vulnerability Analyst
Vulnerabilities pose a vast threat to the security of software, systems, and users, and the number of vulnerabilities discovered is increasing year-on-year. Understanding the life cycle of vulnerabilities can help you track, manage, and mitigate these threats effectively.
In this session, you'll gain
• Knowledge of the life cycle of a vulnerability, including examples
• An understanding of why managing vulnerabilities at each stage is crucial
• Awareness of how vulnerabilities are handled in the public and private domains
• Insight into the methods used to manage and fix vulnerabilities
The Evolution of Pen Testing
Thomas Richards, Principal Consultant Network and Red Team Practice Director
Innovate or perish is the only choice available to tech companies. Innovation ensures a constant state of change—new programming languages, systems, and platforms are introduced often. This constant state of evolution poses new challenges to security.
A penetration (pen) test is a simulated attack on your apps and infrastructure to find exploitable flaws and vulnerabilities. Along with tech and software, pen testing has evolved over the past decade with the introduction of mobile, cloud, big data, IoT, microservices, and more. In this webinar, we will cover
- The new vulnerabilities associated with emerging technologies
- Associated secure coding best practices for developers
- On-premises / cloud network and infrastructure security principles
- Remediation and application of appropriate security controls
- Secure software and environment design
What is Application Security Posture Management (ASPM)?
Natasha Gupta, Senior Product Marketing Manager
Companies adopt many application security testing (AST) tools to pinpoint where critical fixes are needed and avoid costly post-production software issues. Yet despite a lot of AppSec investment, they still fail to get an accurate view of risk, and struggle to integrate testing, triage, and remediation within developer workflows. This has driven the evolution of application security posture management (ASPM).
In this session, we’ll dive into
- The difference between application security orchestration and correlation (ASOC) and ASPM
- The capabilities that a comprehensive ASPM solution should have
- How ASPM can help your development and security teams mitigate software risk at scale
Python 101
Boris Cipot, Senior Security Engineer
Python is a fast, platform-agnostic, and easy-to-learn programming language that is suited for beginners and experienced developers alike. Ever since its first release in 1991, Python has had a constant presence in the computer world and has become a go-to language thanks to its easy-to-understand code and versatility. Today, Python can boast a wide array of libraries and frameworks, and they are the cornerstone of fast and easy Python programming—the so-called Pythonic way of development.
But like all programming languages, Python is not immune to security threats. Secure coding best practices must be adopted to avoid risks from attackers. In this webinar, we’ll explore the Python security best practices that should be employed when building secure applications.
OWASP Top 10 | Understanding It and Using It
Nivedita Murthy, Associate Principal Consultant
Learn about OWASP as an organization and its key projects, and dive into the evolution and process of building the OWASP Top 10 list. Learn whether this list should be considered a one-size-fits-all standard for application security and how to use it for your application security activities. We will also discuss if there are any other alternatives.
The key takeaways from this talk include
· What OWASP and the OWASP Top 10 list are
· How the OWASP Top 10 list is defined and monitored
· How to use the OWASP Top 10 list for your application security activities
Four Types of Supply Chain Attacks Development Teams Should Worry About
Mike McGuire, Senior Security Solution Manager
Log4Shell, SolarWinds, CodeCov, and the npm package repository are all associated with some type of software supply chain risk or incident, but each represents a completely different attack vector. As we depend more on build and release automation and third-party dependencies, we need to better understand how threat actors exploit them to attack the consumers of software. In this session, you’ll learn
• The riskiest points of your software development life cycle
• The four most common supply chain attacks, with real-world examples
• How to create a firewall around the software supply chain to protect your software and your customers
How Do You Secure Hype: Baselining Your Org’s Generative AI Security
David Benas, Associate Principal Consultant
We all can plainly see that AI is the “next big thing.” Whether your organization is bringing up its skill baseline, integrating LLM chatbots with existing applications, leveraging models to augment existing applications, pulling models off HuggingFace and fine tuning them, or training your own models from scratch, this talk will provide you with a baseline to answer the deceptively basic question: how do I secure it?
Join this webinar to learn
- The basics of GenAI
- Unique risks with AI integration
- Strategies for securely implementing AI
- Lessons from “the field”
What the EU Cyber Resilience Act Means for AppSec
Michael White, Technical Director and Principal Architect & Per-Olof Persson, Principal Solution Advisor Europe
With the cost of cyberattacks predicted to reach $10.5 trillion by 2025, the European Commission is looking to transform the cybersecurity landscape through the Cyber Resilience Act. The goal of the CRA is to “bolster cybersecurity rules to ensure more secure hardware and software products.” But what does that mean for those of us already involved in AppSec?
Join our experts as they discuss how AppSec professionals may be impacted by CRA as it exists today. Specifically, we’ll explore:
- Which products may be subject to the CRA based on the definition of “digital elements”
- What impacts this could have on software supply chain moving forward
- How you can assess your AppSec programs to see where you stand with the CRA as defined today
The CRA is currently a draft; as such, the opinions and insights of the presenters are subject to change.
PCI-DSS 4.0 Explained: Enhancements, Challenges, and APIs
John Waller, Cybersecurity Practice Lead – CCET Team
Join us for a webinar discussing the challenges organizations face in transitioning to PCI-DSS 4.0 and implementing new security measures. We will explore the updates to the security framework and the critical need to secure APIs to protect sensitive payment information. Don't miss this opportunity to learn about the latest in PCI-DSS 4.0 and how to effectively adapt to these new standards.
CVE Explained
Matthew Hogg, Vulnerability Analyst
The Common Vulnerabilities and Exposures (CVE) system allows interested parties to track all the relevant information about a specific vulnerability. It helps avoid duplication and allows software vendors and users alike to ensure that they are referring to the same vulnerability in their efforts to protect systems against attack.
In this 15-minute session, you’ll gain
• An understanding of what the CVE system is
• Knowledge of the stakeholders involved
• Insight into the elements of a CVE ID
• A walkthrough of the CVE Record Lifecycle
As of October 1, 2024, the Synopsys Software Integrity Group is now Black Duck®.
Black Duck Vulnerability Research
Theo Burton, Vulnerability Analyst
Open source software is at the heart of modern development, but it comes with its own set of challenges. The number of discovered vulnerabilities continues to rise year after year. Staying ahead in this evolving landscape requires not only vigilance but also access to accurate vulnerability data.
Join us for an exclusive webinar with the Black Duck Vulnerability Research team, where you'll gain insights into their cutting-edge approach to identifying and addressing vulnerabilities in open source software. Discover how their innovative methods empower organizations to detect and remediate vulnerabilities quickly and effectively.
In this session, you'll learn:
- How the Black Duck Vulnerability Research team operates and innovates to deliver unparalleled vulnerability insights.
- Why the quality and accuracy of vulnerability reports are critical to security success.
- The latest trends and insights shaping the open source vulnerability landscape.
Elevating API Security: A Structured Approach
John Waller, Cybersecurity Practice Lead – CCET Team
APIs have become central to the daily operations of most businesses. Their rapid proliferation has exposed significant vulnerabilities that need immediate attention. This presentation provides an in-depth assessment of the current state of API security. We discuss the growth of API-related incidents and provide a framework for improving API security within organizations.
Join this webinar to learn about
• API security challenges due to the increase in API usage, and the resulting vulnerabilities
• Proactive security integrations for incorporating security measures throughout the entire API development life cycle
• A framework for enhancing API security to protect against emerging threats
Navigating AI/ML Security: The Essentials for 2025
David Benas, Associate Principal Consultant
Generative AI continues to reshape industries, but with its rapid adoption comes an equally fast-evolving set of security challenges. Infosec teams and organizational leaders are under increasing pressure to address these risks effectively.
Join us for a forward-looking session that draws on Black Duck’s extensive experience with clients and partners to provide valuable insights into managing AI/ML security in the coming year. This webinar will explore the shift from hype to practical implementation of generative AI, the sophisticated threat landscape targeting AI/ML systems, and key updates to the OWASP LLM Top 10 for 2025.
In this high-level discussion, you’ll gain:
- Lessons learned from real-world engagements with AI/ML security in 2024.
- Insights into the evolving threat landscape and its implications for AI/ML systems.
- A deeper understanding of critical changes in the OWASP LLM Top 10 for 2025.