Featured

What the EU Cyber Resilience Act Means for AppSec
Michael White, Technical Director and Principal Architect & Per-Olof Persson, Principal Solution Advisor Europe, Synopsys
With the cost of cyberattacks predicted to reach $10.5 trillion by 2025, the European Commission is looking to transform the cybersecurity landscape through the Cyber Resilience Act. The goal of the CRA is to “bolster cybersecurity rules to ensure more secure hardware and software products.” But what does that mean for those of us already involved in AppSec?
Join our experts as they discuss how AppSec professionals may be impacted by the CRA as it exists today. Specifically, we’ll explore:
- Which products may be subject to the CRA based on the definition of “digital elements”
- What impacts this could have on software supply chain moving forward
- How you can assess your AppSec programs to see where you stand with CRA as defined today
The CRA is currently a draft; as such, the presenters’ opinions and insights are subject to change.
All episodes
AppSec vs. NetSec
Jonathan Knudsen, Head of Global Research
Software security is a large and complicated topic, with a bevy of acronyms and inconsistently applied terminology.
In this webinar, Jonathan Knudsen clears the air by providing a bird’s-eye view of software security. You will learn what application security is and what it is not. Topics include
- How the sausage is made
- Which vulnerabilities are most common
- What the secure software development life cycle entails
- What is in the toolbox
Pen Testing 101
Dylan Iuzzolino, Senior Security Consultant, Synopsys
A common adage states that “security is only as strong as its weakest link.” Penetration (pen) testing is meant to find those weak links before an attacker does. Through regular (typically yearly) pen tests, these entry points can be identified and remediated, providing greater assurance in an application’s defenses.
A pen test is a simulated attack on your apps and infrastructure to find exploitable flaws and vulnerabilities. Expert testers use a constantly evolving set of tools and techniques to find weaknesses in a system and demonstrate their business impact.
In this webinar you will learn:
- Definition and types of pen tests
- The precautions you need to take before you start testing
- Approaches to vulnerability discovery across applications
- How (manual) pen testing fits in with automated tooling
- Walkthrough of an example vulnerability
DevSecOps Explained
Meera Rao, Senior Product Management Director
DevSecOps is a trending practice in application security that involves introducing security earlier in the software development life cycle. It expands the collaboration between development and operations teams to integrate security teams in the software delivery cycle.
DevSecOps needs to be risk-based, using your application’s risk profile to decide how much security testing each change warrants. It should optimize security testing according to your policies, and it should be efficient, so that not every code change triggers a full security analysis.
In this talk, you will learn
• Actionable insights into what DevSecOps is
• What DevSecOps is not
• How DevSecOps works from build to production
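The policy-driven, risk-based testing described above, as an added example (not Synopsys code or a Synopsys product feature): the pipeline supplies the application’s risk tier, the branch and the changed paths, and the policy decides which checks to run, so a docs-only change triggers nothing while a change to authentication code on a high-risk application gets the full set. The tier names, path patterns and check names are assumptions made for the example.

```python
"""Policy-driven selection of security checks for a change.

Added example, not Synopsys code: a small, explicit policy that turns
application risk tier + branch + changed paths into the list of checks a
pipeline should run. Tiers, patterns and check names are assumptions.
"""
from fnmatch import fnmatch

# Paths whose change raises the bar regardless of risk tier (assumed patterns).
SENSITIVE_PATHS = ["src/auth/*", "src/crypto/*", "*/payments/*", "Dockerfile", "infra/*"]
DEPENDENCY_MANIFESTS = ["requirements*.txt", "package-lock.json", "go.sum", "pom.xml"]
IGNORABLE = ["docs/*", "*.md", "*.png"]


def matches_any(path, patterns):
    return any(fnmatch(path, p) for p in patterns)


def select_checks(risk_tier, branch, changed_paths):
    """Return the ordered list of checks the policy requires for this change.

    risk_tier:     'low' | 'medium' | 'high' (from the application inventory)
    branch:        e.g. 'feature/x', 'main', 'release/1.2'
    changed_paths: paths touched by the commit or pull request
    """
    relevant = [p for p in changed_paths if not matches_any(p, IGNORABLE)]
    if not relevant:
        return []                                  # nothing security-relevant changed

    checks = ["secrets-scan"]                      # cheap, so always on
    manifests_changed = any(matches_any(p, DEPENDENCY_MANIFESTS) for p in relevant)
    sensitive_changed = any(matches_any(p, SENSITIVE_PATHS) for p in relevant)
    release = branch == "main" or branch.startswith("release/")

    if manifests_changed:
        checks.append("sca")                       # new or updated components need vetting
    if release or sensitive_changed or risk_tier == "high":
        checks.append("sast-full")                 # whole-program analysis
    else:
        checks.append("sast-incremental")          # only the changed files
    if release and risk_tier in ("medium", "high"):
        checks.append("dast")                      # slow; reserve for release candidates
    if sensitive_changed and risk_tier == "high":
        checks.append("manual-review")             # gate for the highest-impact changes
    return checks


if __name__ == "__main__":
    print(select_checks("low", "feature/x", ["README.md"]))
    print(select_checks("high", "release/2.0", ["src/auth/login.py", "requirements.txt"]))
```

The point is that the policy is data the security team owns and developers can read, not a hard-coded “scan everything on every commit”. Note that `fnmatch`’s `*` also matches `/`, so `docs/*` covers nested paths.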
What Is Software Composition Analysis?
Mike McGuire, Senior Software Solutions Manager, Synopsys
Modern applications are no longer created from scratch; instead they are constructed of various components, including open source code that is often developed by individuals outside the organization. Our research reveals that open source code makes up 76% of the average application.
Although leveraging open source software provides access to external expertise, it also entails responsibilities for organizations. Ensuring the security, compliance, and quality of the code is crucial. This is where software composition analysis (SCA) plays a significant role.
Join this discussion that explores the following topics:
o What SCA is and how it functions
o Addressing risks through SCA
o Key elements of an effective SCA solution
o Building a comprehensive open source risk management program with SCA
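How SCA functions at its core, as an added example (not Synopsys code or Black Duck logic): identify the components a build pulls in from its dependency manifest, then match each one against a vulnerability feed by version range. The requirements file and the advisory feed below are constructed for illustration; the advisory IDs and affected versions are not real.

```python
"""Minimal software composition analysis (SCA) matcher.

Added example, not Synopsys code. Manifest text and advisory feed are
constructed; advisory IDs and version ranges are made up for the demo.
"""
import re
from dataclasses import dataclass

# Constructed pinned requirements file, as a build system would see it.
REQUIREMENTS_TXT = """\
# constructed sample manifest
requests==2.19.0
pyyaml==5.1
cryptography==41.0.7  # comment after pin
"""

# Constructed advisory feed: affected range is [introduced, fixed).
# introduced=None means "from the first release"; fixed=None means unfixed.
ADVISORIES = [
    {"id": "EX-0001", "package": "requests", "introduced": None, "fixed": "2.20.0", "severity": "medium"},
    {"id": "EX-0002", "package": "pyyaml", "introduced": None, "fixed": "5.4", "severity": "critical"},
    {"id": "EX-0003", "package": "pyyaml", "introduced": "5.3", "fixed": "5.3.1", "severity": "high"},
]


@dataclass(frozen=True)
class Component:
    name: str
    version: str


def parse_version(v):
    """'2.19.0' -> (2, 19, 0). Pre-release suffixes are ignored; adequate for pinned releases."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_requirements(text):
    """Extract name==version pins; skip comments, blanks and unpinned lines."""
    comps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$", line)
        if m:
            comps.append(Component(m.group(1).lower(), m.group(2)))
    return comps


def is_affected(version, introduced, fixed):
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    if introduced is not None and v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def match_advisories(components, advisories=ADVISORIES):
    findings = []
    for c in components:
        for adv in advisories:
            if adv["package"] == c.name and is_affected(c.version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": f"{c.name}@{c.version}",
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                })
    return findings


def scan(text=REQUIREMENTS_TXT):
    return match_advisories(parse_requirements(text))


if __name__ == "__main__":
    for f in scan():
        print(f"{f['severity'].upper():8} {f['component']} -> {f['advisory']} (fixed in {f['fixed_in']})")
```

Real SCA tools add the parts this leaves out: transitive dependency resolution from lockfiles, fingerprinting of vendored or copied code that appears in no manifest, license identification, and proper version semantics for each ecosystem (PEP 440, semver, Maven). The matching loop, though, is exactly this.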
What is Cloud Security?
Monika Chakraborty, Associate Principal Consultant, Synopsys
Cloud adoption is happening at an unprecedented pace. In the race to migrate quickly, one aspect that sometimes takes a back seat is cloud security. But application security and network security are still relevant in the cloud. Deploying infrastructure and applications in the cloud comes with its own set of challenges, such as access control, vulnerability management, securing a hybrid cloud model, and more. That is why it has become imperative for organizations to understand cloud security concepts and how to secure cloud workloads.
In this webinar, we will discuss cloud security and some of its concepts.
• Shared responsibility and why it is important (IaaS, PaaS, SaaS)
• Secure deployments on cloud infrastructure (people, process, technology)
• Importance of cloud security (recent cloud security breaches)
What is SAST?
Corey Hamilton, Security Solutions Manager, Synopsys
Static application security testing (SAST) is a key ingredient of any AppSec program. However, modern applications are built using processes, languages, and tools that didn’t exist when many SAST products were originally designed. This creates challenges for developers and security teams that need to deliver highly secure applications without slowing productivity.
In this webinar, we’ll discuss how SAST can help organizations drive security and quality across all their applications. Topics include
• Understanding how static analysis identifies weaknesses in application code
• Running the right level of SAST analysis for each application
• Integrating SAST throughout the software development life cycle
• Ensuring quality and compliance with policy-based code scans
Fuzzing Essentials
Andy Pan
Organizations face challenges in security testing, especially for systems that use a variety of technology stacks and protocols. Learn how to uncover system and protocol weaknesses with a technique called fuzzing. This webinar covers the essentials of using fuzzing solutions to ensure quality and robustness in system and network testing programs.
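The essentials of fuzzing in working code, as an added example (not Synopsys code or Defensics): take valid seed inputs, apply random mutations, feed them to the target, and treat any exception the target does not explicitly raise as a robustness failure. The record parser below is constructed and intentionally trusts its length field, mirroring an unchecked-length bug in a binary protocol handler; the seed inputs are constructed as well.

```python
"""Mutation-based fuzzer against a small, constructed record parser.

Added example, not Synopsys code. parse_records() is the constructed,
deliberately fragile target; mutate()/fuzz() are the fuzzer.
"""
import random

BUF_SIZE = 16


def parse_records(data):
    """Parse type(1) length(1) payload(length) records into a list.
    Deliberately fragile: `length` is copied without being checked against
    the remaining input or the fixed-size output buffer."""
    records = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated header")      # the one check it does make
        rtype, length = data[pos], data[pos + 1]
        buf = bytearray(BUF_SIZE)
        for k in range(length):                          # unchecked length
            buf[k] = data[pos + 2 + k]                    # IndexError stands in for overflow/over-read
        records.append((rtype, bytes(buf[:length])))
        pos += 2 + length
    return records


INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]           # boundary values fuzzers favour


def mutate(data, rng):
    """Apply one random mutation; the strategies are typical of mutational fuzzers."""
    data = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and data:                              # flip a random bit
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and data:                            # replace a byte with a boundary value
        data[rng.randrange(len(data))] = rng.choice(INTERESTING)
    elif choice == 2:                                     # insert a random byte
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif data:                                            # delete a byte
        del data[rng.randrange(len(data))]
    return bytes(data)


def fuzz(target, seeds, iterations=2000, seed=1):
    """Run target on mutated seeds; return {exception type: shortest input that triggered it}."""
    rng = random.Random(seed)                             # fixed seed keeps runs reproducible
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(seeds), rng)
        try:
            target(candidate)
        except ValueError:
            continue                                      # explicit rejection: expected behaviour
        except Exception as exc:                          # anything else is a finding
            name = type(exc).__name__
            if name not in crashes or len(candidate) < len(crashes[name]):
                crashes[name] = candidate
    return crashes


SEEDS = [b"\x01\x04ABCD", b"\x02\x00\x03\x02hi"]       # constructed valid inputs


if __name__ == "__main__":
    for name, inp in fuzz(parse_records, SEEDS).items():
        print(f"{name}: {inp!r}")
```

The fix for the target is the check the fuzzer is really probing for: reject the record with `ValueError` when `length > BUF_SIZE` or `pos + 2 + length > len(data)`. With that in place the same run reports nothing. Protocol fuzzers like the ones the webinar discusses do the same loop with a model of the protocol, so mutations land on fields (lengths, counts, enums) rather than random bytes, and with a monitor on the target process rather than a Python exception handler.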
OWASP Top 10
Nivedita Murthy, Associate Principal Consultant
Learn about OWASP as an organization and its key projects, and dive into the evolution of the OWASP Top 10 list and the process used to build it. Learn whether this list should be considered a one-size-fits-all standard for application security and how to use it in your application security activities. We will also discuss whether there are alternatives.
The key takeaways from this talk include
· What OWASP and the OWASP Top 10 list are
· How the OWASP Top 10 list is defined and monitored
· How to use the OWASP Top 10 list for your application security activities