Featured
By the Numbers: Software Supply Chain Security Risks
Larry Ponemon, Ponemon Institute and Shandra Gemmiti, Synopsys
In a survey of your peers, the Ponemon Institute uncovered a stark reality:
Teams are struggling to secure software supply chains as fast as advances in things like AI are increasing development's ability to produce software. For example, 52% of organizations leverage AI tools to generate code. Yet only 32% say they have processes in place to evaluate it. And less than half say they are effective in securing open source or evaluating the security of commercial software in their supply chain.
Where do you rank?
Join the webinar to understand the state of software supply chain security and how you can help your team keep pace with managing it. We’ll cover:
• How prepared organizations are for supply chain attacks
• How to secure and manage open source and commercial software in your applications
• How things like AI and SBOM mandates are impacting security readiness
All episodes
-
Benefits of an SBOM Across the Software Supply Chain
Dr. Allan Friedman, Cybersecurity and Infrastructure Security Agency (CISA)
Software is everywhere. And for organizations dependent on software, understanding and managing the software supply chain is vital. Changes to your software supply chain may have ripple effects for your business. How do you manage that?
Join us for this Synopsys webinar to learn why a software Bill of Materials (SBOM) is an important tool in managing your software supply chain. We’ll cover:
• What an SBOM is and what role it plays in the supply chain
• How to efficiently manage the software supply chain
• What happens when something goes wrong with a link in the chain
-
Methods and tools for SBOM generation
Taylor Armerding, Security Advocate | Mike McGuire, Security Solutions Manager
President Biden’s executive order calls for agencies to buy only software products that have a software Bill of Materials (SBOM). Listen as Mike McGuire and Taylor Armerding discuss the role SBOMs will play in application security and what tools and methods organizations can leverage to create a comprehensive SBOM.
-
Securing the Software Supply Chain: More Than Just an SBOM?
Guest: Sandy Carielli, Forrester Research | David London, Chertoff Group | Tim Mackey, Synopsys | Patrick Carey, Synopsys
Gone are the days when you only had to worry about the code your developers are writing. Now you have to think about a complex supply chain, which includes everything from open source dependencies and APIs to containers, infrastructure-as-code, and CI/CD toolchains. Recent supply chain attacks, along with the U.S. executive order on cybersecurity, have organizations re-evaluating the security of their software supply chains.
In this webinar, our expert panelists will discuss
• Why securing your supply chain means more than having an accurate software Bill of Materials (SBOM)
• What the executive order and other initiatives mean for software producers and consumers
• What security and development teams need to do to manage new and evolving supply chain threats
Learn what you can do to enhance the security of your software supply chain. Register now.
-
Managing software supply chain risks
Taylor Armerding, Security Advocate | Mike McGuire, Security Solutions Manager
In this episode Mike McGuire and Taylor Armerding discuss why supply chain attacks have become low-hanging fruit for cybercriminals and what organizations need to understand about their supply chain to avoid becoming the next target.
-
Is an SBOM a silver bullet for software supply chain security?
Taylor Armerding, Security Advocate | Tim Mackey, Principal Security Strategist
In this episode of AppSec Decoded, we provide an overview of a software bill of materials (SBOM) in the context of software supply chain security. Explore the range of organizational challenges that stem from their SBOM.
-
Demystifying SBOM: More Than Just an Artifact?
Mike McGuire, Senior Software Solutions Manager | Michael White, Technical Director and Principal Architect
Software supply chain risk and software Bills of Materials (SBOMs) are top of mind across almost every industry today. You’ve probably been bombarded with massive streams of information about what an SBOM is and what you can do to get one. What you might not have seen, though, is what an SBOM is not, and what type of information it does not provide. To truly mitigate risk across the software supply chain and maintain the trust of customers, it’s crucial that SBOMs are treated as part of a larger process, rather than a simple silver bullet artifact.
Join our Synopsys webinar to discover:
- What to expect from the SBOM process
- How to get the most out of your SBOM
- How to make an SBOM part of your software development and procurement life cycles
-
How to Easily Generate An Accurate SBOM with Black Duck
Mike McGuire, Senior Software Solutions Manager
Did you know that open source code constitutes up to 95% of the code in your applications? This creates a web of dependencies that can pose security, quality, and compliance risks. Black Duck provides a solution by helping you generate an accurate software bill of materials (SBOM) in minutes, giving you visibility into your software supply chain. Watch the video to streamline your SBOM generation process and take control of your software supply chain.
-
Open source trends uncovered in the 2023 OSSRA
Taylor Armerding, Security Advocate | Mike McGuire, Security Solutions Manager
Discover what the 2023 OSSRA report tells us about the popularity of open source and the risks it brings.
-
Managing your open source risks
Taylor Armerding, Security Advocate | Mike McGuire, Security Solutions Manager
Learn about the crucial elements to managing open source risks as highlighted in the 2023 OSSRA report.
-
Supply Chain Security Snags
Tim Mackey, Principal Security Strategist
The executive order issued by the White House last year calls for more robust software supply chain protections for federal agencies. Meanwhile, companies are also taking steps toward securing their supply chains. And they are now facing many of the same struggles that government bodies have endured while attempting to adhere to the executive order. So what are the challenges? They include:
- Improving visibility into the global partners from which you’re sourcing components
- Instituting and operationalizing software bills of materials (SBOMs)
- Establishing the required scope of your supply chain security program
- Determining what your testing procedures will entail
Join us as Tim Mackey, principal security strategist at Synopsys, offers inside analysis into the U.S. government’s foray into supply chain security. He will then reveal what lessons businesses can apply toward their own efforts in this space.
-
Take Action: Putting Open Source Risk Management Policies to Work
Aditi Sharma, Dell; Patricia Tarro, Dell; Mike Phillips, Dell & Anthony Decicco, GTC Law Group
Once you have a grasp on how open source can both benefit and introduce risk to your organization, your next consideration should be learning to manage it. How can you build open source risk management governance into your development pipelines, and prove to your customers that you’re doing your part in protecting your software supply chain?
Join our talk as open source experts from Dell and GTC Law Group discuss:
• Determining which open source is the best fit for your company’s software
• Managing risk without slowing development and delivery
• Digitizing and automating open source risk governance
• Generating and utilizing compliant software Bills of Materials (SBOMs)
-
Takeaways from Recent Software Supply Chain Developments
Anthony Decicco, GTC Law Group
Modern application development and deployment models make for a software supply chain that’s more complicated than ever before. While managing the open source dependencies brought in by developers and package managers is a crucial consideration, you must begin looking further.
- Which dependencies are being included in containers after you’ve scanned the base image?
- What business, security and compliance risks are introduced by the web services you leverage?
- What are the license obligations of the code snippets automatically added by intelligent IDEs?
Join us as we discuss how to stay on top of the newest application development technologies and the risks that come along with them.
-
Don’t let your software supply chain poison your apps
Taylor Armerding, Security Advocate | Anita D’Amico, Vice President Cross-Portfolio Solutions
Learn why it’s critical for organizations to focus on software supply chain risks. Hear from Anita D’Amico, vice president of cross-portfolio solutions and strategy at Synopsys, on her predictions for the software supply chain.
-
Addressing software liability in the public sector
Taylor Armerding, Security Advocate | Tim Mackey, Principal Security Strategist
Pillar three of the National Cybersecurity Strategy, released in March 2023, includes a liability provision. This provision calls for vendors to be held liable for damages caused by their products if they weren’t built with reasonable security measures. It also establishes a baseline for cybersecurity measures for all companies doing business with the government, but implementation will require help from legislation.
-
Coffee with a Slice of SBOM
Mike McGuire, Senior Software Solutions Manager, Synopsys
For a variety of reasons, everyone is talking about software Bills of Materials (SBOMs). Some organizations are being required to generate and provide them, while others are asking for them from their vendors. One thing is for certain though - there is a lot of noise surrounding SBOMs, and it's not making it any easier to understand what must be done, what should be done, and what can be done.
Join Mike McGuire, security solutions manager with the Synopsys Software Integrity Group, as he cuts through the noise and simplifies the concept of the modern SBOM. Mike will address some of the market’s lingering questions, including:
- Why there is a heightened focus on SBOM
- What SBOM is and is not
- How to build and use an SBOM
- How they can help you secure your software supply chain
-
Software Supply Chain Risk Management: The New EU and US SBOM Regulation
Matthew Brady, Senior Manager Sales Engineering, Synopsys
There is a lot of talk about SBOMs (Software Bills of Materials) and Software Supply Chains, as well as emerging software security requirements being developed in the US and EU. At the same time many organizations continue to be caught unprepared to respond when new OSS vulnerabilities like those in Log4J are disclosed. Confused on where to focus?
You are not alone. In this session, we’ll help you navigate the path from SCA to SBOM management to Software Supply Chain Security.
-
What Is Software Composition Analysis?
Mike McGuire, Senior Software Solutions Manager, Synopsys
Modern applications are no longer created from scratch; instead they are constructed of various components, including open source code that is often developed by individuals outside the organization. Our research reveals that open source code makes up 76% of the average application.
Although leveraging open source software provides access to external expertise, it also entails responsibilities for organizations. Ensuring the security, compliance, and quality of the code is crucial. This is where software composition analysis (SCA) plays a significant role.
Join this discussion that explores the following topics:
o What SCA is and how it functions
o Addressing risks through SCA
o Key elements of an effective SCA solution
o Building a comprehensive open source risk management program with SCA
-
SBOMS and the Modern Enterprise Software Supply Chain
Jason Clark, Independent Security Researcher & Mike McGuire, Senior Software Solutions Manager, Synopsys
The Log4j debacle highlighted just how difficult it is for security teams to find vulnerable software, and the recent executive order around a software bill of materials is highlighting the importance of knowing what software the organization is using. How can a software bill of materials help security teams with detection and response? In this webinar, experts discuss how organizations can use the software bill of materials as part of their enterprise security strategy. Learn how to implement a software bill of materials, identify controls and processes that need to be implemented alongside it, and understand potential challenges to be aware of. Organizations rarely have a clear picture of what software is running in their organization, but it doesn't have to be that way.
During this webinar you will:
- Unpack the potential, as well as the limitations, of an SBOM.
- Find out what you should look for in an SBOM, and how to ask for one.
- Get the facts about how security teams have successfully implemented SBOMs into their overall security strategy.
-
What the EU Cyber Resilience Act Means for AppSec
Michael White, Technical Director and Principal Architect & Per-Olof Persson, Principal Solution Advisor Europe, Synopsys
With cyberattacks predicted to cost $10.5 trillion by 2025, the European Commission is looking to transform the cybersecurity landscape through the Cyber Resilience Act. The goal of the CRA is to “bolster cybersecurity rules to ensure more secure hardware and software products.” But what does that mean for those of us already involved in AppSec?
Join our experts as they discuss how AppSec professionals may be impacted by CRA as it exists today. Specifically, we’ll explore:
- Which products may be subject to the CRA based on the definition of “digital elements”
- What impacts this could have on software supply chain moving forward
- How you can assess your AppSec programs to see where you stand with CRA as defined today
The CRA is currently a draft; as such, opinions and insights from presenters are subject to change.
-
SBOMs and SPDX: Now and in the Future
Gary O'Neall, Source Auditor and Phil Odence, Synopsys
If software is an important part of your business and you need to comply with license terms and protect against security vulnerabilities, you need to know and track what is inside your software. Lists of software components and dependencies are typically referred to as Software Bills of Materials (SBOMs).
Standardizing the format for SBOMs can improve the accuracy and efficiency for managing software license compliance and security vulnerabilities – especially if your software is the result of a long list of suppliers (e.g., a commercial product which depends on a commercial library which uses an open-source library which includes source from a different open-source project).
With the May 12, 2021 U.S. Presidential Executive Order on Improving the Nation's Cybersecurity, several software suppliers are being required to produce their SBOMs in a standard format.
SPDX is a standard format for SBOMs. Although it has been around for more than 10 years, it has gone through some significant evolution, such as representing data on security vulnerabilities. There is a forthcoming major release which supports several new use cases, such as tracking the build process and tracking data about artificial intelligence models.
In this talk, we will start with how you can use the widely adopted SPDX 2.3 spec to represent security vulnerability and license compliance data and then go into some of the new features of the SPDX 3.0 specification. We will touch on what goes into making a quality SBOM.
At the conclusion of the talk, you will have a better understanding how you can make use of SPDX whether you are producing software or evaluating software you use (or plan to use).
-
How Many Types of SBOM Are There?
Mike McGuire, Senior Software Solution Manager, Synopsys
As far as the Cybersecurity and Infrastructure Security Agency (CISA) is concerned, there are six types of SBOMs that can be created for a single application or piece of software, and no two of them will be identical. While CISA doesn’t have a favorite type of SBOM, you may find that your organization, vendors, or customers prefer some over others. As such, it’s important to understand what to expect from each type, how to generate them, and be prepared to reconcile the differences across them.
Learning objectives:
• Become familiar with the six types of SBOM
• Understand the benefits and limitations of each type
• Know the methods and tools required to generate each type
-
The Four Truths of Securing Your Software Supply Chain
Matthew Brady, Senior Manager Sales Engineering and Mike McGuire, Security Solutions Manager at Synopsys
In the realm of secure software supply chains, it's evident that each one possesses its unique characteristics. Consequently, the strategies for ensuring their security are equally diverse. This variance often contributes to the widespread confusion surrounding the subject. But what if we could pinpoint the shared elements among all supply chain security endeavors?
Join us for a discussion on four fundamental truths observed across every secure software supply chain. Discover how these principles can propel your security initiatives forward.
Prepare to gain insights into:
- The impact of open source software on contemporary supply chains
- The significance of consistent and reliable risk assessment
- The role of automation in facilitating effective governance
- Establishing consumer trust through vendor practices
-
Demystifying SBOMs: Navigating Legislation and Processes
Matthew Brady, Synopsys | Karel Kohout, Accenture | Martin Schleicher, Continental
Explore the current hype around software Bills of Materials (SBOMs), driven by new and upcoming legislation in the EU and elsewhere mandating their use across vendors, suppliers, and customers. Delve into the diverse capabilities required for SBOMs, varying by sector, jurisdiction, and supply chain position. This presentation will highlight key aspects of SBOM compliance, featuring crucial insights and a roundtable discussion with industry leaders IBM and Continental.
Together, we’ll address
- How to decipher legislative implications for SBOMs
- Streamlining effective SBOM processes
- Strategic insights for successful implementation
-