Name: How Does Malicious Code Enter Applications?
Start: 2023-12-14T06:00:00Z
End: 2023-12-14T06:00:33.000Z
Location: BrightTALK
Rating: 4

Black Duck® offers the most comprehensive, powerful, and trusted portfolio of application security solutions in the industry. We have an unmatched track record of helping organizations around the world secure their software quickly, integrate security efficiently in their development environments, and safely innovate with new technologies. As the recognized leaders, experts, and innovators in software security, Black Duck has everything you need to build trust in your software.

As of October 1, 2024 the Synopsys Software Integrity Group is now Black Duck®

Gain insights into important legal developments from two of the leading open source legal experts, Tony Decicco, Principal at GTC Law Group & Affiliates and Chris Stevenson, Of Counsel at DLA Piper.

This annual review will highlight the most significant legal developments related to open source software in 2024, focusing on topics that were resolved, those that got started and what we can expect to see in coming years.

The 2024 Open Source Year in Review

Securing your software supply chain requires that you analyze dependencies for risk, harden your development pipeline, and secure the artifacts that you deploy or ship to customers. Are you prepared for the four common attack vectors that bad actors exploit?  

In this webinar, we’ll look at different types of software supply chain attacks and discuss:    

• The riskiest points of your software development lifecycle 
• Real-world examples of how attackers take advantage of upstream dependencies and build automation 
• Crucial tools and processes to help you avoid falling victim to supply chain attacks

Don’t Take the Bait: Four Software Supply Chain Attacks

Just as most software assets contain open source, modern software applications commonly include third party software functionality via calls to external web services via APIs. By using web services, developers may be inadvertently signing their companies up to terms of service or using a web service without a suitable agreement. Using these services can expose a company to compliance, security, data privacy, and operational risks that could disrupt or severely affect the business. As part of the tech M&A due diligence process, you should be aware of these web services-related risks so that you can make informed decisions about deal valuation and remediation.
 
Join us for a discussion about web services and how they can affect M&A and other transactions. We’ll cover:
 
• The legal compliance, data privacy, security, and business risks that come with web services
• Typical terms of service and common pitfalls
• Real-world examples of these risks
• How a buyer can get a better understanding of these risks in a target’s codebase or how a seller can prepare for diligence to avoid risks
 
Don’t miss this informative webinar. Register today.

Web Services & APIs: Impact on M&A and Other Transactions

As of October 1, 2024, Black Duck has taken flight as an independent company. The Black Duck team is extremely excited to not only take flight but to soar along with our customers. We understand that questions arise from change, so please join us for a webinar to learn what’s next for Black Duck Audits.
 
In this 30-minute webinar, we’ll discuss:
 
• The journey to becoming an independent company
• Why it’s important to understand process and code risks in M&A
• How Black Duck Audits is poised for success now and in the future

What’s Next: Black Duck Audits

Open source software is at the heart of modern development, but it comes with its own set of challenges. The number of discovered vulnerabilities continues to rise year after year. Staying ahead in this evolving landscape requires not only vigilance but also access to accurate vulnerability data. 
Join us for an exclusive webinar with the Black Duck Vulnerability Research team, where you'll gain insights into their cutting-edge approach to identifying and addressing vulnerabilities in open source software. Discover how their innovative methods empower organizations to detect and remediate vulnerabilities quickly and effectively. 
In this session, you'll learn: 
- How the Black Duck Vulnerability Research team operates and innovates to deliver unparalleled vulnerability insights. 
- Why the quality and accuracy of vulnerability reports are critical to security success. 
- The latest trends and insights shaping the open source vulnerability landscape.

Black Duck Vulnerability Research

Python is a fast, platform-agnostic, and easy-to-learn programming language that is suited for beginners and experienced developers alike. Ever since its first release in 1991, Python has had a constant presence in the computer world and has become a go-to language thanks to its easy-to-understand code and versatility. Today, Python can boast a wide array of libraries and frameworks, and they are the cornerstone of fast and easy Python programming—the so-called Pythonic way of development.
 
But like all programming languages, Python is not immune to security threats. Secure coding best practices must be adopted to avoid risks from attackers. In this webinar, we’ll explore Python security best practices that should employed when building secure application.

Python 101

The EU created the Digital Operational Resilience Act (DORA) to help the financial sector withstand, respond to, and recover from Information and Communication Technology (ICT) disruptions.  But what does that mean from a security testing perspective?
 
Join this webinar to get practical and tactical advice on how to address testing requirements. We’ll cover:
 
• An in-depth look at DORA with a focus on articles 25 and 26 (testing)
• It’s impact on the financial sector and vendors that support them
• Best security testing practices to satisfy DORA requirements

DORA and Software Security

Software vendors and development teams that build their applications on low-level languages like C and C++ are aware of the complexity that comes along with using these versatile and adaptable languages. As such, most teams have processes in place to review code for security and quality issues. 

However, most teams are missing a glaring blind spot, and that’s the open source used in their applications. Despite making up 77% of the average application, open source can be difficult to track in C and C++ applications because of the lack of standardization around package manager use.   

Join us to learn how you can make open source risk management a part of your application security program. We will discuss:  

- How open source dependencies are used in C and C++ development 
- Security, quality, and IP compliance risk of untracked open source dependencies 
- How Black Duck SCA handles open source in C and C++ where others fall short

How to Score an A+ on C++ in Open Source Security

Explore key insights from the “2024 Vulnerability Snapshot” report, which is based on data from over 200,000 application security scans. This webinar will explore critical findings, such as the prevalence of injection vulnerabilities, and highlight evolving threat landscapes impacting organizations today. Our expert panel will also discuss how strategic use of dynamic application security testing (DAST) and other methodologies can address these challenges. 
 In this webinar you will learn
• Emerging threat patterns and which vulnerabilities pose the greatest risk across industries
• Why DAST is essential for uncovering complex, runtime vulnerabilities that traditional testing might miss
• Practical recommendations, backed by comprehensive data, to enhance your security practices
 Join us to deepen your understanding of today’s security landscape and learn how data-driven insights can inform better security decisions.

Essential Vulnerability Insights for AppSec

This year’s DevSecOps report defines a vivid image of organizations’ journey to secure their software development pipelines. It provides intriguing conclusions about operational challenges, AppSec efficiency, and evolving risk exposure amid the rise of AI-assisted development. Did you know that although 85% of respondents have some measures in place to address the challenges posed by AI-generated code, only 24% are “very confident” in their policies and processes for testing such code? 

Join us as we examine the key findings from the Black Duck 2024 DevSecOps report and discuss

• The state of DevSecOps across roles and technologies in light of AI-assisted development
• What a maturing DevSecOps program looks like, and which tools and practices foster growth
• How to integrate application security without impeding DevOps

DevSecOps in the Wild: Examining Global Security Factors in 2024

Legislation requiring stringent software security practices by software producers is being passed around the globe. This requires organizations to rethink their approach to software security, which industry standards they follow, and the best practices for their software development teams.

NIST has produced guidance known as the Secure Software Development Framework (SSDF). The SSDF is a series of practices and associated tasks that serve as a baseline for teams seeking to securely develop software in a standardized way. Attestation to conformance with a subset of the SSDF has been signaled by the U.S.

In this webinar, you will learn the best practices for performing an SSDF readiness assessment including:

• Whether your organization’s software development practices align with the SSDF
• How to determine which controls are lacking for conformance with guidelines
• How to perform associated corrective recommendations on time
• Case studies of successful U.S. government attestations

Best Practices for Leveraging the SSDF

AI coding assistants, such as Microsoft CoPilot and ChatGPT, will fundamentally change the way teams build software, much like open source software has over the last decade. As with open source, teams seeking the benefits of AI will also need to take precautions to address the security, quality, and intellectual property risks that come with the use of AI-generated code. Is your team ready for AI? 

In this webinar, we'll explore: 

Key risks teams might encounter using coding assistants 

Safeguards needed for confident use of AI-generated code

Keeping Pace: Managing the risks of AI-generated code

AI-powered development has greatly increased the rate at which software evolves. But using artificial intelligence as a proxy for security-aware developers introduces a variety of risks to the business.

Organizations must prepare for the complexities of AI-powered development. This requires establishing consistent and scalable DevSecOps initiatives. The discussion will cover

• Innovation and trends in AI-powered software development
• The inherent risks to application security and business operations of using AI and third-party digital artifacts
• Best practices for establishing application security testing and issue remediation within DevOps workflows that include AI
• Ways to use AI to empower developers and reduce the opportunity of an attack

Artificial Intelligence, Real Security: Preparing DevSecOps for AI Development

DevSecOps and cloud services are driving container adoption in software. As container architectures get complex, they're increasingly exploited. This talk aims to clarify containerization and infrastructure-as-code (IaC) for beginners. We'll cover container technologies, key terms, their value, popularity, challenges, and security issues. We'll discuss common threats, vulnerabilities, attack vectors, and provide real-world attack examples. We'll reference standards and resources like OWASP Docker Top 10, Container Security Verification Standard, NIST Application Container Security guide, and CIS Benchmarks. Finally, we'll provide guidelines and best practices for securing containers.

Finding Your Way in Container Security

As the popularity of cloud-native applications continues to surge, containers are becoming the preferred option to package and deploy these applications because of the agility and scalability they deliver. According to Gartner, “by 2022, more than 90% of global organizations will be running containerized applications in production by 2026 or 2027,up from less than 40% in 2021.”

The popularity of containers has also attracted the attention of hackers who are constantly looking for new ways to exploit them. Containers expand an organization’s attack surface and increase the risk to the applications they house. A comprehensive approach for container security is required to mitigate the risk to containerized applications and infrastructure.

In this webinar, we’ll outline the essential elements required to secure your container environments, including:
• Understanding what containers are (and aren’t)
• How to look at container security holistically
• The top threats to container landscapes
• Relevant case studies

Container Security Essentials

Securing software takes teamwork—a unified approach from development through testing and into production. But each team has a distinct set of requirements and workflows that need to align to realize a concerted push for security. And while developers influence risk posture, they are often not trained in or focused on software security practices.

How can you make the effort that developers and DevOps teams are already putting in more valuable to the business? What's the best way to cultivate highly security-conscious developers so your software becomes more secure over time? Is there a way to derive tangible benefits for the business, the team, and the individual?

Join us as we break down a five-step process with real-world applicability. Topics include

• The critical distinction between developers' security awareness and their security capability
• Mechanisms to automate risk detection and accelerate remediation across the pipeline, including at the developer desktop
• How to establish security gates in DevOps pipelines in a way that doesn't derail development or lead to missed shipping deadlines
• How to create a DevSecOps initiative that can evolve with the business and enable developers to sustain security requirements as part of their day-to-day
• Ways to maximize security's value to the business and its customers

AppSec Automation: Five Steps to Achieving Developer-First Security

Organizations face a variety of threats from malicious actors. With the proliferation of web services, APIs are the fastest-growing attack surface in the industry. It's time to act. Join this webinar to get answers to some of the most pressing questions, such as

• What are the current industry trends on API usage?
• What are the challenges in dealing with application and API security?
• What are the solutions to API security challenges?
• What is an example of a firm that has adopted an IAST tool for API security?

Addressing API Security in Your DevSecOps Life Cycle

Technology drives business value and understanding the intricacies of software due diligence has become paramount in M&A. While mitigating risk has always been the priority, the risk landscape has changed over time, the risk categories have expanded, and the diligence process has evolved. 
 
Join us for this webinar to learn how the software risk landscape has evolved and how Black Duck has evolved along with it. We’ll cover:

• Key software trends over time and implications for software due diligence
• Types of software risks and how to mitigate them 
• How Black Duck’s audit offerings have evolved to address software risk

Register today.

The Evolution of Software Due Diligence in M&A

Generative AI, Training Data, Open Source, and GitHub Copilot, Oh My!

Best Practices for Using AI in Software Development

Embracing the Future of Cybersecurity with NIST CSF 2.0

PCI-DSS 4.0 Explained: Enhancements, Challenges, and APIs

AI Strategy, Security, and Governance: The View from the Top

What the EU Cyber Resilience Act Means for AppSec

Four Types of Supply Chain Attacks Development Teams Should Worry About

Securing Tomorrow - Navigating Trends in Application Security

The 2024 Guide to Open Source Security and Risk

By the Numbers: Software Supply Chain Security Risks

How Many Types of SBOM Are There?

Deep Dive: Software Supply Chain Threats

Demystifying SBOMs: Navigating Legislation and Processes

AI and Software Development: IP and Governance

Your Software Supply Chain is Only as Secure as its Weakest Link

SBOMs and SPDX: Now and in the Future

Zero to Hero: Improving Your Container Security Strategy

Automagic API Security Testing

How to Address API Security in 2023?

Securing your Software Supply Chain

Malicious code has been making headlines over the past years. The type of attacks may vary, but the consequences are real. We’ve seen a spate of malicious open source components identified within the NPM repository, or an ethical hacker gaining access to the systems of several notable tech companies using publicly hosted packages. 

Today, threat actors are looking beyond exploiting weaknesses in the application layer. Now they have started taking advantage of the inherent trust associated with open source software. Inadvertently building code with these weaknesses into applications leaves businesses and their customers prime targets of supply chain attacks.  

Join us as we discuss

• What can be classified as malicious code or malware 
• Some of the techniques that attackers use to inject malicious code into the supply chain 
• Methods for identifying malicious code and open source components

How Does Malicious Code Enter Applications?

Malicious Code

Open Source

Threat Assessment

Supply Chain

Information Security

Cyber Attacks

Hackers

Application Security

OWASP

Intellectual property law is crucial to ensuring that you or your organization have exclusive rights to that assets that you’ve created. The BrightTALK intellectual property community has thousands of professionals focused on learning and exchanging information about intellectual property management, intellectual property software and how to protect intellectual property. Join the community for access to free, interactive presentations or attend live webinars to have your questions answered by IP lawyers and industry experts.

Intellectual Property

The legal community on BrightTALK combines the fields of employment law, e-discovery, intellectual property and environmental law to create a thriving ecosystem of legal resources. Attend live and on-demand webinars dealing with employment contract law, e-discovery solutions, intellectual property software and sustainable development from leading lawyers and legal professionals to gain knowledge in a wide range of fields. Join the community and be part of the conversation by attending live legal webinars and connecting with industry thought leaders.

Legal

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

The application development community features top thought leadership focusing on optimal practices in software development, SDLC methodology, mobile app development and application development platforms and tools. Join top software engineers and coders as they cover emerging trends in everything from enterprise app development to developing for mobile platforms such as Android and iOS.

Application Development

Enterprise applications have become a crucial piece of infrastructure for many businesses. The enterprise applications community on BrightTALK features the latest insights in enterprise application integration, enterprise application architecture and EAS software. Join the community to gain access to thousands of videos and webinars presented by recognized enterprise information systems experts and arm yourself with the knowledge you need to succeed.

Enterprise Applications

Join thousands of engaged IT professionals in the application management community on BrightTALK. Interact with your peers in relevant webinars and videos on the latest trends and best practices for application lifecycle management, application performance management and application development.

Application Management

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Information Technology

Internal audit and compliance professionals are facing increasingly stringent regulatory requirements when it comes to compliance reporting and internal control procedures. Join the audit and compliance community to learn best practices from thought leaders on topics such as regulatory compliance, internal audit checklists and audit program strategies.

Audit and Compliance

Get powerful market trends insights that are shaping the M

Mergers and Acquisitions

The accounting and finance community on BrightTALK features presentations from leading accountants and finance professionals. The accounting community includes tax planning strategies, QuickBooks webinars and other accounting webinars, while the finance community features presentations on financial capital regulations and forensic data analytics. Join the conversation by attending live financial and accounting presentations and connecting with industry thought leaders.

How Does Malicious Code Enter Applications?

Presented by

About this talk

More from this channel