Today’s software contains on average more than 50% open source. That’s why organizations with foresight are including software composition analysis in their security plans. FLIGHT East 2018 was full of tips, techniques, applications, and solutions for open source security. Here are some of the presentations.
Today’s software contains significant amounts of open source, on average more than 50%, according to a 2018 Synopsys study. That’s why organizations with foresight are including software composition analysis best practices and solutions in their security plans to protect their applications from open source risks.
In late September, experts from Black Duck, Synopsys, and leading organizations from around the world gathered at FLIGHT East 2018 for three days of technical and educational discussions focused on open source security and open source license compliance.
Were you lucky enough to attend this year’s FLIGHT East? If so, you heard about tips, techniques, applications, and solutions to deliver secure, high-quality software at the speed of DevOps. But if you couldn’t attend FLIGHT East 2018, here’s the next best thing: Many of the presentations are now online.
How to add open source security to your CD pipeline
Learn how DocuSign implements Black Duck in continuous development pipelines—including API integrations, data visualization, and the automatic generation of compliance evidence using DocuSign envelopes—in Black Duck at DocuSign.
How to protect your patents when using open source
Adam Kessel (litigation principal, Fish & Richardson) discusses issues that arise at the intersection of patent protection and open source licensing in his presentation Patents and Open Source: Known and Unknown Risks. Many companies wonder whether it’s still worth pursuing patents on technology they’ve released under open source licenses. Others are concerned that using, contributing to, or distributing open source software will compromise their patent strategy. This presentation covers business and legal strategies for answering both sorts of questions. Adam also looks at existing case law guidance on these risks.
How to succeed at CI
Continuous integration is a development practice where developers integrate code into a shared repository several times a day. Dr. Robert Burnett (director of software engineering, L-3 Communications) examines why continuous integration is a fundamental change in thinking about software development, basic steps to get on the continuous integration path, team responsibilities, and a checklist for success in Continuous Integration—An Overview.
How to handle a data breach under GDPR
Timehop, an app developer, experienced a network intrusion that led to a breach of customer data. In Handling a Data Breach Under GDPR, Timehop representatives cover:
- What they learned from the incident
- Why Timehop chose to be as transparent as possible
- How they responded to the inevitable criticism
- What lessons you can take away to improve your incident response plans
How to use an open source audit report
The universal first step for open source security is performing an audit of a codebase. But what do you do once you have the audit report? In You’ve Got Your Open Source Audit Report, Now What?, top open source legal experts Anthony Decicco (shareholder, GTC Law Group & Affiliates) and Leon Schwartz (associate, GTC Law Group & Affiliates) team up to explain. They discuss best practices and steps you should be taking today for managing open source software in your organization and before and during transactions. Topics covered include the following:
- How do you conduct an open source / third-party software audit?
- How do you get the most out of your Black Duck code scan?
- What are key aspects of an effective open source / third-party software policy for inbound use? What about outbound contributions (including releasing code as open source)?
How to prepare for a data breach
In their presentation Data Breaches and the Law, Georgie Collins and Dan Hedley (Irwin Mitchell, LLP) examine where GDPR, open source software management, and the law intersect. Topics include:
- How organizations must respond to data breaches under different regulations (including GDPR and NISD)
- How to prepare for a data breach
- What to do if the worst happens
How to secure your containers in DevOps
When it comes to adopting containers in the enterprise, security is the highest adoption barrier. Is your organization ready to address the security risks with containers for your DevOps environment? In A DevOps State of Mind, you’ll learn about:
- Best practices for addressing the top container security risks in a container environment, including images, builds, registry, deployment, hosts, network, storage, APIs, monitoring and logging, and federation
- Automating and integrating security vulnerability management and compliance checking for container images in a DevOps CI/CD pipeline
- Deployment strategies for deploying container security updates, including recreate, rolling, blue/green, canary, and A/B testing
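The automated compliance check mentioned above (and the software composition analysis the introduction recommends) usually comes down to one gate in the pipeline: read the scan report, compare it against policy, and fail the build when something blocking is found. The following is an added example that is not code from the original post, from Synopsys, or from Black Duck; the JSON report shape, the vulnerability identifiers, and the component data are all constructed for illustration and do not match any real tool's output format.

```python
"""Policy gate for an open source / container image scan report (illustrative, added example)."""
import json
import sys
from dataclasses import dataclass, field

# Constructed sample report. The field names and the VULN-EXAMPLE-* ids are
# assumptions for this example, not the output of any real scanner.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example.internal/app:1.4.2",
    "components": [
        {"name": "openssl", "version": "1.1.1g", "license": "Apache-2.0",
         "vulnerabilities": [{"id": "VULN-EXAMPLE-1", "cvss": 9.8, "fix_version": "1.1.1k"}]},
        {"name": "left-pad", "version": "1.3.0", "license": "WTFPL",
         "vulnerabilities": []},
        {"name": "jquery", "version": "3.5.1", "license": "MIT",
         "vulnerabilities": [{"id": "VULN-EXAMPLE-2", "cvss": 4.3, "fix_version": None}]},
    ],
})


@dataclass
class Policy:
    """Thresholds the organization agrees on; values here are illustrative."""
    block_cvss_at_or_above: float = 7.0      # high/critical findings stop the build
    warn_cvss_at_or_above: float = 4.0       # medium findings are reported but allowed
    denied_licenses: frozenset = frozenset({"WTFPL", "AGPL-3.0"})


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def evaluate(report_json: str, policy: Policy = Policy()) -> GateResult:
    """Classify every finding in the report as blocking, warning, or acceptable."""
    report = json.loads(report_json)
    result = GateResult(passed=True)
    for comp in report["components"]:
        label = f"{comp['name']}@{comp['version']}"
        # License compliance: a denied license blocks regardless of vulnerabilities.
        if comp.get("license") in policy.denied_licenses:
            result.blocking.append(f"{label}: license {comp['license']} is not permitted")
        for vuln in comp.get("vulnerabilities", []):
            score = float(vuln["cvss"])
            # Surface whether an upgrade exists; a blocking finding with no fix
            # needs a documented exception rather than a silent override.
            fix = vuln.get("fix_version") or "no fix available"
            msg = f"{label}: {vuln['id']} (CVSS {score}, fix: {fix})"
            if score >= policy.block_cvss_at_or_above:
                result.blocking.append(msg)
            elif score >= policy.warn_cvss_at_or_above:
                result.warnings.append(msg)
    result.passed = not result.blocking
    return result


def render(result: GateResult) -> str:
    """Human-readable summary suitable for a CI job log."""
    lines = [f"gate: {'PASS' if result.passed else 'FAIL'}"]
    lines += [f"  BLOCK  {m}" for m in result.blocking]
    lines += [f"  WARN   {m}" for m in result.warnings]
    return "\n".join(lines)


if __name__ == "__main__":
    # Read a report from stdin if one is piped in, otherwise use the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    outcome = evaluate(raw or SAMPLE_REPORT)
    print(render(outcome))
    # A non-zero exit code is what makes the pipeline stage fail.
    sys.exit(0 if outcome.passed else 1)
```

Run as a pipeline step with the scanner's output piped to stdin (after adapting the field names to the real report format). The exit code is the whole point: the build stops on blocking findings, while warnings stay visible in the log so the team can track medium-severity debt without halting every deployment.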
This is a Security Bloggers Network syndicated blog from Software Integrity authored by Fred Bals. Read the original post at: https://www.synopsys.com/blogs/software-security/flight-east-2018-open-source-security/