Learn more about modern application security programs, DevOps, and CI/CD, and how to integrate static analysis into your DevSecOps pipeline.
Two Models of Application Security: The DMV and the Fishing Teacher
What if application security testing were like a trip to the DMV? The security and development teams wouldn’t really understand each other, security testing would create long waits for product releases, and the relationship would quickly become antagonistic. Unfortunately, many organizations’ first attempts follow this model.
A better model is the fishing teacher. At too many organizations, the security team is trying to catch enough fish for everyone else in the organization. Instead, the security team should teach everyone how to fish for themselves by spreading the automation and integration of proactive security throughout the rest of the organization, unifying a security-first culture that drives down organizational risk.
A recent report from 451 Research, Designing a Modern Application Security Program, emphasizes the importance of automating and integrating security in your application development processes. This webinar shares best practices from the report and teaches you how to lower your risk without losing your mind.
When: Tuesday, April 21 @ 11:30 a.m. Eastern / 8:30 a.m. Pacific
Who: Jonathan Knudsen, Technical Marketing Manager, Synopsys
Modernizing Your SSI for DevOps and CI/CD
What’s the most pressing issue in software security from the last 20 years? We think it’s how to evolve your software security initiative (SSI) to support a modern DevOps practice and CI/CD pipeline while still meeting your security objectives.
In this talk, Kevin will discuss the key challenges of DevOps and CI/CD and arm you with a simple but effective method to optimize software security efforts. He’ll also highlight the inherent benefits of DevOps and CI/CD for secure software development to ensure nothing is left on the table as your SSI transforms. Key learning points:
- Defining core CI/CD and DevOps SSI capabilities for your organization
- Dimensions of maturity for SSDL gates in modern lifecycles
- Software security culture, DevSecOps, and your SSI
- Key performance indicators and critical SSI telemetry
When: Tuesday, April 21 @ 7 a.m. BST
Who: Kevin Nassery, Senior Principal Consultant, Synopsys
5 Steps to Integrate SAST Into the DevSecOps Pipeline
Even software with a solid architecture and design can harbor vulnerabilities, whether due to mistakes or shortcuts. But limited security staff don’t have the resources to perform code reviews and provide remediation guidance on the entire application portfolio. Static analysis, also known as static application security testing (SAST), is an automated way to find bugs, back doors, and other code-based vulnerabilities so the team can mitigate those risks.
First, though, you must choose a static analysis model that fits your needs. You might have questions such as these:
- How do I manage false positives?
- How do I triage the results?
- What happens to newly identified issues?
- My scan takes hours to complete. How can I use this tool in my DevSecOps pipeline?
- What is a “baseline scan”?
Join us as we walk you through the challenges and benefits of integrating a SAST tool into your DevSecOps pipeline and how we’ve helped other organizations with this process.
When: Thursday, April 23 @ 1 p.m. Eastern / 10 a.m. Pacific
Who: Meera Rao, Senior Principal Consultant, Synopsys
This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Synopsys Editorial Team. Read the original post at: https://www.synopsys.com/blogs/software-security/webinars-april-20-24/