Name: AWS & Mend.io: Securing Cloud-Native Applications Across the SDLC
Start: 2023-12-07T15:00:00Z
End: 2023-12-07T15:01:00.000Z
Location: BrightTALK
Rating: 0

Mend, formerly known as WhiteSource, effortlessly secures what developers create. Mend uniquely removes the burden of application security, allowing development teams to deliver quality, secure code, faster. With a proven track record of successfully meeting complex and large-scale application security needs, the world’s most demanding software developers rely on Mend. The company has more than 1,000 customers, including 25 percent of the Fortune 100, and manages Renovate, link here, the open-source automated dependency update project.  For more information, visit www.mend.io, the Mend blog, and Mend on LinkedIn and Twitter. 

AppSec and software supply chain security require more than a loose collection of tools and a vulnerability remediation process. A holistic approach covers risk assessment, a secure software development life cycle, software composition analysis (SCA), SBOMs, static and dynamic application security testing (SAST/DAST), workflow automation, automated remediation, runtime protections, compliance reporting and more. Successful implementation of this holistic approach enables companies to shrink their overall attack surface and reduce technical and security debt. Our panel of software security experts will discuss practical steps to building a sustainable application and software supply chain security strategy that meets today’s business demands and those that may arise in the future.

Holistic AppSec and Software Supply Chain Security

Learn more about identifying open-source code and the license types being used. And, why you need to identify not just direct dependencies but also transitive dependencies.

This discussion also includes:

Why failure to ensure visibility over open-source software use can be costly
How the problem encompasses both your existing code base and new code in development
How automating software competence enables you to choose which license types you want to allow, decline or examine more

Handling Open Source Context Licensing: Wrong Answers Only

Malicious packages are a growing threat, and they may already have infiltrated your applications. Like any malware, malicious packages can inflict significant damage.

Malicious Packages Special Report Overview

Software supply chain threats and increasing regulatory pressures make supply chain security a top priority for software organizations. While building secure applications is a must for any organization, the path to creating secure software is anything but clear. Software bills of materials (SBOMs) have emerged as an essential  tool and a roadmap for organizations on their secure software journey.

While most of today’s SBOM efforts revolve around tracking software components, versions and licenses, as SBOM technologies and regulations evolve, organizations should be ready to capitalize on new SBOM-related opportunities. Organizations should start building strategies to leverage SBOM data through a process that identifies applications, creates SBOMs and makes them available for the business to deliver repeatable and ongoing value.

- How to create a sustainable software supply chain security strategy,
- How to identify processes and tools for creating SBOMs
- Automating SBOM creation as part of DevOps and application security workflows,
- Keeping up with the latest advances in SBOMs, application and software supply chain security.

SBOMs: A Roadmap for a Secure Software Journey

The ongoing rise in cyberattacks across the software supply chain and a shifting regulatory landscape are forging an unlikely alliance between CISOs, software leaders and legal experts. Privacy, the shifting and diverse regulatory landscape, liability and new AI/ML use cases all present unique challenges and opportunities for risk management, but to best navigate these challenges, legal teams must be involved, too. Why? Because today, software vulnerabilities can represent not just a business risk but a legal risk.

During this live panel roundtable, experts from security, software and legal disciplines discuss some of the top cyberlaw and legal topics affecting software supply chain security, including:
    -  The impact of shifting liability for insecure software onto software developers and away from consumers as proposed in the National Cybersecurity Strategy
    -  How these changes will affect the open source community
    -  Managing open source license risk
    -  The increasing need for technical due diligence in M & A activity
    -  Ensuring the security of third-party software supply chains

Strange Bedfellows: Software, Security and the Law

It might seem obvious that regularly upgrading software and dependencies means your software is inherently more secure, but in practice, this is hard to achieve. Choice Hotels struggled to manually maintain their codebase and remediate all the transitive vulnerabilities lurking in the code. Today’s compositional applications created a complex archeological exploration challenge for developers trying to resolve security issues across a codebase. It was time-consuming, tedious, and imperfect.

In this program, Choice Hotels explains how they overcame these challenges for their development teams with Moderne’s remediation automation. With this solution, they applied the principles and practices of continuous software modernization and kept their code in a more secure state.

You will learn about:

- Choice Hotels' challenges and solutions on the path to continuous modernization
- How automating code remediation can dramatically change the security posture and productivity balance within an organization
- What it takes to automatically remediate vulnerabilities with high accuracy at the enterprise scale
- How Moderne’s next-generation alternative to current SAST tooling is dramatically improving developer velocity

Malicious Package Trend Analysis

Cybersecurity teams and developers continually struggle to reconcile what can seem like two competing priorities. Delivering new capabilities and addressing existing security technical debt. But what if they can do both at the same time? Forward-leaning AppSec programs are finding smart ways to reduce security debt by instituting a strategic approach to managing security vulnerabilities. This approach starts by reducing the attack surface early on and throughout development.

In this webinar, you will learn the following:
- How to automate dependency management so that it runs on autopilot
- Why you should assign a confidence level to updates
- How to mass-update group dependencies given a high confidence rating
- How to prioritize vulnerability remediation and update within the repo

Two Birds, One Stone: Shrinking Security Debt and Attack Surfaces

Security is an increasingly critical aspect of application development. As the volume of applications rapidly expands, so does the volume of source code, components, and dependencies used to create them. With them comes a growth in the potential attack surface and an escalation in the variety of threats to your application security.

Mend.io CEO Rami Sass, Jeff Martin, VP of product management, and CMO Arabella Hallawell recently sat down for a panel discussion on AppSec today to discuss the growing significance of AppSec, why traditional approaches fall short, and how to create a modern, effective AppSec program.

The Importance of Adopting Modern AppSec Practices

Threat actors are after our sensitive data. In 2023, the number of malicious packages published to Node Package Manager (npm) and RubyGems ballooned 315% compared to 2021, and 85% of malicious packages discovered in existing applications were capable of exfiltration – meaning they could cause an unauthorized transmission of information. Software packages containing malicious code are a growing threat, and they may have unknowingly infiltrated your applications.
Join VP of Product Management, Jeff Martin and Principal Product Architect, Maciej Mensfeld as they dig into the findings from the Mend Malicious Packages Special Report and discuss how  Mend.io’s 360-degree malicious package protection can help defend against this insidious threat.

Malicious Packages Special Report: Attacks Move Beyond Vulnerabilities

Spoiler alert: In 2022, audits found open source in 100% of our customer engagements.

Since open source usages are now so pervasive, companies are increasingly concerned about the security of applications built on the foundation of open source components. Consequently, open source security and license compliance are primary concerns of acquirers and targets involved in tech merger and acquisition (M&A) transactions. Acquiring companies must be aware of the potential open source risks they may be inheriting along with the intellectual property in their targets’ codebases, identifying open source in the target’s code base is essential to M&A transactions involving software.

Join this webinar to learn more about:

What’s the risk of not evaluating open source in M&A?
How can companies prepare to avoid legal risks of non-compliance
What is the role of open source license compliance?

What You Don't Know Can Hurt You-Open Source License Compliance and M&A Activity

Supply chain attacks made headlines in 2022, sending shockwaves through the industry as security and business leaders scrambled to reexamine the security of their own supply chains. In this webinar, experts talk through the stages of a supply chain attack and the different types of attacks to look for. You will also learn what tools and strategies you can start using immediately to assess your own supply chain security and put defenses in place to keep your supply chain protected.

During this webinar you will:

Learn about where hidden supply chain vulnerabilities might be lurking in your systems.
Get tactics for how to assess your current supply chain security.
Find out how SBOMs can be most effectively used to shore up the software supply chain.
Presented by featured speakers Jason Clark & Jeffrey Martin. Moderated by Becky Bracken.

How Supply Chain Attacks Work - And What You Can Do to Stop Them

Organizations of all kinds are experiencing increasing volumes, frequency and severity of cyberattacks. 71% of IT and security leaders say that their portfolio of applications has become more vulnerable in the last year alone, and cybercrime is expected to cost companies worldwide around $10.5 trillion annually by 2025. To fight this trend, organizations need a resilient AppSec strategy that can reinforce trust, reliability and security when faced with adverse conditions.

In this program, we'll examine what drives this need, what DevOps can do to strengthen application security, and what are the key principles of effective AppSec programs. You’ll discover:

* Why cyberattacks on applications and the software supply chain have increased
* How increased use of open source software, cloud-based services and custom-built applications contributes to the risks
* The five key principles organizations should follow to optimize their AppSec: Prevention, shifting smart, automation, governance and cultural change

AWS & Mend.io: Five Principles of Modern Application Security Programs

Securing the Software Supply Chain - Key Findings From the Mend Open Source Risk Report:

Open source vulnerabilities are in permanent growth mode. A significant quarterly increase in the number of malicious packages published in registries such as npm and rubygems have shown the increasing need to protect against this trending attack. At the same time, companies that struggle to close the remediation gap on known vulnerable open source code. It’s all in the The Mend Open Source Risk Report, which details these and other significant risks posed by the ongoing rise in open source vulnerabilities and software supply chain attacks.

Join Jeff Martin, Vice President of Product Management at Mend, as he discusses key findings from the report—and why this growing threat is a mounting concern in an app-driven world.

Securing the Software Supply Chain

Threat actors operate by an ironclad rule: If it’s important to businesses, it’s important to them. And they certainly understand the crucial business role of applications. Applications are now the number one attack vector, while software supply chain attacks increased 650 percent in a year. Clearly, if you don’t already have a modern application security program that can support today’s digital world, you need to build one. 
But how do you make sure that your program will be effective? To achieve this, you should answer a set of key questions that we cover in this webinar, where you'll learn:
* What you should know to build an effective AppSec strategy (and probably don’t)
* Why and how to you can ensure that you have buy-in to AppSec from the top down in your organization
* How and why to bake in application security to developers’ working practices
* Why you should think like attackers to beat them
* What tools and strategies enable you to achieve this
* Why AppSec needs to be integrated across the entirety of a development program

The CISO's Guide to AppSec Innovation

Attacks on software supply chains have greatly accelerated the rate at which organizations are now embracing DevSecOps best practices to secure both legacy monolithic and emerging cloud-native applications. Adopting a DevSecOps approach can help maintain the speed of application development and deployment while ensuring the security and stability of applications.

But the range of technologies and best practices required to achieve and maintain application security vary widely, and each organization may choose a combination of different tools to achieve the same result. Each organization will need to determine for themselves how far they want to shift responsibility for application security left toward application developers.

Roundtable Discussion: DevSecOps

Your Bitbucket Cloud repos are key to building best-in-breed applications and a great place to shift left for better open source security. With other software composition analysis (SCA) tools, keeping your repos safe can be a cumbersome process requiring frequent tool-switching. Now, you can integrate world-class open source security that automates remediation and reduces mean time to recovery (MTTR) by 80% or more, all while staying in the Bitbucket Cloud repositories that your teams know and love. 

Join us for a 30-minute webinar to learn:
* Why open source security works better when it shifts left to the repository stage
* How software composition analysis (SCA) tools can help you find and fix vulnerabilities
* How to automatically remediate vulnerabilities without ever leaving the Bitbucket Cloud UI

More Security, Less Tool Switching: Mend SCA for Bitbucket Cloud

AWS and Mend can help support your security strategy - Learn how in our latest fireside chat on application security
A modern AppSec approach includes strategies and technologies that help teams prioritize—giving them tools to zero-in on the security vulnerabilities that present the biggest risk so that they can address them as quickly as possible. Learn how you can implement these strategies in a fireside chat with the experts from Amazon Web Services (AWS) and Mend.

In this conversation, you'll learn:
* How Mend’s comprehensive approach to modern application security can support your organization
* Why the collaboration between Mend and AWS supports enhanced security
* Best practices for application security for cloud-native architectures
* Ways to reduce the software attack surface, decrease the number of security alerts, and save developers’ time

AWS & Mend.io: Building a Modern AppSec Program

Cloud-native applications open a new frontier for application risk from multiple sources. Risk reduction approaches for cloud-native applications need to take a holistic approach to the software development lifecycle to be effective. In this webinar, learn:
* Why this involves finding and remediating risks as they are introduced, from coding with secure practices to evaluating risks with runtime scanning post-deployment.
* How to apply security and risk reduction techniques at each stage of the SDLC
* Why automating risk reduction is the only way to reduce cloud-native application risk at an enterprise scale

AWS & Mend.io: Securing Cloud-Native Applications Across the SDLC

Application Security

DevOps

DevSecOps

Cloud-Native Applications

SDLC

Cyber Security

Cyber Attacks

Risk Reduction

reduce cloud-native application risk

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

The application development community features top thought leadership focusing on optimal practices in software development, SDLC methodology, mobile app development and application development platforms and tools. Join top software engineers and coders as they cover emerging trends in everything from enterprise app development to developing for mobile platforms such as Android and iOS.

Application Development

Enterprise applications have become a crucial piece of infrastructure for many businesses. The enterprise applications community on BrightTALK features the latest insights in enterprise application integration, enterprise application architecture and EAS software. Join the community to gain access to thousands of videos and webinars presented by recognized enterprise information systems experts and arm yourself with the knowledge you need to succeed.

Enterprise Applications

Join thousands of engaged IT professionals in the application management community on BrightTALK. Interact with your peers in relevant webinars and videos on the latest trends and best practices for application lifecycle management, application performance management and application development.

Application Management

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

AWS & Mend.io: Securing Cloud-Native Applications Across the SDLC

Presented by

About this talk

More from this channel