Securing Open Source Code in Enterprise

•

0 recomendaciones•210 vistas

This document discusses securing open source code in enterprise applications. It notes that the number of open source libraries used is growing exponentially and the complexity has exploded, making it difficult to control what code is being used. It outlines threats from vulnerabilities, malicious libraries, typosquatting packages, and data exfiltration or command execution during builds. It then describes software composition analysis as a way to discover vulnerabilities and licenses in open source components through scanning applications and dependencies. It provides examples of scanning technologies and discusses mining for unidentified vulnerabilities using NLP and machine learning. Finally, it advocates integrating scanning into the CI/CD pipeline and following rules for responsible use of third party code.

Tecnología

Securing Open Source
Code in Enterprise
Asankhaya Sharma

Complexity of Libraries has exploded
For every 1 Java
library you add to
your projects, 4
others are added
For every one
library you add to a
Node.js project, 9
others are added

Control Over What is in Your Code Has Changed
Reference : http://anvaka.github.io/allnpmviz.an/
From YOU to:
- Developer Tools
- Open-Source Code
- 3rd
Party Developers

Threats using open source code
- Vulnerabilities in open source libraries
- Malicious libraries
- Typosquatting package names
- Data exfiltration
- Command execution during build

Software Composition Analysis (SCA)
Discover and identify software vulnerabilities and
expose licenses for open source components
Scanner Data

Scanning Technology
App
A v1.0 B v2.0 C v1.0
B v2.0 B v2.0
App
A v1.0
B v2.0
C v1.0
Dependency Locked File Dependency GraphSCA Scanner

Scanning Technology
App
A v1.0 B v1.0 C v1.0 App
A v1.0
B v2.0
C v1.0
Dependency File
Dependency Graph
App
A v1.0 B v2.0 C v1.0
B v2.0 B v2.0
Resolved DependenciesSCA Scanner

System Dependencies Scanning
SCA Scanner
container ID
A 1.0 amd64 B 1.0 all C 1.0
pod name
A 1.0 amd64 B 1.0 all C 1.0
pod name
A 1.0 amd64 B 1.0 all C 1.0
pod name
A 1.0 amd64 B 1.0 all C 1.0

Vulnerabilities in Open Source Libraries
● Known Sources
○ CVEs / NVD
○ Advisories
○ Mailing list disclosures
● Unidentified issues
○ Commit logs
○ Bug reports
○ Change logs
○ Pull Requests
Security Issues are
often not reported or
publicly mentioned
How do we get the data?

NLP and Machine Learning for Harvesting Data
https://asankhaya.github.io/pdf/automated-identification-of-security-issues-fr
om-commit-messages-and-bug-reports.pdf

Evaluation Framework For Dependency Analysis
EFDA is an open source project that allows users to test
the dependency analysis tool of their choice and see how
accurate the tool is.
https://github.com/devsecops-community/efda

Software Supply Chain
Source Control Management Continuous Delivery (CI/CD) ProductionDeveloper
Software Composition Analysis

DevSecOps
- Integrate SCA scanning in your CI pipeline
- Create open source usage policy
- Fail builds on high severity vulnerabilities
- Gather data on open source libraries, vulnerabilities and licenses
- Review bill of material (BOM) reports on what’s running in your
applications

Rules for using 3rd party code
1. Know what you are using
2. Think about where it came from
3. Understand what it is doing
4. Avoid using vulnerable libraries

Thank you!
● Questions?
● Contact
○ Twitter: @asankhaya

Más contenido relacionado

La actualidad más candente

Rise of software supply chain attack

Yadnyawalkya Tale

Digital Forensic Assignment Help

Global Web Tutors

Speech of Tetiana Chupryna, Backend developer at GitLab, at Ruby Meditation #26 Kyiv 16.02.2019 Next conference - http://www.rubymeditation.com/ We’ll talk about different types of vulnerabilities, scanning tools and the whole process per se. Announcements and conference materials https://www.fb.me/RubyMeditation News https://twitter.com/RubyMeditation Photos https://www.instagram.com/RubyMeditation The stream of Ruby conferences (not just ours) https://t.me/RubyMeditation

Security Scanning Overview - Tetiana Chupryna (RUS) | Ruby Meditation 26

Ruby Meditation

Outpost24 webinar mastering container security in modern day dev ops

Outpost24

Analysis Of Adverarial Code - The Role of Malware Kits

Rahul Mohandas

Malware forensics

Sameera Amjad

"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...

SegInfo

Next Generation Infrastructure - Devops Enterprise Summit 2018

John Willis

Analyzing Packages in Docker images hosted On DockerHub

Ahmed Zerouali

MOSP Walkthrough 2009

Andrew Roughan

Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...

Sam Bowne

Reverse Engineering Malware Workshop

Mustafa Qasim

Breaking iOS Apps using Cycript

n|u - The Open Security Community

Complete python toolbox for modern developers

Jan Giacomelli

Apache ManifoldCF

Piergiorgio Lucidi

Materials Project Validation, Provenance, and Sandboxes by Dan Gunter

Dan Gunter

The talk will be about modern development infrastructure from an attacker's perspective. As all we know, developers is rulers of the software world. Therefore, the one who can gain control of development infrastructure can control software thus can control its users. In the talk, we’ll cover a number of attack scenarios on the infrastructure (including repos, CI tools, bug trackers etc.) using simple (or sometimes not so simple) security bugs. Also, we'll list the most valuable targets inside development environment.

[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs

PROIDEA

Linux server penetration testing project

Emad Soltani

ownR extended technical introduction

Functional Analytics

Towards a Census of Free and Open Source Licenses

dmgerman

La actualidad más candente (20)

Rise of software supply chain attack

Digital Forensic Assignment Help

Security Scanning Overview - Tetiana Chupryna (RUS) | Ruby Meditation 26

Outpost24 webinar mastering container security in modern day dev ops

Analysis Of Adverarial Code - The Role of Malware Kits

Malware forensics

"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...

Next Generation Infrastructure - Devops Enterprise Summit 2018

Analyzing Packages in Docker images hosted On DockerHub

MOSP Walkthrough 2009

Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...

Reverse Engineering Malware Workshop

Breaking iOS Apps using Cycript

Complete python toolbox for modern developers

Apache ManifoldCF

Materials Project Validation, Provenance, and Sandboxes by Dan Gunter

[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs

Linux server penetration testing project

ownR extended technical introduction

Towards a Census of Free and Open Source Licenses

Similar a Securing Open Source Code in Enterprise

Open source technology

aparnaz1

All You need to Know about Secure Coding with Open Source Software

Javier Perez

OWASP Dependency-Track Introduction

Sergey Sotnikov

This talk "What is the secure software supply chain and the current state of the PHP ecosystem" discusses the current state of the software supply chain, the big global recent events (SolarWinds, log4shell, codecov, packagist) and the state of the PHP and Drupal ecosystem, the threats and the mitigations that can be applied using tools like Sigstore, Syft, and Grype for digital signatures, SBOM generation, and automatic vulnerability scanning and how to use them for real-world projects to gain unprecedented levels of knowledge of your digital artifacts.

Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...

sparkfabrik

Analysis of-quality-of-pkgs-in-packagist-univ-20171024

Clark Everetts

In this talk I’ll present the current state of the software supply chain, the big global recent events (SolarWinds, log4shell, codecov, packagist) and the state of the PHP and Drupal ecosystem, the threats and the mitigations that can be applied using tools like Sigstore, Syft, and Grype for digital signatures, SBOM generation, and automatic vulnerability scanning and how to use them for real-world projects to gain unprecedented levels of knowledge of your digital artifacts. There will be also a demo of the mentioned tools in action to implement a secure supply chain pipeline for your Drupal projects.

What is the Secure Supply Chain and the Current State of the PHP Ecosystem

sparkfabrik

These are the slides of my Kafka talk at Apache: Big Data Europe in Budapest, Hungary. Enjoy! --Michael Apache Kafka is a high-throughput distributed messaging system that has become a mission-critical infrastructure component for modern data platforms. Kafka is used across a wide range of industries by thousands of companies such as Twitter, Netflix, Cisco, PayPal, and many others. After a brief introduction to Kafka this talk will provide an update on the growth and status of the Kafka project community. Rest of the talk will focus on walking the audience through what's required to put Kafka in production. We’ll give an overview of the current ecosystem of Kafka, including: client libraries for creating your own apps; operational tools; peripheral components required for running Kafka in production and for integration with other systems like Hadoop. We will cover the upcoming project roadmap, which adds key features to make Kafka even more convenient to use and more robust in production.

Being Ready for Apache Kafka - Apache: Big Data Europe 2015

Michael Noll

Software Composition Analysis Deep Dive

Ulisses Albuquerque

Software Analytics: Data Analytics for Software Engineering and Security

Tao Xie

Vulnerability Intelligence and Assessment with vulners.com

Alexander Leonov

The first quarter of 2016 was a big one for new open source security vulnerabilities. The Glibc vulnerability was by far the biggest. It impacts nearly 900K of the 1 million different open source projects. In this webinar, we’ll dive into Glibc and the Q1 data to help you: - Understand latest trends in open source security threats and what it means to your organization in 2016 - Simple steps to quickly find and protect yourself from newly reported threats - Prepare your organization to respond to new vulnerabilities in open source projects

Q1 2016 Open Source Security Report: Glibc and Beyond

Black Duck by Synopsys

The intensive use of generative programming techniques provides an elegant engineering solution to deal with the heterogeneity of platforms and technological stacks. The use of domain-specific languages for example, leads to the creation of numerous code generators that automatically translate high-level system specifications into multi-target executable code. Producing correct and efficient code generator is complex and error-prone. Although software designers provide generally high-level test suites to verify the functional outcome of generated code, it remains challenging and tedious to verify the behavior of produced code in terms of non-functional properties. This paper describes a practical approach based on a runtime monitoring infrastructure to automatically check the potential inefficient code generators. This infrastructure, based on system containers as execution platforms, allows code-generator developers to evaluate the generated code performance. We evaluate our approach by analyzing the performance of Haxe, a popular high-level programming language that involves a set of cross-platform code generators. Experimental results show that our approach is able to detect some performance inconsistencies that reveal real issues in Haxe code generators.

GPCE16: Automatic Non-functional Testing of Code Generators Families

Mohamed BOUSSAA

Demystify Information Security & Threats for Data-Driven Platforms With Cheta...

Chetan Khatri

Transforming your Security Products at the Endpoint

Ivanti

Developers use Question and Answer (Q&A) websites to exchange knowledge and expertise. Stack Overflow is a popular Q&A website where developers discuss coding problems and share code examples. Although all Stack Overflow posts are free to access, code examples on Stack Overflow are governed by the Creative Commons Attribute-ShareAlike 3.0 Unported license that developers should obey when reusing code from Stack Overflow or posting code to Stack Overflow. In this talk, I will present the results of our recent study that investigated whether developers respect license terms when reusing code from Stack Overflow posts (and the other way around). We found 232 code snippets in 62 Android apps from a dataset of 399 Android apps, that were potentially reused from Stack Overflow, and 1,226 Stack Overflow posts containing code examples that are clones of code released in 68 Android apps, suggesting that developers may have copied the code of these apps to answer Stack Overflow questions. We investigated the licenses of these pieces of code and observed 1,279 cases of potential license violations (related to code posting to Stack overflow or code reuse from Stack overflow). These findings suggest that developers do not pay enough attention to copyright terms when reusing code from Stack Overflow or sharing code on Stack Overflow.

Stack overflow code_laundering

Foutse Khomh

Effective DevSecOps

Pawel Krawczyk

APIsecure - April 6 & 7, 2022 APIsecure is the world’s first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security. Securing APIs with Open Standards Tips for makingandbreaking APIs that scale from theSynack Red Team Ryan Rutan, Sr. Director of Community at Synack Red Team Vitthal Shinde, Security Engineer at FICO & Synack Red Team

2022 APIsecure_Securing APIs with Open Standards

APIsecure_ Official

How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps. You’ll learn: -New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments -Best practices for designing and incorporating an automated approach to application security into your existing development environment -Future development and application security challenges organizations will face and what they can do to prepare

Software Security Assurance for DevOps

Black Duck by Synopsys

Automation and containerization can help you build faster and deliver continuously, but can also make managing what’s inside your containers challenging. By integrating Black Duck with Red Hat OpenShift Enterprise, you can scan all images that materialize into OpenShift automatically regardless of registry source. This integration provides visibility into all of the 3rd party open source software that compose your containers. Images and Pods are labelled with Black Duck vulnerability and policy information and are continuously updated as new vulnerabilities are published. Join experts from Black Duck by Synopsys and Red Hat as we explore how to build containers safely without sacrificing agility, visibility, or control. In this webinar we will: Discuss the Container Security Tool Landscape How Synopsys fits in Software Quality Why Open Source Management Matters Black Duck Architecture Black Duck OpsSight 2.0 Integration Architecture Black Duck OpsSight Demonstration

Know What’s in Your Containers! Manage and Secure all Open Source that Compos...

DevOps.com

Modern businesses have data at their core, and this data is changing continuously. How can we harness this torrent of information in real-time? The answer is stream processing, and the technology that has since become the core platform for streaming data is Apache Kafka. Among the thousands of companies that use Kafka to transform and reshape their industries are the likes of Netflix, Uber, PayPal, and AirBnB, but also established players such as Goldman Sachs, Cisco, and Oracle. Unfortunately, today’s common architectures for real-time data processing at scale suffer from complexity: there are many technologies that need to be stitched and operated together, and each individual technology is often complex by itself. This has led to a strong discrepancy between how we, as engineers, would like to work vs. how we actually end up working in practice. In this session we talk about how Apache Kafka helps you to radically simplify your data processing architectures. We cover how you can now build normal applications to serve your real-time processing needs — rather than building clusters or similar special-purpose infrastructure — and still benefit from properties such as high scalability, distributed computing, and fault-tolerance, which are typically associated exclusively with cluster technologies. Notably, we introduce Kafka’s Streams API, its abstractions for streams and tables, and its recently introduced Interactive Queries functionality. As we will see, Kafka makes such architectures equally viable for small, medium, and large scale use cases.

Introducing Kafka's Streams API

confluent

Similar a Securing Open Source Code in Enterprise (20)

Open source technology

All You need to Know about Secure Coding with Open Source Software

OWASP Dependency-Track Introduction

Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...

Analysis of-quality-of-pkgs-in-packagist-univ-20171024

What is the Secure Supply Chain and the Current State of the PHP Ecosystem

Being Ready for Apache Kafka - Apache: Big Data Europe 2015

Software Composition Analysis Deep Dive

Software Analytics: Data Analytics for Software Engineering and Security

Vulnerability Intelligence and Assessment with vulners.com

Q1 2016 Open Source Security Report: Glibc and Beyond

GPCE16: Automatic Non-functional Testing of Code Generators Families

Demystify Information Security & Threats for Data-Driven Platforms With Cheta...

Transforming your Security Products at the Endpoint

Stack overflow code_laundering

Effective DevSecOps

2022 APIsecure_Securing APIs with Open Standards

Software Security Assurance for DevOps

Know What’s in Your Containers! Manage and Secure all Open Source that Compos...

Introducing Kafka's Streams API

Más de Asankhaya Sharma

9 types of people you find on your team

Asankhaya Sharma

Today software is built in fundamentally different ways from how it was a decade ago. It is increasingly common for applications to be assembled out of open-source components, resulting in the use of large amounts of third-party code. This third-party code is a means for vulnerabilities to make their way downstream into applications. Recent vulnerabilities such as Heartbleed, FREAK SSL/TLS, GHOST, and the Equifax data breach (due to a flaw in Apache Struts) were ultimately caused by third-party components. We argue that an automated way to audit the open-source ecosystem, catalog existing vulnerabilities, and discover new flaws is essential to using open-source safely. To this end, we describe the Security Graph Language (SGL), a domain-specific language for analysing graph-structured datasets of open-source code and cataloguing vulnerabilities. SGL allows users to express complex queries on relations between libraries and vulnerabilities in the style of a program analysis language. SGL queries double as an executable representation for vulnerabilities, allowing vulnerabilities to be automatically checked against a database and deduplicated using a canonical representation. We outline a novel optimisation for SGL queries based on regular path query containment, improving query performance up to 3 orders of magnitude. We also demonstrate the effectiveness of SGL in practice to find zero-day vulnerabilities by identifying sever

Design and Implementation of the Security Graph Language

Asankhaya Sharma

Secure Software Development

Asankhaya Sharma

Traits allow decomposing programs into smaller parts and mixins are a form of composition that resemble multiple inheritance. Unfortunately, in the presence of traits, programming languages like Scala give up on subtyping relation between objects. In this paper, we present a method to check subtyping between objects based on entailment in separation logic. We implement our method as a domain specific language in Scala and apply it on the Scala standard library. We have verified that 67% of mixins used in the Scala standard library do indeed conform to subtyping between the traits that are used to build them.

Verified Subtyping with Traits and Mixins

Asankhaya Sharma

Automated verification of programs that utilize data structures with intrinsic sharing is a challenging problem. We develop an extension to separation logic that can reason about aliasing in heaps using a notion of compatible sharing. Compatible sharing can model a variety of fine grained sharing and aliasing scenarios with concise specifications. Given these specifications, our entailment procedure enables fully automated verification of a number of challenging programs manipulating data structures with non-trivial sharing. We benchmarked our prototype with examples derived from practical algorithms found in systems code, such as those using threaded trees and overlaid data structures.

Specifying compatible sharing in data structures

Asankhaya Sharma

Symbolic execution is an important and popular technique used in several software engineering tools for test case generation, debugging and program analysis. As such improving the performance of symbolic execution can have huge impact on the effectiveness of such tools. In this paper, we present a technique to systematically introduce undefined behaviors during compilation to speed up the subsequent symbolic execution of the program. We have implemented our technique inside LLVM and tested with an existing symbolic execution engine (Pathgrind). Preliminary results on the SIR repository benchmark are encouraging and show 48% speed up in time and 30% reduction in the number of constraints.

Exploiting undefined behaviors for efficient symbolic execution

Asankhaya Sharma

In this project we present a new architecture for database intrusion detection. We implement this framework called DIDAR (Database Intrusion Detection with Automated Recovery) and discuss the performance issues. Recently there has been considerable interest in the design of intrusion detection system for databases. Most of the current systems take a laid back approach and concentrate more on containment and recovery once the database has been infected by malicious transaction. We propose a more proactive solution; DIDAR aims to detect the intrusions as soon as possible with support for damage containment and auto recovery as well. DIDAR provides intrusion tolerance by working in two phases – learning and detection. During the learning phase we build a model of the legitimate queries for each user based on the currently executing transactions and later use that model to detect the malicious transactions. DIDAR guarantees quality of information assurance at four different levels for each user. We have positive results based on our prototype and preliminary testing on synthetic database. With almost no load to the database DIDAR achieves high detection rates, quick damage containment and full recovery.

DIDAR: Database Intrusion Detection with Automated Recovery

Asankhaya Sharma

Over the past few years, the way we build software has changed a lot. These days, developers make heavy use of open-source libraries and 3rd party components to design and assembly software. Unfortunately, reusable components also mean reusable vulnerabilities. Hackers have shifted their attention from exploiting applications to exploiting vulnerabilities in libraries. In this talk, we will review some of the popular security vulnerabilities that affected open-source libraries recently. We will also look at how current security products and techniques do not focus on vulnerabilities in libraries and components. Detecting vulnerabilities in libraries and remediating them requires a change in thinking about software security. Developers are the key stakeholders in the security of the software they build and empowering them with the right tools and information can help them build secure software. We will take a look at a XSS (Cross-site Scripting) vulnerability in the popular JavaScript library Handlebars.js and the impact it had on other libraries and applications. We will then show how developers can make use of secure HTTP headers and content security policy to prevent XSS, clickjacking and other code injection attacks. Integrating security features directly in software development can enable developers to build software safely.

Developer-focused Software Security

Asankhaya Sharma

Visualizing Symbolic Execution with Bokeh

Asankhaya Sharma

Crafting a Successful Engineering Career

Asankhaya Sharma

Formal methods help improve the quality and reliability of software by providing proof of correctness. However, ensuring the correctness of verification tools that apply these formal methods, is itself a much harder problem. A typical way to justify the correctness is to provide soundness proofs based on semantic models. For program verifiers these soundness proofs are quite large and complex. In this thesis, we introduce certified reasoning to provide machine checked proofs of various components of an automated verification system. We develop new certified decision procedures (Omega++) and certified proofs (for compatible sharing) and integrate with an existing automated verification system (HIP/SLEEK). We show that certified reasoning improves the correctness and expressivity of automated verification without sacrificing on performance.

Certified Reasoning for Automated Verification

Asankhaya Sharma

Last Days of Academy

Asankhaya Sharma

SayCheese Ad

Asankhaya Sharma

Más de Asankhaya Sharma (13)

9 types of people you find on your team

Design and Implementation of the Security Graph Language

Secure Software Development

Verified Subtyping with Traits and Mixins

Specifying compatible sharing in data structures

Exploiting undefined behaviors for efficient symbolic execution

DIDAR: Database Intrusion Detection with Automated Recovery

Developer-focused Software Security

Visualizing Symbolic Execution with Bokeh

Crafting a Successful Engineering Career

Certified Reasoning for Automated Verification

Last Days of Academy

SayCheese Ad

Último

Increase engagement and revenue with Muvi Live Paywall! In this presentation, we will explore the five key benefits of using Muvi Live Paywall to monetize your live streams. You'll learn how Muvi Live Paywall can help you: Monetize your live content easily: Set up pay-per-view access to your live streams and start generating revenue from your content. Increase audience engagement: Provide exclusive, premium content behind the paywall to keep your viewers engaged. Gain valuable viewer insights: Track viewer data and analytics to better understand your audience and tailor your content accordingly. Reduce content piracy: Muvi Live Paywall's security features help protect your content from unauthorized distribution. Streamline your workflow: The all-in-one platform simplifies the process of managing and monetizing your live streams. With Muvi Live Paywall, you can take control of your live stream monetization and create a sustainable business model for your content. Learn more about Muvi Live Paywall and start generating revenue from your live streams today!

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams

Roshan Dwivedi

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Scaling API-first – The story of a global engineering organization

Radu Cotescu

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

A Principled Technologies deployment guide Conclusion Deploying VMware Cloud Foundation 5.1 on next gen Dell PowerEdge servers brings together critical virtualization capabilities and high-performing hardware infrastructure. Relying on our hands-on experience, this deployment guide offers a comprehensive roadmap that can guide your organization through the seamless integration of advanced VMware cloud solutions with the performance and reliability of Dell PowerEdge servers. In addition to the deployment efficiency, the Cloud Foundation 5.1 and PowerEdge solution delivered strong performance while running a MySQL database workload. By leveraging VMware Cloud Foundation 5.1 and PowerEdge servers, you could help your organization embrace cloud computing with confidence, potentially unlocking a new level of agility, scalability, and efficiency in your data center operations.

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Principled Technologies

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Securing Open Source Code in Enterprise

1. Securing Open Source Code in Enterprise Asankhaya Sharma

2. Open-Source Library Growth

3. Projection: > 400M Libraries by 2026

4. Complexity of Libraries has exploded For every 1 Java library you add to your projects, 4 others are added For every one library you add to a Node.js project, 9 others are added

5. SourceClear Scan of apache/spark

6. The Code Cocktail

7. Control Over What is in Your Code Has Changed Reference : http://anvaka.github.io/allnpmviz.an/ From YOU to: - Developer Tools - Open-Source Code - 3rd Party Developers

8. Threats using open source code - Vulnerabilities in open source libraries - Malicious libraries - Typosquatting package names - Data exfiltration - Command execution during build

10.

11.

12.

13.

14. Software Composition Analysis (SCA) Discover and identify software vulnerabilities and expose licenses for open source components Scanner Data

15. Scanning Technology App A v1.0 B v2.0 C v1.0 B v2.0 B v2.0 App A v1.0 B v2.0 C v1.0 Dependency Locked File Dependency GraphSCA Scanner

16. Scanning Technology App A v1.0 B v1.0 C v1.0 App A v1.0 B v2.0 C v1.0 Dependency File Dependency Graph App A v1.0 B v2.0 C v1.0 B v2.0 B v2.0 Resolved DependenciesSCA Scanner

17. System Dependencies Scanning SCA Scanner container ID A 1.0 amd64 B 1.0 all C 1.0 pod name A 1.0 amd64 B 1.0 all C 1.0 pod name A 1.0 amd64 B 1.0 all C 1.0 pod name A 1.0 amd64 B 1.0 all C 1.0

18. Vulnerabilities in Open Source Libraries ● Known Sources ○ CVEs / NVD ○ Advisories ○ Mailing list disclosures ● Unidentified issues ○ Commit logs ○ Bug reports ○ Change logs ○ Pull Requests Security Issues are often not reported or publicly mentioned How do we get the data?

19. Mining for unidentified vulnerabilities

20. NLP and Machine Learning for Harvesting Data https://asankhaya.github.io/pdf/automated-identification-of-security-issues-fr om-commit-messages-and-bug-reports.pdf

21. SCA Vendors

22. Evaluation Framework For Dependency Analysis EFDA is an open source project that allows users to test the dependency analysis tool of their choice and see how accurate the tool is. https://github.com/devsecops-community/efda

23. Software Supply Chain Source Control Management Continuous Delivery (CI/CD) ProductionDeveloper Software Composition Analysis

24. DevSecOps - Integrate SCA scanning in your CI pipeline - Create open source usage policy - Fail builds on high severity vulnerabilities - Gather data on open source libraries, vulnerabilities and licenses - Review bill of material (BOM) reports on what’s running in your applications

25. Rules for using 3rd party code 1. Know what you are using 2. Think about where it came from 3. Understand what it is doing 4. Avoid using vulnerable libraries

26. Thank you! ● Questions? ● Contact ○ Twitter: @asankhaya

Securing Open Source Code in Enterprise

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Securing Open Source Code in Enterprise

Similar a Securing Open Source Code in Enterprise (20)

Más de Asankhaya Sharma

Más de Asankhaya Sharma (13)

Último

Último (20)

Securing Open Source Code in Enterprise