
Key learning moments from our security webinar series

on Jul 22, 15 • by Julia Smith

Take a look back at our series of unique, interactive, and practical webinars, which bring you up to date on the latest application security trends and up to speed on the best ways to tackle cybersecurity issues within your software supply chain. ...


We recently wrapped up our three-part webinar series “The secrets to better application security” with an informative webinar built around demonstrations of real code security solutions.

Before we review our most recent webinar, let’s take a look back at the first two parts of our series.

Webinar 1: Create code confidence for better application security

In part one of our series we discussed how to secure code with the following methods:

  1. Perform threat assessment by knowing your environment and system
  2. Reduce open source risks with scanning, support, and governance tools
  3. Expect the unexpected: you never know where the vulnerabilities may lie

You can watch the recording here.

Webinar 2: Create Agile confidence for better application security

Now that the foundation is set with some methods to implement for more secure code, we moved on to tackling those security methods in an Agile environment.

With many organizations transforming development efforts from traditional environments toward Agile development, the need to redefine and establish security standards and testing methods is more important than ever.

In part two of our series we explored the consequences of security as a service and discussed how fixing a bug in the deployment phase costs 150x more than fixing it during the requirements or design phase.

So, how do Agile teams pull their testing earlier in the cycle? We provided five best practices for Agile teams:

  1. Integrate security and compliance testing
  2. Enforce standards that relate to the project
  3. Context for remediation
  4. Continuous improvement
  5. Reporting for all stakeholders

You can watch the recording here.

Webinar 3: Answering developers’ questions about application security

Now to the third and final part of our series. Throughout the series we collected questions from our audience and from social media. We took these questions to our sales engineers and created a cohesive webinar with examples that best demonstrate the changes you can make to improve code security for your organization.

We noticed a similar thread in all the questions we received from our participants over the series: managing and mitigating vulnerabilities.

The first question we tackled was “how do you find security vulnerabilities in code?”

Our open source expert, Ed Stewart, opened the webinar by explaining how you can find these vulnerabilities as they relate to open source software (OSS). It is vital to understand which OSS packages are in your software, where those packages come from, and what risks are associated with each of them. OpenLogic is a solution that can scan software for vulnerabilities while also providing the details needed to rectify the issues.

Jamie Torok, our static code analysis master, chimed in to show another solution for scanning software for vulnerabilities. The Klocwork solution scans a portion of, or an entire, code base to track down issues that lie within an organization’s software. Jamie showed us how quickly a defect can be found and fixed, in just a few minutes. He broke down the process this way:

  1. Scan the code base and locate the defect
  2. Validate it through the Klocwork details pane
  3. Modify the defective code
  4. Recompile
  5. Confirm the defect has been fixed

As we moved into part 2 of the webinar, we wanted to focus on security standards. To get started, we took the pulse of our audience with the following poll question:

Select the standards that currently play a part in your development process

CERT – 33%
OWASP – 33%
CWE – 33%
MISRA – 0%
Other – 67%

An even distribution across the security standards, which makes sense because this is a security-focused webinar. MISRA is heavily focused on automotive, but we have seen a recent uptick in non-automotive companies using MISRA.

Now that you have a basic rundown of the solutions for scanning your code base, the next step is working out how you measure up against all the security compliance standards. (18:45)

We dive back into the static code analysis tool to look at creating dashboards and reports that can be customized to the specific security standards you want to track for your code base. With these reports you can break the issues apart and get to the most severe ones, which could be detrimental to your software if not mitigated quickly.

Before we approached the final piece of this webinar and the end of the series, we wanted to see what piqued people’s interest and where we could focus future webinars. We asked our audience this question:

What topics are you interested in learning more about?

Standards compliance – 100%
Static code analysis – 67%
Agile development – 67%
Open source management – 33%

We were quite surprised by the overwhelming interest in standards compliance. We have found that security standards are newer to our customers. In the embedded, automotive, medical, and financial spaces, standards compliance hasn’t fully caught on, and most companies there are just starting to become aware of how compliance fits in with their organization’s software.

The final, and most popular question we received relates directly to seeing security issues and trends at the team level. (31:32)

Managers need to be able to track the trending of analysis, reporting, and metrics so that they are able to quickly resolve any vulnerabilities that may be plaguing multiple developers across their team.

So how do managers go about viewing all of these risks at once?

Klocwork has a unique ability to create taxonomies, which are groupings of our defects cross-referenced to a specific standard. Taxonomies allow managers to quickly add checkers to a specific project for tracking purposes. You can use the compliance standards that we have built into Klocwork, or you can upload your own list of standards.

Overall this webinar addressed many of the recurring questions we have heard from our webinar audience throughout the series.

You can watch the recording here.

If you are ready to take the next steps in managing and mitigating security vulnerabilities in your code base, request a demo for your organization:

  1. Save time with on-the-fly scanning with Klocwork
  2. Build open source confidence with OpenLogic
