Archived: Integrating Application Security: Reengineering AppSec as a business catalyst

On-Demand Event

(Aired on June 22, 2021)
Earn up to 3 CPEs

Here’s the challenge: Web applications are progressively extending the range of critical business operations they support. But software development for cloud-native environments requires continuous security oversight. Against this backdrop, cybersecurity leaders and strategists must strike a balance between accelerating a business’s go-to-market and safeguarding the applications that fuel its growth and productivity.

Producing quality code quickly and securely is always the goal. But efforts to integrate security into the software development cycle are more often perceived as a roadblock than a catalyst. Hear from top experts in a series of discussions and presentations focused on application security. Topics include:

How to map application security requirements to compliance frameworks
Embracing and extending DevSecOps principles
Standardizing application security policies within business lines

Discover how modern application security programs can operate at the speed and scale that’s required to empower, not deter, the business.


11:00 AM ET
KEYNOTE | Preventing the exhaust ports: How not to build a Death Star with your SDLC
Kevin Johnson, CEO, Secure Ideas
Millions of stormtroopers and galactic empire citizens were lost because engineers didn’t understand their design flaws. While this is a great movie reference, the reality is that organizations are deploying applications with their version of this fatal flaw every day. In this presentation, Kevin Johnson of Secure Ideas will walk attendees through various examples of application flaws, using real applications he and his team have tested. He will then discuss how the flaws happened and methods for improving your SDLC and security integration to prevent them in the future. 

11:55 AM ET
Beyond DAST: A DAST-first tool with IAST depth 
Mark Schembri, Technical Solutions Engineer, Invicti
The versatility of modern dynamic tools brings advantages that extend far beyond the typical vulnerability scanning functionality. The inclusion of True IAST functionality maintains the advantages of a DAST solution while going deeper than ever to identify and verify more vulnerabilities with access to the application code. You will learn how Netsparker’s IAST capabilities will help you:

  • Find more vulnerabilities 
  • Further reduce false positives 
  • Simplify remediation

12:35 PM ET
Embed sophisticated bot detection into your CI/CD pipeline with a single line of code.
Peter Craig, Director of Product Marketing, Human Security
Enterprises find it increasingly difficult to defend web applications from automated attacks. Even when apps function as intended, they are vulnerable to criminals using sophisticated bots that mimic human behavior using mouse movements, keystrokes, and fake browser behaviors. Solution: By embedding effective, multilayered, bot detection and mitigation, you can protect your application from automated attacks while providing insight to development on the tactics your adversaries used and the resources they targeted. Learn how you can: 

  • Detect even the most sophisticated, dynamic bots and gain full transparency into each detection 
  • Mitigate malicious bots and nonstandard traffic in real-time 
  • Enhance your application user experience with minimal performance impact

1:15 PM ET
KEYNOTE | Scorched earth: Empirical research in hacking and securing APIs 
Alissa Knight, Partner, Knight Ink
Application programming interfaces (APIs) are now everywhere, powering the way we live, work and play. But when authentication and authorization are broken, everything is exposed, from the data these APIs serve to remote control of connected passenger vehicles. Unfortunately, many organizations are using the wrong security control to secure their APIs, akin to using a hammer to drive in a screw.
Cybersecurity professionals must ensure that APIs are secured correctly, so every request is authenticated and authorized. Solutions should interdict the traffic and ensure the traffic destined for the API is not synthetically generated by malicious tools. In this keynote session, Alissa Knight will share:

  • Several years of empirical data gleaned from her hacking of banks, automobile manufacturers, and healthcare providers and payers through their APIs
  • What her research produced when the wrong security control was used to secure these APIs
  • What you should be looking for in your API threat management solution
  • Most importantly, what the indicators of compromise are for the specific tactics and techniques used to breach APIs
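The keynote's central point is that authentication alone does not secure an API: each request must also be authorized against the specific object it asks for. The following is an added example written for this page, not code from the speaker or from any of the systems she tested. It puts a handler that authenticates but never authorizes beside the hardened form, using HMAC-signed session tokens with a constructed demo secret and a constructed table of vehicles and owners.

```python
"""Added example (not from the session or the speaker): an API handler that is
authenticated but never authorized against the requested object, beside the
hardened form that checks both on every request. The secret, users and
vehicle records are constructed sample data for this demonstration."""
import hmac
import hashlib

# Assumption: a real deployment loads this from a secrets manager.
SECRET = b"constructed-demo-secret"

# Constructed sample data: each vehicle record belongs to exactly one owner.
VEHICLES = {
    "VIN-001": {"owner": "alice", "location": "51.50,-0.12"},
    "VIN-002": {"owner": "bob", "location": "48.85,2.35"},
}


def issue_token(user: str) -> str:
    """Sign the user id so the server can later trust who the caller is."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def authenticate(token: str):
    """Return the user id if the token's HMAC verifies, otherwise None."""
    try:
        user, mac = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None


def vulnerable_get_vehicle(token: str, vin: str):
    """Authenticated but not authorized: any valid user can read any VIN."""
    user = authenticate(token)
    if user is None:
        return 401, None
    record = VEHICLES.get(vin)
    if record is None:
        return 404, None
    return 200, record  # ownership is never checked


def hardened_get_vehicle(token: str, vin: str):
    """Authenticate, then authorize this request against the object it names."""
    user = authenticate(token)
    if user is None:
        return 401, None
    record = VEHICLES.get(vin)
    # Same response for missing and foreign objects, so the API does not
    # confirm which VINs exist to a caller who does not own them.
    if record is None or record["owner"] != user:
        return 404, None
    return 200, record


def demo():
    """Exercise both handlers; returns status codes for each scenario."""
    bob = issue_token("bob")
    forged = "alice." + "0" * 64  # valid shape, wrong signature
    return {
        "vuln_cross_tenant": vulnerable_get_vehicle(bob, "VIN-001")[0],
        "hard_cross_tenant": hardened_get_vehicle(bob, "VIN-001")[0],
        "hard_own": hardened_get_vehicle(bob, "VIN-002")[0],
        "forged": hardened_get_vehicle(forged, "VIN-001")[0],
    }


if __name__ == "__main__":
    print(demo())
```

In the vulnerable handler a legitimate customer token for bob reads alice's vehicle location with a 200, which is the class of flaw behind the data exposure and remote-control findings the abstract refers to. The hardened handler ties the authorization decision to the record's owner on every call and collapses "not found" and "not yours" into one response.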

1:55 PM ET
Between the chair and keyboard
J. Wolfgang Goerlich, Advisory CISO, Duo Security at Cisco
People ultimately decide our security posture. The dreaded end-users. People performing conscientiously and consistently is a lofty goal. Risk management gives us the process to follow. Control frameworks give us the standards to set and meet. Yet it is people who ultimately decide our security posture. In this presentation, we look at the psychology and behavior science of individuals making risk decisions and leaders affecting culture change, and how it affects the security of organizations and the applications on which they rely. Attendees will leave with insights and pragmatic tactics for improving the human element in risk and compliance.

2:35 PM ET
How to determine what your open-source risks look like 
David Lindner, CISO, Contrast Security 
Studies show that upwards of 80% of software code consists of open-source libraries. But the reality is that less than 10% of classes within active libraries are ever invoked by the application. Yet open-source libraries carry significant vulnerability and licensing risks, with 34 CVEs per application on average and 35% of applications containing a copyleft license. Attend this session to learn which open-source risks matter and how to focus on fixing them quickly and easily.

3:15 PM ET
Best practices for developers to master security
Anna Rozin, Director of R&D, WhiteSource
Shiri Arad Ivtsan, Director of Product, WhiteSource
When you ask developers what they think of security, they will likely approach it without much enthusiasm, because in their mind security slows them down and keeps them from doing their "actual" job. But it doesn't have to be that way. The friction between developers and security teams can be reduced if the right tools and processes are in place. Want to learn how handling security can be quick, efficient and integrated into daily workflows? Join Anna Rozin, director of R&D at WhiteSource, and Shiri Arad Ivtsan, director of product at WhiteSource, who will share their hands-on experience in managing open source components with WhiteSource tools. In this session you'll learn:

  • Practical advice on testing, managing and fixing vulnerabilities in open source code packages 
  • The tools and processes to handle security in a fast and effective way 
  • How to empower developers with security data through prioritization and remediation tips 

3:55 PM ET
KEYNOTE | Preventing the next SolarWinds: A look at the evolving app security landscape
Keith Hoodlet, Director, Application Experience, Thermo Fisher Scientific
Attackers targeting vulnerabilities in applications are growing more sophisticated, looking beyond the low-hanging fruit of consumer apps to enterprise software that provides an avenue for widespread network compromise across an expansive supply chain. Keith Hoodlet, director of application experience at Thermo Fisher Scientific, speaks about the evolving tactics for infiltrating the network via gaps in software security, and the must-do defensive strategies to prevent the next SolarWinds or Accellion hack.