
CQAA May Webinar: Testing for Privacy and Data Protection at Speed: Integrating AppSec Tools into DevOps Pipelines Without Slowing Down

  • 19 May 2021
  • 12:00 PM - 1:00 PM
  • Webinar


Testing for Privacy and Data Protection at Speed: Integrating AppSec Tools into DevOps Pipelines Without Slowing Down

Joe Jarzombek and Meera Rao, Synopsys, Inc.

About the Topic

Data protection and privacy are at the top of many organizational priorities. The results of application software testing can provide the basis for defensible quality/security controls that protect sensitive data and confirm the effectiveness of relevant data protection controls. Many organizations undergo process assessments to demonstrate compliance with laws on protecting privacy and data. Scanning code that will run on enterprise network-connected assets that process or transmit data can determine whether the systems or devices enable data leakage or lack adequate protections against unauthorized reading or modification of data.

Using the CISQ Automated Source Code Data Protection Measure in software testing can reveal source vectors for data leakage or data corruption, providing indicators of non-compliance with the respective data protection/privacy guidelines.

Derived from the Automated Source Code Quality Measure (ASCQM), recently published as “ISO/IEC 5055 Information technology — Software measurement — Software quality measurement — Automated source code quality measures,” this specification covers common weaknesses (CWEs) that affect the protection of controlled or confidential information and of data associated with intellectual property and privacy, such as personally identifiable information (PII), personal health information (PHI), or payment card industry (PCI) data.

Testing for privacy and data protection can be a normal part of quality assurance test regimes. Integrating security testing into quality assurance programs within Continuous Integration (CI)/Continuous Delivery (CD) or Deployment (CD) pipelines requires integrating tool scans for Static Analysis Security Testing (SAST), Dynamic Analysis Security Testing (DAST), or Software Composition Analysis (SCA), which are performed at different stages in the CI/CD pipeline. These tools each have their own strengths and weaknesses and complement each other. How long each tool takes to complete a scan affects how often and when tools are deployed into a staging or production environment.

Key Learning Objectives

In this webinar, you’ll learn:

  • How common weaknesses in software can represent source vectors for unauthorized access to read or modify data, putting enterprises and their customers at risk of data loss or data corruption.
  • How quality assurance application testing can incorporate tools with built-in security domain checkers/gates to enable all developers and testers to mitigate relevant software weaknesses and address privacy and data protection.
  • How legacy CI/CD approaches can’t keep up with the speed of DevOps.
  • How Intelligent Orchestration helps break down silos and leverages a dedicated pipeline that automatically runs the right security tools at the right time and triggers manual testing activities based on SDLC events and pre-defined policies, while also providing continuous metrics and feedback.
  • How this enables quality/security teams to automate security gates and enforce policies for all applications across their organization, at enterprise scale.
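The two ideas above that matter to a pipeline engineer are (a) SAST, SCA and DAST belong at different pipeline stages because they have different costs and prerequisites, and (b) an orchestration layer picks the scans to run from the SDLC event and a pre-defined policy, then gates on the results. The following is an added illustration written for this page; it is not code from the webinar, from Synopsys Intelligent Orchestration, or from CISQ. The tool names, scan durations, event names, policy table and sample findings are all constructed assumptions.

```python
"""Policy-driven selection of security scans per CI/CD event, plus a gate.

Added example for this announcement; not the webinar's or any vendor's
code. Tool catalogue, durations, events, policy and findings are
constructed assumptions chosen only to illustrate the mechanism.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scan:
    name: str
    kind: str                       # "SAST", "SCA" or "DAST"
    minutes: int                    # assumed wall-clock cost of one run
    needs_running_app: bool = False  # DAST needs a deployed target


# Constructed catalogue: an incremental and a full SAST run, a manifest-
# based SCA run, and a baseline DAST run against a deployed application.
CATALOGUE = [
    Scan("sast-incremental", "SAST", 4),
    Scan("sast-full", "SAST", 45),
    Scan("sca-manifest", "SCA", 2),
    Scan("dast-baseline", "DAST", 30, needs_running_app=True),
]

# Constructed policy: which scan kinds each SDLC event requires and how
# many minutes the team will spend on scanning at that point.
POLICY = {
    "commit":         {"kinds": {"SAST"},                "budget_minutes": 10},
    "pull_request":   {"kinds": {"SAST", "SCA"},         "budget_minutes": 15},
    "staging_deploy": {"kinds": {"SAST", "SCA", "DAST"}, "budget_minutes": 90},
}

# Assumed heuristic: touching a dependency manifest always adds an SCA run,
# because that is where newly introduced vulnerable components appear.
MANIFESTS = ("requirements.txt", "package.json", "pom.xml", "go.mod")


def select_scans(event, changed_files, app_available=False):
    """Return the names of the scans to run for this event, within budget.

    Cheapest scans are scheduled first so the fast checks always fit; a
    scan that needs a deployed application is skipped when none exists.
    """
    policy = POLICY[event]
    wanted = set(policy["kinds"])
    if any(path.endswith(MANIFESTS) for path in changed_files):
        wanted.add("SCA")
    chosen, spent = [], 0
    for scan in sorted(CATALOGUE, key=lambda s: s.minutes):
        if scan.kind not in wanted:
            continue
        if scan.needs_running_app and not app_available:
            continue
        if spent + scan.minutes > policy["budget_minutes"]:
            continue
        chosen.append(scan.name)
        spent += scan.minutes
    return chosen


def gate(findings, fail_on=("critical", "high")):
    """Security gate: return (passed, blocking_findings).

    The pipeline is blocked when any finding is at a severity listed in
    fail_on; everything else is reported but does not stop the build.
    """
    blocking = [f for f in findings if f["severity"] in fail_on]
    return (not blocking, blocking)


# Constructed sample findings in the shape a scanner might emit them.
SAMPLE_FINDINGS = [
    {"tool": "sast-incremental", "severity": "high", "cwe": "CWE-312",
     "file": "app/export.py"},
    {"tool": "sca-manifest", "severity": "low", "cwe": None,
     "package": "example-lib"},
]


if __name__ == "__main__":
    for event, files, app in [("commit", ["app/x.py"], False),
                              ("pull_request", ["requirements.txt"], False),
                              ("staging_deploy", [], True)]:
        print(event, "->", select_scans(event, files, app))
    passed, blocking = gate(SAMPLE_FINDINGS)
    print("gate passed:", passed, "blocking:", [b["cwe"] for b in blocking])
```

The budget is what keeps the commit stage fast: the 45-minute full SAST run never fits there and only appears at the staging deployment, where DAST also becomes possible because an application is running. The gate is deliberately separate from scan selection so the same severity policy applies no matter which tools ran.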

Attendees will be provided access to acquire free copies of:

  • ISO/IEC 5055 Information technology — Software measurement — Software quality measurement — Automated source code quality measures | First edition 2021-03 | Reference number ISO/IEC 5055:2021(E)
  • CISO’s Guide to Sensitive Data Protection
  • 2021 Open Source Security and Risk Analysis (OSSRA) Report

About the Speakers

Joe Jarzombek <sjarzom@synopsys.com> is Director for Government & Critical Infrastructure Programs at Synopsys, Inc. He participates in relevant consortia, public-private collaboration groups, trade associations, standards groups, and R&D projects to help accelerate technology adoption. Prior to joining Synopsys, Jarzombek served in the government public sector, collaborating with industry, federal agencies, and international allies to address cybersecurity challenges. He served in the US Department of Homeland Security as the Director for Software & Supply Chain Assurance for over ten years; in that role, to enable security automation and cybersecurity information exchange, he sponsored CVE, along with the initiation and evolution of CWE and CAPEC.

Meera Rao <mmeera@synopsys.com> is Senior Director of Product Management in the Synopsys Software Integrity Group and has more than 20 years of experience in software development, more recently focusing on DevOps and CI/CD. She also leads Intelligent Orchestration development at Synopsys.

Registration

REGISTRATION IS REQUIRED TO ATTEND THIS PROGRAM.

Please register by May 18th at www.cqaa.org. If you have any questions, please contact info@cqaa.org.

Webinar Access

A link to the webinar will be added to this announcement before the date of the webinar. Please check back.
