
Webinar Recording- OWASP ASVS

Your balanced AppSec diet
Build strength, fitness and peace of mind!

In this webinar, application security heavyweights Jim Manico (OWASP Top Ten contributor), Farshad Abasi (OWASP Chapter Lead), and Julius Musseau will talk about the best thing that can happen to you if your application security team is overwhelmed, overworked and over-worried.

The OWASP Application Security Verification Standard (ASVS) is a balanced way for organizations to approach application security and align it with their organization's risk appetite and resources.

Watch the video of our webinar on OWASP ASVS from May 11, 2022

Are you thinking of establishing a balanced AppSec process, or are you looking at fine-tuning your existing process? Join Jim, Farshad and Julius in this webinar to hear about:

  • The First application security standard by developers for developers!
  • That defines three risk levels with 200+ controls.
  • And gives you similar value to ISO 27034 for a fraction of the hassle

SCA+SAST+DAST+IAST+RASP+.. = JOY ?

spoiler alert: probably not

In this webinar, application security experts Jim Manico (OWASP Top 10 contributor), Farshad Abasi (OWASP Chapter Lead), and Julius Musseau will go over best practices for rolling out an effective application security toolset to your software development and security teams.

How can you best get started and how can you best optimize your AppSec toolset over time? Watch this webinar NOW!

Are you just thinking of implementing AppSec tools, or are you looking at optimizing your existing tool set? Join Jim, Farshad and Julius in this webinar to hear:

  1. What combination of tools give you maximum protection.
  2. What tool gives you the highest value out of the box.
  3. How threats are likely to evolve, and how to use your AppSec toolset to stay one step ahead of cyber adversaries.

Webinar Wednesdays – When Dependabot Is Worse Than Nothing: Log4J As A Sub-Dependency

Watch if this applies to you and find out how to fix this :).

From the “Webinar Wednesday” of March 30th, 2022, with Jim and Julius.

Why should you care? Because if you’re using industry-standard software leader Dependabot, then your devs didn’t fix the recent Log4J problem properly.
If you’re using Dependabot, then the tools you’re using now aren’t getting the job done.

In theory, Dependabot is exactly what the world needs to keep software dependency chains safe from known vulnerabilities: tightly integrated with GitHub; auto-generates pull requests; plugged into GitHub Security Advisories (GHSA); support for a wide range of programming languages and dependency managers.

But in practice Dependabot has a serious implementation flaw: it can only see transitive dependencies (aka sub-dependencies) in languages and dependency managers that support lock files.

Do you know any languages that currently DO NOT support lock files?

Java / Maven !

This has some bad implications if you’re using Dependabot to protect yourself from Log4J (since Log4J is a Java library).
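Because Maven has no lock file, the transitive (sub-dependency) graph only becomes visible when you ask Maven to resolve it, for example with `mvn dependency:tree`. The script below is an added example written for this post (not MergeBase's or the webinar's code, and not a Dependabot feature): it parses a constructed sample of `dependency:tree` output, reports every `log4j-core` it finds together with the dependency path it arrived through, and marks whether that version falls in the ranges the Apache advisory lists as affected by CVE-2021-44228 (2.0-beta9 up to 2.3.1, 2.4 up to 2.12.2, and 2.13.0 up to 2.15.0, end exclusive). The project coordinates and versions in the sample tree are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample of `mvn dependency:tree` output (hypothetical project; not from a real build).
SAMPLE_TREE = """\
[INFO] com.example:orders-service:jar:1.4.0
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.5.6:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO] |  |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-jul:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \\- com.example:shared-utils:jar:3.2.0:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
"""

# Each tree level is drawn with a 3-character cell: "+- ", "\- ", "|  " or "   ".
LINE_RE = re.compile(r"^\[INFO\] ((?:[|+\\ ][- ] )*)(\S+)$")

# Affected ranges for CVE-2021-44228 per the Apache Log4j security advisory:
# start inclusive, end exclusive (2.3.1 and 2.12.2 are the Java 6 / Java 7 fix releases).
AFFECTED_RANGES = [("2.0-beta9", "2.3.1"), ("2.4", "2.12.2"), ("2.13.0", "2.15.0")]


def _version_key(version):
    """Sortable key for Log4j-style versions; pre-releases sort before the final release."""
    base, _, qualifier = version.partition("-")
    nums = [int(p) for p in base.split(".") if p.isdigit()]
    nums += [0] * (3 - len(nums))
    q = qualifier.lower()
    n = int(re.sub(r"\D", "", q) or 0)
    if not q:
        tag = (1, 0)                # final release
    elif q.startswith("beta"):
        tag = (0, n)                # 2.0-beta9 -> (0, 9)
    elif q.startswith("rc"):
        tag = (0, 100 + n)          # release candidates come after betas
    else:
        tag = (0, 0)
    return tuple(nums[:3]) + tag


def is_vulnerable_cve_2021_44228(version):
    key = _version_key(version)
    return any(_version_key(lo) <= key < _version_key(hi) for lo, hi in AFFECTED_RANGES)


def parse_tree(tree_text):
    """Return (depth, groupId, artifactId, version) for every node in dependency:tree output."""
    nodes = []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue                # plugin banners, BUILD SUCCESS, blank lines
        prefix, coord = m.groups()
        parts = coord.split(":")
        if len(parts) < 4:
            continue
        # groupId:artifactId:packaging[:classifier]:version[:scope]; the root line has no scope
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        nodes.append((len(prefix) // 3, parts[0], parts[1], version))
    return nodes


@dataclass
class Finding:
    version: str
    depth: int        # 1 = direct dependency, >1 = transitive (sub-dependency)
    path: str         # artifactIds from the direct dependency down to log4j-core
    vulnerable: bool  # in an affected range for CVE-2021-44228


def find_log4j_core(tree_text):
    findings = []
    stack = []        # artifactIds of the current node's ancestors, indexed by depth
    for depth, group, artifact, version in parse_tree(tree_text):
        del stack[depth:]
        stack.append(artifact)
        if group == "org.apache.logging.log4j" and artifact == "log4j-core":
            findings.append(Finding(
                version=version,
                depth=depth,
                path=" -> ".join(stack[1:]),
                vulnerable=is_vulnerable_cve_2021_44228(version),
            ))
    return findings


if __name__ == "__main__":
    for f in find_log4j_core(SAMPLE_TREE):
        kind = "direct" if f.depth == 1 else "transitive"
        status = "AFFECTED by CVE-2021-44228" if f.vulnerable else "not affected"
        print(f"log4j-core {f.version} ({kind}, depth {f.depth}) via {f.path}: {status}")
```

Run it against a real `mvn dependency:tree` capture instead of `SAMPLE_TREE` to see which direct dependency is dragging in an affected `log4j-core`; that direct dependency is what has to be upgraded, excluded, or overridden via `dependencyManagement`, and it is exactly the relationship a lock-file-only scanner never gets to see in a Maven build. Note that `dependency:tree` shows the versions Maven actually resolved after mediation, so a single artifact can appear on several paths with different versions, as in the sample.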

Discover More from MergeBase

Open Source Protection

Stay on top of the real risk of open source at any time.

Avoid false positives and get sophisticated upgrade guidance based on risk, compatibility and popularity.

More on Continuous Protection

Add RunTime Protection

Detect and defend against known vulnerabilities at runtime. The only SCA to do so.

The quickest way to respond to an imminent threat like Log4J (CVE-2021-44228).

More on Run-time Protection

Shift Left Now

CodeGreen is an early-warning defence for your in-house development and integrates directly into GitHub and BitBucket.

More on BitBucket and Github apps