The RSA Conference 2023 addressed several important questions and trends in the cybersecurity industry. Generative AI was a major topic of discussion, with attendees, executives and legislators touting its potential both in attack and in defense in the cybersecurity arms race. The White House National Cybersecurity Strategy was also discussed in the forums, as it proposes new regulations to establish baseline cybersecurity standards and to increase public-private collaboration in cybersecurity defense and disruption.
In this article, we summarize the three main themes of RSAC, as well as two trending topics raised during our one-on-one conversations with the DevSecOps community in attendance.
AI cuts both ways in software development
Modern organizations with modern infrastructure work at high speed to develop mission-critical applications. To keep pace, developers use AI and ChatGPT to help them write code, which can inadvertently introduce malicious packages and CVEs into their software. AI can also be part of the solution, with machine learning algorithms used as part of automated vulnerability identification. Since AI can play an important role in software development, its risks should not be neglected, and software development teams should use it with caution.
Companies favor platforms over point solutions
Attendees and security specialists emphasized the increasing complexity of the cybersecurity landscape and the proliferation of point solutions. We agree that platforms are the best option for companies, helping to minimize "tool sprawl". It is becoming evident that point solutions cannot, on their own, protect the entire software delivery chain. A telling example is that even the most technically experienced teams are struggling to connect complex and disparate security solutions in their DevOps workflows and software supply chains. Complexity may result in unintentional gaps in coverage and represents a security risk in itself. A platform solution can also facilitate tool consolidation.
Security expertise built into the software delivery chain
Another point of conversation in several of the talks and panel sessions was the shortage of cybersecurity talent, which is a major concern. Many executives and policy makers expressed the need for startups to develop solutions that make advanced cybersecurity accessible to non-specialists and that require fewer resources for small businesses and everyday users to implement.
Community feedback
Between the main sessions, we had the opportunity to talk with attendees, and here are some of the topics that came up in these 1:1 conversations.
Developers, product security engineers and DevOps teams are facing difficulties such as:
- Too many vulnerabilities to fix (including false positives)
- Heavy manual effort required from security specialists
- Developers using OSS from public repositories and other untrusted sources
- Using multiple AST security tools that still leave possible blind spots
We demonstrated how to address these pain points and how we approach software supply chain security from a different, contextual perspective. We understand that source code analysis alone is not sufficient to truly analyze the context of CVEs and reach a real contextual understanding. This can only be achieved by examining the software binary, which contains much more information than the source code alone.
Here are the three main security capabilities that caught attendees' attention:
- Contextual analysis to reduce false positives and remediation workload, with a focus on exploitable CVEs. This involves a detailed analysis of the vulnerability and its applicability to the application. The feature also provides users with specific advice by e-mail.
- Going beyond source code and CVEs to identify hidden vulnerabilities, with secrets detection focused on binaries.
- Understanding the impact of vulnerability exploitability with the JFrog platform, giving a true picture of what actually needs to be fixed.
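To make the binary-focused secrets detection and false-positive reduction described above concrete, here is an added example (not code from the original post and not JFrog's own implementation). It mimics what a scanner does on a compiled artifact: extract printable strings the way the `strings` utility does, match them against credential patterns, and then use Shannon entropy plus a placeholder word list to down-rank findings that are unlikely to be real secrets. The sample "binary", the token-like values and the pattern set are all constructed for the demonstration; the `AKIA` prefix is the well-known AWS access key id format, but the key shown is not a real key.

```python
import math
import re
from collections import Counter

# Constructed sample binary: a fake ELF header, non-printable padding, one
# benign usage string and three embedded key=value strings. None of the
# values are real credentials.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(0, 32))
    + b"Usage: tool [options]\x00"
    + bytes([0x90] * 12)
    + b"aws_access_key_id=AKIAQ7X2M9PL4KD8W3ZR\x00"      # constructed, not a real key
    + b"\xde\xad\xbe\xef" * 5
    + b"db_password=s3cr3t-P4ss-w0rd-9x7Q\x00"          # constructed secret-like value
    + b"api_key=PLACEHOLDER\x00"                        # looks like a template value
    + b"hello\x00"                                      # too short to be extracted
)

MIN_STRING_LEN = 8

# Credential patterns (constructed subset). A pattern with a capture group
# reports the captured value; one without reports the whole match.
PATTERNS = {
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "assignment_secret": re.compile(
        r"(?i)(password|passwd|secret|token|api_key)\s*[=:]\s*(\S+)"
    ),
}

# Values below this entropy, or in this list, are reported as likely placeholders.
PLACEHOLDER_ENTROPY = 3.3
PLACEHOLDER_WORDS = {"placeholder", "changeme", "example", "password", "xxx"}


def extract_strings(data: bytes, min_len: int = MIN_STRING_LEN) -> list:
    """Return runs of printable ASCII of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking secrets score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_placeholder(value: str) -> bool:
    """Low entropy or a known template word: report, but do not treat as a leak."""
    return value.lower() in PLACEHOLDER_WORDS or shannon_entropy(value) < PLACEHOLDER_ENTROPY


def find_secret_candidates(data: bytes) -> list:
    """Scan a binary blob and return one finding dict per matched string."""
    findings = []
    for s in extract_strings(data):
        for kind, pat in PATTERNS.items():
            m = pat.search(s)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group()
            findings.append({
                "kind": kind,
                "value": value,
                "entropy": round(shannon_entropy(value), 2),
                "likely_placeholder": looks_like_placeholder(value),
                "context": s,
            })
    return findings


if __name__ == "__main__":
    for f in find_secret_candidates(SAMPLE_BINARY):
        flag = "placeholder?" if f["likely_placeholder"] else "LEAK"
        print(f"{flag:12} {f['kind']:18} entropy={f['entropy']:<5} {f['context']}")
```

Running the block reports the AWS-style key and the database password as leak candidates and the `api_key=PLACEHOLDER` string as a probable template value, which is the kind of triage that cuts the false-positive load mentioned above. On a real artifact the same string extraction also surfaces bundled dependency names and version banners that never appear in the first-party source, which is why scanning the binary sees more than source analysis alone.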
JFrog was recognized by Cyber Defense Magazine for its DevSecOps offering, winning a Global InfoSec Award in 2023. Cyber Defense Magazine received more than 4,300 entries for this award from companies around the world that manage, create and offer information security products and services. Fewer than 10% of the nominees were chosen as winners for having an incredibly innovative product focused on preventing breaches. Congratulations, team!
With more than 600 vendors, more than 700 speakers and more than 26,000 attendees, RSAC '23 was a strong indicator that protecting our data, infrastructure, networks, applications and identities is a common goal across the developer, DevOps and security communities. The JFrog Software Supply Chain Platform was built to meet the modern demands of development, operations and security teams.
Content originally posted in: JFrog Blog
We are Software.com.br, Official Representative of Minitab Engage in Brazil and also a reference in technology solutions for the corporate world in Latin America. Count on our consultants specialized in Software Licensing, Cybersecurity, DevOps, Infrastructure and Data Analytics.
See more about JFrog on our site: Software.com.br