Security Exec Track: End-to-end Application Security for AI-Driven Development

 

Session Description

AI-generated code, open-source components, and third-party SDKs are flooding modern pipelines, multiplying both the scale and the complexity of application risk. Black Duck’s TrueScale Application Security meets this challenge by matching test depth and deployment model to each SDLC stage, delivering accurate results at AI scale while helping teams satisfy new regulatory demands.

 

Mobile apps add another AI-driven exposure point, as the recent NowSecure analysis of the DeepSeek iOS app demonstrates. That research uncovered hard-coded keys, unencrypted traffic, and data flows governed by foreign law, all rooted in an AI-powered tool downloaded from a public store. NowSecure’s continuous, real-device Mobile Application Security Testing (MAST) closes this gap, providing the runtime insight that static-only tools miss. Together, TrueScale’s end-to-end pipeline coverage and NowSecure’s mobile depth give enterprises a single strategy for controlling risk from supply-chain inputs through AI-enabled mobile behavior, without slowing delivery.

 

Session Summary

  • AI-generated code growth drastically expands software security risks and attack surfaces.

  • Mobile applications pose unique, high-risk challenges requiring dynamic, runtime security testing.

  • Regulatory compliance (GDPR, EU Cyber Resilience Act) is now a board-level strategic imperative.

  • Continuous pentesting as a service (PTaaS) modernizes security workflows and reduces developer friction.

  • Black Duck’s TrueScale Application Security unifies testing across custom, open-source, and AI-generated code.

  • Mobile app security gaps identified in popular apps like DeepSeek reveal critical vulnerabilities.

  • The partnership between Black Duck and NowSecure enables comprehensive, scalable security coverage.

Session Transcript

 

 

Hello, my name is Brian Murphy. I run sales at NowSecure, and I am excited today to join my good friend and partner at Black Duck to talk about our partnership and how we can be helpful to our community. So, without further ado, I'd like to introduce Vish. Vish, maybe you can introduce yourself and then take it away.

Thanks, Brian. So, hi everybody. I'm Vishenar. I'm the senior product marketing manager at Black Duck, and I am pretty excited to be here today. In our session today, we'll be examining how the rapid growth of AI-generated code, heightened compliance demands, and specialized mobile app risks have fundamentally reshaped application security. We'll explore how Black Duck's TrueScale Application Security strategy, in combination with NowSecure's mobile application security testing, provides complete, scalable coverage across all application layers. So, without further ado, let's just jump right in.

To begin, it's critical to acknowledge that modern software is no longer just written; it's assembled. Applications today integrate custom code your teams write internally, open-source libraries and dependencies, third-party commercial SDKs and APIs, and, increasingly, AI-generated code. Each source introduces unique vulnerabilities, significantly expanding the attack surface and complicating governance and risk management. Understanding this composite nature demands a shift in how we approach software security.

Among these assembled code sources, AI-generated code stands out due to its unprecedented growth. Generative AI tools such as ChatGPT and GitHub Copilot are accelerating software development at an exponential rate. However, this speed introduces substantial risk. Most concerning is the rise of so-called citizen developers: individuals generating code through AI tools who lack formal security training.
This phenomenon creates potential security blind spots, unvetted code, and vulnerabilities at a scale previously unseen. This elevated risk exposure from AI isn't merely a technical issue. It's increasingly a strategic, board-level concern. Regulations such as the EU Cyber Resilience Act, GDPR, and sector-specific mandates now require demonstrable proof of software security and compliance. Failing to effectively manage these compliance demands can lead to severe consequences such as operational disruption, financial penalties, reputational damage, and loss of market access. Therefore, security governance and visibility have become a core strategic responsibility at the executive level.

Clearly, a more robust approach to application security is essential to address these growing risks and compliance pressures. That's precisely why we've developed TrueScale Application Security. TrueScale is a unified strategy designed to eliminate the traditional trade-offs between speed, accuracy, and compliance rigor. It provides the right tests at the right depth for every stage of the software life cycle. It provides flexible deployment combinations, such as SaaS-based solutions for rapid scalability and on-premises solutions for deeper, compliance-driven testing. And lastly, comprehensive coverage that spans code quality, licenses, security, and regulatory compliance. TrueScale isn't just about coverage; it's about enabling innovation without friction.

Our TrueScale approach is delivered through a robust, integrated portfolio, which includes Polaris, our SaaS platform offering that integrates static and dynamic testing for pre-production and production environments and software composition analysis for rapid, continuous testing; Coverity and Black Duck SCA, our on-premises, compliance-focused static and composition analysis tools, crucial for regulated industries; Seeker, our IAST offering, which provides interactive, real-time application security testing for runtime environments;
Defensics, which provides specialized fuzz testing for critical protocol-level validation; and Black Duck Assist, which provides AI-powered remediation guidance, proactively addressing risk introduced by AI-generated code itself. Together, these tools deliver scalable, comprehensive risk management across your entire codebase.

Furthermore, our portfolio isn't just theoretical; it's proven at enterprise scale. For five consecutive years, Gartner has positioned Black Duck in the top-right quadrant of its Magic Quadrant for Application Security Testing, highlighting both our capabilities and vision. In practice, our customers routinely conduct application security testing at massive scale, validating TrueScale's capacity to handle the exponential growth of AI-generated code.

Yet even with comprehensive AppSec coverage, one critical layer often remains undertested: mobile applications. Mobile apps are frequently the most visible part of your business, handling sensitive data, integrating third-party SDKs, and updating at rapid cycles. To address this unique risk, we've partnered with NowSecure, whose deep expertise in mobile application security testing fills this critical security gap. Now, let me hand it over to Brian from NowSecure to discuss their technology thoughts and their latest DeepSeek iOS research. Brian.

All right. Well, thanks, Vish. You're right, the unseen layer is all about mobile, and that's something that I wanted to talk to us a little bit about today, and why our partnership makes so much sense. One of the things for sure, and you can't really argue, is that the value of mobile continues to go up. You know, the numbers are something like 6.3 million smartphones are out there, and 90% of the time spent on a smartphone is with a mobile app. We've actually hit the tipping point back in December of 2024, where 59% of all e-commerce actually went across the mobile ecosystem.
It's kind of staggering when you think about that. And the point that you were making is that there's all this value, but are we really taking care of it? And you think about it: more value for mobile also increases the risk factor, and our partnership is really about trying to address this risk. And when we think about the risk, you know, there's all kinds of risk. There's the risk of data loss, privacy data, transactional data, all of these things. And no matter what, when you think about a mobile app, the mobile app is using many of the same back-end APIs. It's using the same API keys. It's got authentication; the same credentials are being used. We really need to think about this interface and this attack surface. And, you know, many people are starting to recognize that this attack surface is somewhat unique.

I was talking to Ed Amoroso recently, and we were talking about mobile. And what's interesting about mobile is that it's always on and it's always connected, and it's outside your organization. You know, the mobile apps are out there in the public app stores. You can pull them down. You don't really have control of who gets to use your app all the time, who can pull it down, who can look at it. And there's a dependency that we have; I think Ed mentioned this in one of my discussions, that there's maybe an expectation that Google and Apple are doing a great job of doing security testing. They do some level; they do some testing, but they're not thinking about deep security. They run an app store.

You also mentioned, Vish, the idea of how fast we're developing, especially when you start thinking about developing with AI, and perhaps you have different types of people that are building apps, or who can build apps now, because of the power of AI. What's also happening, without a doubt, is there's increasing regulatory pressure. You look across organizations where you're looking at privacy and GDPR.
You look at what's happening in the financial industry. You look at what's happening just around the FDA, which has heightened its role in making sure that medical systems that include software and hardware are safe and secure. All of this is happening, and all of this drives the need for thinking about mobile. And what we love about the partnership between Black Duck and NowSecure is that all of the best practices that you, Vish, and your team profess, all of the approaches that you take, we think are excellent, and we think it's a simple story: just add mobile. We think that a lot of mobile pipelines, or development pipelines, are just missing this, or they're not thinking about, hey, I should or could be doing the same thing for mobile that I do for any other app. And as a result there are these gaps.

And while static testing is great, you know, you guys all have great solutions in this area, but you've also invested in dynamic technologies, dynamic testing technologies, and that's an area where NowSecure really stands out. And we built this based on feedback from our customers and their need to look beyond static, to really what's happening from a dynamic perspective. There are lots of things that I can't capture about my mobile app if I'm not seeing it in action. And so that's really, you know, the big difference: what NowSecure can do from a dynamic perspective. You know, we take apps, we load them on real devices, we run them through, we do testing of that, we collect the data; we do everything that you would expect from dynamic testing of enterprise apps and web apps. We do that for mobile. One of the reasons why the dynamic testing is so important is that static testing tells you what apps are going to do but doesn't necessarily tell you what they are doing. A good example, as you mentioned before, was DeepSeek.
So we recently did DeepSeek research on the iOS app, and that iOS app and the Android apps are very, very popular in Google Play and the Apple App Store. They went through some level of testing, but they didn't go through dynamic testing. Once you go through and look at the dynamic testing, you start to see some pretty scary things in the DeepSeek app. And Andrew Hoog, our founder, talked about this. There were a couple of different blog posts. I think Krebs on Security picked us up. We were picked up by a few news stations, and I think even cited in some congressional paperwork and discussions about the importance of mobile and increasing the security considerations around things like DeepSeek. But what we found in the iOS app was that encryption keys were not protected, sensitive data was unprotected, and a lot of this data was actually being transmitted to China. There are lots of reasons why this is risky. We don't have to go through them. But the point is that without doing dynamic testing, it's very hard to see some of these things. And so, you know, our approach, which dovetails very nicely with the Black Duck overarching best practices and your solutions, is to test the mobile app in the same way, and that it tests the app as it's operating, not just in terms of what it says it's going to do.

So that leads into the broader question: you know, AI SDKs. When you really think about mobile apps, 60 to 70% of a mobile app isn't written by the actual publisher. The publishers are really, as was said earlier, assembling applications. They're using third-party libraries. And these third-party libraries are really where a lot of the hidden risks are for mobile applications. When developers build apps, they build secure apps, but they use libraries. And those libraries use libraries. And it's really this complex supply chain that's really concerning. And when you do a dynamic test of a mobile app, you're able to see this.
You're able to see the impact of those libraries and those nested libraries. And that's why we recommend our approach and our solution. And many of you that are attending this and listening to this already know the benefits of it. And for some of you that have not yet tried NowSecure, you know, we're simple and easy to use, but to be able to do dynamic testing in near real time is really a powerful capability that should be added to the arsenal. And we really think it's important, because when you think about mobile as it grows in importance, not taking this step is acting in a way that's not prudent. So we need to think about incorporating dynamic testing in the development process.

We need to think about, as well, the apps that we're using, right? So, not just the apps that we build and publish, and what that may mean to our customers and partners, but also the apps that we bring into our businesses. And that's another area where I think we partner with Black Duck very well. Not only are we looking at the app that you publish on the app store, but, you know, what apps are your executives using? What apps are your employees bringing to the business? That sort of hidden IT. There's a lot of data about your business that's going out over those apps. An example would be DeepSeek. You know, I'm sure there are employees in your organization that grabbed DeepSeek and were using it. What kind of data were they putting into DeepSeek, and where did it go? Is that something that you need to worry about or not? So, raise the profile on mobile. Do the things that you would do for any other app, but do those for mobile. Think about the apps that you use and bring in, and take care and look at those. We have a capability for that.
A good example that we have, and this is really where I'll wrap things up before I turn back to Vish, is a joint customer of ours. I had a chance to speak to the CISO of that organization a couple of weeks ago, and it was a great conversation, because I was asking, how do you look at mobile? What's mobile in terms of your priority? And he really said that, for him, mobile had been somewhat underserved. He had invested quite a bit of his budget in testing the web app. But what he started to see was that the mobile app was starting to become a more popular interface for their system, and that more and more traffic, more and more usage, more and more time was happening over the mobile application. And he started to see a disconnect between his investment and that; they really needed to sort of reprioritize and start to include more mobile testing because of the potential risks associated with that. And so, as he started to do that, he invested in the NowSecure capability along with his Black Duck capabilities, and what he was able to identify were certain risks, and actually improve the mobile application, and do it on a consistent basis. He feels like he's removed a lot of risk from his overall environment. While doing all that, he hasn't slowed down his innovation. And that's one of the things he really likes, because of the efficiency and effectiveness of this kind of testing approach that's consistent across Black Duck and NowSecure. This CISO felt like he's able to make available web apps and mobile apps that are highly innovative and competitive out in the marketplace, but also he's able to rely on his brand of trust. And so I thought it was a great story.

I also thought it was interesting the way he talked about it, and I'm going to share this. He said that we're all kind of like banks. You know, I know we talk about how every company is a software company, but he said we're all kind of like banks.
And what I mean by that is that our customers are investing their data in us. They put their data in our bank, and we give them back something with that data. We do something interesting with that data and we return that back to them. And if the bank can't be trusted to keep the data safe, the bank goes out of business. And that was how he described to me how important this mission was. When you think about mobile apps, it's all about collecting data, getting it back into the back-end systems, and then presenting it back out to their customers so they can do work, they can receive a benefit. And so I think that a combination of a Black Duck solution and a NowSecure solution, taking care of your entire estate of enterprise apps and mobile apps, that's a really great way to go. So with that, Vish, I will turn things back over to you.

All right. So, yeah, once again, thanks for that, Brian. That was a very insightful look into why mobile-specific risks matter, right? These findings underscore precisely why specialized mobile testing is integral to a comprehensive application security strategy. So by combining Black Duck's TrueScale Application Security approach with NowSecure's dedicated MAST capabilities, organizations can achieve unparalleled visibility and governance across their full application spectrum, from development through to runtime. Together, Black Duck and NowSecure provide end-to-end coverage, from custom code, open-source, third-party, and AI-generated code to continuous mobile application security. We offer hybrid flexibility: SaaS, on-premises, or hybrid deployment models matched exactly to your needs. We are AI-ready and scalable, with the capabilities to manage the exponential increase in AI-generated code and emerging regulatory demands. And we offer real-time risk visibility: immediate insights enable proactive risk management across all application layers for you.
So, to summarize the key points from today: starting with AI-driven development, which significantly expands the risk surface, making comprehensive application security absolutely necessary. Regulatory compliance and security governance are now board-level imperatives, directly influencing strategic business decisions. Specialized mobile security testing, as demonstrated by NowSecure's DeepSeek research, is crucial given mobile's distinct and dynamic risk profile. And a unified approach combining Black Duck's TrueScale with NowSecure's MAST delivers unmatched breadth, depth, and enterprise readiness.

As you consider your next steps, we recommend the following immediate actions. Review your current application security practices and ensure that their coverage includes AI-generated code and mobile code. Integrate continuous mobile testing (MAST) into your CI/CD pipeline and follow NowSecure's best-practice recommendations. Plan strategically for the ongoing growth of AI-generated code in your organization's risk management strategy. And at last, engage with Black Duck and NowSecure to tailor a security strategy aligned specifically to your organizational needs.

So I know that was a lot, and you might at least have a few questions for us. So we look forward to answering them. Feel free to type your questions into the chat. We have experts from Black Duck and NowSecure available to provide further details and answer them. But as we conclude today's webinar, thank you once again for your time and engagement. Black Duck and NowSecure are here to support you as trusted partners. And once again, for detailed follow-up, to have any further discussions, or even to schedule a call, please reach out to us using the contact information provided. We look forward to assisting you in confidently navigating and managing enterprise application risks in this AI era. Thank you once again, and have a great day.
Hey Vish, thank you so much for your time, your partnership, and your friendship. Really appreciate it, and, you know, I hope everybody that gets to listen to this can feel the authenticity of what we're talking about. You know, we really believe we can help you, and we hope we shared some interesting insights. So have a great day and enjoy the rest of the conference.

Likewise, Brian. Thank you.

What does a healthy DevOps regimen look like? How should my security team and my development team work together to limit business risk and ensure the safety and security of business-critical applications? The answer: by implementing an efficient workflow that allows all teams to work together continuously without impacting the productivity of others. Let's walk through this example. Developers complete code review on a new feature and automatically kick off a scan via the CI/CD pipeline. The NowSecure platform performs static and dynamic binary analysis in minutes. In this example, the automation produces 42 findings. These findings are then filtered through NowSecure's policy engine, which the security team customizes to ensure that all high and critical findings immediately and automatically generate tickets in the developer ticketing system. Assuming five findings were high and critical, the remaining 37 findings are then manually reviewed by the security team to triage and assign to the appropriate queue for remediation. This workflow ensures that high-severity tickets are provided as soon as they are discovered, and less severe tickets are triaged appropriately by security teams. Using the integrated workflow with NowSecure's policy engine is the fastest way to prioritize and remediate issues in your mobile application suite.

Hello and welcome to your MARM minute. I'm Alan Snyder, and today we're going to talk about the first step in the MARM program. We're going to talk about how you classify apps and put them into business impact tiers.
The business impact tier is super simple. It's basically saying, how important is this app to my business, and what is the impact to my business if there is a cybersecurity incident, be that a data breach, be that a vulnerability, a privacy issue, operational disruption, all sorts of things that can cause harm to the business. So let's dive right in and take a look at some of the characteristics that we recommend. Now, what's important to understand about what we're going through here is that each company is going to come up with what is appropriate for them. We've created a best-practice document to help you define these and serve as a template, but based on your threat model and based on your operations organization, it's probably going to vary a little bit. But you need to look at things like sensitive information. Does it have PII, health information, financial transactions? Does it have your brand on it? Is it the primary path to business? Does it collect geolocation data? Maybe it has access to contacts and microphone and camera. So it's collecting information that you have an obligation to protect. How many connections and endpoints does it have? In essence, where could that data that it's collecting be distributed to, with or maybe without your knowledge? All of these things factor in, in terms of how much of an impact, and therefore how much of a risk, it is to your business. So, this has been the MARM minute. Super quick, but hopefully it helps you put together a better program.

Hi, I'm Michael Krueger, and I'm here to talk to you about traditional pen testing versus pen testing as a service. Standalone pen testing is our traditional application of pen testing for mobile apps: experts conduct rigorous security testing against the application, provide a final report, and then ultimately remediation consultation. However, there is a problem with that.
In this example, there may be an application that has three major releases throughout the year, as well as a number of minor releases, and we're conducting an annual pen test as well. The annual pen test in March, as you can see, may catch one of four bugs throughout the year. However, those other three bugs may introduce vulnerabilities that may not be caught until the following annual pen test, if they're not uncovered during other rigorous testing. How do we fix this sort of application? Well, that's where we bring in pen testing as a service. Pen testing as a service modernizes the pen testing approach by utilizing SDLC integrations to reduce developer friction by uploading binaries directly into a software-as-a-service platform; allowing you to dynamically request pen tests on demand from experts; going through that typical expert-led pen testing cycle; exporting reports on demand, but also feeding that report information back into a more continuous monitoring program; and also conducting retesting. But as we ingest into the continuous monitoring, continuous testing program, we start this continuous cycle of uploading new releases for assessment, automated assessments occurring throughout the year, constant reporting and notification out to vulnerability management and bug tracking systems, and, of course, that remediation consultation, all happening in a continuous application. As you can see here, we've now taken that annual pen test, we've introduced another, more prescriptive pen test throughout the year, but we've also introduced this concept of a continuous monitoring, continuous testing program, so that those bugs throughout the year can be addressed in a much more reduced time frame. Finally, I'll leave you with some benefits of PTaaS. Continuous testing really does ensure that new releases don't go untested for long periods of time. It reduces developer friction by enabling binaries and results to be provided directly via CI/CD.
Ideally, it's an application of progressive testing for your mobile app risk management program. It reduces cost by allowing flexibility in the frequency and the types of continuous testing. And finally, it allows trend analysis and a view of all of your assessments, regardless of their type, in a single platform, to get an overall view of your entire mobile portfolio.

Hello and welcome to the MARM minute. I'm Alan Snyder, and today we're going to talk about the second step in the MARM program. It is basically asset inventory. It's understanding the mobile apps that are in your environment that need to be secured and protected. It comes in a couple of different groups. The first is relatively straightforward to understand, a little bit harder to identify: that is all the mobile apps that you, or a vendor, develop on your behalf. Typically it's going to have your brand, usually going to be in a public app store, maybe in your internal enterprise app store. The second category is apps that are approved for use. So this is one that you didn't develop, but a third-party vendor developed with their brand, but you're putting your intellectual property or PII or other such information that needs to be protected in it. So, think of things like maybe Slack or some other messaging platform, Teams, that you didn't build, but you're using it. It's super sensitive. Those are typically going to be in your MDM, and they are approved-for-use apps that get pushed out to new employees. The third category is going to be BYOD, and this really depends on your security posture about how important it is to protect, but those are your big categories there to go and find.

 
