Open Source Application Security
Managing application security is essential in a modern complex IT environment. According to Forrester Research, most third-party code (including open source) is not tested for security vulnerabilities as rigoursly as in-house developed code. At the same time, IDC estimates that 30 percent of deployed software in the Global 2000 is open source. To ensure the security of new applications, products, and services, open source needs to be properly managed and controlled.
To truly protect your software applications from potential vulnerabilities, you need an accurate understanding of:
- What open source components are in your current products and applications.
- Any outstanding, known security vulnerabilities
- If your open source components been validated and if their versions up-to-date before they are deployed.
Black Duck Solutions
The Black Duck Hub helps security and development teams identify and mitigate open source related risks across application portfolios. The Hub’s lightweight scanning, tracking, and monitoring solution:
- Identifies open source throughout your code base
- Automatically maps known vulnerabilities to the open source
- Triages and tracks remediation
- Continuously monitors for newly identified vulnerabilities
The Black Duck® Suite is the industry’s leading OSS Logistics solution for managing security risks posed by open source components. It is customizable to fit your risk profile and size. The Suite helps ensure open source application security by providing ongoing visibility into vulnerabilities throughout the software lifecycle. This works from the early stages of development when components are selected and approved to deployment.
- Open Source Selection – The Suite provides developers with the latest information during the selection process from the National Vulnerability Database, it identifies the security vulnerabilities associated with a potential component.
- Open Source Approvals – Vulnerability data can be factored into the open source approval process, altering workflows based on the potential severity.
- Post-deployment Monitoring – After a component has been selected, the Suite provides a continuous monitoring process. This ensures that future security vulnerabilities are quickly flagged for resolution.
- Remediation - Because open source components are often used in many applications across an organization, the Suite provides a detailed catalog of exactly where they are used. Organizations are then able to locate and resolve issues.
The Black Duck Open Source Risk Assessment
Black Duck’s Open Source Risk Assessment provides an actionable, comprehensive list of security, legal, and operational risks associated with components currently in use within your company’s code base(s). As part of this service, an open source and third-party code audit is performed from which a bill of materials (BOM) is created. The BOM is then compared to the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD.) This produces an actionable report that takes into account the types of risk and severity, recommending priorities to guide your remediation efforts.
The Black Duck Open Source Risk Profile
Black Duck’s Open Source Risk Profile provides a quick and thorough analysis of the security, operational, and legal risk associated with open source software (OSS) known to be in use within your organization. This is a FREE sample of our Open Source Risk Assessment audit report.
Ensure Software Container Security Before You Deploy
Find and Fix Open Source Vulnerabilities With Black Duck Hub
Software containers help development and DevOps teams increase agility and accelerate application delivery. Yet, with these benefits comes a loss of visibility and control. Containers often bundle applications with a lot of software and files you may not know about or want in your production environment. As adoption of containers grows, so does the security risk of potential open source vulnerabilities hidden inside them.
Black Duck Hub gives you the visibility and control you need to deploy containers in your environment with confidence that they aren’t delivering unwanted surprises. Black Duck Hub enables you to:
- Fully scan and catalog all container files and software
- Find all open source software in your containers
- Map known vulnerabilities
- Assess security risks and track remediation
- Monitor and be notified when new vulnerabilities are reported