“This is a significant milestone,” said David Chartier, VP of marketing, Synopsys Software Integrity Group. “This is a strong showing of scalability and widespread adoption of Black Duck Binary Analysis and of its ability to meet the demands of our customers to provide them actionable security information from wide variety of industries, including those working on ICS and medical device firmware, mobile applications, and containerization of services. Not only did we scan our one millionth application, we are peaking at over 1TB of data uploaded daily.”
Software composition analysis recognizes that software today is created by augmenting users’ own code with third-party code and components from various sources. In fact, up to 90% of a software package can originate from sources other than the main author of the software. In some cases, third-party code is commercial code that you licensed, but more often than not, it is some form of open source code. Outdated commercial and open source third-party code integrated into a product may expose it to software vulnerabilities and level the playing field for malicious hackers. Thus OWASP raised “Using components with known vulnerabilities” to its 2013 Top 10 list of the most common and serious sources of vulnerabilities.
Software composition analysis allows you to detect and mitigate these hidden potential time bombs in the software that you create or use. And with binary analysis, you don’t need to have source code. After you upload virtually any software or firmware, Black Duck Binary Analysis scans it in minutes.
Black Duck Binary Analysis examines the binary file to produce a software bill of materials (BoM) and identifies known vulnerabilities against the current Common Vulnerability Enumeration (CVE) from the MITRE organization. Black Duck Binary Analysis provides not only CVEs but also the Common Vulnerability Scoring System (CVSS) rating for each vulnerability it flags. In addition, Black Duck Binary Analysis identifies common license types, such as copyleft, permissive, LGPL, and proprietary. Black Duck Binary Analysis supports a wide variety of architectures, executable formats, compression formats, firmware formats, and file systems, making it a truly universal tool for software composition analysis.