The new Black Duck SCA release offers enhancements to help organizations to better understand the potential risks in their software supply chain.
Black Duck® software composition analysis (SCA) started the new year off strong and got a running start on its resolution to better help teams secure their software supply chain at the speed of modern software development. Let’s look at some of the highlights of the 2023.1.0 release.
Bugs, defects, and security vulnerabilities are an unavoidable cost of doing business in the software industry, and open source code is no exception. Ideally, these defects are discovered by a responsible party, disclosed properly, assigned a CVE number, and communicated to impacted organizations. This process remains a crucial aspect of open source risk management. But as modern development depends more and more on open source, how can we get more proactive in avoiding potential risk introduced further up the supply chain?
With its latest release, Black Duck now provides users with enhanced component intelligence to enable them to look beyond known vulnerabilities and get ahead of potential security risks. Overseen by the Synopsys Cybersecurity Research Center (CyRC), this fully automated process uses static analysis to analyze component behavior and flag issues for review by security and development teams. Potentially malicious component behavior identified by this process includes
Confusingly, this type of behavior is sometimes a crucial aspect of a trustworthy component. Nevertheless, we’re finding that security teams are becoming more risk averse as they depend more on third-party code, and they prefer to take the “trust but verify” route. Any noteworthy component intelligence findings can be accessed by users for review from within Black Duck’s tool (see Figure 1).
Malicious package detection comes at an opportune time, with threat actors becoming increasingly aware of the trust that organizations are putting into their upstream dependencies. Throughout 2022, we saw several headlines on malicious packages within the ecosystem posing as trustworthy projects as they slipped into unsuspecting codebases. This is why Black Duck’s component intelligence is currently focused on NPM packages, though there are plans to continually expand coverage in future releases.
Figure 1: Black Duck’s component intelligence results
In our latest analysis of modern software applications, we found that the average codebase contained 508 open source components. The caveat to this number is that only a small number of dependencies found were intentionally included by development teams. A more common sight was dependencies of chosen dependencies, or transitive dependencies. When you factor them in, you can see why the software supply chain can easily become so complex, especially when you consider that a vulnerability in any of these dependencies, direct or transitive, can introduce significant risk to an application.
Luckily, modern tooling—such as Black Duck SCA—tracks all these dependencies and alerts teams about the vulnerabilities within them. While Black Duck has always guided users in the resolution of transitive dependencies, this latest release simplifies the process even more: instead of having to resolve vulnerabilities in individual transitive dependencies one by one, users can now make one simple upgrade to the direct dependency and resolve all transitive dependency vulnerabilities therein.
The number of vulnerabilities that teams are dealing with today can be overwhelming, so this enhancement is crucial in cutting through the noise, saving time, and reducing the number of components to fix from numbers in the hundreds to numbers in the tens.
Figure 2: Dependency tree in Black Duck
Figure 3: Upgrading the direct dependency to resolve transitive dependency vulnerabilities
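To make the grouping described above concrete, here is an added example (written for this article, not Black Duck’s own implementation) that walks a constructed npm-style dependency graph and maps each vulnerable transitive component back to the direct dependency whose upgrade would pull in a fix; the package names and vulnerability ids are placeholders.

```python
from collections import defaultdict

# Constructed dependency graph in the shape of an npm lockfile: "app" has three
# direct dependencies, each pulling in transitive ones. Placeholder data only.
DEPENDENCY_GRAPH = {
    "app": ["web-framework", "logger", "http-client"],
    "web-framework": ["body-parser", "cookie-util"],
    "body-parser": ["qs-parser", "raw-body"],
    "raw-body": ["bytes-util"],
    "cookie-util": ["qs-parser"],
    "logger": ["color-util"],
    "http-client": ["follow-redirects", "qs-parser"],
}

# Constructed findings: vulnerable component -> placeholder vulnerability ids.
FINDINGS = {
    "qs-parser": ["VULN-A", "VULN-B"],
    "bytes-util": ["VULN-C"],
    "follow-redirects": ["VULN-D"],
    "color-util": ["VULN-E"],
}

def direct_roots(graph, root="app"):
    """Map each component to the set of direct dependencies (children of
    `root`) through which it is reachable."""
    roots = defaultdict(set)
    for direct in graph.get(root, []):
        roots[direct].add(direct)          # a direct dependency is its own root
        stack, seen = [direct], {direct}
        while stack:
            node = stack.pop()
            for child in graph.get(node, []):
                roots[child].add(direct)
                if child not in seen:      # guard against cyclic graphs
                    seen.add(child)
                    stack.append(child)
    return roots

def upgrade_plan(graph, findings, root="app"):
    """Group findings by the direct dependency to upgrade. A component reached
    through several direct dependencies is listed under each, since upgrading
    only one would leave the other path vulnerable."""
    roots = direct_roots(graph, root)
    plan = defaultdict(dict)
    for component, vulns in findings.items():
        for direct in roots.get(component, set()):
            plan[direct][component] = list(vulns)
    return dict(plan)
```

Here five findings across four components collapse to three direct upgrades, and the shared `qs-parser` shows why a transitive fix must be checked along every path that reaches it.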
At Synopsys, we have the privilege of working with customers of all different sizes in a broad and diverse set of industries. Some of these customers release software once a year, some once a quarter, and others once a day. However, the customers that have really motivated us to be innovative in our product development are those that release—and perform SCA scans on—hundreds or thousands of applications a day.
To support these use cases—and to enable DevOps teams to transition into DevSecOps teams—Black Duck has always fit seamlessly into the development life cycle via integrations, with tooling used for development, builds, issue tracking, artifact storage, etc. Just last year, Black Duck introduced significant enhancements to scan speed, which means that security is never the bottleneck in the release process. In this latest release, Black Duck now gives teams the ability to visualize their scanning volume throughout the day.
Let’s say a company has a thousand SaaS applications in its portfolio, which, with the explosive adoption of microservices, is not all that uncommon. To stay on top of dependency upgrades, security patches, performance improvements, and bug fixes, this company releases several new versions of most of these applications every day. Even on a slow day, this means completing an SCA scan for each build and/or deployed artifact several hundreds of times. Given this release velocity, any process—including security—has the potential for becoming the bottleneck that slows everything else down.
To help mitigate this type of problem, Black Duck’s scan volume heatmap gives teams a literal picture of where their release process has the potential of being bogged down by SCA scans (see Figure 4). Should scan volume be extremely heavy one hour and very light the next, teams can take the steps necessary to reconfigure their pipelines and avoid slowdowns. Teams can also use the tool simply as an indication that additional instances are needed. Whatever the cause, software companies are moving at speeds never seen before, and Synopsys is determined to not let them leave security behind.
Figure 4: Black Duck’s scan volume heatmap
In addition to these enhancements, Black Duck users have plenty more to be excited about when upgrading to 2023.1.0, including GitLab project onboarding, additional software bill of materials (SBOM) fields, and further architectural improvements that make scans even faster and less resource intensive.
If you’re not familiar with Black Duck and how it can reduce security and license compliance risks associated with open source usage, we’ve put together some materials that we think will get you just as enthusiastic about it as the countless development, security, and compliance teams that we work with today are.
Mike McGuire is a senior software solutions manager at Synopsys where he has spent several years leading go-to-market efforts for open source risk and software supply chain security solutions. After beginning his career as a software engineer, Mike transitioned into product management and strategy roles, as he enjoyed interfacing with the buyers and users of the products he worked on. Leveraging several years of development experience, Mike enjoys connecting the market’s complex AppSec problems with Synopsys’ comprehensive solutions.