In modern software organizations such as those adhering to a DevSecOps methodology, everyone is accountable for security. Some form of security should be included at every stage of the software development life cycle (SDLC). This makes the developer the first line of defense against application security and compliance issues.
Despite this, developers often write and merge code that unknowingly violates their company's risk mitigation policies, and they typically are not told until late in the cycle, when fixes have to be made under a tight deadline. To address this problem, developers must be notified of policy violations as early in the SDLC as possible, ideally before the offending change is merged.
Running a full SCA scan against every build of every software component after every merge is one way to meet this need. With Black Duck, a full scan can include any combination of dependency, codeprint, snippet, and binary analysis. This will identify the open source components in the build, produce a complete bill of materials (BOM), and flag policy violations, and it is highly recommended before releasing any application. But a full scan is expensive relative to the question a developer is asking at merge time, so there should also be a lighter option: one that provides just enough information for the current job, namely whether the dependencies a change introduces violate policy.
Black Duck's Rapid Scan feature is that option. It strikes a balance between agility and the open source risk management developers need, letting them evaluate the open source components they include against company policy before promoting their code to release branches, at the same speed and scale as their other development and operational tasks.