Software Integrity Blog

Archive for the 'Software Composition Analysis' Category

Everything you need to know about Black Duck Security Advisories

When we released Black Duck 4.4, we announced the creation of our own Black Duck Security Advisories (BDSAs). BDSAs offer a more complete and in-depth view of your vulnerabilities.

Posted in Open Source Security, Software Composition Analysis

Software composition analysis & the secret ingredients for a successful M&A

Open source is everywhere. Researchers have been tracking its growth for years, but because open source is now so pervasive, they are increasingly concerned about the security of applications built on a foundation of open source components. The only way an organization can be sure of the open source in its codebase, other than by meticulously tracking such use by hand, is by performing software composition analysis (SCA). 451 Research defines software composition analysis as “the identification of third-party, primarily open source, libraries that have been built into an application.” This identification capability helps organizations discover unpatched code, licensing issues, and potential security vulnerabilities that may be present in a codebase owing to open source use.

Why software composition analysis?

The simplest use case for SCA is an individual company monitoring and identifying its own use of open source components and frameworks. But in its latest study, 451 Research details other use cases for SCA, the primary one being in the mergers and acquisitions (M&A) space. As young companies bring new applications to market rapidly, they use ever more open source. So in M&A transactions, because management of open source is still relatively immature, the onus shifts to acquiring companies to be aware of the potential risks they may be inheriting along with the intellectual property in these codebases.

Getting a clear picture of open source in enterprise apps

Many statistics out there illustrate how much open source is in the typical software application. However, those stats can be misleading and often tell the wrong story. To get a clearer picture of open source growth for enterprise use, we should look at the percentage of open source in new applications.

According to the 2018 Open Source Security and Risk Analysis (OSSRA) report, in more than 1,100 open source audits Black Duck by Synopsys conducted on commercial codebases last year, the average codebase was made up of 57% open source. That means that on average, more than half of each codebase we scanned was made up of open source components. It’s important to note that a key use case for a Black Duck Open Source Audit is M&A due diligence, meaning that the data in the OSSRA report is an excellent indicator of trends in open source in M&A transactions.

Faster delivery means more open source

As 451 Research states in its brief, the trend toward faster, more iterative delivery of applications is not going to abate anytime soon: “The use of open source components in those applications is no longer a novel idea. There is now a generation of developers for whom using code written by a third party, available at no-cost, is as intuitive as any other part of the development lifecycle, and is driven by the delivery demands placed on them.”

Posted in General, Open Source Security, Software Composition Analysis

Fine-tuning roles, controlling licenses, and matching code snippets in Black Duck 4.5

Any tradesperson, specialist, expert, aficionado, or technologist will tell you that the key to a quality outcome is a set of tools specific to the project and oriented to the goal. The realm of software security and secure DevOps is no exception to this truth, and in Black Duck’s version 4.5 release, we further hone the functions and controls used by development and security teams around the globe to establish the most effective tool for the job: building secure, high-quality software faster.

Identify open source code fragment reuse (snippet matching)

Let’s start by introducing one of the most-requested enhancements to Black Duck: the ability to find open source code snippets in applications. Snippets are fragments of open source code that make up part of a larger open source component and that may carry with them the license requirements of their source component. Now, in Black Duck 4.5, organizations can be assured that they are tracking more open source in their applications than ever before. Users can choose to run an optional snippet scan for unmatched files following a component scan, identifying the components with the highest match prevalence for the detected snippets. Black Duck 4.5’s snippet matching supports nearly 150 file extensions and 75 languages and optimizes performance with delta scanning.

Role-based capabilities to support enterprises

Modern development and release processes often require the persistent involvement of an array of contributors, each serving a distinct role and requiring access to relevant project information. In enterprise organizations, concerns often arise surrounding unnecessary or unrestricted access to projects or overprovisioning of activity rights.

Posted in Open Source Security, Software Composition Analysis

Customer driven features live in Black Duck 4.4 release

How can you not love customer feedback when it helps you improve your product? At our recent FLIGHT conference, I had the opportunity to speak with a lot of customers and to hold detailed discussions with our Customer Advisory Board members. This knowledge helped us build out the latest release of Black Duck with new features that enhance both security and license compliance management.

Posted in Open Source Security, Software Composition Analysis

Migrating to Docker on Black Duck

Before Black Duck began leveraging Docker, customers utilized the App Manager Install Method to deploy it. Black Duck now deploys as a set of containers, so customers need to install Docker to take advantage of updates to the application. By the end of this guide, you’ll have a basic understanding of how to migrate Black Duck to a containerized environment, as well as the benefits of using containers.

Posted in Container Security, Open Source Security, Software Composition Analysis

Open source vulnerabilities: Are you prepared to run the race?

Originally posted on SecurityWeek. 

Posted in Data Breach, Open Source Security, Software Composition Analysis

Improving stability, installs, and updates with Docker

We heard our customers loud and clear. Our old AppManager product, on which we ran the Hub, wasn’t working for you. That’s why we re-platformed our Black Duck Hub solution on the Docker platform.

Posted in Container Security, Open Source Security, Software Composition Analysis

Devil’s Ivy security vulnerability leaves IoT devices at risk

A vulnerability in a single software component, found in an internet-connected security camera, may leave thousands of different security camera models (and other Internet of Things devices) at risk. But Devil’s Ivy and other such flaws can be avoided with effective software supply chain management.

Posted in Internet of Things, Software Composition Analysis

How to use FOSS management systems to manage FOSS components

FOSS management systems make it easy for you to track the licenses and vulnerabilities in the free and open source software components you use.

Posted in Open Source Security, Software Composition Analysis

Webinar: Do you know what’s in your software?

Much of today’s software is created using third-party code, and why not? After all, it’s quicker and more cost-effective than building it from scratch. Using third-party software, however, comes with its own challenges. The recent State of Software Composition Analysis 2017 report explores these challenges. The report is based on the analysis of 128,782 software applications uploaded and tested through the Synopsys Software Composition Analysis tool cloud service from January 1 through December 31, 2016.

Software composition analysis webinar details

Posted in General, Open Source Security, Software Composition Analysis, Webinars