Black Duck ranks highest in Strategy and receives highest possible scores in Product Vision, Market Approach, and Corporate Culture criteria.
This week, Synopsys was named a Leader in “The Forrester Wave™: Software Composition Analysis, Q3, 2021,” based on Forrester’s evaluation of Black Duck, our software composition analysis (SCA) solution.
Forrester evaluated 10 of the most significant SCA providers against 37 criteria. We are proud to be recognized as a leader, and to receive the highest score in the strategy category.
We are writing today to provide more context on why we believe we received these rankings, and to expand on how Black Duck delivers critical capabilities where they are needed most.
The Forrester report noted that “Synopsys’s vulnerability detection capabilities are among the strongest in this Forrester Wave.”
Black Duck’s multifactor scanning, coupled with support for over 100 languages, delivers dependency analysis, binary analysis, codeprint analysis, code snippet detection, and custom component detection. By discovering both declared and undeclared dependencies, Black Duck provides a complete, continuously updated inventory of your applications’ contents and their associated vulnerabilities and licenses.
While completeness is crucial when evaluating risk, so is accuracy. The Forrester report noted that, “Customer references appreciated the accuracy: ‘If Black Duck is reporting something as a problem, it’s a problem.’” Part of providing users with trust in their applications involves assuring them that the issues identified are the ones that pose actual risk.
Identifying vulnerabilities is just one step in securing an application. Once found, vulnerabilities have to be addressed. To this end, Black Duck offers Black Duck Security Advisories (BDSAs). BDSAs provide the information needed to understand, prioritize, and remediate vulnerabilities: severity scoring, reachability, vulnerability descriptions, details on affected versions, and guidance on upgrades, patches, and workarounds. These details are written by researchers in Synopsys’s own Cybersecurity Research Center (CyRC). The CyRC draws on the Synopsys open source KnowledgeBase, the industry’s most comprehensive database of open source project, license, and security information, covering more than 3.9 million open source projects from over 20,000 forges and repositories.
We believe Forrester’s findings aligned with this level of depth, with the report stating, “References also rated Synopsys highly for vulnerability remediation guidance and prioritization.”
Black Duck’s flexible policy management lets you define and capture your organization’s risk tolerance, which Black Duck then enforces automatically in conjunction with the tools used throughout the SDLC: IDEs, Jenkins, Slack, Artifactory, and so on. This reduces the noise that AppSec tools can produce by focusing attention on what matters most to your organization.
With Black Duck, you can configure open source security and usage policies on a range of criteria: license type, vulnerability severity, open source component version, and more. You can then enforce these policies with automatic workflow triggers, automated notifications, and integrations with applications like Jira to accelerate remediation.
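To make the policy model described above concrete, here is an added illustrative example. It is not Black Duck’s policy engine or any Synopsys API; it is a small, generic policy-as-code gate written for this article that evaluates a constructed SCA inventory against rules of the kind listed above (license type, vulnerability severity, component version, and whether a dependency was declared or only discovered) and decides whether a build should fail. The thresholds, license lists, component names, and vulnerability identifiers are all constructed for the example.

```python
"""Illustrative policy-as-code gate over an SCA inventory.

Added example, not Black Duck's own engine or API. The policy values,
component names and vulnerability IDs below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Vulnerability:
    vuln_id: str
    cvss: float
    fixed_in: Optional[str] = None   # first version that remediates the issue, if known


@dataclass
class Component:
    name: str
    version: str
    license: str                     # SPDX identifier, or "UNKNOWN" if not identified
    declared: bool                   # True if listed in a manifest; False if found only by scanning
    vulns: list = field(default_factory=list)


@dataclass
class Violation:
    action: str                      # "block", "warn" or "review"
    component: str
    reason: str


# Hypothetical organisation policy (constructed values, not a product default).
POLICY = {
    "block_cvss": 7.0,                                   # fail the build at or above this score
    "warn_cvss": 4.0,                                    # report, but do not fail, above this score
    "denied_licenses": {"AGPL-3.0-only", "SSPL-1.0"},
    "review_licenses": {"GPL-2.0-only", "LGPL-2.1-only", "UNKNOWN"},
    "min_versions": {"acme-json": (2, 8, 0)},            # versions below the floor are blocked
}


def parse_version(v: str) -> tuple:
    """Turn '2.7.1' into (2, 7, 1), padding to three parts so '2.8' equals (2, 8, 0)."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def evaluate(component: Component, policy: dict = POLICY) -> list:
    """Apply every policy rule to one component and return the violations found."""
    violations = []

    # 1. Vulnerability severity, with the remediation hint a developer needs to act on it.
    for v in component.vulns:
        fix = f"; upgrade to {v.fixed_in}" if v.fixed_in else "; no fixed version known"
        if v.cvss >= policy["block_cvss"]:
            violations.append(Violation("block", component.name, f"{v.vuln_id} CVSS {v.cvss}{fix}"))
        elif v.cvss >= policy["warn_cvss"]:
            violations.append(Violation("warn", component.name, f"{v.vuln_id} CVSS {v.cvss}{fix}"))

    # 2. License type: denied licenses fail the build, others are routed to legal review.
    if component.license in policy["denied_licenses"]:
        violations.append(Violation("block", component.name, f"license {component.license} is denied"))
    elif component.license in policy["review_licenses"]:
        violations.append(Violation("review", component.name, f"license {component.license} needs review"))

    # 3. Component version floor.
    floor = policy["min_versions"].get(component.name)
    if floor and parse_version(component.version) < floor:
        floor_str = ".".join(str(n) for n in floor)
        violations.append(Violation("block", component.name,
                                    f"version {component.version} is below minimum {floor_str}"))

    # 4. Undeclared components cannot be upgraded through normal dependency management,
    #    so they are flagged for review even when no other rule fires.
    if not component.declared:
        violations.append(Violation("review", component.name, "undeclared dependency found only by scanning"))

    return violations


def gate(inventory: list, policy: dict = POLICY) -> tuple:
    """Return (passed, violations); the build passes only if no violation is a 'block'."""
    violations = [v for c in inventory for v in evaluate(c, policy)]
    return (not any(v.action == "block" for v in violations), violations)


# Constructed sample inventory: fictional components and vulnerability IDs.
SAMPLE_INVENTORY = [
    Component("acme-json", "2.7.1", "Apache-2.0", True,
              [Vulnerability("VULN-2021-0001", 9.8, fixed_in="2.8.0")]),
    Component("widget-utils", "1.4.2", "MIT", True,
              [Vulnerability("VULN-2021-0002", 5.3)]),
    Component("snippet-lib", "0.9.0", "GPL-2.0-only", False),
    Component("tiny-db", "3.1.0", "SSPL-1.0", True),
]

if __name__ == "__main__":
    passed, found = gate(SAMPLE_INVENTORY)
    for v in found:
        print(f"[{v.action.upper():6}] {v.component}: {v.reason}")
    print("build", "PASSED" if passed else "FAILED")
```

Run against the sample inventory, the gate fails the build: acme-json is blocked both for a critical vulnerability and for sitting below the version floor, tiny-db is blocked on license, widget-utils only produces a warning, and the undeclared GPL snippet goes to review. Keeping the rules in data rather than in tool configuration is what lets the same policy be enforced identically from an IDE plugin, a CI job, and a ticketing integration.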
Black Duck provides a complete picture of the risk posed by license obligations. With deep license data and license and copyright identification, Black Duck delivers a total view of your license obligations. Our code snippet analysis extends this coverage by identifying fragments of open source code that may have been pasted into projects but still carry license obligations. After identifying the licenses in your applications, Black Duck categorizes each finding as declared, deep, or discovered, which helps you understand your level of risk and which obligations to address first. In addition to open source licenses, Black Duck can also map and identify closed source and third-party licenses.
Our vision of where application security is headed in the future, backed by our full portfolio of AppSec tools, is why we believe we received the highest score in the strategy category. The Forrester report stated, “Synopsys envisions embedding the full range of application security testing (AST) tools into developer workflows and tools so that development teams can uniformly prioritize and remediate flaws across proprietary, open source, and third-party components.”
SCA is one of several steps necessary to secure applications, and it plays an important role in our vision of a holistic AppSec solution. In Synopsys’s vision of AppSec, SCA analysis will uncover issues in dependencies before code is merged into release branches, using CodeSight and Rapid Scan. Full scans integrated with CI and CD tools will identify issues that dependency analysis alone cannot, both before and after deployment. Intelligent progressive analysis will use policy-as-code to define when, and at what depth, SCA scans should occur, depending on variables such as the size of the code change, the calculated risk, and the development phase, so that the right scan runs at the right time. Bringing it all together, CodeDx will aggregate and correlate results from SCA and other AppSec tools to reduce noise and give the most accurate picture of risk in a form that every stakeholder across the organization can consume. This is how Synopsys will define the “Sec” in DevSecOps.