Any tradesperson, specialist, expert, aficionado, or technologist will tell you that the key to a quality outcome is a set of tools specific to the project and oriented to the goal. The realm of software security and secure DevOps is no exception to this truth, and in Black Duck’s version 4.5 release, we further hone the functions and controls used by development and security teams around the globe to establish the most effective tool for the job: to build secure, high-quality software faster.
Let’s start by introducing one of the most-requested enhancements to Black Duck: the ability to find open source code snippets in applications. Snippets are fragments of open source code that compose a larger open source component and that may carry with them license requirements present in their source component.
Now, in Black Duck 4.5, organizations can be assured that they are tracking more open source in their applications than ever before. Users can choose to run an optional snippet scan for nonmatched files following a component scan, identifying components with the highest match prevalence to the detected snippets. Black Duck 4.5’s snippet matching supports nearly 150 file extensions and 75 languages and optimizes performance with delta scanning.
Modern development and release processes often require the persistent involvement of an array of contributors, each serving a distinct role and requiring access to relevant project information. In enterprise organizations, concerns often arise surrounding unnecessary or unrestricted access to projects or overprovisioning of activity rights.
Black Duck 4.5 updates and expands the relevance and granularity of role provisioning. With five global roles and six project-level roles, enterprises can better control access and capabilities without impeding productivity. This means streamlining execution, enforcing organizational policies for data proliferation and accessibility, and discouraging unapproved workarounds, which may otherwise result. We are excited to empower enterprises with project roles best suited for their organization structure and workflows, including those for project, bill of materials (BoM), and security managers, and customizations to restrict or enable code scanning rights and policy violation review.
Some open source licenses can be simple, and others can be complex; this much is obvious. I would venture to say that there are few experts on all the 2,500+ open source licenses that we are tracking in the Black Duck KnowledgeBase™. To give organizations better ways to control open source license use and avoid license noncompliance, Black Duck 4.5 continues to augment our license management capabilities with license whitelist and blacklist capabilities and an improved license review status model.
Now, users looking to annotate licenses as part of their review workflow can add detailed notes and guidance to developers for remediation. Black Duck 4.5 introduces new review statuses for licenses to help compliance users structure and track license approvals, and it bolsters this new capability with policy rules that can be structured as a condition of License Status, as well as expiration dates, which can be applied for temporary approval or to indicate the need for recurring review.
To help development teams address application security risks more readily, Black Duck 4.5 adds the ability to query the Black Duck KnowledgeBase for vulnerability remediation guidance via a new REST API. And we are improving performance and scalability by providing additional resources for authentication, alleviating a potential bottleneck during scanning or when using API-based utilities.
Without a doubt, the enhancements and new capabilities Black Duck 4.5 provides to enterprises and organizations worldwide are poised to support modern security and compliance initiatives, without burdening the teams tasked with achieving them.