SCA helps companies manage the growing volume of open source vulnerabilities, both those publicly disclosed and those not yet catalogued in public sources. Black Duck® SCA offers customizable policy settings, so you can create prioritized and fine-grained policies to streamline security activities. Drawing on Black Duck's proprietary security research team, Black Duck Security Advisories (BDSAs) provide security research above and beyond what public sources provide. Each BDSA contains actionable remediation guidance, deep technical information, CVSS scoring (including temporal metrics), and, where available, vulnerability impact analysis to help determine whether the vulnerable code is actually called by the application. Pairing this with policy management enables teams to prioritize vulnerabilities for remediation based on multiple key attributes rather than on base CVSS score alone.
Open source components come with license requirements and obligations that development teams often overlook. Failure to identify and comply with these obligations can expose your organization to legal risk. Black Duck SCA tracks over 2,700 open source licenses, helping you avoid license violations and comply with license terms that could otherwise result in costly litigation or compromise your intellectual property. Black Duck's multifactor scanning approach works in conjunction with its license database to go beyond what package managers declare and pick up partial, modified, and undeclared open source, providing a complete picture of license risk.
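To make the two preceding points concrete, here is a small policy engine over a constructed software bill of materials. It is an added illustration, not Black Duck code, and it does not use BDSA data: the component names, vulnerability identifiers, CVSS values, the denied-license set and the priority thresholds are all assumptions. It shows the two ideas above in code: vulnerability priority is driven by the temporal score and the impact (reachability) analysis rather than the base CVSS score alone, and license findings come from what scanning detected in the files, not only from what the package manager declared.

```python
# Added illustrative policy engine over a constructed SBOM. This is NOT Black Duck code and
# does not reproduce BDSA data; component names, vulnerability IDs, CVSS values, the denied
# license set and the priority thresholds are assumptions made for the example.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Vuln:
    vuln_id: str
    cvss_base: float
    cvss_temporal: Optional[float]   # base adjusted for exploit maturity / remediation level
    reachable: Optional[bool]        # impact analysis: is the vulnerable code called? None = unknown
    fix_version: Optional[str]


@dataclass
class Component:
    name: str
    version: str
    declared_license: Optional[str]   # what the package manager metadata says
    detected_licenses: list[str]      # what scanning the component's files actually found
    vulns: list[Vuln] = field(default_factory=list)


# Assumed policy settings: licenses this organization will not ship in a distributed product.
DENIED_LICENSES = {"AGPL-3.0-only", "GPL-3.0-only"}
PRIORITY_ORDER = ["P1-fix-now", "P2-fix-this-sprint", "P3-schedule", "P4-defer"]


def effective_score(v: Vuln) -> float:
    """Prefer the temporal score when present: it already discounts for remediation level."""
    return v.cvss_temporal if v.cvss_temporal is not None else v.cvss_base


def vuln_priority(v: Vuln) -> str:
    """Map severity plus reachability evidence to a remediation bucket."""
    if v.reachable is False:           # vulnerable code is never called: defer regardless of CVSS
        return "P4-defer"
    score = effective_score(v)
    if v.reachable and score >= 7.0:   # confirmed reachable and high severity
        return "P1-fix-now"
    if score >= 7.0:                   # high severity, reachability unknown
        return "P2-fix-this-sprint"
    if score >= 4.0:
        return "P3-schedule"
    return "P4-defer"


def prioritize(bom: list[Component]) -> list[dict]:
    """Flatten every vulnerability in the BOM into a list sorted by priority, then score."""
    findings = []
    for c in bom:
        for v in c.vulns:
            findings.append({"component": f"{c.name}@{c.version}", "vuln": v.vuln_id,
                             "priority": vuln_priority(v), "score": effective_score(v),
                             "fix": v.fix_version or "no fix available"})
    findings.sort(key=lambda f: (PRIORITY_ORDER.index(f["priority"]), -f["score"]))
    return findings


def license_report(bom: list[Component]) -> list[tuple[str, str]]:
    """Flag undeclared, mismatched and policy-denied licenses using scan results."""
    report = []
    for c in bom:
        detected = set(c.detected_licenses)
        if c.declared_license is None and not detected:
            report.append((c.name, "no license information"))
        if c.declared_license and detected and c.declared_license not in detected:
            report.append((c.name, f"declared {c.declared_license} but scan found {sorted(detected)}"))
        # Check both declared and detected licenses: an embedded GPL file inside an
        # MIT-declared package is exactly the undeclared case scanning is meant to catch.
        for lic in sorted(detected | ({c.declared_license} if c.declared_license else set())):
            if lic in DENIED_LICENSES:
                report.append((c.name, f"denied license {lic}"))
    return report


# Constructed sample BOM (hypothetical components and vulnerability IDs).
SAMPLE_BOM = [
    Component("parser-lib", "1.2.0", "Apache-2.0", ["Apache-2.0"], [
        Vuln("V-0001", 9.8, 9.3, True, "1.2.5"),    # reachable, critical: fix now
        Vuln("V-0002", 7.5, 6.5, False, "1.2.5"),   # high base score but code never called
    ]),
    Component("net-utils", "0.9.1", "MIT", ["MIT", "GPL-3.0-only"], [
        Vuln("V-0003", 8.1, 7.3, None, None),       # no impact analysis available
    ]),
    Component("vendor-blob", "3.0", None, [], [
        Vuln("V-0004", 5.3, None, None, "3.1"),     # no temporal data, falls back to base
    ]),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_BOM):
        print(f)
    for entry in license_report(SAMPLE_BOM):
        print(entry)
```

Note that V-0002 carries a higher base score than V-0004 yet lands at the bottom of the list: the impact analysis says the vulnerable code is not called, so the policy defers it. That reordering is the point of combining CVSS with reachability evidence rather than sorting on base score alone.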
Software supply chain risks
Black Duck Binary Analysis (BDBA) can generate a complete open source software Bill of Materials (BOM) that tracks third-party and open source components and identifies known security vulnerabilities without requiring access to source code. BDBA can scan a wide range of artifacts, including desktop and mobile applications and embedded system firmware. This gives procurement, operations, and development teams visibility into the composition of commercial applications, vendor-supplied binaries, and other third-party software.
Because BDBA identifies open source components in binary files, teams get insight not only into their own software development but also into what has increasingly become a complex software supply chain. BDBA adds a layer of open source discovery that covers the code you receive as binaries and cannot inspect any other way.
There is no guarantee that the community behind any given open source project will continue maintaining the code for as long as your application depends on it. All software ages, and as it does it can lose support. Declining support can mean that updates, including feature improvements, security fixes, and stability fixes, stop arriving.
Black Duck SCA surfaces version currency and project activity information so teams can understand their open source and update it in line with the latest versions and the healthiest communities. It also provides policies to manage the risks that legacy open source can create.