We’ve laid out the challenges of open source vulnerability management, and outlined the necessary elements to help you manage it. But the real key is finding a tool that allows you to achieve this without slowing you down.
We understand the importance of an unimpeded flow of information through the DevOps pipeline. Black Duck® offers Black Duck Security Advisories (BDSAs), which are detailed open source vulnerability records that are sourced, curated, and analyzed by the Synopsys Cybersecurity Research Center (CyRC). BDSAs provide the critical vulnerability information required to manage remediation, delivered directly into the DevOps pipeline.
Black Duck is powered by the most comprehensive KnowledgeBase of open source software, and it contains thousands of Black Duck Security Advisories for known open source vulnerabilities. In addition, the CyRC team is continuously monitoring thousands of security feeds for new vulnerabilities and adding them to the KnowledgeBase, on average two weeks before they appear in the NVD.
To ensure you have a complete Bill of Materials (BoM), Black Duck takes a multifactor approach to open source discovery that finds far more than what has been declared in manifests and package manager metadata. These additional discovery methods help you find undeclared, modified, and even partial (snippet-level) open source in your applications. A complete BoM matters because vulnerability matching is only as good as the inventory behind it: a component that never made it into the BoM is never matched against an advisory, so its known vulnerabilities stay invisible no matter how good the advisory data is.
Finally, the CyRC team researches each vulnerability and attaches this enhanced information to the affected components in your BoM. Critical data such as technical descriptions, exploitability, available solutions, CVSS scores (including the temporal metrics of exploit code maturity, remediation level, and report confidence, which separate a vulnerability's theoretical base severity from its current real-world severity), CWE classification, and reachability (whether the vulnerable code can actually be invoked from your application) are all at your fingertips. With this information you can automate the prioritization of remediation activities and confirm that a viable fix or workaround exists before you start, so you can fix the issue and move on.