Securing the software supply chain with Black Duck Supply Chain Edition

Black Duck Supply Chain Edition

Enter Black Duck^® Supply Chain Edition. This new offering provides expanded visibility, security controls, and compliance to your existing supply chain security activities. Here are some of the key capabilities.

Comprehensive open source discovery

With the majority of the software supply chain comprised of open source, failure to properly track and manage it equates to a glaring gap in any risk management strategy. Additionally, any required Software Bill of Materials (SBOM) will mandate that all OSS dependencies be listed.

With Black Duck, you can easily identify all open source components using a combination of dependency, CodePrint™, snippet, binary, and container analysis to surface every single dependency, regardless of language or package manager, so you get the most comprehensive view of OSS available.

Third-party SBOM import and analysis

Most commercial and enterprise software teams use third-party code from an outside vendor. And although security teams can perform their own analysis of these third-party artifacts, it is much easier if the software vendor provides their own SBOM.

With Black Duck, security teams can import external SBOMs, and automatically catalog the open source, commercial, and custom components contained within them. This helps expand software supply chain visibility beyond just open source dependencies, and analyzes all dependencies for risk.

Malware detection

Attackers are getting more devious, injecting malicious packages into open source ecosystems, and even directly into applications, making it possible to compromise build environments. Catching this type of malware requires a specialized form of analysis that we are able to offer with built-in malware analysis, powered by our partnership with ReversingLabs. 

Continuous risk identification and monitoring

Just because something is secure when it enters the SDLC does not mean it will remain secure further down the development pipeline. Black Duck continuously analyzes dependencies in both generated and imported SBOMs, monitoring for open source vulnerabilities, secrets, malware, and malicious packages, giving you the insight you need, quickly.

IP risk and license compliance management

Nearly all third-party software, and especially OSS, includes some form of IP or license obligation. Failing to comply with these obligations can result in costly outcomes, especially for organizations that distribute software.

Black Duck automatically identifies any open source licenses associated with dependencies and offers guidance on any conflicts with how the application is licensed, deployed, or distributed, regardless of how the OSS entered the codebase—including via AI coding assistants.

Support for industry SBOM standards

Most software providers deliver to a wide range of customers across different industries. Each of these customers often have their own SBOM requirements for their vendors.

Black Duck provides out-of-the-box and custom SBOM export templates so that customers can determine the right amount of visibility and align their SBOMs to meet those requirements, on a repeatable basis.