We’ve listened to customer needs and pain points: Developers need a way to triage open source vulnerabilities within the application security tools they’re already using. That’s why we’ve established best practices and a secure development workflow integrating Black Duck Binary Analysis and Coverity Connect.
In today’s fast-paced world with rapid technological advancements, few people need any introduction to the dangers of security vulnerabilities lurking in open source and third-party code.
Open source software has come a long way from being a techno-hippie dream in the late ’80s. Today, it exists nearly everywhere and is a pervasive component of all current major technological innovation. We find open source software components in our Linux operating systems, Apache web servers, Android mobile environments, and Hadoop big data frameworks, among others. Consequently, many companies, both enterprises and startups alike, must figure out ways to incorporate more open source modules into their proprietary code—or at the very least, expose capabilities in their software to interact with open source code.
But this transition toward the widespread use of open source code has not been without risks, and we don’t have to look far to understand that. In September 2017, Equifax, a major consumer credit reporting agency and a Fortune 100 firm, was hacked by cyber criminals. Its data was compromised owing to a flaw in the open source software the company used, leading to severe financial repercussions for the company and loss of consumer trust.
In light of such imposing threats, companies are scrambling for approaches to better manage and use their open source and third-party code more securely. Synopsys has been helping companies manage risk and legal compliance with Black Duck Binary Analysis, an advanced automated software composition analysis tool. Black Duck Binary Analysis continually updates its detection of newly disclosed security vulnerabilities and license definitions for open source software. Organizations can also gain substantial efficiency by taking a two-pronged approach:
Coverity is a comprehensive static application security testing (SAST) platform that finds critical defects and security weaknesses in code before they become vulnerabilities or crashes, or degrade the overall quality of your software.
After listening to our customers’ needs and pain points, Synopsys has established a set of best practices and a secure development workflow that integrates Black Duck Binary Analysis and Coverity Connect. Black Duck Binary Analysis identifies the open source security vulnerabilities, and the Coverity Connect interface is used to triage them. This approach makes it possible to customize triaging for specific software group needs, set up charts, track vulnerability trends, and establish a baseline to manage and triage open source security vulnerabilities.
For groups that have already deployed the Coverity platform, the integration can leverage an existing software development life cycle (SDLC) workflow around Coverity, saving time and cost. There’s no need for additional resources to design and set up a new workflow. In addition, team and company supervisors can reduce complexity by using a common interface to monitor all security-related defects requiring developer attention. This ability is especially useful when open source code is spread across many applications and engineering divisions.
The Black Duck Binary Analysis / Coverity Connect integration is implemented with Python scripts. Additionally, it can be deployed as a plug-and-play feature within any operating environment that supports Coverity Analysis. You can configure the integration results via the Coverity Connect interface, and you can also layer on custom features. For example, you can organize results by CVSS rating and score, and customize technical descriptions to comply with a specific industry standard. You can also support more tailored workflows for individual development teams. In summary, the integration offers three key benefits for software organizations from a security standpoint:
A sample customization. The interface links the identified vulnerability to the National Vulnerability Database (NVD) and displays relevant triage information, such as the CVSS score, rating, and so on.
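To make the customization described above concrete, here is an added Python example (not the Synopsys integration scripts, and not using any Black Duck Binary Analysis or Coverity Connect API). It takes a constructed list of open source vulnerability findings in the shape a binary composition scanner might report, collapses duplicate reports, assigns the NVD qualitative rating for each CVSS v3 score, attaches the NVD detail link, and emits a triage document sorted by severity. The finding field names, the CVE identifiers and the JSON import format are all assumptions made for the example.

```python
"""Organize open source vulnerability findings for triage (added example)."""
import json
from typing import Dict, Iterable, List

# NVD qualitative severity bands for CVSS v3.x: a score maps to the first
# band whose lower bound it reaches; 0.0 is rated "None".
CVSS_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"))

# NVD detail page for a CVE identifier.
NVD_URL = "https://nvd.nist.gov/vuln/detail/{cve}"

# Constructed sample findings; the CVE ids are placeholders, not real entries,
# and the field names are an assumption about scanner output.
SAMPLE_FINDINGS = [
    {"component": "libalpha", "version": "1.2.3", "cve": "CVE-0000-0002", "cvss": 5.3},
    {"component": "libalpha", "version": "1.2.3", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"component": "libbeta", "version": "4.0.1", "cve": "CVE-0000-0003", "cvss": 7.5},
    # Duplicate report of the same CVE in the same component (same binary
    # shipped twice); the triage list should carry it only once.
    {"component": "libalpha", "version": "1.2.3", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"component": "libgamma", "version": "0.9", "cve": "CVE-0000-0004", "cvss": 2.1},
]


def cvss_rating(score: float) -> str:
    """Map a CVSS v3 base score to its NVD qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for lower_bound, label in CVSS_BANDS:
        if score >= lower_bound:
            return label
    return "None"


def build_triage_record(finding: Dict) -> Dict:
    """Enrich one finding with its rating, NVD link and a one-line description."""
    cve = finding["cve"]
    score = float(finding["cvss"])
    rating = cvss_rating(score)
    description = (
        f"{cve} in {finding['component']} {finding['version']} "
        f"(CVSS {score:.1f}, {rating})"
    )
    return {
        "component": finding["component"],
        "version": finding["version"],
        "cve": cve,
        "cvss": score,
        "rating": rating,
        "nvd_url": NVD_URL.format(cve=cve),
        "description": description,
    }


def organize_findings(findings: Iterable[Dict]) -> List[Dict]:
    """Deduplicate by (component, version, cve) and sort most severe first."""
    seen = set()
    records: List[Dict] = []
    for finding in findings:
        key = (finding["component"], finding["version"], finding["cve"])
        if key in seen:
            continue
        seen.add(key)
        records.append(build_triage_record(finding))
    # Highest score first; ties broken by CVE id so output is deterministic.
    records.sort(key=lambda r: (-r["cvss"], r["cve"]))
    return records


def count_by_rating(records: List[Dict]) -> Dict[str, int]:
    """Per-rating totals, the kind of figure a trend chart would plot."""
    counts: Dict[str, int] = {}
    for record in records:
        counts[record["rating"]] = counts.get(record["rating"], 0) + 1
    return counts


def to_import_json(records: List[Dict]) -> str:
    """Serialize the triage list; this document layout is an assumption."""
    return json.dumps({"issues": records}, indent=2)


if __name__ == "__main__":
    triage = organize_findings(SAMPLE_FINDINGS)
    print(to_import_json(triage))
    print(count_by_rating(triage))
```

The dedup key deliberately includes the component version: the same CVE in two different versions of a library is two distinct remediation decisions and should stay as two records.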