Extending a Secure SDLC to Remediate Open Source Security Issues

The challenge: If a vulnerability can’t be found, it can’t be patched

Like many organizations in the business of building software, JDA’s portfolio of 100+ applications contains a mix of custom-built codebases and commercial and open source components. Analysts such as Forrester and Gartner note that over 90% of IT organizations use open source software for mission-critical workloads and that open source components often make up as much as 90% of some applications.

While the number of vulnerabilities in open source is small compared to proprietary software, over 7,000 open source vulnerabilities were discovered in 2018 alone. Over 50,000 have emerged over the past two decades. Of the codebases reviewed by the Synopsys Black Duck Audit Services team in 2018, 60% contained at least one open source vulnerability. Over 40% contained high-risk vulnerabilities, and 68% contained components with license conflicts.

From a license compliance perspective, whether an open source license is one of the most popular licenses or a one-off variant, unless an organization is aware of the rights, obligations, and restrictions attached to a specific open source component, it can’t be sure whether it complies with those obligations. Noncompliant organizations could theoretically lose rights to their proprietary code or call into question the ownership of their IP.

From a security standpoint, all software, be it proprietary or open source, has weaknesses that may become security vulnerabilities. Only a handful of open source vulnerabilities—such as those infamously affecting Apache Struts or OpenSSL—are ever likely to be widely exploited. But when such an exploit occurs, the need for open source security management becomes front-page news—as it did with the Equifax data security breach of 2017.

A report by the U.S. Senate Permanent Subcommittee on Investigations noted that Equifax’s lack of a complete software inventory was a major contributing factor to its massive security breach. “Equifax lacked a comprehensive IT asset inventory—meaning it lacked a complete understanding of the assets it owned,” the report states. “This made it difficult, if not impossible, for Equifax to know if vulnerabilities existed on its networks. If a vulnerability cannot be found, it cannot be patched.”


Many companies don’t formally manage their developers’ use of open source, and few can produce an accurate, up-to-date inventory (also known as a bill of materials, or BOM) of open source components, licenses, versions, and patch status. As a result, these organizations expose themselves and their customers to risk. “Our open source management prior to Black Duck was done primarily through spreadsheets, developer honesty, and with our providing basic guidance on using permissive rather than viral licenses,” says John Vrankovich, Principal Architect at JDA Software.

“We have over a hundred products, with each of those products themselves having hundreds to thousands of different open source components. A decade ago, we had little concept of identifying and understanding open source security vulnerabilities in our BOM. The move to Black Duck was to address our not knowing about open source security issues. We recognized that we needed a solution to ensure we were tracking and managing open source and commercial components as part of our overall software security initiative.”

The solution: Black Duck software composition analysis

JDA first implemented Black Duck Code Center in 2015. Code Center provides JDA with software component selection, approval, and tracking of open source and other third-party software components. The goal was to automate JDA’s Technical Review Committee’s (TRC) review process from architectural through security and commercial review to final executive review across all JDA products and release gateways.

JDA added Black Duck software composition analysis (formerly known as Black Duck Hub) in 2017. Synopsys’ Black Duck SCA is a comprehensive solution for managing the security, license compliance, and code quality risks that come from the use of open source in applications and containers. It enables organizations to control open source usage across the software supply chain and throughout the application life cycle. Black Duck enables JDA to set and enforce open source use and security policies, automate policy enforcement through DevOps integrations, and prioritize and track remediation activities.

“All of our core products are using Code Center,” says Meghan Caudill, project manager for third-party product compliance at JDA. “About three years ago, we began to use Black Duck SCA when building the CI/CD process for our JDA Luminate product line, a line of newly developed, SaaS-native products. Our goal is full migration to Black Duck SCA by the beginning of 2020.”


JDA Software Group, Inc | Synopsys

Company Overview

With over $1 billion in annual revenue, JDA Software has been the world’s leading supply chain provider for the past 30 years. JDA enables companies to improve their ability to plan, execute, and deliver by better predicting and shaping demand, fulfilling more intelligently and quickly, and improving customer experiences and loyalty. More than 4,000 global customers use JDA’s unmatched end-to-end solutions portfolio to shorten their supply chains, increase speed of execution, and profitably deliver to their customers.