Extending a Secure SDLC to Remediate Open Source Security Issues
The challenge: If a vulnerability can’t be found, it can’t be patched
As with many organizations in the business of building software, Blue Yonder’s portfolio of 100+ applications contains a mix of custom-built codebases and commercial and open source components. Analysts such as Forrester and Gartner note that over 90% of IT organizations use open source software for mission-critical workloads and that open source components often compose up to 90% of some applications.
While the number of vulnerabilities in open source is small compared to proprietary software, over 7,000 open source vulnerabilities were discovered in 2018 alone. Over 50,000 have emerged over the past two decades. Of the codebases reviewed by the Synopsys Black Duck Audit Services team in 2018, 60% contained at least one open source vulnerability. Over 40% contained high-risk vulnerabilities, and 68% contained components with license conflicts.
From a license compliance perspective, whether an open source license is one of the most popular licenses or a one-off variant, unless an organization is aware of the rights, obligations, and restrictions of using a specific open source component, they can’t be sure whether they comply with those obligations. Noncompliant organizations could theoretically lose rights to their proprietary code or call into question the ownership of their IP.
From a security standpoint, all software, be it proprietary or open source, has weaknesses that may become security vulnerabilities. Only a handful of open source vulnerabilities—such as those infamously affecting Apache Struts or OpenSSL—are ever likely to be widely exploited. But when such an exploit occurs, the need for open source security management becomes front-page news—as it did with the Equifax data security breach of 2017.
A report by the U.S. Senate Permanent Subcommittee on Investigations noted that Equifax’s lack of a complete software inventory was a major contributing factor to its massive security breach. “Equifax lacked a comprehensive IT asset inventory—meaning it lacked a complete understanding of the assets it owned,” the report states. “This made it difficult, if not impossible, for Equifax to know if vulnerabilities existed on its networks. If a vulnerability cannot be found, it cannot be patched.”
We needed a solution to ensure we were tracking and managing open source and commercial components as part of our overall software security initiative."
John Vrankovich
|Blue Yonder
Many companies don’t formally manage their developers’ use of open source, and few can produce an accurate, up-to-date inventory (also known as a bill of materials, or BOM) of open source components, licenses, versions, and patch status. In consequence, these organizations open themselves and their customers to risk. “Our open source management prior to Black Duck was done primarily through spreadsheets, developer honesty, and with our providing basic guidance on using permissive rather than viral licenses,” says John Vrankovich, Principal Architect at Blue Yonder.
“We have over a hundred products, with each of those products themselves having hundreds to thousands of different open source components. A decade ago, we had little concept of identifying and understanding open source security vulnerabilities in our BOM. The move to Black Duck was to address our not knowing about open source security issues. We recognized that we needed a solution to ensure we were tracking and managing open source and commercial components as part of our overall software security initiative.”
The solution: Black Duck software composition analysis
Blue Yonder first implemented Black Duck Code Center in 2015. Code Center provides Blue Yonder with software component selection, approval, and tracking of open source and other third-party software components. The goal was to automate Blue Yonder’s Technical Review Committee’s (TRC) review process from architectural through security and commercial review to final executive review across all Blue Yonder products and release gateways.
Blue Yonder added Black Duck software composition analysis (formerly known as Black Duck Hub) in 2017. Synopsys’ Black Duck SCA is a comprehensive solution for managing security, license compliance, and code quality risks that come from the use of open source in applications and containers, enabling organizations to control open source usage across the software supply chain and throughout the application life cycle. Black Duck enables Blue Yonder to set and enforce open source use and security policies, automate policy enforcement with DevOps integrations, and prioritize and track remediation activities.
“All of our core products are using Code Center,” says Meghan Caudill, project manager for third-party product compliance at Blue Yonder. “About three years ago, we began to use Black Duck SCA when building the CI/CD process for our Blue Yonder Luminate product line, newly developed, SaaS-native products. Our goal is full migration to Black Duck SCA by the beginning of 2020.”
Company Overview
With over $1 billion in annual revenue, Blue Yonder has been the world’s leading supply chain provider for the past 30 years. Blue Yonder enables companies to improve their ability to plan, execute, and deliver by better predicting and shaping demand, fulfilling more intelligently and quickly, and improving customer experiences and loyalty. More than 4,000 global customers use Blue Yonder’s unmatched end-to-end solutions portfolio to shorten their supply chains, increase speed of execution, and profitably deliver to their customers.
Related content
Six Considerations for Securing Your Software Supply Chain
Download the supply chain security solution guide
Forrester Wave: Software Composition Analysis
See why Synopsys is a software composition analysis Leader
