Sorry, not available in this language yet

English
日本語
简体中文

AppSec SaaS Platform | Integrated, cloud-based AST solution optimized for development and DevSecOps teams.
AppSec IDE Plug-ins | Secure code as you write it in your IDE
Software Risk Management | Manage application security programs at enterprise scale
DevSecOps Integrations | Integrate AppSec tools into DevOps workflows

Static Analysis (SAST) | Address security and quality defects in code as it's being developed
Software Composition Analysis (SCA) | Secure and manage open source risks in applications and containers
Interactive Analysis (IAST) | Automate web security testing within your DevOps pipelines
Dynamic Analysis (DAST) | Continuous web application security testing in production.
Penetration Testing | Identify business-critical vulnerabilities with on-demand testing expertise.
Protocol Fuzzing | Identify defects and zero-day vulnerabilities in services and protocols

Program Strategy & Planning | Measure, scale, and optimize your AppSec program
Threat & Risk Assessments | Understand and address internal and external security risks
Security Training | Equip development teams with the skills they need to produce more secure software
Implementation & Deployment | Optimize utilization, management and deployment of AppSec tools
Security Testing Services | On-demand AppSec testing resources and expertise

Open Source & Security Audits | Comprehensive technical due diligence services for M&A

AI-generated code | Harness the power of AI coding assistants while managing the risks
API Security Testing | Manage software risks with a holistic API security testing program.
AppSec Consolidation | Simplify your application security program
Application Security Testing | Solutions to address security risks at all stages of the application life cycle.
DevSecOps | Solutions to help shift security left without slowing down your development teams.
Software Supply Chain Security | Solutions to identify and manage software supply chain risks end-to-end.
Manage AppSec Risk | Scale your application security program without increasing complexity or adding friction.
Cloud & Container Security | Optimize your applications for secure deployment and operation in the cloud
Open Source License Compliance | Effective solutions for ensuring open source license compliance
M&A Due Diligence | Identify software risks that could negatively impact the value of acquired IP.
Quality & Security Standards Compliance | Ensure your software complies with the standards critical to customers and regulators

Dev and DevOps Teams | Build secure software while maintaining developer productivity and pipeline velocity.
Security Teams | Align people, processes, and technology to minimize software risk and transform your business.
Legal Teams | Solutions to protect your IP and manage risk.

Financial Services | Protect sensitive customer and financial data from rapidly evolving security threats.
IoT & Embedded | Ensure your embedded and IoT devices are safe, secure, and reliable.
Automotive | Build software security & reliability into the modern connected car.
Telecommunications | Create seamless and safe mobile experiences, from silicon to software.
Aerospace & Defense | Solutions for automating mission-critical development.
Public Sector | Application security for government agencies and their suppliers.
Medical Device | Safeguard medical devices and applications.

Trend Micro: Delivering Open Source Cybersecurity

The challenge: Moving beyond manual maintenance for better vulnerability management

“Before Black Duck^®, our open source management process was essentially a manually maintained inventory of third-party apps, primarily open source components,” said Fabio Arciniegas, senior cybersecurity architect at Trend Micro. “Each individual Trend Micro product team manually reviewed that list and updated it as needed during their release process. We also utilized an in-house CVE collection process that notified the various product teams of new CVEs based on the inventory.”

“The manual nature of the process impacted developer productivity and undermined the reliability of our third-party vulnerability management, especially considering the increasing number of open source security vulnerabilities discovered each year,” Arciniegas continued. “We wanted to embrace the ‘shifting security testing left’ concept fully with an efficient, automated vulnerability management solution that would provide us with a comprehensive Software Bill of Materials (SBOM) that could be automatically and regularly updated.”

The solution: Synopsys and Black Duck SCA for open source management

Black Duck is a comprehensive software composition analysis solution that helps organizations manage the security, quality, and license compliance risks that come from using open source and third-party code in applications and containers. Black Duck gives organizations like Trend Micro visibility into third-party code, enabling them to control it across the software supply chain and throughout the application life cycle.

“We conducted testing on several vendors’ products noted in analysts’ reports as SCA industry leaders,” Arciniegas said. “We found that Synopsys Black Duck surpassed other vendors in terms of accuracy and support for scanning of various file types. We were impressed by the Black Duck Signature Scanner and its ability to analyze more types of files from different package management ecosystems than other vendors.”

In a typical Black Duck scan, Synopsys Detect scans source code (including archive formats), a Docker image, or a binary artifact. Once the scan is launched, Synopsys Detect utilizes a set of internal tools (Black Duck Signature Scanner, detectors, and inspectors) to discover open source components. These tools also gather metadata about the code, which includes package manager data and code prints. When that process is complete, Detect sends the metadata to Black Duck in the form of a scan file. A Black Duck server communicates with the Black Duck KnowledgeBase™ and uses the scan file to create a Software Bill of Materials that includes all discovered open source and the associated risk. Synopsys Detect maps the scan file to a project and project version in Black Duck, where the SBOM will be displayed.

The results: Effective monitoring of third-party vulnerabilities

“We’ve found Black Duck very easy to install and to use,” said Arciniegas. “It integrates well into our CI/CD process—which includes Jenkins and GitHub Actions—and has useful APIs to create customized queries. For example, we use a Python script to call the Black Duck API and post results to Slack.”

“With Black Duck, monitoring of third-party vulnerabilities is a required Trend Micro policy in order to release a product. Our product teams must perform Black Duck scans regularly and address discovered vulnerabilities in compliance with corporate policy. Our policy requires that all high or critical vulnerabilities with a CVSS score of seven or higher must be fixed.”

Download the PDF

Company overview

A global leader in cloud and enterprise cybersecurity, Trend Micro helps make the world safe for the exchange of digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, its cybersecurity platform protects 500,000+ organizations and 250+ million individuals across clouds, networks, devices, and endpoints.

Trend Micro’s platform delivers central visibility for better, faster issue detection and response. And it provides a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google.

Since 2019, Trend Micro has used Synopsys Black Duck software composition analysis (SCA) to create and maintain a comprehensive and accurate Software Bill of Materials and to aggregate open source vulnerability management across software repositories.