Black Duck provides a comprehensive software composition analysis (SCA) solution for managing security, quality, and license compliance risk that comes from the use of open source and third-party code in applications and containers. Black Duck gives you unmatched visibility into third-party code, enabling you to control it across your software supply chain and throughout the application life cycle.
Are you looking to assess open source risks for M&A? Learn more about our audit services.
Manage open source risks with Black Duck
Black Duck software composition analysis combines versatile open source risk management and deep binary inspection in a best-in-class solution. Black Duck gives development, operations, procurement, and security teams the tools they need to minimize the security, compliance, and code quality risks of open source and other third-party software, while still realizing the benefits that come with it.
Discover
• Identify open source in code, binaries, and containers
• Detect partial and modified components
• Automate scanning with DevOps integrations
Protect
• Map components to known vulnerabilities
• Identify license and component-quality risks
• Monitor for new vulnerabilities in development and production
Manage
• Set and enforce open source use and security policies
• Automate policy enforcement with DevOps integrations
• Prioritize and track remediation activities
Black Duck technology
Not all open source security solutions are created equal. Synopsys solutions are built on a foundation of industry-leading technologies that ensure you get the most complete and accurate view of open source risks in your software.
Multifactor open source detection
- Multifactor discovery, beyond dependency scanning
- Detect undeclared, modified, or even partial open source components
- Thorough open source discovery, with or without access to source code
Enhanced vulnerability data
- Featuring our independently researched Black Duck Security Advisories (BDSAs)
- Rich-vulnerability data, above and beyond and weeks faster than the NVD
- Automatically prioritize remediation efforts based on critical business requirements
End-to-end DevOps integrations
- Manage open source risks at every stage of the application life cycle
- Define open source use policies once, with automatic alerts and enforcement
- Access BDSAs for vulnerabilities as you code, right in the IDE
Comprehensive KnowledgeBase
- Black Duck KnowledgeBase is the definitive source for open source information
- Continuous automated data collection from over 20,000 global sites and forges
- Curated and validated by Black Duck’s team of experts
Manage open source during development
We selected Black Duck for three reasons: for reputation, ease of use, and confidence in results."
Lawrence Croft
|VP Product Development at Copperleaf
With Black Duck software composition analysis, you can identify and track open source components within your applications’ source code and monitor for new and existing vulnerabilities that put them at risk.
Use multifactor open source detection to inventory open source in use.
Identify declared components, unique hash signatures, and dependencies resolved during a build. Track all third-party components, licenses, and versions contained in your applications.
Map your bill of materials (BOM).
Map your BOM onto the largest KnowledgeBase™ of open source project, vulnerability, and license data. Make informed decisions with relevant risk metrics and actionable remediation guidance.
Manage risk as you code.
With the Code Sight IDE plugin, developers have the information necessary to find and fix issues as they code. Access detailed vulnerability descriptions, remediation guidance, license information, and potential policy violations so you can fix the problem without interrupting your work or leaving the IDE.
Get deeper vulnerability insight.
Access detailed, proprietary security risk insight from the Cybersecurity Research Center (CyRC). Receive notifications of new vulnerabilities up to three weeks before they are published in the NVD, reducing your window of exposure.
Uphold security as threats evolve.
Automatically receive alerts for newly discovered vulnerabilities in the components and dependencies in your BOM.
Manage open source during procurement
An innovative binary scanner to address 3rd party software vulnerabilities."
Software Engineer
|Communications Industry
With Black Duck Binary Analysis, you can analyze systems and software to identify weak links in your software supply chain quickly and easily—all without source code.
Scan virtually any software or firmware in minutes.
This includes desktop and mobile applications, embedded system firmware, virtual appliances, and more.
Analyze without source code.
Simply upload the software you want to assess, and Black Duck performs a thorough binary analysis in minutes.
Obtain a comprehensive bill of materials (BoM).
Identify and catalog all third-party software components and licenses.
Make informed decisions about software consumption.
Reduce security risks and the threat of license noncompliance. Identify known open source vulnerabilities, licensing obligations, sources of sensitive data leakage, and application permission requirements.
Uphold security as threats evolve.
Automatically receive alerts for newly discovered vulnerabilities in previously scanned software.
Manage software risk during mergers and acquisitions
With Black Duck Audits, you get a complete picture of the license, quality, and security risks in the codebase being acquired.
Inventory and analyze open source and plan for remediation.
Obtain a comprehensive bill of materials (BOM) of open source components, their license obligations, and associated security vulnerabilities in the code. Get recommendations for remediating to build into your diligence plan.
Assess application security flaws.
Perform testing of the application from the outside in, and from within the app, to uncover potentially exploitable issues. Understand the risk of potential security breaches, and build a plan for remediation before data, IP, or financial loss occurs.
Identify high-level design and code quality issues.
Pair quantitative and qualitative analysis to understand code design and process quality. Design and process flaws can add time and money to integration efforts.
Frequently Asked Questions
- How is software composition analysis different from other application security tools?
- Open source security is often overlooked, given the misconception that vulnerabilities in proprietary code and open source code can be detected and remediated in similar ways. The reality is that SAST, DAST, and other application security testing tools cannot effectively detect open source vulnerabilities. Enter SCA.
The key differentiator between software composition analysis (SCA) and other application security tools is what these tools analyze, and in what state. SCA analyzes third-party open source code for vulnerabilities, licenses, and operational factors, while SAST analyzes weaknesses in proprietary code, and DAST tests running applications for vulnerable behavior.
- Open source security is often overlooked, given the misconception that vulnerabilities in proprietary code and open source code can be detected and remediated in similar ways. The reality is that SAST, DAST, and other application security testing tools cannot effectively detect open source vulnerabilities. Enter SCA.
- Do you need both SAST and software composition analysis?
- A comprehensive software security program contains both SAST and SCA. Organizations that adopt such an approach see improvements throughout the SDLC, including these: improved quality through early identification of issues, visibility across proprietary and open source code, lower remediation costs by detecting and fixing vulnerabilities early in the development process, minimized risk of security breaches, and optimized security testing that is both effective and compatible with agile development.
- What integrations does your software composition analysis tool support?
- Black Duck offers easy-to-use open source integrations for the most popular development tools and REST APIs, allowing you to build your own integrations for virtually any commercial or custom development environment. Black Duck offers a wide range of integrations across the SDLC, including IDEs, package managers, CI/CD, issue trackers, and production capabilities.
- Black Duck Supported Integrations
- Where does Black Duck’s vulnerability information come from?
- Most solutions rely solely on data from the National Vulnerability Database (NVD). This limitation presents a problem, as many vulnerabilities are never documented in the NVD, and others are not listed until weeks after they become public. Black Duck Security Advisories (BDSAs) go beyond the NVD, with enhanced data that is researched and analyzed by the Synopsys Cybersecurity Research Center (CyRC) to ensure completeness and accuracy, providing early warning and complete insight.
- Black Duck vulnerability reporting
- Why should I care about scanning for more than declared dependencies?
- Most solutions use package manager declarations to identify open source components. But failing to scan for more than declared dependencies guarantees that you’ll miss some open source. And if you don’t know it’s there, you can’t possibly ensure it’s secure and compliant.
Package manager scanning will overlook open source that developers don’t declare in package manifests, languages like C and C++ or open source built into containers where no package manager is used, open source that has been modified, or partial snippets of code that still carry license obligations. By combining file system scanning and snippet scanning with build process monitoring, Black Duck provides visibility into open source components not tracked by a package manager, partial open source, and open source that was potentially modified or not declared, as well as component and version verification for dynamic and transitive dependencies.
- Most solutions use package manager declarations to identify open source components. But failing to scan for more than declared dependencies guarantees that you’ll miss some open source. And if you don’t know it’s there, you can’t possibly ensure it’s secure and compliant.
- What should I look for in a software composition analysis solution?
- The short answer is an extensive and powerful solution that provides end-to-end control of open source risks. A solution like Black Duck provides a comprehensive approach to open source management throughout the entire SDLC.
More specifically, the following capabilities should be considered when selecting an SCA solution:
- Comprehensive scanning, beyond what is declared
- Persistent bill of materials
- Policy, workflow, SDLC integrations
- Robust vulnerability database, beyond the NVD
- License compliance functionality
- Monitoring and alerting
- The short answer is an extensive and powerful solution that provides end-to-end control of open source risks. A solution like Black Duck provides a comprehensive approach to open source management throughout the entire SDLC.
- What languages and platforms does your software composition analysis tool support?
- Black Duck supports the most common package managers. Black Duck’s snippet scanning covers the top and most frequently used languages. The expert KnowledgeBase™ team is constantly monitoring for and adding new languages, ensuring that all common languages are supported.
Additionally, Black Duck’s proprietary signature scanning approach is language agnostic. This scanning approach searches for signatures based on file and directory layouts along with other metadata that is independent of language. - Contact us for the most current list of supported languages and platforms.
- Black Duck supports the most common package managers. Black Duck’s snippet scanning covers the top and most frequently used languages. The expert KnowledgeBase™ team is constantly monitoring for and adding new languages, ensuring that all common languages are supported.
- Does SCA support binary code in addition to source code?
- Yes. Some solutions can scan binaries for package manager information or binaries pulled directly from a repository without any modification. Black Duck’s sophisticated binary scanning solution can crack binaries open to detect modified binaries and provide legacy language and broad artifact support.
- Black Duck Binary Analysis
- How comprehensive is Black Duck’s licensing data in the KnowledgeBase™ ?
- Black Duck’s open source KnowledgeBase™ is the industry’s most comprehensive database of open source project, license, and security information, sourced and curated by the Synopsys Cybersecurity Research Center (CyRC). The KnowledgeBase contains more than 2,650 unique open source licenses (GPL, LGPL, Apache, etc.), with full license text for the most popular open source licenses and dozens of encoded attributes and obligations for each license. Black Duck also includes deep copyright data and the ability to pull out embedded open source licenses for complete open source compliance.
- Does your SCA tool scan containers?
- Yes. Black Duck allows teams who package and deliver applications using Docker (and other) containers to confirm and attest that any open source in their containers meets use and security policies, is free of vulnerabilities, and fulfills license obligations. Open source management includes ongoing monitoring for new vulnerabilities affecting existing applications and containers.
Take control of open source, eliminate risks, and accelerate remediation
Black Duck empowers your application development, deployment, and procurement initiatives with a comprehensive toolkit to identify and remediate open source security, license, and operational risks. Use insightful vulnerability remediation and risk mitigation guidance, complete open source license compliance data, Black Duck exclusive security advisories, and impactful policy controls to eliminate risks proactively.
