If your organization manages payments, handles sensitive customer or patient data, or operates in a regulated market, you may need to demonstrate compliance with specific standards to maintain customer trust and avoid legal or regulatory penalties.
Build compliance into your SDLC
Black Duck® tools and services can integrate software testing into development workflows, focus analyses and remediation on compliance objectives, and report against the software standards that are most important to your business.
Solutions to help meet your compliance needs
Software is a key differentiator for many organizations. But before shipping it to customers, you need to ensure that it meets the coding standards that are important for your business. Black Duck tools, services, and eLearning can help enable compliance with many standards related to software quality, security, safety, and privacy.
Aerospace and defense
DISA-STIG
Coverity® Static Analysis identifies potential security vulnerabilities and defects in application code, enabling organizations with DISA-STIG requirements to track, prioritize, and resolve issues in accordance with these guidelines. Code scans can uncover a wide range of defects that impact DISA-STIG compliance, including race conditions, error handling, and overflows.
- DISA-STIG Resources
DO-330 / DO-178C
Coverity integrates into the development life cycle for software used in airborne systems to identify code defects that could prevent compliance with DO-330 requirements. It provides detailed remediation guidance to help resolve issues that could impact the safety, reliability, and effectiveness of those systems. And the Coverity Qualification Kit ensures that Coverity is configured and operating properly in the end-user build environment as required by DO-178C standards.
- DO-330 / DO-178C Resources
Automotive
AUTOSAR
Coverity supports AUTOSAR requirements by identifying code quality and security defects and mapping them to the rules of this standard. Code scans can be automated to run on pull requests to uncover issues early in the SDLC, when they’re easiest to resolve. Native reports make it easy to enforce AUTOSAR coding standards, prioritize issues, and provide evidence of compliance.
- AUTOSAR Resources
MISRA
Coverity static analysis supports MISRA coding standards and can identify relevant defects, assign scores based on predefined policies, and prioritize issues for remediation. Code scans can be triggered on pull requests to uncover issues early in the SDLC, when they’re easiest to resolve. Native reporting provides evidence of compliance to the MISRA coding standards.
ISO 26262
Black Duck helps organizations achieve ISO 26262 compliance for developing and testing safety-critical software by providing static analysis for proprietary code, software composition analysis to identify weaknesses in third-party and open source components, and fuzz testing to uncover defects and zero-day vulnerabilities in services and protocols. And the Coverity Qualification Kit ensures that Coverity is configured and operating properly in the end-user build environment as required by ISO 26262 standards.
- ISO 26262 Resources
ISO / SAE 21434
Black Duck helps organizations meet ISO 21434 requirements for secure software development by providing automated static code analysis, vulnerability scanning of open source components, fuzz testing, and penetration testing into the software development life cycle for road vehicle systems. Issue reporting can be tailored specific to ISO 21434 requirements to track and manage compliance with these standards.
- ISO / SAE 21434 Resources
Hyundai Coding Standards
Coverity provides code quality and security checkers to find defects that violate the Hyundai Coding Standards for C, C++, and Java. Native reporting helps security teams prioritize results by displaying details of all outstanding violations along with a description of each rule and its severity level, priority, and the number of times that rule has been violated.
- Hyundai Coding Standards Resources
Financial services
PCI DSS
Companies with PCI DSS requirements can benefit from Coverity static analysis as well as Seeker® IAST capabilities. Both solutions provide a sophisticated sensitive-data leak checker to help ensure cardholder and PII data are handled properly. Additionally, Coverity identifies more than 25 types of sensitive data along with flexible reporting to provide evidence of PCI DSS compliance.
Medical devices
FDA Section 524B
The Black Duck security services team helps organizations plan and implement the tools needed to reach compliance with FDA guidance and standards, including strategic planning, threat risk assessments, and architecture reviews. Additionally, Coverity static analysis and Black Duck® software composition analysis (SCA) make it easy to track and manage security, quality, and license risks in accordance with FDA requirements. Defensics® Fuzzing proactively detects security issues related to protocols used with medical devices during the development and testing phases of software creation.
- FDA Section 524B Resources
Public sector
FedRAMP
The Black Duck AppSec portfolio and services teams help federal agencies and government contractors address all AppSec-related FedRAMP controls and requirements. From awareness training to planning and security risk assessments, our services teams provide a cohesive approach to build integrity into your software development process. Static code analysis, continuous monitoring of open source software, and penetration testing are key aspects of the Black Duck portfolio that help track, manage, and demonstrate evidence of compliance with FedRAMP requirements.
NIST SP 800-161
Black Duck SCA provides the foundation of a secure software supply chain. Federal agencies can generate SPDX and CycloneDX Software Bills of Materials (SBOMs) to satisfy regulatory and customer requirements. SBOMs from your suppliers can be seamlessly integrated to get a comprehensive view of your supply chain components and risks.
NIST SP800-218
The Black Duck portfolio of tools and services helps organizations adhere to the recommendations included in the NIST Secure Software Development Framework (SSDF), especially those included in the “Produce Well-Secured Software (PW)” group. The Black Duck AppSec services team provides training, threat modeling, and architecture assessments to help determine risks to your software and design a solution that best mitigates those risks. Black Duck Static Analysis and SCA solutions provide automated testing of both proprietary and open source software code to identify vulnerabilities and their root causes early in the SDLC, along with detailed remediation guidance to remove issues and help prevent similar defects from being produced in the future.
- NIST SP800-218 Resources
Let us help you navigate the complex compliance landscape
Black Duck can help you verify and maintain compliance before, during, and after development.
Many Black Duck employees serve or have served as subject matter experts for committees, boards, working groups, programs, and projects related to software quality and security standards, policies, and regulatory guidelines, as well as open source community initiatives.