Black Duck’s mission: to find unsecured open source code in the enterprise


The open source community is trying to be more proactive about securing its software and protocols, but how can a company determine whether the open source code in its own codebase carries a known flaw?

Black Duck Software attempts to answer this question with Black Duck Hub, a system that lets enterprise developers and code auditors continuously audit their use of third-party open source code for known vulnerabilities.

Black Duck Hub analyzes an existing code base to create a bill of materials (BOM) that identifies all third-party open source code in use. The BOM not only identifies each component and the license obligations that come with it; Black Duck also uses it to check each component against its own knowledge base of known vulnerabilities.

“For each of the components that we analyzed, we map the metadata around the licenses attached to the software, as well as whether or not there are any security vulnerabilities in that particular version of that component,” said Bill Ledingham, CTO and Executive Vice President of Engineering at Black Duck.

“One of the main goals of the product is to allow businesses to easily scan their code by integrating this product with other tools in their infrastructure,” Ledingham said, citing Jenkins as one of those tools. Scans can be triggered whenever new code is committed and built for a given code base.

Black Duck assesses a given open source component on several factors, Ledingham said. In addition to correlating the component against existing databases of known software vulnerabilities, the company evaluates other factors that could mitigate or exacerbate a given vulnerability: for example, whether the application using the code is exposed to the public internet, how quickly previous problems with the same code were fixed, and so on. This way, says Ledingham, a company can better prioritize its triage and remediation efforts.
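To make the BOM-and-knowledge-base idea from the two preceding paragraphs concrete, here is a miniature software-composition check. It is an added example, not code or data from the article or from Black Duck: it builds a BOM from a constructed lock file, matches each component against a constructed list of advisories with version ranges, flags a license-policy conflict, and ranks findings with one of the factors the article mentions (whether the application is internet-facing). The package names, versions, licenses, `EXAMPLE-` advisory IDs and the 1.5x exposure weighting are all assumptions made for the illustration.

```python
"""Software-composition check in miniature: build a bill of materials (BOM) from a
dependency lock file, match each component against a knowledge base of known
vulnerabilities, flag license-policy conflicts, and rank findings by exposure.

Added illustration only; this is not Black Duck's code or data.  Every package
name, version, license and advisory below is constructed for the example.
"""
import re

# Constructed pip-style lock file standing in for the scanned code base.
LOCK_FILE = """\
# pinned by the build
webframe==2.5.3
tmplengine==2.7.3
httpclient==1.9
logutil==0.4.1
"""

# Constructed license metadata that a real knowledge base would supply per component.
LICENSES = {
    "webframe": "Apache-2.0",
    "tmplengine": "BSD-3-Clause",
    "httpclient": "MIT",
    "logutil": "GPL-3.0",
}

# Constructed advisories: a version is affected if vulnerable_from <= v < fixed_in.
# 'remote' marks flaws reachable over the network (vs. only through local input).
KNOWLEDGE_BASE = [
    {"id": "EXAMPLE-0001", "pkg": "webframe", "vulnerable_from": "2.0.0",
     "fixed_in": "2.6.0", "cvss": 7.5, "remote": True},
    {"id": "EXAMPLE-0002", "pkg": "tmplengine", "vulnerable_from": "2.0.0",
     "fixed_in": "2.7.3", "cvss": 9.8, "remote": True},
    {"id": "EXAMPLE-0003", "pkg": "httpclient", "vulnerable_from": "1.0",
     "fixed_in": "1.10", "cvss": 8.0, "remote": False},
]


def parse_version(text):
    """'1.9' -> (1, 9, 0).  Numeric tuples compare correctly where strings do not
    ('1.9' < '1.10' as versions, but '1.9' > '1.10' as strings)."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_lock(text):
    """Return (name, pinned_version) pairs, ignoring comments and blank lines."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        deps.append((name.strip().lower(), version.strip()))
    return deps


def build_bom(lock_text, licenses):
    """The BOM: every third-party component in use, its version and its license."""
    return [{"name": n, "version": v, "license": licenses.get(n, "UNKNOWN")}
            for n, v in parse_lock(lock_text)]


def is_affected(version, advisory):
    """Half-open range check: the first fixed version itself is not affected."""
    v = parse_version(version)
    return (parse_version(advisory["vulnerable_from"]) <= v
            < parse_version(advisory["fixed_in"]))


def find_vulnerabilities(bom, knowledge_base):
    """Cross-reference each BOM entry against the advisories for that package."""
    findings = []
    for comp in bom:
        for adv in knowledge_base:
            if adv["pkg"] == comp["name"] and is_affected(comp["version"], adv):
                findings.append({**comp, "advisory": adv["id"], "cvss": adv["cvss"],
                                 "remote": adv["remote"], "fixed_in": adv["fixed_in"]})
    return findings


def license_conflicts(bom, denied_licenses):
    """Components whose license the organisation's policy does not allow."""
    return [c["name"] for c in bom if c["license"] in denied_licenses]


def prioritize(findings, internet_facing):
    """Rank findings for triage.  Base score is CVSS; a remotely reachable flaw in
    an internet-facing application is weighted up (the exposure factor; the 1.5x
    weight is an assumption).  Returns (score, finding) pairs, highest first."""
    ranked = []
    for f in findings:
        score = f["cvss"] * (1.5 if internet_facing and f["remote"] else 1.0)
        ranked.append((round(score, 2), f))
    return sorted(ranked, key=lambda pair: pair[0], reverse=True)


if __name__ == "__main__":
    bom = build_bom(LOCK_FILE, LICENSES)
    findings = find_vulnerabilities(bom, KNOWLEDGE_BASE)
    for score, f in prioritize(findings, internet_facing=True):
        print(f"{score:5.2f}  {f['name']}=={f['version']}  {f['advisory']}  "
              f"fixed in {f['fixed_in']}")
    print("license policy conflicts:", license_conflicts(bom, {"GPL-3.0"}))
```

Two details are worth noticing when running it. `tmplengine==2.7.3` is not reported because 2.7.3 is the first fixed version, so the range check must be half-open; and `httpclient==1.9` is reported only because versions are compared numerically, since a string comparison would put 1.9 after the 1.10 fix. Flipping `internet_facing` changes which finding ranks first, which is the triage effect the exposure factor is meant to have.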

How many of Black Duck Hub's beta customers ship products containing open source, rather than just using open source software in-house, varies by industry, Ledingham said. “With industries like financial services, their concern is more with the internal applications they have, where they use a lot of open source and which their clients use on websites.” Vulnerabilities in the web frameworks those applications use are the main risk.

For tech and software companies, the problems lie more in the software supply chain, according to Ledingham. “A lot of the products that they sell and distribute can have a lot of open source content, and a lot of other third-party technologies that are used there can have open source content.” The more connected and publicly exposed those products are, he said, the greater the concern about depending on a vulnerable component, for instance an in-dash car entertainment system that can be reached from a smartphone app.

Copyright © 2015 IDG Communications, Inc.