Black Duck Launches Open-Source Security Solution
Black Duck's new Black Duck Hub open source security solution helps development teams check the security of open source in their code bases.Black Duck Software has announced a new open source security platform that helps security and development teams find and fix open source vulnerabilities. The Black Duck Hub helps users identify open source components used within their code, identify known security vulnerabilities, and triage, schedule, and track remediation. “Most companies do not have an automated mechanism to identify new open source as it enters a code base,” said Bill Ledingham, executive vice president and chief technology officer at Black Duck Software, in a statement. “Moreover, they are unable to determine the actual risk and impact from vulnerabilities. Without this knowledge, companies have no way to triage and track vulnerability remediation efforts over time. The Black Duck Hub helps security and development teams identify and mitigate open source related risks across an application portfolio.” Black Duck said on average, more than 30 percent of software deployed in most enterprises is open source software (OSS). Yet, few organizations have visibility into what open source is used and where. With more than 4,000 new open source vulnerabilities reported each year, understanding what open source is used within an organization is critical, the company said. Indeed, thousands of unknown open source vulnerabilities go unnoticed within a typical enterprise. The Black Duck Hub identifies open source usage, maps known open source vulnerabilities, and tracks remediation efforts. The Black Duck Hub leverages Black Duck’s KnowledgeBase of license and vulnerability data.
The Black Duck Hub operates by running as part of the build process, automatically discovering and identifying open source as it enters the code stream and flagging open source libraries that have known vulnerabilities. Vulnerability details are used to assess application and portfolio risk, in addition to open source license and community activity risk. Moreover, remediation scheduling and tracking enable security professionals to ensure critical vulnerabilities are remediated.