There’s no question that Microsoft believes in the power of Open Source to help developers create better applications. Last year, GitHub reported that Microsoft had more contributors to open source projects than Facebook, Docker, or Google. Clearly, the wall between Microsoft development and open source development has fallen. In response to increasing demand, we at Black Duck are excited to introduce our latest integration, which gives developers the ability to scan and identify open source security and license risks as part of their build, test, and release pipelines within the Microsoft Visual Studio Team Services and Team Foundation Server (TFS) environments.
Why Open Source Vulnerability Management is Critical
More and more, developers are using open source to get the job done. Forrester Research recently reported that 80-90% of new application code is open source. Today, the use of open source in building applications provides a competitive advantage allowing organizations to bring better applications to market faster and more efficiently than ever.
But use of open source is not without risks. Many open source components carry security vulnerabilities and license risks that can compromise your entire application. Even some of the most commonly used components, such as Apache Commons Collections and Spring Framework, have seen vulnerabilities that may leave your application open to exploitation.
For most organizations, manual tracking of the nearly 4000 new open source security vulnerabilities that are reported each year, not to mention the often-complex license obligations, is a nearly impossible task. Let’s face it, no sane developer wants to take the time to manually identify and review all the potential vulnerabilities in the components they use.
Automated Vulnerability Management with Hub and TFS
The good news is that Black Duck will help. Last month Black Duck rolled out its integration into Microsoft’s Visual Studio Team Services and TFS to automate open source vulnerability management within the Microsoft continuous integration (CI) environment. The Black Duck Hub Microsoft Visual Studio extension can be triggered to automatically scan your project and quickly identify open source components throughout your code base, mapping them to known open source security vulnerabilities and license compliance risks. It can flag policy violations, track remediation progress, and continuously monitor your software projects for newly identified vulnerabilities, even after they’re released.
This allows you to set lightweight open source use and security policies up front, automatically check for compliance against those policies as part of the build process, and configure specific actions such as team notifications or even build failures within TFS. Teams can maintain their agile development practices while ensuring that open source vulnerabilities are addressed prior to ship.
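The policy-gate flow described above (set policies up front, check each build’s open source inventory against them, then notify or fail the build) can be sketched in a few dozen lines. The following Python is an added illustration written for this post; it is not Black Duck’s code and does not use the Hub API. The component inventory, the vulnerability feed, the advisory identifiers, and the policy thresholds are all constructed placeholders.

```python
"""Toy open source policy gate for a CI build step.

Added illustration only; not Black Duck's code or API. Everything below
(inventory, vulnerability feed, advisory ids, thresholds) is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # placeholder ids, not real CVE numbers
    cvss: float
    summary: str


@dataclass
class Policy:
    fail_cvss: float = 7.0  # block the build at or above this score
    warn_cvss: float = 4.0  # report, but do not block, from this score up
    denied_licenses: Tuple[str, ...] = ("AGPL-3.0",)


@dataclass
class Violation:
    component: Component
    rule: str
    detail: str
    blocking: bool


# Constructed inventory, standing in for what a scan of the project would emit.
INVENTORY: List[Component] = [
    Component("example-collections", "3.2.1", "Apache-2.0"),
    Component("example-web-framework", "4.1.0", "Apache-2.0"),
    Component("example-logger", "1.0.0", "AGPL-3.0"),
    Component("example-json", "2.9.0", "MIT"),
]

# Constructed vulnerability feed keyed by (name, version).
FEED: Dict[Tuple[str, str], List[Advisory]] = {
    ("example-collections", "3.2.1"): [Advisory("ADV-0001", 9.8, "unsafe deserialization")],
    ("example-web-framework", "4.1.0"): [Advisory("ADV-0002", 5.3, "information disclosure")],
}


def evaluate(inventory: List[Component], feed: Dict, policy: Policy) -> List[Violation]:
    """Match every component against the feed and the license deny list."""
    violations: List[Violation] = []
    for comp in inventory:
        if comp.license in policy.denied_licenses:
            violations.append(Violation(comp, "license", f"{comp.license} is denied by policy", True))
        for adv in feed.get((comp.name, comp.version), []):
            detail = f"{adv.advisory_id} CVSS {adv.cvss}: {adv.summary}"
            if adv.cvss >= policy.fail_cvss:
                violations.append(Violation(comp, "vulnerability", detail, True))
            elif adv.cvss >= policy.warn_cvss:
                violations.append(Violation(comp, "vulnerability", detail, False))
    return violations


def build_exit_code(violations: List[Violation]) -> int:
    """Non-zero when any blocking violation exists, so the CI step fails."""
    return 1 if any(v.blocking for v in violations) else 0


def report(violations: List[Violation]) -> List[str]:
    """Human-readable lines for the build log or a team notification."""
    return [
        f"{'FAIL' if v.blocking else 'WARN'} {v.component.name}@{v.component.version} [{v.rule}] {v.detail}"
        for v in violations
    ]


if __name__ == "__main__":
    found = evaluate(INVENTORY, FEED, Policy())
    for line in report(found):
        print(line)
    raise SystemExit(build_exit_code(found))
```

The thresholds and deny list live in `Policy` so that the rules are decided once and applied identically to every build; the exit code is what lets a CI system treat a blocking violation as a failed step, while warnings are surfaced in the log without stopping the pipeline.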
Open source is the foundation of modern applications, and the importance of open source security has never been clearer. Black Duck’s partnership with Microsoft is bringing open source security automation into the SDLC, and we’re excited to be working with Microsoft on new solutions to help developers be both agile and secure. Stay tuned for more updates in the coming weeks.