Software Composition Analysis, Securing Containers in the Enterprise


We’re very close to 1,000 CVE entries in the National Vulnerability Database. The NVD CVE report has nearly doubled for February with 650 vulnerability entries. Black Duck is noted as the leader in a new Wave report from Forrester Research. Why it’s a good idea to monitor app code to keep containers secure. What happens when open source meets the enterprise? A look at the changing face of open source licensing. Do 80 percent of web applications really contain security bugs?

All this and more in this week’s edition of Open Source Insight.

Open Source Security Provider Black Duck is the “Leader” in Independent Research Firm’s Assessment of Software Composition Analysis Providers

Black Duck is the only company in the “leader” category in the recently released The Forrester Wave™: Software Composition Analysis, Q1 2017.

Software composition analysis (SCA) tools provide valuable data to security pros, legal pros, and app developers by identifying software vulnerabilities and exposing licenses for open source components. A comprehensive evaluation of “the six (SCA) providers that matter most and how they stack up,” the Forrester report assesses the current state of the software composition analysis market and provides in-depth analysis of the six providers.

Black Duck: To Keep Containers Secure, Monitor Your App Code, Too

The key to keeping containers secure is to think about the software running inside them, not just the software that hosts them. That’s the message Black Duck Software is aiming to send as adoption of container software increases.

In a discussion with Container Journal about container security, Black Duck said that “increasing container security means increasing the security of the applications deployed in containers.”

The company added, “Secure container frameworks are also obviously critical, but when those frameworks know nothing about the applications they encapsulate, they can’t possibly prevent well-crafted application attacks.”

When Open Source Meets the Enterprise

Via IT Business Edge: It seems that few organizations will need to convert all of their proprietary technology to open source, but open source will be desirable when it comes to supporting applications and services that are distributed across multi-platform cloud infrastructure. The biggest challenge of all will be to get these two constructs to work together.

The Changing Face of Open Source Licensing

Via DevPro: The GPL is the granddaddy of open source licenses, and is not only the license used by Linux, but is the license that gave birth to the open source movement. It was designed with the purpose of giving computer users control of their machines, guaranteeing that software would be freely available and modifiable by users. It has served that purpose well. It is also the backbone upon which enterprise adoption of open source is based, and being compatible with the GPL is considered to be a requirement for all open source licenses.

80% Of Web Applications Contain at Least One Security Bug

A new study on Web application vulnerabilities by security software firm Contrast Security shows that sensitive data exposure affects 69% of these applications and is responsible for 26% of all vulnerabilities, reports DarkReading. Some 80% of applications contain at least one flaw, with an average of 45 vulnerabilities per application: 55% are affected by cross-site request forgery and 37% suffer from security misconfiguration.
