Software Composition Analysis, Securing Containers in the Enterprise


We’re very close to 1,000 CVE entries in the National Vulnerability Database. The NVD CVE report has nearly doubled for February with 650 vulnerability entries. Black Duck is noted as the leader in a new Wave report from Forrester Research. Why it’s a good idea to monitor app code, not just the container framework, to keep containers secure. What happens when open source meets the enterprise? A look at the changing face of open source licensing. Do 80 percent of web applications really contain security bugs?

All this and more in this week’s edition of Open Source Insight.

Open Source Security Provider Black Duck is the “Leader” in Independent Research Firm’s Assessment of Software Composition Analysis Providers

Black Duck is the only company in the “leader” category in the recently released The Forrester Wave™: Software Composition Analysis, Q1 2017.

Software composition analysis (SCA) tools provide valuable data to security pros, legal pros, and app developers by identifying software vulnerabilities and exposing licenses for open source components. A comprehensive evaluation of “the six [SCA] providers that matter most and how they stack up,” the Forrester report assesses the current state of the software composition analysis market and provides in-depth analysis of each of the six providers.

Black Duck: To Keep Containers Secure, Monitor Your App Code, Too

The key to keeping containers secure is to think about the software running inside them, not just the software that hosts them. That’s the message Black Duck Software is aiming to send as adoption of container software increases.

In a discussion with Container Journal about container security, Black Duck said that “increasing container security means increasing the security of the applications deployed in containers.”

The company added, “Secure container frameworks are also obviously critical, but when those frameworks know nothing about the applications they encapsulate, they can’t possibly prevent well-crafted application attacks.”
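To make the point above concrete, here is an added example (not code from the original post, and not Black Duck's own tooling) of the check an application-level composition scan performs in miniature: it parses the pinned dependencies a Dockerfile would copy into an image and matches them against an advisory table with version ranges. The requirements file, package names and advisory identifiers are all constructed for the example; none refers to a real package or a real CVE.

```python
"""Miniature SCA check on the application layer of a container image.

Everything below is constructed sample data: package names, versions and
advisory identifiers are fictional placeholders, not real packages or CVEs.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed: a requirements.txt as it might be COPY'd into an image.
SAMPLE_REQUIREMENTS = """\
# requirements.txt
acme-auth==1.4.2
acme-json==3.0.1   # pinned for a legacy config loader
yamlish==0.9
acme-http>=2.0     # unpinned: no single version to match
"""

# Constructed advisory table. Affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-0001", "package": "acme-auth", "introduced": "1.0", "fixed": "1.4.3"},
    {"id": "ADV-0002", "package": "acme-json", "introduced": "2.5", "fixed": "3.0.0"},
    {"id": "ADV-0003", "package": "yamlish", "introduced": "0.0", "fixed": "1.0"},
]

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_version(text: str) -> Version:
    """'1.4.2' -> (1, 4, 2). A non-numeric component ends the tuple."""
    parts: List[int] = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def vcmp(a: Version, b: Version) -> int:
    """Compare versions after zero-padding, so (3, 0) == (3, 0, 0)."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def version_in_range(v: Version, introduced: Version, fixed: Version) -> bool:
    """True when introduced <= v < fixed."""
    return vcmp(v, introduced) >= 0 and vcmp(v, fixed) < 0


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({name: pinned_version}, [names without an exact pin])."""
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
            continue
        n = NAME_RE.match(line)
        if n:
            unpinned.append(n.group(1).lower())
    return pinned, unpinned


def scan(requirements_text: str, advisories: List[dict]) -> Tuple[List[dict], List[str]]:
    """Match pinned dependencies against advisories; report unpinned ones too."""
    pinned, unpinned = parse_requirements(requirements_text)
    findings: List[dict] = []
    for adv in advisories:
        ver = pinned.get(adv["package"].lower())
        if ver is None:
            continue
        if version_in_range(parse_version(ver),
                            parse_version(adv["introduced"]),
                            parse_version(adv["fixed"])):
            findings.append({"package": adv["package"], "version": ver, "id": adv["id"]})
    return findings, unpinned


if __name__ == "__main__":
    found, loose = scan(SAMPLE_REQUIREMENTS, ADVISORIES)
    for f in found:
        print(f"AFFECTED {f['package']}=={f['version']} ({f['id']})")
    for name in loose:
        print(f"UNRESOLVED {name}: no exact pin, scan the built image instead")
```

Two things the toy deliberately surfaces: a pin just past the fixed version (acme-json 3.0.1 against a range fixed in 3.0.0) is correctly not flagged, and an unpinned dependency cannot be matched at all from the manifest, which is why a real scan inspects the built image or a lockfile rather than requirements.txt alone. The base image's own OS packages are a separate inventory and need their own check.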

When Open Source Meets the Enterprise

Via IT Business Edge: It seems that few organizations will need to convert all of their proprietary technology to open source, but open source will be desirable when it comes to supporting applications and services that are distributed across multi-platform cloud infrastructure. The biggest challenge of all will be to get these two constructs to work together.

The Changing Face of Open Source Licensing

Via DevPro: The GPL is the granddaddy of open source licenses, and is not only the license used by Linux, but is the license that gave birth to the open source movement. It was designed with the purpose of giving computer users control of their machines, guaranteeing that software would be freely available and modifiable by users. It has served that purpose well. It is also the backbone upon which enterprise adoption of open source is based, and being compatible with the GPL is considered to be a requirement for all open source licenses.

80% Of Web Applications Contain at Least One Security Bug

A new study on Web application vulnerabilities by security software firm Contrast Security shows that sensitive data exposure affects 69% of these applications and accounts for 26% of all vulnerabilities found, reports DarkReading. Some 80% of applications contain at least one flaw, with an average of 45 vulnerabilities per application; 55% are affected by cross-site request forgery and 37% by security misconfiguration.
