Software Composition Analysis, Securing Containers in the Enterprise


We’re very close to 1,000 CVE entries in the National Vulnerability Database, and the NVD CVE report for February has nearly doubled, with 650 vulnerability entries. Black Duck is named the leader in a new Wave report from Forrester Research. Why it’s a good idea to monitor app code, not just the host, to keep containers secure. What happens when open source meets the enterprise? A look at the changing face of open source licensing. Do 80 percent of web applications really contain security bugs?

All this and more in this week’s edition of Open Source Insight.

Open Source Security Provider Black Duck is the “Leader” in Independent Research Firm’s Assessment of Software Composition Analysis Providers

Black Duck is the only company in the “leader” category in the recently released report The Forrester Wave™: Software Composition Analysis, Q1 2017.

Software composition analysis (SCA) tools provide valuable data to security pros, legal pros, and app developers by identifying known vulnerabilities in, and exposing the licenses of, the open source components an application uses. A comprehensive evaluation of “the six (SCA) providers that matter most and how they stack up,” the Forrester report assesses the current state of the software composition analysis market and provides in-depth analysis of those six providers.

Black Duck: To Keep Containers Secure, Monitor Your App Code, Too

The key to keeping containers secure is to think about the software running inside them, not just the software that hosts them. That’s the message Black Duck Software is aiming to send as adoption of container software increases.

In a discussion with Container Journal about container security, Black Duck said that “increasing container security means increasing the security of the applications deployed in containers.”

The company added, “Secure container frameworks are also obviously critical, but when those frameworks know nothing about the applications they encapsulate, they can’t possibly prevent well-crafted application attacks.”
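To make the point concrete, here is a worked example added for this post; it is not Black Duck’s or Container Journal’s code. It runs a toy software composition analysis pass over a constructed inventory of a container image that records both the base-image OS packages and the application’s own dependencies, and matches each component against an advisory list. The only advisory data used is the published affected range for CVE-2017-5638 (Apache Struts 2: 2.3.5 through 2.3.31, fixed in 2.3.32; 2.5 through 2.5.10, fixed in 2.5.10.1); the inventory lines, the `base`/`app` layer labels and all function names are constructed for the example. Scanning the base layer alone reports nothing, while including the application layer surfaces the vulnerable `struts2-core`, which is exactly the gap a framework-only view leaves open.

```python
"""Toy SCA pass over a container image inventory (added example, not the page's code)."""
import re
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Split a dotted version into comparable components.

    Numeric parts compare as integers, everything else as strings, so
    "2.3.20" > "2.3.5" and "2.5" < "2.5.10.1". This is adequate for the
    dotted Maven versions here; real scanners need ecosystem-specific rules
    (Debian epochs, Maven qualifiers such as -SNAPSHOT, etc.).
    """
    parts = []
    for p in re.split(r"[.\-]", v):
        parts.append((0, int(p)) if p.isdigit() else (1, p))
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    id: str
    component: str   # "ecosystem:name", e.g. "maven:org.apache.struts:struts2-core"
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)


# Published affected ranges for CVE-2017-5638 (Apache Struts S2-045).
ADVISORIES = [
    Advisory("CVE-2017-5638", "maven:org.apache.struts:struts2-core", "2.3.5", "2.3.32"),
    Advisory("CVE-2017-5638", "maven:org.apache.struts:struts2-core", "2.5", "2.5.10.1"),
]

# Constructed inventory of one container image: <layer> <ecosystem:name> <version>.
# "base" is the OS image the container framework knows about; "app" is the
# application's own dependency tree, which a host-level scan never sees.
IMAGE_INVENTORY = """\
# layer  component                              version
base  deb:libc6                                 2.24-11
base  deb:openssl                               1.1.0e-1
app   maven:org.apache.struts:struts2-core      2.3.20
app   maven:commons-io:commons-io               2.5
"""


def parse_inventory(text: str) -> list:
    """Parse inventory lines into (layer, component, version) tuples."""
    comps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        layer, name, version = line.split()
        comps.append((layer, name, version))
    return comps


def is_affected(adv: Advisory, version: str) -> bool:
    """True when introduced <= version < fixed under parse_version ordering."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def find_vulnerable(inventory: list, advisories=ADVISORIES, layers=("base", "app")) -> list:
    """Return (layer, component, version, advisory id) for every match in the chosen layers."""
    hits = []
    for layer, name, version in inventory:
        if layer not in layers:
            continue
        for adv in advisories:
            if adv.component == name and is_affected(adv, version):
                hits.append((layer, name, version, adv.id))
    return hits


if __name__ == "__main__":
    inventory = parse_inventory(IMAGE_INVENTORY)
    for layers in (("base",), ("base", "app")):
        print(f"layers scanned: {layers}")
        for layer, name, version, adv_id in find_vulnerable(inventory, layers=layers):
            print(f"  {adv_id}: {name} {version} ({layer} layer)")
```

The interesting failure mode is the first run: a scanner that only inventories the host or base image reports a clean bill of health for an image that is trivially exploitable through its application layer. The version comparison is deliberately simple; before reusing it, replace `parse_version` with the ordering rules of each ecosystem you inventory, since a wrong comparison silently turns a vulnerable component into a false negative.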

When Open Source Meets the Enterprise

Via IT Business Edge: It seems that few organizations will need to convert all of their proprietary technology to open source, but open source will be desirable when it comes to supporting applications and services that are distributed across multi-platform cloud infrastructure. The biggest challenge of all will be to get these two constructs to work together.

The Changing Face of Open Source Licensing

Via DevPro: The GPL is the granddaddy of open source licenses. It is not only the license used by Linux, but the license that gave birth to the open source movement. It was designed to give computer users control of their machines, guaranteeing that software would be freely available and modifiable by users, and it has served that purpose well. It is also the backbone upon which enterprise adoption of open source is based, and compatibility with the GPL is considered a requirement for all open source licenses.

80% Of Web Applications Contain at Least One Security Bug

A new study of web application vulnerabilities by security software firm Contrast Security shows that sensitive data exposure affects 69% of the applications examined and accounts for 26% of all vulnerabilities found, reports DarkReading. Some 80% of applications contain at least one flaw, with an average of 45 vulnerabilities per application; 55% are affected by cross-site request forgery and 37% by security misconfiguration.



CVE-2017-2636 Vuln of the Week & UK National Cyber Security Strategy

Mar 24, 2017

Seldom a month goes by where the NVD entries don’t break 1,000, and March 2017 is no exception. The vulnerability of the week is CVE-2017-2636, a serious security flaw in Linux kernel that appears to have been around since 2009. More on that story below. Other open source security and


Struts Buster Hits Canada, Zero Days, the Best Vuln Info Sources

Mar 17, 2017

CVE-2017-5638 – the Struts Buster – still leads the news cycle, with the Canada Revenue Agency taken offline to deal with the vulnerability and Statistics Canada hacked. If you haven’t patched for CVE-2017-5638, go get that update. The hits keep on coming at the NVD with 657 entries now listed


CVE-2017-5638 Apache Struts 2 Vulnerability & More Security News

Mar 10, 2017

If you’re running an Apache Struts 2 server and haven’t patched for CVE-2017-5638, stop reading right now and do so. Researchers are reporting that exploits of the vulnerability are trivial to carry out, highly reliable and require no authentication. While NIST has only had a placeholder for the
