In today’s application development world, developers rely heavily on open source to build applications more efficiently and bring them to market faster. The benefits of open source are clear, but dependence on open source also exposes applications to open source vulnerabilities and license compliance risks.
When Do You Address Risks?
Too many organizations become aware of these risks only after their applications are already built or shipped. Remediating those issues so late in the game is time-consuming and expensive: four to five times more expensive than remediating during development, according to the Systems Sciences Institute at IBM. And if you change just one component at that stage, how many dependencies have you broken? At Black Duck we believe it’s never too early to address risks, and we help teams do so with integrations throughout the SDLC, including the IDE.
Microsoft’s Visual Studio is one of the most comprehensive and popular IDE platforms on the market. With over 35% of developers using Visual Studio (according to Stack Overflow), it sees a great deal of open source code. Black Duck and Microsoft are working together to help these developers fix open source risks before they become a problem.
Shifting Left in Your SDLC
Black Duck’s new Hub plugin for the Visual Studio IDE can scan your code as your team is developing it, immediately alerting you to any components with known security risks. Think of it as a spell checker for open source components: Black Duck will tell you if a component is vulnerable or violates any open source use policies that you’ve set. Like a spell checker, it can only flag what is in its dictionary, that is, known vulnerabilities and policy violations in components it can identify, so a clean result means no known issues were found, not that the code is free of security problems. More detailed information is only a click away in Black Duck Hub, where you can quickly find safer versions and select the one that works best for your needs. The plugin is a simple and unobtrusive tool, giving you the ability to make corrections as you develop without introducing a new process that disrupts your work.
Earlier this year we released integrations with Visual Studio Team Services and Team Foundation Server, which run code scans automatically as part of each build. Now, with the Hub plugin for the Visual Studio IDE, Black Duck and Microsoft are helping teams be agile and secure by introducing open source management early in the SDLC, where it is easier and less costly to remediate vulnerabilities or license compliance risks found in open source components.