Developers don’t limit themselves to one method when building applications. They pull from third-party libraries, build custom code themselves, and rely heavily on open source. As a proponent of open source, I think it's important to recognize its prevalence in software development today. Black Duck research shows that 95% of all mission-critical applications in the business world contain open source. A recent Forrester Wave on Software Composition Analysis reported that 80% to 90% of code these days is open source. So while custom code may be the mortar that ties an application together, open source components are the bricks that make up the bulk of its structure.
When we talk about application security, the need to secure your open source is clear. Open source vulnerabilities affecting widely used components such as OpenSSL, the Standard C Library, and more recently Samba have made headlines, exposing the need for better management and security of open source components. Black Duck’s 2017 Open Source Security and Risk Analysis report found a startling deficiency in the management of open source in most organizations. But when you’re building applications using a mix of open source and custom code, you ideally want to be able to track and manage vulnerabilities across both types of code. This can be a challenge, but the good news is that with updated integrations between Black Duck Hub and HPE Security tools you can do just that.
Integrated Security Management with Hub and HPE Security
With all the tools available to help you — static analysis, dynamic analysis, penetration testing, open source scans just to name a few — managing software security can quickly start to seem painful. That’s why Black Duck and HPE have partnered to let you manage your full set of application security needs in one place.
HPE Security Fortify provides enterprise-grade tools that give visibility into the software risk in custom code using static and dynamic testing. Software Security Center (SSC) is their solution for companies that prefer on-premise AppSec management, and Fortify on Demand works in the cloud. Black Duck Hub now integrates with both, giving you the ability to detect, prioritize, and fix open source vulnerabilities alongside your custom code bugs in a single, unified view.
Black Duck and HPE are excited to team up on this effort. Jason Schmitt, Vice President and General Manager, HPE Security Fortify, Hewlett Packard Enterprise told us, “Black Duck’s integrations complement our existing secure development and security testing solutions by providing the ability to view the results of open source scanning alongside application security testing results to deliver a more complete and effective approach to managing application security.”
With the power of HPE Security Fortify and Black Duck Hub, you can be sure that you’ll get complete visibility into your entire security risk profile. Black Duck is excited to announce the new version of this integration. Check out our new partnership page for more information, or download the integration on GitHub.