Software Composition Analysis, Securing Containers in the Enterprise


We’re very close to 1,000 CVE entries in the National Vulnerability Database: the NVD CVE report has nearly doubled for February, with 650 vulnerability entries. Black Duck is noted as the leader in a new Wave report from Forrester Research. Why it’s a good idea to monitor app code to keep containers secure. What happens when open source meets the enterprise? A look at the changing face of open source licensing. Do 80 percent of web applications really contain security bugs?

All this and more in this week’s edition of Open Source Insight.

Open Source Security Provider Black Duck is the “Leader” in Independent Research Firm’s Assessment of Software Composition Analysis Providers

Black Duck is the only company in the “leader” category in the recently released report The Forrester Wave™: Software Composition Analysis, Q1 2017.

Software composition analysis (SCA) tools provide valuable data to security pros, legal pros, and app developers by identifying software vulnerabilities and exposing the licenses of open source components. A comprehensive evaluation of “the six (SCA) providers that matter most and how they stack up,” the Forrester report assesses the current state of the software composition analysis market and provides in-depth analysis of the six providers.

Black Duck: To Keep Containers Secure, Monitor Your App Code, Too

The key to keeping containers secure is to think about the software running inside them, not just the software that hosts them. That’s the message Black Duck Software is aiming to send as adoption of container software increases.

In a discussion with Container Journal about container security, Black Duck said that “increasing container security means increasing the security of the applications deployed in containers.”

The company added, “Secure container frameworks are also obviously critical, but when those frameworks know nothing about the applications they encapsulate, they can’t possibly prevent well-crafted application attacks.”

When Open Source Meets the Enterprise

Via IT Business Edge: It seems that few organizations will need to convert all of their proprietary technology to open source, but open source will be desirable when it comes to supporting applications and services that are distributed across multi-platform cloud infrastructure. The biggest challenge of all will be to get these two constructs to work together.

The Changing Face of Open Source Licensing

Via DevPro: The GPL is the granddaddy of open source licenses; it is not only the license used by Linux but the license that gave birth to the open source movement. It was designed with the purpose of giving computer users control of their machines, guaranteeing that software would be freely available and modifiable by users. It has served that purpose well. It is also the backbone upon which enterprise adoption of open source is based, and being compatible with the GPL is considered a requirement for all open source licenses.

80% Of Web Applications Contain at Least One Security Bug

A new study on web application vulnerabilities by security software firm Contrast Security shows that sensitive data exposure affects 69% of these applications and is responsible for 26% of all vulnerabilities, reports DarkReading. Some 80% of applications contain at least one flaw, with an average of 45 vulnerabilities per application: 55% are affected by cross-site request forgery and 37% suffer from security misconfiguration.
