Today’s application landscape is complex, and for federal government agencies, maintaining security through that complexity is paramount. Untracked open source code, together with the vulnerabilities that can come with it, compromises security and exposes your organization and constituents to significant risk.
With recent open source use mandates for government agencies, as well as strategic plans for federal cybersecurity, it is imperative that you have an established set of tools and automated processes to detect and manage open source security risks in your applications.
Government data is a constant target for malicious activity by both individual and state-sponsored hackers. Recent reports from the FTC and Verizon find that government applications face significant and unrelenting attacks, making them the target of the greatest number of cyber incidents and breaches across industry sectors.
The goal for developers, established by the National Science and Technology Council (NSTC), is to ensure that application security and risk management practices make the cost of an attempted attack greater than the potential benefit of a breach. But open source vulnerabilities, which are often widely publicized, make attacks inexpensive: the attacker does not need to find the flaw, only the applications that still ship it. By proactively tracking and managing open source vulnerabilities, you turn the security economics in your favor.
[Statistics callouts: target for lines of code per defect in government applications; target date by which effective risk management should eliminate attackers’ advantage; minimum share of agency code that must be released as open source. The figures themselves were not preserved.]
What makes attacks so inexpensive? Unpatched or unidentified vulnerabilities in applications’ code are easily exploited. With open source components comprising 50% or more of a typical application, a vulnerability in one component can be used to compromise hundreds or thousands of applications that ship that component. In fact, a recent Department of Homeland Security report estimates that 90 percent of security incidents result from exploits against defects in software.
Effective detection and remediation of vulnerabilities in open source components has a material impact on deterring adversaries and preventing a successful attack. Yet the presence of untracked open source components in government applications represents a serious threat: you cannot defend against threats you do not track, and you cannot patch a component you do not know you are running.
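The tracking step described above comes down to two pieces of data: an inventory of which component versions each application ships, and a list of advisories with affected version ranges. The following is an added illustration of that matching logic, written for this page; it is not Black Duck’s code, and the manifests, the application names and the advisory identifiers (`EX-…`) and version ranges are all constructed for the example, not real CVEs.

```python
"""Match a constructed component inventory against constructed advisories.

Illustration only: everything below (application names, pinned versions,
advisory IDs and ranges) is made up for the example.
"""
from dataclasses import dataclass

# Constructed manifests: application name -> pinned dependency lines,
# in the 'name==version' form used by Python requirements files.
MANIFESTS = {
    "benefits-portal": ["requests==2.19.0", "pyyaml==5.4.1", "urllib3==1.24.1"],
    "grants-api": ["# pinned by CI", "requests==2.31.0", "pyyaml==5.1"],
}

# Constructed advisory list (hypothetical IDs, NOT real CVEs):
# (component, advisory id, (first affected version, first fixed version)).
ADVISORIES = [
    ("requests", "EX-2018-0001", ("2.0.0", "2.20.0")),
    ("pyyaml", "EX-2020-0002", ("0", "5.4")),
    ("urllib3", "EX-2019-0003", ("1.0", "1.24.2")),
]


@dataclass(frozen=True)
class Finding:
    advisory: str
    application: str
    component: str
    version: str


def parse_version(v: str) -> tuple:
    """Turn a dotted numeric version into a comparable tuple, padded to 3 parts."""
    parts = [int(p) for p in v.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_manifest(lines) -> dict:
    """Parse 'name==version' pins into a {name: version} inventory.

    Blank lines and comments are skipped; an unpinned dependency is an error,
    because an inventory that cannot name the version cannot be matched.
    """
    inventory = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        inventory[name.strip().lower()] = version.strip()
    return inventory


def is_affected(version: str, affected_range) -> bool:
    """True when first_affected <= version < first_fixed."""
    lo, hi = affected_range
    return parse_version(lo) <= parse_version(version) < parse_version(hi)


def find_affected(manifests, advisories) -> list:
    """Cross every application's inventory with every advisory."""
    findings = []
    for app, lines in manifests.items():
        inventory = parse_manifest(lines)
        for component, adv_id, rng in advisories:
            version = inventory.get(component)
            if version is not None and is_affected(version, rng):
                findings.append(Finding(adv_id, app, component, version))
    return findings


def affected_applications(findings, advisory_id: str) -> list:
    """Answer the question asked after an advisory lands: which apps ship it?"""
    return sorted({f.application for f in findings if f.advisory == advisory_id})


if __name__ == "__main__":
    for f in find_affected(MANIFESTS, ADVISORIES):
        print(f"{f.advisory}: {f.application} ships {f.component}=={f.version}")
```

Run against the constructed data this reports three findings; the interesting non-finding is `pyyaml==5.4.1` in `benefits-portal`, which sits just past the first fixed version of the advisory’s range, which is exactly the kind of boundary a manual spreadsheet gets wrong. A real deployment replaces the hand-made advisory list with a feed such as the NVD and the padded numeric comparison with a full version-scheme parser, but the inventory-then-match shape is the same.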
When we built our business case for bringing in Black Duck, our internal information security group was a co-sponsor of the effort. This group now has a significantly easier way to determine which artifacts and versions are affected by any security vulnerability and which applications are impacted as a result. This capability did not exist before, so this is huge.
Black Duck solutions for open source application security and license compliance provide a complete, single-pane-of-glass view of open source risks in your applications. Black Duck solutions:
Black Duck products and services are available for purchase through Carahsoft's GSA contracts and Carahsoft's NASA SEWP contracts.