Open Source Security Audit
Get An Actionable View of Security, Legal, and Operational Risks Present In Your Code Base
Is your company as concerned about open source security and third-party vulnerabilities and operational risk as it is about license compliance? In addition to identifying potential license issues, a Black Duck Open Source Security Audit provides insight into other risks in your organization’s code base and a high-level action plan to help prioritize research and potential remediation across the various categories of risk.
The Open Web Application Security Project (OWASP) recently added “Using components with known vulnerabilities” to its top 10 list of risks. The OSRA gives you visibility into the components and the vulnerabilities.
Built from a Black Duck On-Demand Open Source Audit Bill of Materials, the OSRA report includes a comprehensive list of reported security vulnerabilities for the components currently in use within your code base(s) derived from National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and other sources.
The report also provides details on components that contain operational risks by highlighting those that have fallen into disuse or have very slow commit activity, as well as versions that are far out of date. Insight into version proliferation are also provided, alerting your team if the code is utilizing multiple versions of the same components.
In most code bases there are a number of risks of different categories and varying severity. Especially in the heat of a transaction, it can be difficult to know where to focus. The Open Source Risk Assessment’s action plan takes into account the types of risk and severity, recommending priorities to guide your efforts.