One of the first steps in protecting your company’s software applications against known security vulnerabilities is to scan your code base and create an inventory of the open source components you have in use. Next, you must continually compare this code bill of materials (BOM) against the various vulnerability databases.
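As an added illustration of that comparison (this is example code, not Black Duck's code and not real NVD data), here is a small Python sketch: a constructed BOM is matched against a constructed NVD-style feed of affected version ranges, the CVSS score is mapped to NVD's severity bands to filter and rank alerts, and a second pass reports only hits not already alerted on, which is what the recurring comparison needs. Every product name, vulnerability ID and version range below is made up.

```python
import re

# Constructed sample inventory (component, version); not real data.
BOM = [("libfoo", "1.0.1e"), ("barlog", "2.14.1"), ("bazz", "1.2.13")]

# Constructed feed entries in a simplified NVD-like shape: affected product,
# inclusive start / exclusive end of the affected range, CVSS base score.
# (The real NVD JSON carries these bounds inside CPE match objects.)
FEED = [
    {"id": "VULN-0001", "product": "libfoo", "start_incl": "1.0.1", "end_excl": "1.0.1g", "cvss": 7.5},
    {"id": "VULN-0002", "product": "barlog", "start_incl": "2.0", "end_excl": "2.15.0", "cvss": 10.0},
    {"id": "VULN-0003", "product": "bazz", "start_incl": "1.2.0", "end_excl": "1.2.12", "cvss": 5.3},
]

def version_key(v):
    """Split '1.0.1e' into comparable tokens: numbers compare numerically and a
    letter suffix sorts after the bare number (OpenSSL-style). Note this is NOT
    semver pre-release ordering, where '-rc1' sorts *before* the release."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", v))

def affected(version, entry):
    """True when version lies in [start_incl, end_excl)."""
    k = version_key(version)
    return version_key(entry["start_incl"]) <= k < version_key(entry["end_excl"])

def severity(cvss):
    """NVD's qualitative CVSS v3 bands."""
    if cvss >= 9.0:
        return "CRITICAL"
    if cvss >= 7.0:
        return "HIGH"
    if cvss >= 4.0:
        return "MEDIUM"
    return "LOW" if cvss > 0 else "NONE"

def match_bom(bom, feed, min_cvss=0.0):
    """Return (component, version, vuln id, severity, cvss) for every BOM entry
    inside an affected range, dropping hits below min_cvss, most severe first."""
    hits = [(comp, ver, e["id"], severity(e["cvss"]), e["cvss"])
            for comp, ver in bom for e in feed
            if e["product"] == comp and affected(ver, e) and e["cvss"] >= min_cvss]
    return sorted(hits, key=lambda h: -h[4])

def new_alerts(previous_ids, bom, feed, min_cvss=0.0):
    """For the recurring comparison: only hits whose id has not been alerted on yet."""
    return [h for h in match_bom(bom, feed, min_cvss) if h[2] not in previous_ids]
```

Running `match_bom(BOM, FEED, min_cvss=7.0)` on the constructed data yields the CRITICAL `barlog` hit followed by the HIGH `libfoo` hit; `bazz` 1.2.13 is past the affected range and is not reported.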
The following databases collectively provide the most comprehensive vulnerability data available and are all leveraged through the Black Duck Hub's lightweight open source vulnerability scanning, tracking, and monitoring solution.
The National Vulnerability Database (NVD)
The National Vulnerability Database (NVD) is a public resource, managed by the US government, tracking security vulnerabilities reported for all types of software. Black Duck leverages the information tracked in the NVD to help automate and manage open source security.
- Black Duck leverages the NVD to identify and send alerts about security vulnerabilities associated with open source components in use within your codebase
- Reported vulnerabilities include a severity ranking that can also be used to filter alerts and workflow
- Black Duck delivers NVD information during component selection and approval, enabling developers and approvers to have early visibility into any known security vulnerabilities
The NVD tracks vulnerability data for commonly used operating systems, applications, and software components, including OSS. It is the result of continuous collaboration between the software industry and the multi-agency Information Security Automation Program (ISAP). NVD is a product of the National Institute of Standards and Technology (NIST) Computer Security Division and is sponsored by the Department of Homeland Security’s National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).
The Open Source Vulnerability Database (OSVDB)
Founded in 2002, OSVDB is an independent and open source web-based vulnerability database aiming to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. Currently tracking over 120,980 vulnerabilities, spanning 198,973 products from 4,735 researchers, over 113 years, the project arguably has the most comprehensive open source-specific vulnerability data available today.
Run by Risk Based Security, in partnership with the Open Security Foundation, VulnDB is the most timely, high-quality vulnerability intelligence database, tracking:
- Over 118,000 vulnerabilities
- Vulnerabilities posted within 24 hours
- Deeper vulnerability data
With VulnDB embedded in the Black Duck Hub, customers will have automatic access to premium vulnerability intelligence mapped to the open source software they use.