
Worried about Open Source Vulnerabilities?

If you don’t know what open source is in your code, you’re leaving yourself exposed.

With over 3,000 new open source vulnerabilities discovered every year, open source application security is clearly no place to cut corners. When vulnerabilities are disclosed, the race is on between you and hackers looking to exploit your applications and containers.

If you don’t already know what’s in your code, you may lose that race.


Which Approach Should You Choose?

There are different approaches to identifying, tracking and managing open source usage and risks, but you need to choose wisely or you risk being blindsided by open source vulnerabilities that enter your code untracked and under the radar.


The comparison below covers three approaches: Do it Yourself, Discount Tool and Black Duck Hub.

How it works
  Do it Yourself: MANUAL TRACKING. Development teams track open source use in spreadsheets. They research vulnerabilities manually in the National Vulnerability Database (NVD).
  Discount Tool: AUTOMATED CATALOGING. Limited-capability, deeply discounted tools automate the spreadsheet process by scanning package/build manifests (e.g. Maven POM files), identifying only the declared open source and mapping it to CVEs.
  Black Duck Hub: AUTOMATED DEEP SCANNING. Hub provides full source and binary scanning that identifies all open source (even modified code) used in apps & containers and maps vulnerabilities using multiple databases, including NVD and VulnDB.

Integration into your continuous integration processes?
  Do it Yourself: NONE. Unless you build your own tools for analyzing source code or build artifacts, there is no practical way to support an agile, continuous integration development model.
  Discount Tool: LIMITED. Tools that rely solely on the package manifests only provide insight at the integration/packaging development stage.
  Black Duck Hub: COMPLETE. Black Duck scanning is fast and flexible and can be easily incorporated at any stage of the development lifecycle, giving you continuous insight.

Finds open source in your apps & containers?
  Do it Yourself: POOR. Spreadsheets rely on developers to keep them up to date and are usually incomplete and out of date.
  Discount Tool: LIMITED. The open source list is kept up to date, but only for components declared in the manifest files.
  Black Duck Hub: BEST. Full source and binary scanning identifies all open source used in apps & containers, including undeclared and modified code.

Finds known open source vulnerabilities?
  Do it Yourself: POOR. Manual research in the NVD only covers what the spreadsheet lists, and spreadsheets are usually incomplete and out of date.
  Discount Tool: POOR. Automated mapping to NVD CVE entries is more reliable than manual research, but only for declared open source, and not all vulnerabilities are listed in NVD.
  Black Duck Hub: BEST. Automated identification and mapping leveraging multiple vulnerability databases provides visibility and insight into more vulnerabilities than NVD alone.

Monitoring and alerts for newly reported vulnerabilities?
  Do it Yourself: NO. You have to manually track various news sources, which may or may not report vulnerabilities relevant to you.
  Discount Tool: MAYBE. Some products will provide CVE alerts for the open source they find, but many vulnerabilities do not appear in NVD for days or weeks after they are publicly reported.
  Black Duck Hub: YES. Hub provides continuous vulnerability monitoring with same-day alerts for most vulnerabilities.

Access to comprehensive open source project information, including licensing?
  Do it Yourself: POOR. Open source projects are stored in thousands of repositories, making effective manual research nearly impossible.
  Discount Tool: LIMITED. Tools often provide access to a database of open source project data, but it is often incomplete and limited to a small number of languages.
  Black Duck Hub: BEST. The Black Duck KnowledgeBase™ is the industry standard, with information on 1.5 million projects from over 2,400 global repositories, constantly maintained by a team of experts.

Access to comprehensive vulnerability information, including remediation guidance?
  Do it Yourself: POOR. The NVD is publicly accessible, but it can be difficult to search and the CVE entries difficult to interpret.
  Discount Tool: LIMITED. Most tools will automate the process of identifying NVD CVEs associated with the open source they identify, but NVD entries often do not provide the detailed remediation guidance needed to quickly resolve them.
  Black Duck Hub: BEST. Hub provides automated mapping to both NVD and VulnDB, which tracks 30% more vulnerabilities, lists vulnerabilities an average of 3 weeks earlier than NVD, and includes remediation guidance not contained in NVD.

Long Term Value
  Do it Yourself: POOR. Manual open source tracking is better than no tracking at all, but barely so. Over time, the labor cost far exceeds the realized value.
  Discount Tool: POOR. While better than a DIY approach, discount solutions miss many vulnerabilities because they miss open source.
  Black Duck Hub: BEST. With Black Duck you know what’s in your code and find the most vulnerabilities of any solution.

Period.
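To make the manifest-versus-deep-scanning distinction in the comparison concrete, here is an added example (not Black Duck's code): it parses a constructed pom.xml, maps the declared Maven coordinates to a constructed advisory list, and then recovers a vendored jar the manifest never mentions by content fingerprint, a deliberately simplified stand-in for full source and binary scanning. Every file, coordinate and advisory id in it is constructed for the illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed pom.xml: only the two declared dependencies are visible to a manifest scanner.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>libfoo</artifactId><version>1.2.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>libbar</artifactId><version>2.0.1</version></dependency>
  </dependencies>
</project>"""
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed advisory feed: Maven coordinates -> [(advisory id, affected versions)].
ADVISORIES = {
    ("org.example", "libfoo"): [("ADV-CONSTRUCTED-001", {"1.2.0", "1.2.1"})],
    ("org.example", "libbaz"): [("ADV-CONSTRUCTED-002", {"0.9.0"})],
}
# Constructed: a jar copied into lib/ by hand and never declared in the POM.
VENDORED_FILES = {"lib/vendored.jar": b"constructed-libbaz-0.9.0-bytes"}
# Constructed signature database: sha256 of known artifact bytes -> coordinates.
SIGNATURES = {hashlib.sha256(b"constructed-libbaz-0.9.0-bytes").hexdigest(): ("org.example", "libbaz", "0.9.0")}


def declared_components(pom_text):
    """Manifest cataloging: (groupId, artifactId, version) for each declared dependency."""
    root = ET.fromstring(pom_text)
    return [(d.findtext("m:groupId", namespaces=NS), d.findtext("m:artifactId", namespaces=NS),
             d.findtext("m:version", namespaces=NS)) for d in root.findall(".//m:dependency", NS)]


def fingerprint_components(files):
    """Simplified stand-in for binary scanning: identify artifacts by content hash, not by manifest."""
    found = []
    for _path, data in files.items():
        coords = SIGNATURES.get(hashlib.sha256(data).hexdigest())
        if coords:
            found.append(coords)
    return found


def match_advisories(components):
    """Map identified components to advisories whose affected-version set contains the version."""
    hits = []
    for g, a, v in components:
        for adv_id, affected in ADVISORIES.get((g, a), []):
            if v in affected:
                hits.append((f"{g}:{a}:{v}", adv_id))
    return hits
```

Running `match_advisories` over `declared_components(POM_XML)` alone reports only libfoo; adding `fingerprint_components(VENDORED_FILES)` surfaces the undeclared libbaz advisory as well, which is the gap the table attributes to manifest-only tools.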


Go Deep or Go Home

What’s the point of spending money on an open source security solution if it doesn’t find all the open source you’re using, or the known vulnerabilities that come with it? You wouldn’t use antivirus software that did nothing but look at file names or registry entries to see if your system was infected. So why would you take that approach to finding and fixing open source vulnerabilities?

You need a solution that finds all open source in your code, not just the open source listed in package manifests. The only reliable way to do that is with deep automated scanning in Black Duck Hub.


Trusted by the World’s Largest Companies

Black Duck is the most trusted name in open source risk management, which is why companies like Intel, Samsung, Carbonite and others rely on us to help them secure and manage open source in their applications and containers. 


Be Agile and Confident with Black Duck Hub

Black Duck Hub integrates directly into your build environment and processes, enabling you to find and fix vulnerabilities at every stage of the development lifecycle. This approach reduces development time and cost, while providing the best protection against open source risks.

  • Fast scanning of source and binary files to find all the open source you are using, not just what’s declared in your packages.
  • Integration with continuous integration tools including Jenkins, TeamCity and more, using API and CLI interfaces.
  • Automated open source identification for the most common languages, including C, C++, C#, Java, JavaScript, Python and Ruby.
  • Continuous monitoring and alerting for vulnerabilities reported against the open source you use.
  • Ability to identify component origins and applied patches, resulting in more accurate vulnerability reports.
  • Full-stack support for Docker container scanning, from the OS to the application layers.