Black Duck, HPE Partner to Protect Open Source

By: Tony Bradley on July 28, 2016 2 Comments

Open-source software has a number of significant benefits. For starters, it’s both free, which is hard to beat, and open, which means developers can customize or modify it to fit their needs. One issue with open-source software, however, is security. Black Duck has established itself as a leading tool for managing security of open-source tools—and now that protection is extended to HPE Security Fortify.

“Use of open source has increased dramatically in the last five years because it cuts development costs and accelerates time to market. Open source is ubiquitous worldwide and can comprise 50 percent or more of a large organization’s code base,” noted Black Duck CEO Lou Shipley in a press release announcing the HPE integration. “By integrating Black Duck Hub with HPE Security Fortify, customers will have visibility into and control of the open source they are using and also be able to identify known vulnerabilities. This allows them to better understand and reduce their security risks.”

Black Duck lists a variety of key features and benefits of the HPE Security Fortify integration:

  • Deep Discovery of Open Source: Rapid scanning and identification of open-source libraries, versions, license and community activity powered by the Black Duck KnowledgeBase, a comprehensive open-source database containing information on more than 1.5 million open-source projects and more than 76,000 known open-source vulnerabilities.
  • Comprehensive Identification of Open Source Risks: Create an inventory of all open source in use and a map to known security vulnerabilities, identifying and prioritizing the severity of the vulnerability and exploring remediation steps.
  • Integrated Remediation Orchestration and Policy Enforcement: Open-source vulnerability remediation prioritization, mitigation guidance and automated policy management, allowing organizations to have visibility into their remediation efforts and manage their external and internal compliance mandates.
  • Continuous Monitoring for New Security Vulnerabilities: Ongoing monitoring and alerting on newly reported open-source security vulnerabilities.
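The four bullets above describe the core loop of any software-composition-analysis tool: build an inventory of third-party components, map it against a feed of known vulnerabilities, rank and prioritise the hits, gate on policy, and re-run the comparison as new advisories arrive. The following is an added illustration of that loop in plain Python; it is not Black Duck Hub or HPE Security Fortify code, and every package name, version, vulnerability identifier and severity in it is constructed for the example (the `VULN-PLACEHOLDER-*` IDs stand in for real advisory numbers, which the article does not list). The manifest format (`name==version`) and the version-range semantics (introduced inclusive, fixed exclusive) are assumptions chosen to keep the example self-contained.

```python
"""Added example (not Black Duck or HPE code): a minimal software-composition
check.  Builds an inventory of third-party components, maps it against a
vulnerability feed, ranks findings by severity, applies a policy gate and
flags advisories that were not present in the previous report.  All data
below is constructed for illustration."""

from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    vuln_id: str          # placeholder identifier, not a real CVE
    package: str
    introduced: str       # first affected version (inclusive)
    fixed: Optional[str]  # first fixed version (exclusive); None = no fix yet
    severity: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def is_affected(component: Component, adv: Advisory) -> bool:
    """True when the component's version falls inside the advisory's affected range."""
    if component.name != adv.package:
        return False
    ver = parse_version(component.version)
    if ver < parse_version(adv.introduced):
        return False
    return adv.fixed is None or ver < parse_version(adv.fixed)


def parse_inventory(manifest: str) -> List[Component]:
    """Parse a pinned 'name==version' manifest (assumed format) into an inventory."""
    comps = []
    for line in manifest.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, _, version = line.partition("==")
        comps.append(Component(name.strip(), version.strip()))
    return comps


def find_vulnerabilities(inventory: List[Component], feed: List[Advisory]):
    """Map inventory to known advisories; highest severity first, then by name."""
    findings = [(c, a) for c in inventory for a in feed if is_affected(c, a)]
    findings.sort(key=lambda f: (-SEVERITY_RANK[f[1].severity], f[0].name))
    return findings


def enforce_policy(findings, block_at: str = "high") -> Tuple[bool, List[str]]:
    """Policy gate: (allowed, blocking_ids).  Fails on anything at or above block_at."""
    threshold = SEVERITY_RANK[block_at]
    blocking = [a.vuln_id for _, a in findings if SEVERITY_RANK[a.severity] >= threshold]
    return (len(blocking) == 0, blocking)


def newly_reported(findings, known_ids: Set[str]):
    """Continuous monitoring: findings whose advisory was not in the last report."""
    return [(c, a) for c, a in findings if a.vuln_id not in known_ids]


def remediation_hint(component: Component, adv: Advisory) -> str:
    if adv.fixed:
        return f"upgrade {component.name} {component.version} -> {adv.fixed}"
    return f"no fixed release yet for {component.name}; mitigate or isolate"


# Constructed sample data: not a real project, not real advisories.
SAMPLE_MANIFEST = """
# constructed manifest
libfoo==1.4.2
libbar==2.0.0
libbaz==0.9.1
"""

SAMPLE_FEED = [
    Advisory("VULN-PLACEHOLDER-1", "libfoo", "1.0.0", "1.4.3", "critical"),
    Advisory("VULN-PLACEHOLDER-2", "libbaz", "0.5.0", None, "medium"),
    Advisory("VULN-PLACEHOLDER-3", "libbar", "1.0.0", "2.0.0", "high"),  # already fixed at 2.0.0
]

if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_MANIFEST)
    found = find_vulnerabilities(inv, SAMPLE_FEED)
    for comp, adv in found:
        print(adv.severity.upper(), adv.vuln_id, remediation_hint(comp, adv))
    ok, blocking = enforce_policy(found)
    print("policy:", "PASS" if ok else "FAIL (" + ", ".join(blocking) + ")")
    print("new since last report:", [a.vuln_id for _, a in newly_reported(found, {"VULN-PLACEHOLDER-2"})])
```

Two details matter in practice and are the usual sources of false results in home-grown checks: versions must be compared numerically (`1.10.0` is newer than `1.9.0`, which a string comparison gets wrong), and a component pinned at exactly the fixed version is not affected, which is why the fixed bound is exclusive. The "known IDs" set passed to `newly_reported` is what turns a one-off scan into the ongoing monitoring the last bullet describes.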

The problem with open-source software security isn’t the software itself—at least not in my opinion. It’s ownership and responsibility. With proprietary software there is no question of who is responsible for addressing any vulnerabilities and developing the necessary patches. But with an open-source project, where hundreds or thousands of developers are contributing to a single platform or application, nobody is truly responsible and, yet, everybody is.

Don’t get me wrong. In most cases and with most open-source applications flaws are addressed and fixes are developed and deployed very quickly. With some open-source code, though, that is not the case. Ultimately, the burden for ensuring that open-source applications are secure falls on the IT managers at the companies using the software.

An even bigger issue than open-source applications themselves is the use of code modules or snippets within other applications. Again, there is a huge benefit to being able to “crowdsource” code and leverage what you need from an open-source community, but if a critical vulnerability is later discovered and fixed in the originating code you also have to take responsibility for updating it in your custom code that uses it.

Jason Schmitt, vice president and general manager for HPE Security Fortify at Hewlett Packard Enterprise, said, “This integration with Black Duck complements our existing secure development and security testing solutions by providing the ability to view the results of open-source scanning alongside application security testing results to deliver a more complete and effective approach to managing application security.”

Open-source software is just about everywhere, which is why IBM, Microsoft, Red Hat, Docker and now HPE all have embraced the Black Duck Hub. Black Duck may not be the only option on the table, but it is the open-source security option that seems to have the most traction right now.

Filed Under: Features Tagged With: black duck, HPE Security Fortify, open source software, vulnerability scanning
