Open-source software has significant benefits. It is free, which is hard to beat, and open, which means developers can inspect, customize or modify it to fit their needs. Its weak point is security, or more precisely knowing which open-source components you are running and which known vulnerabilities they carry. Black Duck has established itself as a leading tool for managing the security of open-source components, and that capability is now being extended into HPE Security Fortify.
“Use of open source has increased dramatically in the last five years because it cuts development costs and accelerates time to market. Open source is ubiquitous worldwide and can comprise 50 percent or more of a large organization’s code base,” noted Black Duck CEO Lou Shipley in a press release announcing the HPE integration. “By integrating Black Duck Hub with HPE Security Fortify, customers will have visibility into and control of the open source they are using and also be able to identify known vulnerabilities. This allows them to better understand and reduce their security risks.”
Black Duck lists a variety of key features and benefits of the HPE Security Fortify integration:
- Deep Discovery of Open Source: Rapid scanning and identification of open-source libraries, their versions, licenses and community activity, powered by the Black Duck KnowledgeBase, a comprehensive open-source database containing information on more than 1.5 million open-source projects and more than 76,000 known open-source vulnerabilities.
- Comprehensive Identification of Open Source Risks: Create an inventory of all open source in use, map it to known security vulnerabilities, identify and prioritize each vulnerability by severity, and explore remediation steps.
- Integrated Remediation Orchestration and Policy Enforcement: Open-source vulnerability remediation prioritization, mitigation guidance and automated policy management, allowing organizations to have visibility into their remediation efforts and manage their external and internal compliance mandates.
- Continuous Monitoring for New Security Vulnerabilities: Ongoing monitoring and alerting on newly reported open-source security vulnerabilities.
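The list above describes what a software composition analysis tool does at its core: keep an inventory of components and versions, match each one against a feed of known vulnerabilities using affected-version ranges, rank the hits by severity, and on later runs alert only on what is new. The example below is added here to make that concrete; it is not Black Duck or HPE Security Fortify code, and the component names, versions and advisory identifiers (`ADV-000x`) are constructed for the example and refer to no real project or CVE. Version comparison assumes plain dotted numeric versions, which real ecosystems (semver, PEP 440) complicate.

```python
"""Added example, not Black Duck or HPE code: inventory -> known-vulnerability
mapping, severity prioritisation, and new-only alerting for continuous monitoring.
All data below is constructed for the example."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed inventory: component name -> version actually in use (fictional names).
INVENTORY: Dict[str, str] = {
    "acme-parser": "2.3.1",
    "widget-http": "1.0.9",
    "toolkit-crypto": "4.2.0",
}

# Constructed advisory feed. 'introduced' is the first affected version (inclusive),
# 'fixed' the first fixed version (exclusive) or None if no fix exists yet.
# Severity is on a 0-10 scale like CVSS. The ids are placeholders, not real CVEs.
ADVISORIES: List[dict] = [
    {"id": "ADV-0001", "component": "acme-parser", "introduced": "2.0.0", "fixed": "2.3.4", "severity": 9.8},
    {"id": "ADV-0002", "component": "acme-parser", "introduced": "1.0.0", "fixed": "2.1.0", "severity": 5.3},
    {"id": "ADV-0003", "component": "widget-http", "introduced": "1.0.0", "fixed": None, "severity": 7.5},
    {"id": "ADV-0004", "component": "toolkit-crypto", "introduced": "3.0.0", "fixed": "4.1.2", "severity": 6.1},
]


def parse_version(version: str) -> tuple:
    """Dotted numeric version -> comparable tuple, padded so 2.3 == 2.3.0.
    Assumption: no pre-release or build suffixes."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (or version >= introduced and no fix)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    component: str
    version: str
    severity: float
    fixed_in: Optional[str]

    def remediation(self) -> str:
        """Mitigation guidance: upgrade target if one exists, otherwise flag for mitigation."""
        if self.fixed_in is None:
            return f"no fixed release yet; mitigate or replace {self.component}"
        return f"upgrade {self.component} {self.version} -> {self.fixed_in}"


def match_inventory(inventory: Dict[str, str], advisories: Iterable[dict]) -> List[Finding]:
    """Map each inventoried component to the advisories affecting its version, highest severity first."""
    findings = []
    for adv in advisories:
        version = inventory.get(adv["component"])
        if version is not None and is_affected(version, adv["introduced"], adv["fixed"]):
            findings.append(Finding(adv["id"], adv["component"], version, adv["severity"], adv["fixed"]))
    return sorted(findings, key=lambda f: f.severity, reverse=True)


def new_findings(findings: Iterable[Finding], already_reported: Set[str]) -> List[Finding]:
    """Continuous monitoring: a re-run against an updated feed alerts only on unseen advisory ids."""
    return [f for f in findings if f.advisory_id not in already_reported]


if __name__ == "__main__":
    current = match_inventory(INVENTORY, ADVISORIES)
    for f in current:
        print(f"{f.severity:>4}  {f.advisory_id}  {f.component} {f.version}: {f.remediation()}")
    # Later run: ADV-0001 was already triaged, so only ADV-0003 is reported as new.
    for f in new_findings(current, {"ADV-0001"}):
        print("NEW:", f.advisory_id)
```

Note that `acme-parser 2.3.1` is flagged for ADV-0001 but not ADV-0002, because 2.3.1 is already past that advisory's fixed version; version-range logic, not a name match, is what keeps the report from drowning in stale advisories.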
The problem with open-source software security isn't the software itself, at least not in my opinion. It's ownership and responsibility. With proprietary software there is no question about who is responsible for addressing vulnerabilities and shipping the necessary patches: the vendor. With an open-source project to which hundreds or thousands of developers contribute, nobody is formally responsible and yet everybody is.
Don't get me wrong. In most cases, and with most open-source applications, flaws are addressed and fixes are developed and released very quickly. With some open-source code, though, that is not the case, and in every case a fix only helps once someone notices it and deploys it. Ultimately, the burden of ensuring that open-source applications are secure falls on the IT managers at the companies using the software.
An even bigger issue than standalone open-source applications is open-source code embedded in other applications: libraries pulled in as dependencies, and modules or snippets copied directly into a code base. Again, there is a huge benefit to being able to "crowdsource" code and take what you need from an open-source community, but a copied snippet does not receive upstream fixes on its own. If a critical vulnerability is later discovered and fixed in the originating code, you are responsible for finding every place your own code carries that snippet and updating it.
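Finding copied snippets is harder than checking a dependency manifest, because a pasted function carries no version metadata and is often reformatted. The example below, added here, illustrates one way to do it: fingerprint runs of normalised source lines from the known upstream releases, look those fingerprints up in the application's code, and use the lines that changed in the upstream fix to tell a pre-fix copy from a post-fix one. It is not Black Duck or HPE code and is not a description of how the Black Duck KnowledgeBase performs its matching; `acme-parser`, both release texts and the application file are constructed for the example, and the normaliser assumes Python-style `#` comments with no `#` inside string literals.

```python
"""Added example, not Black Duck or HPE code: detect an open-source function
copied into application code by k-line fingerprinting, and decide whether the
copy predates the upstream fix. All source text below is constructed."""
import hashlib
import re
from typing import Dict, Set, Tuple

# Constructed pre-fix release of a fictional library. The later release tightens
# the bounds check in read_record by one byte; checksum() is unchanged.
ACME_PARSER_2_3_1 = """
def read_record(buf, offset, length):
    # bounds check as shipped in the pre-fix release
    if offset + length > len(buf) + 1:
        raise ValueError("out of range")
    return buf[offset:offset + length]

def checksum(data):
    total = 0
    for b in data:
        total = (total + b) % 256
    return total
"""

# Constructed post-fix release.
ACME_PARSER_2_3_4 = """
def read_record(buf, offset, length):
    if offset + length > len(buf):
        raise ValueError("out of range")
    return buf[offset:offset + length]

def checksum(data):
    total = 0
    for b in data:
        total = (total + b) % 256
    return total
"""

# Constructed application file: read_record was pasted from the pre-fix release
# and reformatted by hand, so a file hash or exact text match would miss it.
APP_VENDORED_OLD = """
import struct

def parse_header(buf):
    return struct.unpack_from(">I", buf, 0)[0]

# vendored from acme-parser, reformatted
def read_record( buf, offset, length ):
    if offset + length > len( buf ) + 1 :
        raise ValueError( "out of range" )
    return buf[ offset : offset+length ]
"""

Corpus = Dict[Tuple[str, str], str]  # (component, version) -> source text


def normalise(src: str) -> list:
    """Drop '#' comments and all whitespace so cosmetic edits do not defeat matching.
    Assumption: Python-style comments, no '#' inside string literals."""
    out = []
    for line in src.splitlines():
        line = re.sub(r"\s+", "", line.split("#", 1)[0])
        if line:
            out.append(line)
    return out


def fingerprints(src: str, k: int = 3) -> Set[str]:
    """SHA-256 of every run of k consecutive normalised lines (a k-line shingle)."""
    lines = normalise(src)
    return {hashlib.sha256("\n".join(lines[i:i + k]).encode()).hexdigest()
            for i in range(len(lines) - k + 1)}


def classify_copy(app_src: str, corpus: Corpus, component: str,
                  vulnerable_version: str, fixed_version: str) -> str:
    """Shingles shared by both releases prove copying but not the version;
    shingles unique to one release pin down which side of the fix was copied."""
    app = fingerprints(app_src)
    vuln = fingerprints(corpus[(component, vulnerable_version)])
    fixed = fingerprints(corpus[(component, fixed_version)])
    if app & (vuln - fixed):
        return "vulnerable copy"
    if app & (fixed - vuln):
        return "fixed copy"
    if app & (vuln & fixed):
        return "copied, version indeterminate"
    return "no match"


CORPUS: Corpus = {
    ("acme-parser", "2.3.1"): ACME_PARSER_2_3_1,
    ("acme-parser", "2.3.4"): ACME_PARSER_2_3_4,
}

if __name__ == "__main__":
    print(classify_copy(APP_VENDORED_OLD, CORPUS, "acme-parser", "2.3.1", "2.3.4"))
```

The reformatted `read_record` in the application still shares two 3-line shingles with the pre-fix release and none with the post-fix one, so it is reported as a vulnerable copy; a file that copied only the unchanged `checksum` function is reported as copied but of indeterminate version, which is the honest answer when the copied lines were not touched by the fix.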
Jason Schmitt, vice president and general manager for HPE Security Fortify at Hewlett Packard Enterprise, said, “This integration with Black Duck complements our existing secure development and security testing solutions by providing the ability to view the results of open-source scanning alongside application security testing results to deliver a more complete and effective approach to managing application security.”
Open-source software is just about everywhere, which is why IBM, Microsoft, Red Hat, Docker and now HPE all have embraced the Black Duck Hub. Black Duck may not be the only option on the table, but it is the open-source security option that seems to have the most traction right now.