Frogs and Ducks, Your Sentinels for Open Source Security

Black Duck Software creates products to secure and manage open source in applications and containers, eliminating pain related to open source security vulnerabilities and license compliance. The Tenth Annual Future of Open Source Survey they conducted in 2016, provided the numbers to prove many things about open source that we already knew.

First and foremost, “everyone” is using open source, or as the survey results state…

“Ubiquitous worldwide open source software development IS the rule.”

The survey also revealed that the main driver for using open source is freedom from vendor lock-in. This is also one of JFrog’s main drivers and the reason that everything we create is universal:

Artifactory, the universal artifact repository manager

Bintray, the universal software distribution platform,

Xray, for universal artifact analysis,

Mission Control for universal repository management.

Most organizations use open source blindly

But the survey also showed that most organizations lack visibility and control of their open source software. Open source enters and propagates within organizations’ application code through many known and unknown sources, including developers, vendors, and outside contractors. Open source audits conducted by Black Duck On-Demand services find that, on average, companies are using twice as much open source as they were previously aware of, and 67% of applications contain known open source vulnerabilities.

You need a process to see the light

To lift the “fog” around open source usage, organizations need a number of automated and repeatable process, which in most cases, don’t exist. These include:

• Detection and approval of new open source as it enters a code stream
• Taking inventory and tracking the use of open source software within their code base and Docker containers
• Identifying or monitoring known open source vulnerabilities (like Heartbleed, ShellShock, etc.) associated with the open source software they use
• Orchestration or tracking of risk remediation efforts over time
• Assessment of litigation and intellectual property (IP) risks that can arise with the use of open source software with incompatible license terms.
• Audit and enforcement of open source security policies and license compliance.

All these processes are now much easier to implement with Black Duck Hub integrated into JFrog Xray and with Black Duck’s Binary Repository Integration plugins for JFrog Artifactory

Xray lights the way forward with Black Duck Hub

Xray’s deep recursive scanning takes packages in your Artifactory repositories and drills down to the deepest levels to identify all the open source dependencies you are using. Xray cross-references those dependencies with its global database of vulnerabilities which is aggregated from different sources.

Black Duck Hub provides organizations with open source risk management throughout their Software Development Lifecycle (SDLC) – including IDE, SCM, build, CI, binary repositories and Docker containers.

Through Xray’s integration with Black Duck Hub, you can vastly extend the vulnerability database to include Black Duck’s comprehensive KnowledgeBase (™) of over 2,000,000 open source projects and 150,000 vulnerabilities. All you need to do is enter your Black Duck credentials in Xray’s Integration module.

Black Duck’s integration with JFrog Artifactory and Xray allows organizations to manage both the build output scanning and repository inspection at different levels in the SDLC. At the repository level with Artifactory Pro or outside the formal SDLC process with Xray. The Build output scanner plugin provides the ability to monitor builds and provide risk information earlier in the development process, when developer builds need to be monitored, for example.  The Repository inspector plug-in provides the ability to monitor artifacts when enterprises have multiple disparate SDLC toolsets and uniform integration across all toolsets is not possible. Integration of Black Duck Hub into Xray also provides similar functionality through Xray. Xray scans builds and artifacts in your repositories according to Watches you define, cross-referencing those artifacts with its global database in conjunction with the Black Duck KnowledgeBase to identify issues and vulnerabilities, after which it can then generate corresponding Alerts for remediation.

Combining the power of JFrog Xray and JFrog Artifactory with Black Duck Hub allows organizations to eliminate open source security vulnerabilities, meet license compliance obligations and limit operational risk.

Identify Components and Open Source Security Risks

Xray automatically tracks open source used by components and Docker images in your Artifactory repositories. It maps those components to those with known open source security vulnerabilities reported in its global database and by Black Duck’s KnowledgeBase, and monitors for license and component quality risks.

Automate Remediation and Policy Enforcement

Easily enforce open source license policies using license filters defined in Watches, and streamline enforcement by intervening early on in automated CI processes if vulnerabilities are detected in builds.

Continuously Monitor Apps for New Vulnerabilities

Both Xray’s global database and Black Duck’s KnowledgeBase aggregate multiple vulnerability data feeds so you can get same-day alerts for new vulnerabilities that are detected in your production apps. Notifications can be issued through the Xray UI, via email or by invoking webhooks

With Xray and Black Duck guarding your gates, your usage of open source software is placed under the spotlight. You are fully aware all open source components used by your organization, vulnerabilities can be detected and remediated early on in the SDLC, you are quickly notified when new vulnerabilities, that may be lurking in your production systems, are detected, and using open source will not only be ubiquitous, it will also be safe.