The world of open source is trying to be more proactive about protecting its software and protocols, but what can enterprises do to determine if the open source code in their code base has a known flaw?
Black Duck Software attempts to address that question with Black Duck Hub, a system that allows enterprise developers and code auditors to continuously audit the use of third-party open source code for known vulnerabilities.
Black Duck Hub scans existing code bases to create a bill of materials that identifies all third-party open source code used. The bill of materials not only identifies the code and any licensing requirements that go with it, it is also used by Black Duck to verify whether the code has known vulnerabilities, courtesy of its own knowledge base.
"To each of the components we've scanned, we're mapping metadata around the licenses attached to the software, as well as whether or not there are any security vulnerabilities in that particular version of that component,"said Bill Ledingham, CTO and executive VP of engineering at Black Duck.
"A big focus for the product is allowing companies to easily scan their code by having integrations of this product with other tools in their infrastructure," Ledingham said, citing Jenkins as one such tool. Scans can be kicked off whenever new code is checked in and built for a given source code base.
Black Duck determines the quality of a given open source component based on multiple factors, Ledingham said. In addition to scanning and correlating against the existing databases of known software vulnerabilities, the company evaluates other factors that might mitigate or aggravate a given vulnerability -- for example, whether the application using the code is on the public Internet, how quickly previous issues with the same code have been mitigated, and so on. This way, Ledingham claims, a company can make more sense of its triage and remediation efforts.
The number of Black Duck Hub beta customers that are creating open source products, rather than only using the software internally, is industry-specific, Ledingham said. "With industries like financial services, their concern is more around internal applications that they have, where they use a lot of open source, and have their customers use on websites." Vulnerabilities in the Web frameworks used are potentially dangerous.
For technology and software companies, the issues are more in the software supply chain, according to Ledingham. "A lot of the products they're selling and distributing may have a lot of open source content, and a lot of other third-party technology that's being used there may have open source content." The more products are publicly connected and used, he said, the greater the concern to not be relying on a vulnerable component -- such as a car's in-dash entertainment system that's accessible by a smartphone app.