Third-party and open source code make up a large share of modern applications and container images, but organizations rarely give that code the scrutiny they give their own. Ordinary SAST and DAST tools are poorly suited to the problem: SAST analyses the source you write and DAST probes the running application, but neither inventories the components you ship or checks them against known-vulnerability and license data. That is the job of a software composition analysis (SCA) tool such as Black Duck®, which analyses third-party open source code for vulnerabilities, license compliance, and operational factors.
Comprehensive Scanning of Applications & Containers
Black Duck scans your application or container image and produces a comprehensive and accurate software bill of materials (SBOM) that goes beyond what is declared in package manifests, using multifactor open source detection and the Synopsys KnowledgeBase, which is sourced and curated by the Synopsys Cybersecurity Research Center (CyRC). The KnowledgeBase contains more than 2,650 unique open source licenses (GPL, LGPL, Apache, and others), with full license text for the most popular ones and dozens of encoded attributes and obligations for each license.
Earlier Notification of Vulnerabilities Than NVD
Black Duck Security Advisories provide same-day notification of most vulnerabilities, often weeks before they are published in the National Vulnerability Database (NVD). Each advisory includes exploit information, remediation guidance, severity scoring, and call path analysis (whether your application's code actually reaches the vulnerable function), so your team can find and prioritize the vulnerabilities that matter rather than every vulnerability in every component.
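To make the call-path point concrete, here is an added example (written for this page, not Black Duck's own analysis) of how reachability changes prioritization. The call graph, the entry point `app.main`, the component functions and the advisories below are all constructed sample data with placeholder identifiers, not real CVEs; a real tool derives the graph from bytecode or source analysis.

```python
"""Added example: prioritising SCA advisories by call-path reachability.

Illustrative code written for this page, not Black Duck's analysis.
The call graph, entry point and advisories are constructed sample data.
"""
from collections import deque
from typing import Dict, List, Optional

# Constructed call graph: caller -> callees. "app.*" are the application's
# own functions; the rest belong to third-party components (prefix = package).
CALL_GRAPH: Dict[str, List[str]] = {
    "app.main": ["app.handle_upload", "app.render_report"],
    "app.handle_upload": ["imgkit.decode_png", "app.store"],
    "app.render_report": ["templating.render"],
    "app.store": [],
    "imgkit.decode_png": ["imgkit.inflate_chunk"],
    "imgkit.inflate_chunk": [],
    "templating.render": ["templating.escape"],
    "templating.escape": [],
    # Shipped inside the components but never called by the application:
    "imgkit.decode_tiff": ["imgkit.parse_ifd"],
    "imgkit.parse_ifd": [],
    "yamlparse.load_unsafe": [],
}

ENTRY_POINTS = ["app.main"]

# Constructed advisories with placeholder IDs (hypothetical, not real CVEs).
ADVISORIES = [
    {"id": "SAMPLE-1", "component": "imgkit",
     "vulnerable_function": "imgkit.parse_ifd", "severity": 9.8},
    {"id": "SAMPLE-2", "component": "imgkit",
     "vulnerable_function": "imgkit.inflate_chunk", "severity": 7.5},
    {"id": "SAMPLE-3", "component": "yamlparse",
     "vulnerable_function": "yamlparse.load_unsafe", "severity": 9.1},
    {"id": "SAMPLE-4", "component": "templating",
     "vulnerable_function": "templating.escape", "severity": 5.3},
]


def find_call_path(graph: Dict[str, List[str]], entry_points: List[str],
                   target: str) -> Optional[List[str]]:
    """Breadth-first search from the entry points; returns the shortest
    call path ending at `target`, or None when the function is unreachable."""
    parent: Dict[str, Optional[str]] = {e: None for e in entry_points}
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        if node == target:
            path: List[str] = []
            cur: Optional[str] = node
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for callee in graph.get(node, []):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return None


def prioritize(advisories, graph, entry_points):
    """Attach reachability and call path to each advisory, then order the
    list: reachable first, and within each group by descending severity."""
    ranked = []
    for adv in advisories:
        path = find_call_path(graph, entry_points, adv["vulnerable_function"])
        ranked.append({**adv, "reachable": path is not None, "call_path": path})
    ranked.sort(key=lambda a: (not a["reachable"], -a["severity"]))
    return ranked


if __name__ == "__main__":
    for adv in prioritize(ADVISORIES, CALL_GRAPH, ENTRY_POINTS):
        status = " -> ".join(adv["call_path"]) if adv["reachable"] else "not reachable"
        print(f"{adv['id']} {adv['component']} CVSS {adv['severity']}: {status}")
```

Note that the two highest-scoring advisories end up last: their vulnerable functions sit in code the application never calls, so they are lower priority than the reachable 7.5 despite their scores.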
Synopsys was also named a Leader in the 2021 Gartner Magic Quadrant for Application Security Testing (AST), for the fifth year in a row.
Compliance With Open Source Licenses
Black Duck provides obligation summaries of license requirements so that development and legal teams can assess the impact of using a component in their application. It flags components whose license cannot be matched against its KnowledgeBase of 2,700 licenses, as well as potential license conflicts between components whose obligations are incompatible.
Enforce Open Source Compliance Across the SDLC
Black Duck integrates across the software development life cycle (SDLC): IDEs, package managers, CI/CD pipelines, issue trackers, and production environments.
To enforce open source governance, Black Duck's automated policy management lets you define policies for open source use, security risk, and license compliance up front (for example, failing a build when a component carries a critical vulnerability or a license your legal team has not approved) and then applies them automatically at every stage of the SDLC.
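The following added example shows the kind of rule such a policy expresses and how a CI job enforces it. It is illustrative code written for this page, not Black Duck's policy engine or API: it evaluates a CycloneDX SBOM against a small policy (denied licenses, undeclared licenses, and vulnerability severity thresholds) and returns a non-zero exit code when anything violates it. The SBOM is constructed sample data and the vulnerability identifiers are placeholders, not real CVEs.

```python
"""Added example: a CI policy gate over a CycloneDX SBOM.

Illustrative code written for this page; not Black Duck's policy engine.
The SBOM below is constructed sample data with placeholder vulnerability IDs.
"""
import json
import sys
from typing import Dict, List

# Constructed CycloneDX 1.4 JSON: four components, two vulnerabilities.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lib-a", "version": "1.2.3",
         "bom-ref": "pkg:npm/lib-a@1.2.3",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "lib-b", "version": "0.9.0",
         "bom-ref": "pkg:npm/lib-b@0.9.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "lib-c", "version": "2.0.0",
         "bom-ref": "pkg:npm/lib-c@2.0.0"},  # no license declared at all
        {"type": "library", "name": "lib-d", "version": "4.1.0",
         "bom-ref": "pkg:npm/lib-d@4.1.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ],
    "vulnerabilities": [
        {"id": "SAMPLE-0001",  # placeholder, not a real CVE
         "ratings": [{"severity": "high", "score": 8.1, "method": "CVSSv3"}],
         "affects": [{"ref": "pkg:npm/lib-d@4.1.0"}]},
        {"id": "SAMPLE-0002",  # placeholder, not a real CVE
         "ratings": [{"severity": "medium", "score": 5.3, "method": "CVSSv3"}],
         "affects": [{"ref": "pkg:npm/lib-a@1.2.3"}]},
    ],
})

# Policy defined up front; the same rules run at every SDLC stage.
POLICY = {
    "denied_licenses": {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"},
    "fail_on_severities": {"critical", "high"},
    "require_known_license": True,
}


def component_licenses(component: Dict) -> List[str]:
    """Collect SPDX ids, names or expressions declared for a component."""
    found = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        value = lic.get("id") or lic.get("name") or entry.get("expression")
        if value:
            found.append(value)
    return found


def evaluate(sbom_json: str, policy: Dict) -> List[Dict[str, str]]:
    """Return one violation record per rule breach found in the SBOM."""
    sbom = json.loads(sbom_json)
    by_ref = {c["bom-ref"]: c for c in sbom.get("components", [])}
    violations: List[Dict[str, str]] = []

    for comp in by_ref.values():
        label = f"{comp['name']}@{comp['version']}"
        licenses = component_licenses(comp)
        if policy["require_known_license"] and not licenses:
            violations.append({"rule": "unknown-license", "component": label,
                               "detail": "no license declared in SBOM"})
        for lic in licenses:
            if lic in policy["denied_licenses"]:
                violations.append({"rule": "denied-license", "component": label,
                                   "detail": lic})

    for vuln in sbom.get("vulnerabilities", []):
        severities = {r.get("severity", "").lower() for r in vuln.get("ratings", [])}
        hit = severities & policy["fail_on_severities"]
        if not hit:
            continue  # below the threshold: reported elsewhere, does not block
        for affected in vuln.get("affects", []):
            comp = by_ref.get(affected.get("ref"))
            label = f"{comp['name']}@{comp['version']}" if comp else affected.get("ref", "?")
            violations.append({"rule": "vulnerability", "component": label,
                               "detail": f"{vuln['id']} ({', '.join(sorted(hit))})"})
    return violations


def gate(sbom_json: str, policy: Dict) -> int:
    """Print violations and return the process exit code (0 pass, 1 fail)."""
    violations = evaluate(sbom_json, policy)
    for v in violations:
        print(f"[{v['rule']}] {v['component']}: {v['detail']}")
    return 1 if violations else 0


if __name__ == "__main__":
    # Usage: python gate.py sbom.json   (falls back to the sample SBOM)
    data = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SBOM
    sys.exit(gate(data, POLICY))
```

Run against the sample, the gate fails on three findings (the GPL-3.0-only component, the component with no declared license, and the high-severity vulnerability) and ignores the medium-severity one, which is exactly the distinction a policy makes between "block the build" and "track for remediation".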
Want to know whether Synopsys Black Duck will meet your needs? Lexington Soft will gladly provide a sales demo and proof of concept, conduct product evaluations, and even offer you a free trial.
Lexington Soft also offers the following software testing tools from Synopsys:
- Coverity – Static Application Security Testing (SAST)
- Black Duck – Software Composition Analysis (SCA)
- Seeker – Interactive Application Security Testing (IAST)
- Defensics – Fuzz Testing
- Web Scanner – Dynamic Application Security Testing (DAST)
- Code Dx – AppSec Automation Platform
Invest in software integrity to build trust into your software. Contact us today!