The number of open source vulnerabilities discovered each year never seems to stop growing, emphasizing the importance of developers addressing them quickly and efficiently. However, simply identifying vulnerabilities is insufficient; their sheer scale makes it necessary to have an intelligent way of understanding which ones need to be fixed first to decrease the risk of a breach. For development teams in this environment, remediation prioritization and broad vulnerability coverage are critical. Enter Black Duck® Security Advisories (BDSA).
Black Duck Security Advisories are highly detailed open source vulnerability records that are hand-crafted by the Synopsys Cybersecurity Research Center (CyRC). Black Duck delivers advisories that provide actionable advice and details about vulnerabilities affecting items in your software Bill of Materials (BOM). Leveraging these advisories ensures that you have the necessary data points to completely understand a vulnerability and assess the risk it poses to your organization.
CyRC provides vulnerability alerts based specifically on a Black Duck customer’s BOM. In other words, customers receive vulnerability information specific and relevant to their applications and projects. Armed with these actionable and detailed advisories, customers can identify vulnerable components, assess the risk they pose, and perform fixes when necessary.
In order to provide the most robust vulnerability data to customers, CyRC starts by analyzing multiple sources of vulnerability information. This process occurs daily.
CyRC focuses on three types of sources:
Given the sheer scale of data collected, an efficient triage process is critical. CyRC sorts the collected data and filters out any noise or duplication. After sorting through the data, the remainder is prioritized based on how often the affected open source components appear on Black Duck customers’ BOMs. Finally, the data is assigned to a team of vulnerability analysts.
The vulnerability analysts perform two key functions:
The quality of information provided in BDSAs is unmatched. The Vulnerability Analyst team has a rigorous set of established quality standards and guidelines for each advisory. Every vulnerability is reviewed by a senior analyst, guaranteeing its accuracy and thoroughness. The NVD, along with Black Duck’s competitors often provide inaccurate, out-of-date, or unconfirmed descriptions.
This extra layer of accuracy in each advisory is overseen by an analyst who also provides a description for a general audience, so it includes information about where the vulnerability lives in the code, attack vectors, etc. This level of detailed information is available only through BDSAs. Additionally, analysts build custom CVSS scores from scratch, providing the most accurate and pinpointed severity advice.
The information provided in BDSAs are accessible for various audiences, meaning you do NOT have to be a security expert to understand and address the vulnerability. BDSAs include two descriptions, one that is clear, concise, and accessible by the layperson, and the other technical. This makes it easy for businesses to be strategic with their development and security resources. With the inclusion of this detail and remediation advice, you don’t have to waste time doing your own research about discovered vulnerabilities. Everything you need to understand, prioritize, and fix a vulnerability is nicely packaged in a BDSA.
With our efficient processes, extensive source overage, and focus on open source, we can provide more critical vulnerability information faster to our customers. This is very much unlike the NVD process, which is slow and inefficient, and sometimes takes weeks to publish critical vulnerability information. Additionally, BDSAs are not limited simply to CVEs. Because not every vulnerability is issued a CVE reference, BDSAs include vulnerabilities beyond them, giving you the most complete view of risk. Finally, BDSAs are focused on open source—other sources may spread themselves too thin by also analyzing proprietary software, slowing down their process and diluting their quality.
When assigning scores, BDSAs take many things, such as exploitability, into consideration. This provides the most precise CVSS score. In addition, BDSAs include temporal metrics into scoring considerations, whereas sources like the NVD do not.
Any BDSA field that can be completed will be populated. If not, it means that all available information is included, and the BDSA will be marked as such and completed as soon as additional information is made available. Feeds like the NVD go through a lengthy process of fluctuating statuses, leaving questions unanswered and applications unsecured. BDSAs provide the most complete information as soon as it is available.
If you want to learn more about how BDSAs can help you and your organization increase the depth, speed, and accuracy of your remediation activities and improve visibility into your overall level of risk, start by exploring our eBook, “Demonstrating the Value of Black Duck Security Advisories.”