close search bar

Sorry, not available in this language yet

close language selection

Securing the software supply chain with Black Duck Supply Chain Edition

Mike McGuire

Apr 09, 2024 / 4 min read

Each year, our "Open Source Security and Risk Analysis” (OSSRA) report highlights the fact that open source software (OSS) plays a critical and substantial role in modern application development, and it is therefore foundational to the software supply chain. The prevalence of OSS within commercial applications makes it difficult to track, and that makes it difficult to manage the risk that it may introduce. But because it is developed outside the control and visibility of the organizations that use it, screening and vetting OSS is a crucial component of any software supply chain security program.


Challenges securing the software supply chain

Threat actors recognize that organizations struggle to keep track of their OSS and capitalize on the opportunity this presents them. We see persistent supply chain attacks that impact not only the software provider, but the software consumer. These attacks, whether they exploit open source vulnerabilities or inject malicious packages and malware, result in the compromise of sensitive user information and erosion of business relationships between software builders and software buyers. The OSSRA report shows why these attacks persist: The 2024 edition found that 84% of the codebases scanned contained an open source vulnerability, and 54% had a high-risk vulnerability. It is clear that OSS vulnerabilities are a pervasive problem that organizations are either inadequately addressing—or not addressing at all.

Over the past few years, we’ve seen high-profile vulnerabilities like Log4J, Curl, Apache Struts, and OpenSSL. Although these thankfully did not result in a major attack or loss of IP, they demonstrate how exposed an organization can be from a single vulnerability within their software supply chain. Today, we are seeing even more complex software supply chain attacks, wherein bad actors inject malware and malicious packages into the software development life cycle (SDLC) and successfully transfer that risk all the way down to the end user. These types of attacks are successful due to an inherent trust we place in third-party software when developing software at the organizational level.

Organizations today must expand their view of what it means to address software supply chain security. They need complete visibility into all dependencies inside their applications. And they need to expand their ability to identify modern risks beyond open source vulnerabilities. Traditionally, this has been no easy task—until now.

Black Duck Supply Chain Edition

Enter Black Duck® Supply Chain Edition. This new offering provides expanded visibility, security controls, and compliance to your existing supply chain security activities. Here are some of the key capabilities.

Comprehensive open source discovery

With the majority of the software supply chain comprised of open source, failure to properly track and manage it equates to a glaring gap in any risk management strategy. Additionally, any required Software Bill of Materials (SBOM) will mandate that all OSS dependencies be listed.

With Black Duck, you can easily identify all open source components using a combination of dependency, CodePrint™, snippet, binary, and container analysis to surface every single dependency, regardless of language or package manager, so you get the most comprehensive view of OSS available.

Third-party SBOM import and analysis

Most commercial and enterprise software teams use third-party code from an outside vendor. And although security teams can perform their own analysis of these third-party artifacts, it is much easier if the software vendor provides their own SBOM.

With Black Duck, security teams can import external SBOMs, and automatically catalog the open source, commercial, and custom components contained within them. This helps expand software supply chain visibility beyond just open source dependencies, and analyzes all dependencies for risk.

Malware detection

Attackers are getting more devious, injecting malicious packages into open source ecosystems, and even directly into applications, making it possible to compromise build environments. Catching this type of malware requires a specialized form of analysis that we are able to offer with built-in malware analysis, powered by our partnership with ReversingLabs

Continuous risk identification and monitoring

Just because something is secure when it enters the SDLC does not mean it will remain secure further down the development pipeline. Black Duck continuously analyzes dependencies in both generated and imported SBOMs, monitoring for open source vulnerabilities, secrets, malware, and malicious packages, giving you the insight you need, quickly.

IP risk and license compliance management

Nearly all third-party software, and especially OSS, includes some form of IP or license obligation. Failing to comply with these obligations can result in costly outcomes, especially for organizations that distribute software.

Black Duck automatically identifies any open source licenses associated with dependencies and offers guidance on any conflicts with how the application is licensed, deployed, or distributed, regardless of how the OSS entered the codebase—including via AI coding assistants.

Support for industry SBOM standards

Most software providers deliver to a wide range of customers across different industries. Each of these customers often have their own SBOM requirements for their vendors.

Black Duck provides out-of-the-box and custom SBOM export templates so that customers can determine the right amount of visibility and align their SBOMs to meet those requirements, on a repeatable basis.

 

Learn more

Black Duck Supply Chain Edition offers complete visibility into the software supply chain, giving you the ability to act on that visibility and perpetuate it with streamlined SBOM generation. This enables you to show that you are building secure applications and doing your due diligence to manage and identify software supply chain risk, building trust with your customers.

Continue Reading

Explore Topics