
Software Development News: .NET, Java, PHP, Ruby, Agile, Databases, SOA, JavaScript, Open Source

Methods & Tools


Black Duck Software Press Releases

Black Duck Open Source Audits of 1000+ Applications Show Widespread Weakness in Addressing Open Source Security Vulnerability Risks

Wed, 04/19/2017 - 11:00

Open Source Security and Risk Analysis reveals ineffectiveness across industries; Retail, E-commerce, FinTech audits show highest risk to open source security vulnerabilities

BURLINGTON, MA – April 19, 2017 – Black Duck, the global leader in automated solutions for securing and managing open source, today released its 2017 Open Source Security and Risk Analysis (OSSRA), a report that details significant cross-industry risks related to open source vulnerabilities and license-compliance challenges.

Black Duck conducts hundreds of open source code audits annually, primarily related to Merger & Acquisition transactions. Its Center for Open Source Research & Innovation (COSRI) analyzed 1,071 applications audited during 2016 and found both high levels of open source usage – 96% of the apps contained open source – and significant risk to open source security vulnerabilities – more than 60% of the apps contained open source security vulnerabilities.

Notably, audit results of applications from the financial industry contained 52 open source vulnerabilities per application, and 60% of the applications contained high-risk vulnerabilities. The retail and e-commerce industry had the highest proportion of applications with high-risk open source vulnerabilities, with 83% of audited applications containing high-risk vulnerabilities.

Open source license conflicts were widespread. The audited applications contained 147 open source components on average – a daunting number of license obligations to keep track of – and in fact 85% of audited applications contained components with license conflicts. The most common challenges were GPL license violations, with 75% of applications containing components under the GPL family of licenses, but only 45% of those applications in compliance with GPL obligations.

“Open source use is ubiquitous worldwide and recent research reports show that between 80% and 90% of the code in today’s apps is open source. This isn’t surprising because open source is valuable in lowering dev costs, accelerating innovation and speeding time to market. Our audits confirmed the universal use, but also revealed troubling levels of ineffectiveness in addressing risks related to open source security vulnerabilities and license compliance challenges,” said Black Duck CEO Lou Shipley.

Shipley said he expected the open source audit findings would be eye-opening for security executives because the application layer is a primary target for hackers. “Exploits of open source vulnerabilities are the biggest application security risk that most companies have,” said Shipley.

“Reading this report should be a wake-up call. Everyone is using lots of open source, but as the audits show, very few are doing an adequate job detecting, remediating and monitoring open source vulnerabilities in their applications,” said Chris Fearon, Director at Black Duck’s Northern Ireland-based Open Source Security Research Group, the security research arm of COSRI. “The COSRI analysis of the audits clearly demonstrates that organizations in every industry have a long way to go before they are effective in managing their open source.”

To download the OSSRA analysis, visit https://www.blackducksoftware.com/open-source-security-risk-analysis-2017.

About Black Duck Software

Organizations worldwide use Black Duck’s industry-leading products to automate the process of securing and managing open source software, eliminating the pain related to security vulnerabilities, compliance and operational risk. Black Duck is headquartered in Burlington, MA, and has offices in San Jose, CA, Vancouver, London, Belfast, Northern Ireland, Frankfurt, Hong Kong, Tokyo, Seoul and Beijing. For more information, visit www.blackducksoftware.com.

Media Contacts

Black Duck
Brian Carter
Director of Strategic Communications
bcarter@blackducksoftware.com
508.277.7570

PAN Communications
Michael O’Connell and Lisa Sorrentino
blackduck@pancomm.com
617-502-4300


Black Duck integrates Hub into Microsoft’s Visual Studio Team Services and Team Foundation Server to automate open source identification and detect security and compliance issues

Tue, 03/07/2017 - 15:00

Open source security leader joins Microsoft Visual Studio Program as Premier Level Partner

BURLINGTON, MA – March 7, 2017 – Black Duck, the global leader in automated solutions for securing and managing open source, today announced it is integrating its Hub solution with Microsoft Visual Studio Team Services (TS) and Team Foundation Server (TFS). Black Duck’s Visual Studio extensions will automatically detect the open source in use during the TFS and TS builds, identifying security vulnerabilities, components with license compliance issues and operational risks early in the software development lifecycle (SDLC).

“With open source making up between 80% and 90% of the code in today’s applications, effective security and management of the open source in use is essential,” said Black Duck CEO Lou Shipley. “Microsoft recognizes the importance of open source in application development and the many economic and productivity reasons for its rapidly expanding use. We’re pleased that Microsoft also sees the value in bringing Black Duck’s open source license and security compliance capabilities to the Microsoft Visual Studio continuous integration platform,” said Shipley.

Shipley also pointed out that “the continuing rapid growth in open source use worldwide, and the demand for more and more application development agility and speed, make strategic partnerships like this one with Microsoft more important than ever.” 

Organizations worldwide are striving to identify application issues earlier in the SDLC, and Black Duck Hub’s software composition analysis capabilities can be fully integrated into the build and release processes, allowing teams to produce better code, faster. With one in every 16 open source download requests being for a component with a known vulnerability, organizations increasingly recognize the need for automated processes to identify and manage the open source they use.

Shawn Nandi, Senior Director, Cloud App Dev and Data Marketing for Microsoft, said, “We welcome Black Duck to the Visual Studio Partner Program and we are pleased that this integration with Visual Studio will bring our customers options to detect and manage potential security risks.”

Availability and Resources

  • Explore details on Black Duck Hub Visual Studio Team Services and Team Foundation Server Extensions here
  • Understand Software Composition Analysis by reading The Forrester Wave™: Software Composition Analysis, Q1 2017 here
  • Watch a video explaining how to get started with Black Duck Hub for Visual Studio here
  • Try Black Duck Hub 14-day Free Trial here



Black Duck CEO Lou Shipley Presenting at the JMP Securities 2017 Technology Conference and Pacific Crest Emerging Technology Summit

Tue, 02/28/2017 - 20:35

BURLINGTON, MA – February 28, 2017 – Black Duck, the global leader in automated solutions for securing and managing open source software, announced that Black Duck CEO Lou Shipley is presenting today at the JMP Securities Technology Conference and the Pacific Crest Emerging Technology Summit in San Francisco, CA.

The Emerging Technology Summit features executives from over 300 of the most innovative and transformative companies around the globe to help investors get ahead of the curve and capitalize on the dynamic shifts in SaaS & Data Analytics, Cloud, Security & Infrastructure and Digital Media & Commerce.

JMP's annual technology research conference matches institutional investors and financial sponsors with senior executives of leading publicly traded and privately held companies in sectors including software, Internet, digital media, communications infrastructure, security, storage and alternative energy. Featured speakers and panel discussions will explore the topics and ideas poised to influence the industry most in 2017 and beyond.


Media Contacts:

Black Duck
Fred Bals, Senior Content Strategist
fbals@blackducksoftware.com
603-512-6519

PAN Communications
Michael O’Connell
blackduck@pancomm.com
617-502-4300


Black Duck Announces 2016 Open Source ‘Rookies of the Year’

Mon, 02/27/2017 - 15:00

BURLINGTON, MA – February 27, 2017 – Black Duck, the global leader in automated solutions for securing and managing open source software, today announced the ninth annual Open Source Rookies of the Year, recognizing the top new open source projects initiated in 2016.

“This recognition is a tribute to the success and momentum of these projects,” said Patrick Carey, Director of Product Marketing, Black Duck, who heads the annual Rookies selection process. “The selections for 2016 show how diverse and ambitious open source software development has become. From communications to healthcare and beyond, they offer innovative solutions to a range of consumer- and enterprise-grade problems.” 

The 2016 Rookies class reflects several industry trends shaping the future of open source software including:

  • Stretching the Blockchain: Many open source projects are exploring ways to extend blockchain technology to uses well beyond cryptocurrency.
  • Beyond Basic Database Data: Open source projects are striving to accelerate data analysis, increase database efficiency, and blur the line between the traditional database and blockchain technologies.
  • Diving into Deep Learning: Projects seeking to simplify machine learning to encourage broader adoption across industries and applications.
  • Redefining Software-Defined Networks: Projects applying open source technology aimed at making networks as agile and flexible as the virtualized server and storage infrastructure of the modern data center.
  • Controlling Container Clutter: A number of this year’s open source projects have found remarkable opportunities to simplify the world of containers.
  • Network Security: Several projects are striving to revolutionize network security by leveraging cutting-edge machine learning and software-defined network capabilities.
  • Revolutionizing Education: Open source projects with the goal of making learning resources readily available to students and teachers worldwide.

The 2016 Black Duck Open Source Rookies of the Year

Blockchain

  • Sawtooth Lake: Intel’s new distributed ledger platform for the Hyperledger blockchain, developed to address concerns about the scalability and security of existing blockchain technologies.

Big Data

  • CarbonData: A unique approach to data organization, multi-level indexing, and optimization allows for faster data filtering, better compression, and enhanced search and query processing for more-efficient use of compute resources.

Deep Learning

  • Deep Scalable Sparse Tensor Network Engine: DSSTNE (“Destiny”) seeks to evolve the neural networks landscape by optimizing for data sparseness and scalability and focusing on optimal use of multiple GPUs.

Software-Defined Networking

  • OpenCORD: An end-to-end solution which combines SDN, NFV, and Cloud with commodity infrastructure to bring datacenter-grade scale and agility to service provider networks.

Network Security (Co-Winners)

  • Poseidon: The Poseidon project seeks to answer two key questions: What is on your network, and what is it doing? It answers these questions by providing situational awareness of the devices being added to or removed from your network, as well as the traffic they generate.
  • Trireme: Trireme allows the creation of security policies at scale and application segmentation through end-to-end authentication and authorization.

Containers

  • Ansible Container: The result of the Ansible development team’s desire for an alternative to Docker files, Ansible Container works to automate the container build, deployment, and management process using nothing but Ansible Playbooks.

Education

  • Kolibri: Kolibri seeks to make learning resources available to students and teachers in areas with limited education resources, from rural schools and after-school programs to refugee camps and orphanages.

For more information about the 2016 Black Duck Open Source Rookies of the Year, please visit https://www.blackducksoftware.com/open-source-rookies-2016



Open Source Security Provider Black Duck is the “Leader” in Independent Research Firm’s Assessment of Software Composition Analysis Providers

Thu, 02/23/2017 - 14:27

Research Report: “developers use open source components as their foundation, creating applications using only 10% to 20% new code”

BURLINGTON, MA – Feb. 23, 2017 – Black Duck, the global leader in securing and managing open source software, was named the leader in The Forrester Wave™: Software Composition Analysis, Q1 2017, which was released today.

In Forrester’s comprehensive, 38-criteria evaluation of “the six (SCA) providers that matter most and how they stack up,” Black Duck was the only company placed in the Wave’s “leader” classification.

To assess the state of the SCA market, Forrester examined past research, user need assessments, and vendor and expert interviews, and developed the evaluation criteria, which it grouped into three categories: current offering, strategy and market presence.

To address the market demand for more and better applications and to accelerate application development, developers “use open source components as their foundation, creating applications using only 10% to 20% new code,”¹ the Forrester report stated.

“Unfortunately, many of these (open source) components come with liabilities in their license agreements, and one out of every 16 open source download requests is for a component with a known vulnerability. To reduce these risks, security pros are turning to SCA tools,”² the Forrester report stated.

Black Duck CEO Lou Shipley said, “Being named the leader in Forrester’s software composition analysis evaluation is encouraging and is certainly how we think of ourselves. However, for those of us in the rapidly expanding open source ecosystem, probably the most significant element of this SCA Wave is Forrester’s point that ‘developers use open source components as their foundation, creating applications using only 10% to 20% new code.’”

Shipley added, “The increasing global reliance on open source and its preeminence in application development increase the need for enterprises to deploy effective open source security vulnerability management tools. It is clear to us that the Forrester Wave report acknowledges the opportunity to reduce application security risk by securing and managing open source more effectively using SCA tools such as Black Duck’s.”

To reduce application risk, according to the Forrester SCA Wave analysis, organizations are turning to SCA tools for the benefits of:

  • Gathering more information that helps identify and remediate vulnerabilities quickly
  • Automating scans to highlight license risk exposure
  • Flexible policy enforcement that increases alignment with business needs
  • Integrating products to support existing development processes

In its vendor profile, Forrester noted that Black Duck’s market-leading product, “boasts over 80 supported source code language formats, and it uses this strength to scan a broad range of developer preferences for both license risk management and vulnerability identification. Additionally, Black Duck provides an application bill of materials (BOM) for as long as users choose, and it monitors for any new open source vulnerabilities using vulnerability data that gets updated hourly. Users are notified of newly identified vulnerabilities in their BOM.

“Black Duck Software has very strong risk reporting and strong proactive vulnerability management capabilities, but its biggest differentiation comes from sound support for the fundamentals of license risk management, vulnerability identification, and policy management.”


Media Contacts:

Black Duck
Brian Carter, Director of Strategic Communications
bcarter@blackducksoftware.com
508-277-7570

PAN Communications
Michael O’Connell
blackduck@pancomm.com
617-502-4300


¹ “2015 State of the Software Supply Chain Report: Hidden Speed Bumps on the Road to ‘Continuous’,” Sonatype

² “2016 State of the Software Supply Chain,” Sonatype

Black Duck Adds Cybric to Partner Program

Mon, 02/13/2017 - 17:00
BURLINGTON, MA – February 13, 2017 – Black Duck, the global leader in automated solutions for securing and managing open source software, today announced that Boston-based Cybric, provider of the first Continuous Security Delivery Fabric®, has joined its Partner Program.

Cybric’s platform automates and orchestrates code and application security across the DevOps lifecycle, reducing application vulnerability exposure and allowing security processes to keep pace with DevOps. 

Cybric has integrated Black Duck's Hub into its platform, enabling joint customers to use Cybric and Black Duck in combination. Black Duck Hub automates the process of inventorying the open source in applications and containers, maps the inventory to known vulnerabilities, manages remediation activities, and through real-time monitoring provides alerts when new threats are reported.

Cybric’s patent-pending technology rapidly orchestrates exact replicas of application environments and scans for security vulnerabilities by containerizing and automating security solutions without negatively impacting or slowing the production process.

“Our mission is to deliver the first automation and orchestration platform that integrates security into the SDLC from code commit to application delivery, enabling true DevSecOps,” said Cybric Founder and CEO Ernesto DiGiambattista. “Partnering with best-in-class providers such as Black Duck allows us to do this and provide our customers with confidence and assurance in their application security and resiliency for their business.”


About Cybric

Cybric is the first to automate and orchestrate code and application security across the DevOps lifecycle. The company’s Continuous Security-as-a-Service platform leverages its patent-pending Continuous Security Delivery Fabric® to seamlessly integrate security into the development process and deliver frictionless security assurance from code commit to application delivery. To learn more visit www.cybric.io or follow us on Twitter @cybric.
