Open source code is great. Sometimes, however, keeping open source software patched and up to date can be a challenge. The open source projects themselves, especially the active ones, do an excellent job of identifying and remediating flaws. The problem is that nobody is “responsible” for ensuring that dormant open source projects are updated, or for making sure that third-party code and APIs embedded in software are patched as well. Black Duck has a new tool designed to help you scan your open source applications to identify vulnerabilities.
Open source platforms and projects offer a wide variety of benefits for organizations and developers, but they also can introduce vulnerabilities if you’re not careful. That’s why Black Duck has released Security Checker, a free tool based on its Hub open source security tool to help you identify those vulnerabilities so your applications will be secure.
One of the advantages of open source is also a potential concern. Open source software benefits from community cooperation and collaboration. More eyes and more hands contributing to development allow for faster evolution and greater innovation. However, when all of the code is available to the public and any developer can add or change it, that openness is also an opportunity to introduce problems.
While theoretically it is possible for a malicious developer to intentionally add vulnerabilities or exploits, the collaborative nature of open source projects actually makes it less likely. Any obvious attempt to insert malicious code would be detected and thwarted by other developers. The communal nature of open source development is not infallible, though, as evidenced by recent major revelations such as Heartbleed.
Open source projects that are active and properly maintained address these issues fairly quickly. The problem, however, is that organizations and developers need to be able to easily determine whether their existing applications are affected and then apply the appropriate patches and updates. There are also many open source tools that are not being actively developed or supported, which means known vulnerabilities may be left unfixed.
Security Checker from Black Duck can help minimize exposure to these risks and give organizations and developers an opportunity to address any known issues. The tool is a drag-and-drop solution that allows you to scan code contained in an uploaded archive file, such as a .tar or .zip file, or in a Docker image. Security Checker then generates a report that shows identified vulnerabilities and security issues.
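To make concrete what a scan of an uploaded archive actually does, here is an added illustration of the basic idea (this is not Black Duck's code and says nothing about how Security Checker is implemented): open a .zip upload in memory, find every dependency manifest inside it, pin each component to a version, and match those pins against an advisory list. The advisory entries, package names (`netlib`, `yamlkit`, `webfw`) and identifiers (`EXAMPLE-0001`, `EXAMPLE-0002`) are constructed for the example; a real scanner consults a curated vulnerability database, also handles manifests for other ecosystems and Docker image layers, and would use a proper version-comparison library rather than the numeric-tuple shortcut used here.

```python
"""Minimal software-composition check over an uploaded .zip archive.

Added example, not Black Duck's code. It demonstrates the shape of the
problem the text describes: known vulnerabilities in embedded components
are found by inventorying what the archive contains and comparing pinned
versions against advisories, not by reading the code itself.
"""
import io
import re
import zipfile

# Constructed advisory list. Package names and ids are fictional placeholders;
# a real scanner uses a curated database. Ranges are [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "netlib", "introduced": "2.0.0", "fixed": "2.20.0"},
    {"id": "EXAMPLE-0002", "package": "yamlkit", "introduced": "0.0.0", "fixed": "5.1"},
]


def parse_version(version):
    """Turn '1.2.10' into (1, 2, 10) so comparison is numeric, not lexical
    (lexically '1.2.10' < '1.2.9', which is the classic mistake)."""
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text):
    """Parse 'name==version' lines from a requirements.txt-style manifest.
    Comments, blank lines and unpinned entries are skipped: without a pin
    there is nothing to compare against an advisory range."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([0-9][0-9.]*)", line)
        if match:
            deps[match.group(1).lower()] = match.group(2)
    return deps


def find_manifests(archive_bytes):
    """Yield (path, text) for every requirements.txt in the zip, at any depth.
    Uploads often bundle several services, so one manifest is not enough."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] == "requirements.txt":
                yield name, zf.read(name).decode("utf-8", errors="replace")


def scan_archive(archive_bytes, advisories=ADVISORIES):
    """Return one finding per (manifest, package) whose pinned version falls
    inside an advisory's affected range."""
    findings = []
    for path, text in find_manifests(archive_bytes):
        for package, version in parse_requirements(text).items():
            pinned = parse_version(version)
            for adv in advisories:
                if adv["package"] != package:
                    continue
                if parse_version(adv["introduced"]) <= pinned < parse_version(adv["fixed"]):
                    findings.append({
                        "manifest": path,
                        "package": package,
                        "version": version,
                        "advisory": adv["id"],
                        "fix": adv["fixed"],
                    })
    return findings


def format_report(findings):
    """Render findings as the kind of one-line-per-issue report a scan produces."""
    if not findings:
        return "No known-vulnerable components found."
    lines = [f"{len(findings)} known-vulnerable component(s) found:"]
    for f in findings:
        lines.append(f"  {f['manifest']}: {f['package']}=={f['version']} "
                     f"affected by {f['advisory']} (fixed in {f['fix']})")
    return "\n".join(lines)


def build_sample_archive():
    """Constructed sample upload: two services, each with its own manifest,
    plus a non-manifest file the scanner must ignore."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/requirements.txt", "netlib==2.5.0\nwebfw==0.12.0  # web tier\n")
        zf.writestr("worker/requirements.txt", "netlib==2.21.0\nyamlkit==3.12\n")
        zf.writestr("README.md", "not a manifest")
    return buf.getvalue()


if __name__ == "__main__":
    print(format_report(scan_archive(build_sample_archive())))
```

Running the block reports the `app` service's `netlib` pin and the `worker` service's `yamlkit` pin, while the patched `netlib==2.21.0` in `worker` is left alone. That is the whole value of this class of tool: the answer depends on keeping the advisory list current, which is exactly the work the text says nobody is responsible for when a project goes dormant.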
Check out the full post on DevOps.com: Black Duck Targets Open Source Code Security Flaws.