By Cassandra Balentine
Black Duck Software develops security and management solutions for open source software. Serving a worldwide customer base, the company’s goal is to eliminate security vulnerabilities as well as compliance and operational risk for its clients. Headquartered in Burlington, MA, the company also operates offices in Mountain View, CA as well as London, Frankfurt, Hong Kong, Tokyo, Seoul, and Beijing.
Founded in 2002, the company has 225 employees worldwide. Black Duck is a private company and does not disclose its revenue information.
One of the company’s offerings is the Black Duck Hub, a product focused on open source security that was released in 2015. Hub provides customers with visibility into and control of their open source software, particularly its known security vulnerabilities. It is designed to automate the process of identifying and inventorying the open source in applications or containers and to map known security vulnerabilities to that inventory. Additionally, Hub dynamically monitors for newly discovered vulnerabilities.
To enhance its Hub software, Black Duck recently announced the addition of comprehensive container scanning capabilities. With these new functions, DevOps teams are able to map open source security vulnerabilities for applications, Linux distributions, and other software in Docker and Linux containers.
By deploying a containerized scanner on their Docker host, users are able to automatically identify the known open source security vulnerabilities in all layers of any container on the host.
“Container technology is white hot and although enterprise DevOps groups are eager to adopt containers, security concerns are a big blocker. By providing container scanning capabilities that deliver exactly the same visibility and control value in scanning containers that we do in traditional users we broaden our market reach,” says Brian Carter, director of strategic communications, Black Duck Software.
Carter explains that two things are well known. First, organizations do not have good visibility into, or control of, the open source they are using. Black Duck On-Demand—the company’s merger and acquisition arm—conducts hundreds of open source code audits annually and 98.9 percent of the time finds open source code that the customer did not know they had and were not tracking. “That is a security breach-rich environment,” says Carter.
Second, Hub provides visibility by offering an inventory of the open source and by mapping any known vulnerabilities to it. Hub also monitors for newly discovered vulnerabilities. Carter adds that this capability improves container security.
Red Hat Partnership
Last fall, Black Duck and Red Hat announced a collaboration to establish a more secure model for containerized application delivery. In announcing the partnership, both companies noted that security concerns were major barriers to container technology adoption and decided to address them jointly to spur ongoing container adoption.
Carter notes that Hub’s new container scanning functionality is a key aspect of the relationship. The collaboration of the two companies is designed to establish a secure and trusted model for containerized application delivery by providing verification that application containers are free from known vulnerabilities and include only certified content. The validation is a major step forward in enabling enterprise-ready application containers, and builds upon the strengths of each company, including Red Hat’s leadership in container technologies and solutions. This includes Red Hat’s platform and certification strategy, and Black Duck’s position as a provider of comprehensive identification and notification technologies for open source vulnerabilities.
“Because containers enable consistent operating environments for development, testing, and deployment, they are quickly becoming a mainstream technology,” says Carter. He explains that container security, however—including provenance, certification, policy, and trust—has emerged as a challenge for enterprise adoption. A recent survey of global IT professionals commissioned by Red Hat through TechValidate showed that more than 60 percent of respondents identified container security, certification, and image provenance as key issues.
So what can we expect in terms of adoption and development of this integration over the next few months? “That’s the million dollar question, of course,” says Carter. “We’re not in the guessing business. What we do know is that we have proven technology and a market that is actively looking for a solution to the problem that Red Hat and Black Duck in collaboration can solve,” he explains.
That said, Carter notes that as part of the initial collaboration, they plan to integrate Hub with OpenShift, Red Hat’s Platform as a Service offering. This will provide reports and data on known vulnerabilities present in container images made available in the OpenShift registry, a Red Hat-backed repository of validated, secure, and trusted container images.
Black Duck’s KnowledgeBase provides the backbone for the Hub and includes information on 1.1 million open source projects, with detailed data on more than 100,000 known open source vulnerabilities across more than 350 billion lines of code.
Black Duck understands that the potential for containers is significant, and that it can be fully realized in the enterprise only if container security is addressed.
Feb 2016, Software Magazine