Black Duck is among platforms that lead the pack, cited for “very strong policy management and SDLC integrations and strong proactive vulnerability management.”
This week we’re happy to announce that Forrester has recognized Synopsys as a leader in The Forrester Wave™: Software Composition Analysis, Q2 2019, based on an evaluation of Black Duck, our SCA solution. We’re proud of this achievement because we believe it showcases both the hard work of our team and the importance of open source risk management in almost every aspect of software development and operation.
Get the full report here, or read on to see some of our takeaways, as well as our plans for Black Duck.
It has been a little over a year since Black Duck became part of the Synopsys Software Integrity portfolio of products and services. However, Forrester noted the progress we’ve already made, both in integrating binary analysis (formerly Protecode SC) into Black Duck and in the integration of Black Duck source and binary analysis with the rest of our solutions via the recently announced Polaris Software Integrity Platform™.
We understand that teams don’t evaluate open source security risks in isolation from those stemming from flaws in proprietary code or application configuration. We’re committed to making our products work together to help teams analyze and address security issues holistically, at all application layers, and across the software development life cycle (SDLC).
Proactive vulnerability management
Forrester also recognized Black Duck’s proactive vulnerability management as “strong.” According to the report: “Customers credit Synopsys with scans that are fast and reliable with detailed remediation advice.”
Core to Synopsys’ strengths in this area are Black Duck’s multifactor open source discovery capabilities, which combine source, binary, and code “snippet” scanning with build system monitoring to provide a comprehensive assessment of all open source in your codebase. If you don’t know what’s in your code, you can’t protect it, and no other SCA solution provides this level of accurate open source discovery across the range of languages supported by Black Duck.
In addition, our Enhanced Vulnerability Data, researched and curated by our Cybersecurity Research Center team, provides the most complete, timely, and actionable vulnerability analysis and remediation guidance available in the industry. In a time when vulnerabilities and the exploits that target them become public knowledge almost simultaneously, it is essential that development, security, and operations teams have both the earliest possible warning of new vulnerabilities and remediation guidance so they can win the race against hackers.
Policy management and SDLC integration
From the Forrester report: “Synopsys has very strong policy management and SDLC integrations and strong proactive vulnerability management, including a BOM [bill of materials] compare feature that highlights what has changed over time.”
The software development process is increasingly automated, with most teams making use of CI/CD tools to help them reduce time to market for their products. Integrating Black Duck with these automated environments has been an area of focus for us over the last several years. With Black Duck, teams can set and enforce open source security, compliance, and usage policies automatically in conjunction with tools like Jenkins, Jira, and Slack.
So what’s next? It’s clear that integrating and automating SCA throughout the SDLC is essential. But we’re also focused on integrating SCA with other forms of risk analysis, such as static analysis (SAST) and interactive application security testing (IAST). Our customers tell us that they want to be able to look at application security risk holistically so that they can focus their mitigation and remediation efforts where it matters most. We agree and are already heading down that path with the recent launch of our Polaris Software Integrity Platform. We believe this integrated view of application security risks across proprietary, open source, and other third-party components is what will enable teams to manage those risks effectively, and we’re excited to be able to make this integration a reality as we go forward with Black Duck and the rest of the Synopsys Software Integrity Portfolio.
*** This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Patrick Carey. Read the original post at: https://www.synopsys.com/blogs/software-security/forrester-wave-sca-2019/