
JDA Software: Extending their SDLC to remediate open source issues

Smart organizations in the business of building software need to use a mix of application testing tools to ensure their code is high-quality and secure.

How JDA Software uses SCA to remediate open source issues

With over $1 billion in annual revenue, JDA Software has been the world’s leading supply chain provider for the past 30 years. JDA enables companies to improve their ability to plan, execute, and deliver by better predicting and shaping demand, fulfilling more intelligently and quickly, and improving customer experiences and loyalty. More than 4,000 global customers use JDA’s unmatched end-to-end solutions portfolio to shorten their supply chains, increase speed of execution, and profitably deliver to their customers.

As with many organizations in the business of building software, JDA’s portfolio of 100+ applications contains a mix of custom-built code, commercial components, and open source components.

“Our open source management prior to Black Duck was done primarily through spreadsheets, developer honesty, and with our providing basic guidance on using permissive rather than viral licenses,” says John Vrankovich, principal architect at JDA.


“We have over a hundred products, with each of those having hundreds to thousands of different open source components. We recognized that we needed a solution to ensure we were tracking and managing open source and commercial components as part of our overall software security initiative.”

All software development teams need a complete and balanced software development program to ensure their applications stay healthy. Every application testing tool has advantages and disadvantages, and no single solution should be expected to find and fix all code issues. Smart organizations in the business of building software like JDA Software know they need to use a mix of application testing tools to help them ensure the code they produce is high-quality and secure.

Complementing SAST with SCA

Static analysis security testing (SAST) tools such as Coverity® are critical for uncovering and eliminating issues in proprietary software early in the SDLC by scanning an application’s code for flaws while that code is still in a nonrunning (i.e., static) state. However, SAST tools aren’t effective in finding open source software vulnerabilities (CVEs) in code, or in identifying open source license types or versions.


Given that open source is an essential component of application development today, adding an effective software composition analysis (SCA) tool to application testing should be as imperative to every software development team as SAST is.

JDA first implemented Black Duck Code Center in 2015. Code Center provides JDA with software component selection, approval, and tracking of open source and other third-party software components.

“All of our core products are using Code Center,” says Meghan Caudill, project manager for third-party product compliance at JDA. “About three years ago, we began to use Black Duck SCA when building the CI/CD process for our JDA Luminate product line of newly developed, SaaS-native products. Our goal is full migration to Black Duck SCA by the beginning of 2020.”

What SCA can do for you

Synopsys’ Black Duck® SCA is a comprehensive solution for managing security, license compliance, and code quality risks that come from the use of open source in applications and containers, enabling organizations to control open source usage across the software supply chain and throughout the application life cycle. Black Duck enables JDA to set and enforce open source use and security policies, automate policy enforcement with DevOps integrations, and prioritize and track remediation activities.
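To make concrete what the policy enforcement described above amounts to (knowing which components and versions are in use, which licenses they carry, which known vulnerabilities apply and what the fix version is), here is a small SCA-style release gate. It is an added example written for this page, not Black Duck code and not JDA’s configuration: the manifest, the component catalogue, the policy, the component names and the CVE identifiers are all constructed placeholders. A real SCA tool replaces the hand-written catalogue with a knowledge base and usually identifies components from binaries and source, not only from a manifest.

```python
"""Minimal SCA-style policy check over a pinned dependency manifest.

Added example, not code from the original post. Every input below is
constructed for illustration; the CVE ids are placeholders, not advisories.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed dependency manifest in requirements.txt style (name==version).
MANIFEST = """\
# constructed sample manifest
examplelib==1.2.0
netparse==0.9.1
fastjson==2.4.0
"""

# Constructed component catalogue: what an SCA tool looks up for each
# component/version -> declared license and known advisories with fix version.
CATALOGUE = {
    ("examplelib", "1.2.0"): {"license": "MIT", "advisories": [
        {"id": "CVE-0000-0001", "severity": 9.8, "fixed_in": "1.2.3"}]},
    ("netparse", "0.9.1"): {"license": "GPL-3.0-only", "advisories": []},
    ("fastjson", "2.4.0"): {"license": "Apache-2.0", "advisories": [
        {"id": "CVE-0000-0002", "severity": 4.3, "fixed_in": "2.4.1"}]},
}

# Constructed policy: prefer permissive over copyleft licenses, block
# high-severity advisories, and allow only approved components.
POLICY = {
    "denied_licenses": {"GPL-3.0-only", "AGPL-3.0-only"},
    "max_severity": 7.0,  # CVSS score at or above which a release is blocked
    "approved_components": {"examplelib", "fastjson"},  # netparse not approved
}


@dataclass
class Finding:
    component: str
    version: str
    kind: str  # "license", "vulnerability", "unapproved" or "unknown"
    detail: str
    remediation: str


def parse_manifest(text: str) -> List[Tuple[str, str]]:
    """Parse 'name==version' lines; blank lines and comments are skipped.
    Unpinned entries are rejected because a version is needed for lookup."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency: {line!r}")
        name, version = line.split("==", 1)
        deps.append((name.strip().lower(), version.strip()))
    return deps


def evaluate(deps, catalogue, policy) -> List[Finding]:
    """Apply the policy to each dependency and collect findings."""
    findings = []
    for name, version in deps:
        if name not in policy["approved_components"]:
            findings.append(Finding(name, version, "unapproved",
                                    "component not on the approved list",
                                    "request approval or replace the component"))
        entry = catalogue.get((name, version))
        if entry is None:
            findings.append(Finding(name, version, "unknown",
                                    "no catalogue entry for this version",
                                    "identify the component before release"))
            continue
        if entry["license"] in policy["denied_licenses"]:
            findings.append(Finding(name, version, "license",
                                    f"license {entry['license']} is denied by policy",
                                    "replace with a permissively licensed alternative"))
        for adv in entry["advisories"]:
            if adv["severity"] >= policy["max_severity"]:
                findings.append(Finding(name, version, "vulnerability",
                                        f"{adv['id']} severity {adv['severity']}",
                                        f"upgrade to {adv['fixed_in']}"))
    return findings


def release_gate(deps, catalogue, policy) -> Tuple[bool, List[Finding]]:
    """Return (ok, findings); ok is False when any finding would block release."""
    findings = evaluate(deps, catalogue, policy)
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    ok, findings = release_gate(parse_manifest(MANIFEST), CATALOGUE, POLICY)
    for f in findings:
        print(f"[{f.kind}] {f.component}=={f.version}: {f.detail} -> {f.remediation}")
    print("release allowed" if ok else "release blocked")
```

Run as a script, the constructed manifest is blocked on three findings: a high-severity advisory on examplelib (with its fix version), and both an unapproved-component and a denied-license finding on netparse; fastjson passes because its advisory falls below the severity threshold. Wiring a check like this into a CI/CD stage is the "automate policy enforcement with DevOps integrations" step the paragraph refers to.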


“With the Black Duck tools, we were able to write an open source compliance strategy that addressed our requirements and priorities,” says John Vrankovich. “We’re now able to ensure that none of our products are released with open source license risks, quality or security issues. Any issues we discover are tracked and remediated, all license obligations are being met, and only approved open source components are used in our products. We know what we’re using, the licenses we’re using, the versions we’re using, and any security issues and component patch statuses.”



*** This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Fred Bals. Read the original post at: https://www.synopsys.com/blogs/software-security/jda-software-case-study/