When the first software composition analysis (SCA) tools made their entrance into the market, their focus was on license compliance. As open source grew in popularity, SCA tools expanded to include vulnerability management, helping to reduce the attack surface for organizations leveraging open source. Today, the goal is still reducing license and security risks, but changes to how software is developed has shifted much of the responsibility for risk reduction onto the developer. In the 2021.06 release, Black Duck® introduces Rapid Scan to help organizations and developers address this risk.
In modern software organizations such as those adhering to a DevSecOps methodology, everyone is accountable for security. Some form of security should be included at every stage of the software development life cycle (SDLC). This makes the developer the first line of defense against application security and compliance issues.
Despite this, developers often find themselves unknowingly writing and merging code that violates their company’s risk mitigation policies. But they typically aren’t notified of these issues until the last minute, requiring fixes to be made under a tight deadline. To address this problem, developers must be notified of policy violations as early in the SDLC as possible.
Initiating a full SCA scan against every build of every software component after every merge can meet this need. With Black Duck, a full scan can include any combination of dependency, code print, snippet, and binary analysis. While this will certainly identify all open source components, build a complete BOM, and flag policy violations—highly recommended before releasing any application—there should be another option that better fits the situation—one that provides just enough information for the current job to be done.
Black Duck’s Rapid Scan feature strikes a balance between agility and the open source risk management developers need. It enables developers to evaluate the open source code they include against company policy before promoting their code to release branches—all at the same speed and scale of other development and operational tasks.
The Black Duck Rapid Scan feature provides developers and release managers with a quick, agile method of checking for security or policy violations before merging code into release candidate branches. Completing a dependency analysis in under a minute, it can complete more than 30,000 scans per day. Rapid Scan provides an early layer of security and compliance that doesn’t disrupt the development process.
Depending on an organization’s desired workflow, Rapid Scan can be initiated either directly from the Detect CLI or within a continuous integration tool, such as Jenkins or GitLab. When initiated, Black Duck performs a full dependency analysis of an application to identify any security or compliance policy violations.
Developers can compare the open source vulnerabilities and licenses found against the policies that have been configured in Black Duck. They get just the right amount of information to let them know whether an included component violates a policy and how to remediate the issue if desired. The dependencies found aren’t added to the Bill of Materials; instead developers get a list of components, versions, vulnerabilities, licenses, and other related information, providing early insight into the dependencies in their code. That enables them to drastically reduce the number of policy violations that are merged from their feature branches, avoiding costly, time-bound rework down the line.
A complete SCA solution requires a multifaceted approach involving different types of scans at various points throughout the SDLC. While Rapid Scan is best for quickly identifying policy violations in open source dependencies before merging with release branches, a full Black Duck scan provides a complete open source BOM that identifies undeclared, partial, or modified components.
Both scans are necessities. But Black Duck believes that the key to effective application security testing means initiating the right scan at the right time, providing only the information needed at the time to reduce risk. Both types of scans, occurring at different phases of the SDLC, complement one another to provide our customers with a complete and accurate picture of application security and compliance risk, without slowing down the pace at which they develop and release software.