Today we’re happy to announce the release of new capabilities of the Black Duck Polaris™ Platform, features that fundamentally change the way developers detect, analyze, and remediate security risks during development. These new capabilities, the first of their kind in the market, enable developers to proactively find and fix both security weaknesses in proprietary code and known vulnerabilities in open source dependencies simultaneously, without switching tools or interrupting their workflow.
The increasing pace of development is shifting the responsibility for application security left, all the way onto the developer’s desktop. But dealing with security issues detected in downstream builds and tests can be very disruptive. By the time defects are reported, developers have moved on to their next tasks. To remediate a problem, they have to interrupt what they are doing and go back, reopen the code, make a fix, and retest. To make matters worse, they also need to leave their primary tool, the IDE (integrated development environment), to analyze the issue and determine potential fixes. All this tool and context switching kills developer productivity.
Code Sight, the security analysis IDE plugin available as part of the Polaris platform, solves the problem. We initially launched Code Sight with support for static analysis, enabling developers to find and fix security defects (CWEs) in the IDE, while they code. But with modern applications consisting of up to 90% open source, developers need to address security in both their proprietary code and the open source they use. Now, with Code Sight, developers can get early warning of vulnerabilities (CVEs) lurking in the open source components they’re using.
The integration of static analysis (SAST) and software composition analysis (SCA) together in the IDE is what makes Code Sight unique and powerful. Let’s face it: As a developer, you want to ensure your software is both secure and bug-free. It doesn’t matter whether a security vulnerability is in your code or in an open source dependency. Either way, you need to fix it. Using one tool to analyze your code and a completely separate tool to look at open source is a pain. With Code Sight, you can address security holistically across the entire application codebase.
Code Sight automatically performs just-in-time code analysis as the developer opens, edits, and saves files in the IDE. It does this in the background without disrupting workflow. As it detects issues, it reports them in the IDE itself, and the developer can fix them immediately—no need to change tools or reopen past projects.
Code Sight’s new capabilities extend this analysis to open source dependencies. As developers work on a software project in their IDE, Code Sight analyzes the project’s dependencies against information in the Black Duck KnowledgeBase. In the IDE, Code Sight lists components with known vulnerabilities alongside any CWEs it has identified through SAST analysis.
The developer can then review vulnerability severity and risk information from Black Duck Security Advisories (BDSAs), independently researched by Black Duck, as well as public CVE records from the National Vulnerability Database (NVD). In addition to vulnerability information, Code Sight provides other information developers can use to optimize component selection, including the open source license type and potential violations of the organization’s predefined policies on open source security and license compliance.
Finally, Code Sight helps developers quickly identify and select the best fix for the issue using information in the BDSAs, which provide more timely, accurate, and thorough risk and remediation guidance than tools that only use the NVD.
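The software composition analysis flow described above (match declared dependencies against a vulnerability feed, attach severity and license information, flag policy violations, and point at the version that clears the issues) is easy to picture with a small worked example. The following Python is added here for illustration and is not Black Duck or Code Sight code; the component names, advisory ids, version ranges, licenses, and policy are all constructed placeholders, not real advisories or real KnowledgeBase records.

```python
"""Toy software composition analysis (SCA) pass: match a project's declared
dependencies against a vulnerability feed and an open source policy, then
point at the fix. Constructed example; the advisories, components, and
licenses below are made up and the ids are placeholders."""
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Advisory:
    component: str
    affected_from: tuple    # inclusive lower bound of the affected range
    affected_before: tuple  # exclusive upper bound (first version not affected)
    severity: str
    summary: str
    fixed_in: tuple
    advisory_id: str        # placeholder id, not a real BDSA or CVE


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    kind: str       # "vulnerability" or "license"
    severity: str
    detail: str
    blocks_policy: bool


def parse_version(text):
    """'1.2.5' -> (1, 2, 5); tuples compare component-wise, which a range check needs."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_manifest(text):
    """Parse 'name==version' lines (requirements.txt style); comments and blanks are skipped."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==", 1)
        deps.append((name.strip().lower(), version.strip()))
    return deps


def _matching(advisories, name, version):
    return [adv for adv in advisories
            if adv.component == name and adv.affected_from <= version < adv.affected_before]


def analyze(manifest_text, advisories, licenses, policy):
    """One Finding per matched advisory and per license policy violation, most severe first."""
    findings = []
    threshold = SEVERITY_RANK[policy["block_at_or_above"]]
    for name, version_text in parse_manifest(manifest_text):
        version = parse_version(version_text)
        for adv in _matching(advisories, name, version):
            findings.append(Finding(
                component=name, version=version_text, kind="vulnerability",
                severity=adv.severity,
                detail=f"{adv.advisory_id}: {adv.summary}; fixed in "
                       + ".".join(map(str, adv.fixed_in)),
                blocks_policy=SEVERITY_RANK[adv.severity] >= threshold,
            ))
        lic = licenses.get(name, "UNKNOWN")
        if lic in policy["denied_licenses"]:
            findings.append(Finding(
                component=name, version=version_text, kind="license",
                severity="HIGH", detail=f"license {lic} is denied by policy",
                blocks_policy=True,
            ))
    findings.sort(key=lambda f: SEVERITY_RANK[f.severity], reverse=True)
    return findings


def recommended_upgrades(manifest_text, advisories):
    """For each affected component, the lowest version that clears every matched advisory."""
    upgrades = {}
    for name, version_text in parse_manifest(manifest_text):
        fixes = [adv.fixed_in for adv in _matching(advisories, name, parse_version(version_text))]
        if fixes:
            upgrades[name] = max(fixes)
    return upgrades


# Constructed stand-ins for a knowledge base; none of these are real advisories.
ADVISORIES = [
    Advisory("exampleparser", (1, 0, 0), (1, 2, 5), "HIGH",
             "denial of service on malformed input", (1, 2, 5), "ADV-PLACEHOLDER-1"),
    Advisory("exampleparser", (1, 2, 0), (1, 3, 0), "MEDIUM",
             "verbose errors leak file paths", (1, 3, 0), "ADV-PLACEHOLDER-2"),
    Advisory("safeutils", (3, 2, 0), (3, 3, 0), "CRITICAL",
             "affects 3.2.x only", (3, 3, 0), "ADV-PLACEHOLDER-3"),
]
LICENSES = {"exampleparser": "MIT", "safeutils": "Apache-2.0", "copyleftlib": "GPL-3.0-only"}
POLICY = {"denied_licenses": {"GPL-3.0-only"}, "block_at_or_above": "HIGH"}

SAMPLE_MANIFEST = """\
# constructed sample manifest
exampleparser==1.2.0
safeutils==3.1.4
copyleftlib==2.0.0
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_MANIFEST, ADVISORIES, LICENSES, POLICY):
        flag = "BLOCK" if f.blocks_policy else "warn "
        print(f"{flag} {f.severity:8} {f.component}=={f.version} [{f.kind}] {f.detail}")
    for name, ver in recommended_upgrades(SAMPLE_MANIFEST, ADVISORIES).items():
        print(f"upgrade {name} to {'.'.join(map(str, ver))} or later")
```

Two details matter in practice and are visible in the sample: the version range check is half-open, so `safeutils==3.1.4` is correctly left alone by an advisory that starts at 3.2.0, and the upgrade recommendation takes the maximum `fixed_in` across all matched advisories, because moving to 1.2.5 would clear one finding for `exampleparser` but leave the second one open until 1.3.0.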
By enabling developers to address security early in the software development life cycle, Code Sight dramatically reduces the likelihood that security and quality defects make it into downstream builds or into production.
By providing real-time SAST and SCA results together in the IDE, Black Duck enables developers to detect security defects in both their own code and the open source components they use—all while they build their applications. Developers can fix problems in real time, avoiding the risks and loss of productivity that occur when issues are allowed to go undetected for days, weeks, or even months after the developers have moved on to other tasks.
With Polaris and the Code Sight IDE plugin, developers can truly build secure, high-quality software better, faster, and stronger. Want to see for yourself?