This week, Black Duck was named a Leader in “The Forrester Wave™: Software Composition Analysis, Q3, 2023,” by Forrester, based on its evaluation of Black Duck®, our software composition analysis (SCA) solution.
Forrester evaluated 12 of the most significant SCA providers against 32 criteria. We are proud to be recognized as a Leader, and to receive the highest-possible scores in the SBOM Management, Policy Management, Supporting Services and Offerings criteria. We believe this recognition from Forrester reflects our commitment to helping customers secure their software supply chains by managing the security, quality, and license compliance risks that come from the use of open source and third-party code in their applications and containers.
Black Duck is a Leader in the 2023 Forrester Wave for Software Composition Analysis
The Forrester report noted that “Synopsys continues to have strong features, including quality and accuracy.”
Black Duck’s multifactor scanning, coupled with support for over 100 languages, delivers dependency analysis, binary analysis, codeprint analysis, code snippet detection, and custom component detection. By discovering both declared and undeclared dependencies in your applications, we are able to provide the most complete and dynamic inventory of your applications’ contents and the associated vulnerabilities and licenses. All of this contributes to a complete Software Bill of Materials (SBOM), which is crucial for knowing what risks you’re exposed to.
Although completeness is crucial when evaluating risk, so is accuracy. Part of providing users with trust in their applications is assuring them that the issues identified are the ones that pose actual risk.
Identifying vulnerabilities is just one step in securing an application. Once you find vulnerabilities, they then have to be addressed. To this end, Black Duck offers Black Duck Security Advisories (BDSAs), which provide all the information you need to understand, prioritize, and remediate vulnerabilities. BDSAs include severity scoring, reachability, vulnerability descriptions, details on affected versions, and critical guidance on upgrades, patches, and workarounds. These powerful details are provided by the Black Duck Cybersecurity Research Center (CyRC). The CyRC leverages the Black Duck open source KnowledgeBase™, the industry's most comprehensive database of open source project, license, and security information, covering more than 7.4 million open source projects from nearly 30,000 forges and repositories.
We believe Forrester’s findings are aligned with this level of vulnerability identification and remediation, with the report giving Black Duck the highest score in the Breadth of Coverage criteria.
Black Duck’s flexible policy management helps define and capture an organization’s unique risk tolerance, which can then be automatically enforced by Black Duck in conjunction with tools used throughout the SDLC, such as IDEs, Jenkins, Slack, Artifactory, and so on. This capability helps reduce the noise produced by AppSec tools by focusing them on what matters most to the organization.
With Black Duck, you can configure your open source security and use policies based on criteria including license type, vulnerability severity, component version, and more. You can then enforce these policies with automatic workflow triggers, automated notifications, and seamless integrations with applications like Jira to help accelerate your remediation efforts.
Black Duck provides a complete picture of license risk and obligations by offering deep license data and copyright identification. Accelerating this capability is our code snippet analysis, which identifies partial bits of open source code that may have been pasted into projects and that still carry license obligations. After identifying the licenses in your applications, Black Duck further categorizes these findings, ranking them as declared, deep, or discovered. This helps you understand your level of risk and which obligations you need to address first. In addition to open source licenses, Black Duck also offers the ability to map and identify closed source and third-party licenses.
SCA is one of several steps necessary for securing applications, and it plays an important role in our vision of a holistic AppSec solution. With Code Sight™ and Rapid Scan, Black Duck uncovers issues in dependencies before they are merged into release branches. Scans integrated with continuous integration and continuous delivery/deployment (CI/CD) tools identify issues that dependency analysis cannot, both before and after deployment. Policy-as-code can define when, and at what depth, SCA scans should occur—depending on variables such as code change, risk calculation, and development phase—to run the right scan at the right time. Bringing it all together, our application security posture management platform aggregates and correlates the results from SCA and other AppSec tools to reduce noise and provide the most accurate picture of risk in a form that all stakeholders across the organization can consume. This is how Black Duck defines the “Sec” in DevSecOps.