Black Duck has announced version 3.0 of its open-source security solution, Hub, with increased code-scanning performance and new agile functionality.
“Because of its widespread use, open source represents a large ‘attack surface’ where hackers can use (and reuse) vulnerabilities in open-source components to gain access to a large number of systems and sensitive data,” said Bill Ledingham, CTO and executive vice president of engineering at Black Duck. “In addition, the onus is on the user of open-source software to monitor and patch vulnerabilities when they are discovered. Unlike commercial products, there are no ‘patch Tuesdays’ for open-source software. As a result, many vulnerabilities remain unpatched for years.”
Hub 3.0 aims to address those problems with new features such as policy management and a new notification API. According to Ledingham, these features will allow enterprises to define policies on how their open-source software is managed. Policy conditions include license types, component names or usage, number of newer versions available, and project characteristics. Hub also sends real-time notifications about newly discovered vulnerabilities to enable users to take action and respond quickly to potential problems.
“Open source is how today’s applications are built,” said N. Louis Shipley, CEO of Black Duck. “With open source often comprising the majority of an application’s code, policy management, along with fast, comprehensive identification of all open-source code and mapping of all known vulnerabilities, are crucial.”
In addition, Black Duck reported that Hub 3.0's scanning and identification are 100x faster than in previous versions, and that it now performs full signature scans, so it can identify open-source components, and the known vulnerabilities mapped to them, even when those components are not declared in package manifests.
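As an added example (not Black Duck's code and not the Hub API), the Python sketch below ties together the three capabilities the article describes: a signature scan that identifies components from file hashes whether or not a package manifest declares them, policy conditions on license type, component name, number of newer versions and manifest declaration, and vulnerability notifications mapped onto the resulting inventory. Every component name, version, license, file content, hash, vulnerability identifier and policy threshold here is constructed for illustration.

```python
"""Toy open-source inventory, policy and notification check (added example,
not Black Duck's code). All data below is constructed for illustration."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    declared: bool  # True if a manifest lists it, False if only a signature match found it


# Constructed component catalogue: license and known versions, oldest to newest.
CATALOGUE = {
    "fastlog": {"license": "MIT", "versions": ["1.0.0", "1.1.0", "1.2.0", "1.2.1"]},
    "acme-json": {"license": "Apache-2.0", "versions": ["2.3.0", "2.4.0"]},
    "widgetlib": {"license": "AGPL-3.0-only", "versions": ["0.9.0", "1.0.0", "1.1.0"]},
}

# Constructed signature database: sha256 of a file's bytes -> (component, version).
SIGNATURES = {
    hashlib.sha256(b"widgetlib 0.9.0 minified source").hexdigest(): ("widgetlib", "0.9.0"),
    hashlib.sha256(b"fastlog 1.0.0 source").hexdigest(): ("fastlog", "1.0.0"),
}

# Constructed vulnerability feed: identifier -> (component, affected versions).
VULN_FEED = {
    "VULN-2016-001": ("fastlog", {"1.0.0", "1.1.0"}),
    "VULN-2016-002": ("widgetlib", {"0.9.0"}),
}

# Policy conditions of the kinds the article lists; the thresholds are assumptions.
POLICY = {
    "denied_licenses": {"AGPL-3.0-only"},
    "denied_components": {"widgetlib"},
    "max_versions_behind": 1,
    "require_manifest_declaration": True,
}

# Constructed project: a manifest plus the raw files on disk (one is first-party code).
MANIFEST = {"fastlog": "1.0.0", "acme-json": "2.4.0"}
FILES = [
    b"widgetlib 0.9.0 minified source",  # vendored copy, absent from the manifest
    b"fastlog 1.0.0 source",
    b"first-party application code",
]


def build_inventory(manifest, files):
    """Declared components from the manifest, plus undeclared ones found by signature scan."""
    inventory = [Component(n, v, declared=True) for n, v in manifest.items()]
    for content in files:
        match = SIGNATURES.get(hashlib.sha256(content).hexdigest())
        if match and match[0] not in manifest:
            inventory.append(Component(match[0], match[1], declared=False))
    return inventory


def versions_behind(component):
    """Number of newer catalogue releases than the version in use (0 if version unknown)."""
    known = CATALOGUE.get(component.name, {}).get("versions", [])
    if component.version not in known:
        return 0
    return len(known) - 1 - known.index(component.version)


def evaluate_policy(inventory, policy=POLICY):
    """Return (component, reason) pairs for every policy condition a component violates."""
    violations = []
    for c in inventory:
        lic = CATALOGUE.get(c.name, {}).get("license", "UNKNOWN")
        if lic in policy["denied_licenses"]:
            violations.append((c, f"license {lic} is denied"))
        if c.name in policy["denied_components"]:
            violations.append((c, "component is denied by name"))
        behind = versions_behind(c)
        if behind > policy["max_versions_behind"]:
            violations.append((c, f"{behind} newer versions available"))
        if policy["require_manifest_declaration"] and not c.declared:
            violations.append((c, "not declared in any package manifest"))
    return violations


def vulnerability_notifications(inventory, feed=VULN_FEED):
    """Map the feed onto the inventory: one (vuln id, component) per affected component in use."""
    return [
        (vuln_id, c)
        for vuln_id, (name, affected) in feed.items()
        for c in inventory
        if c.name == name and c.version in affected
    ]
```

Running `evaluate_policy(build_inventory(MANIFEST, FILES))` flags the vendored `widgetlib` copy four times (denied license, denied name, two newer releases, no manifest entry) and `fastlog` once for being three releases behind, while `vulnerability_notifications` reports both constructed advisories. The point of the undeclared-component path is the one the article makes: a manifest-only check would never have seen `widgetlib` at all.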
Hub 3.0 supports Alpine, Debian, Fedora and Red Hat Enterprise Linux.