The document describes four levels of open source risk management, from ignoring the problem, through manual discovery and spreadsheet tracking, to fully automated identification and inventory of open source components. It notes that manual tracking hurts developer productivity and that an accurate inventory is difficult to maintain by hand. At the highest level, open source is automatically identified, inventoried, and mapped to known vulnerabilities and license requirements without disrupting the software development lifecycle. Black Duck Software offers products to help organizations automate open source security and license compliance management.
Where does your organization stand with open source risk management?
How are you identifying and securing open source used in your code?
Measure your organization against these four levels to find out…

LEVEL 1 – IGNORING RISK
Code Red. You're unaware of open source used in your code. No policies in place to manage open source security and licensing risks.

LEVEL 2 – MANUAL DISCOVERY OF OPEN SOURCE
Significant Trouble. Inaccurate open source inventories. Processes to manage open source are inconsistent. No controls over open source use.

LEVEL 3 – TRACKING OPEN SOURCE BY SPREADSHEET
Making Progress (Issues Remain). Developers complain that manual tracking is impacting their productivity. Accuracy is difficult to maintain. Provides limited insight into security vulnerabilities.

LEVEL 4 – AUTOMATED OPEN SOURCE RISK MANAGEMENT
Way Cool. Open source is automatically identified, inventoried, and mapped to known vulnerabilities and license requirements without impacting your SDLC.

DO YOU KNOW WHAT LICENSE OR SECURITY ISSUES MIGHT ARISE FROM YOUR USE OF OPEN SOURCE?
BLACK DUCK CAN HELP YOU:
Automatically identify and inventory open source software used to build applications and Docker containers
Map open source components to known vulnerabilities and license requirements with Black Duck's comprehensive KnowledgeBase™ of more than 1.5 million open source projects and 75,000 vulnerabilities
Streamline and secure continuous integration/deployment activities through integration with the most popular DevOps and security tools, including IBM AppScan, HP Fortify, Docker, Red Hat Atomic, Jenkins, and Atlassian
Help your teams set policies to govern open source security, license, and code quality risks, enforce those policies through build-tool integrations, and manage remediation efforts through IT workflow support
Continuously monitor for new open source vulnerabilities and alert you when they affect components you use
For more information, visit www.blackducksoftware.com
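The Level 4 description above, and the identify / inventory / map / enforce capabilities listed under "Black Duck can help you", boil down to one pipeline: build an accurate component inventory, map each component to advisories by version range and to a license, and gate the build on policy. The following is an added example written for this page; it is not Black Duck product code and does not use the KnowledgeBase or any Black Duck API. Every package name, advisory ID, version, license and policy threshold is constructed for illustration, and version comparison is deliberately simplified to numeric dotted versions. It also shows why spreadsheet-level inventories lose accuracy: an unpinned dependency cannot be matched against advisories at all, so the example treats it as a policy violation rather than silently skipping it.

```python
"""Added example (not Black Duck code): inventory pinned dependencies from a
manifest, map them to a vulnerability feed and a license table, enforce a
policy. All packages, advisories, versions and licenses are constructed."""

# --- constructed sample inputs (not real packages or advisories) ---
MANIFEST = """\
# application dependencies (constructed requirements-style manifest)
examplelib-http==2.1.0
examplelib-yaml==5.3.1
examplelib-crypto==1.0.4
examplelib-logging     # unpinned: cannot be inventoried accurately
"""

VULN_FEED = [  # constructed advisories; affected if introduced <= v < fixed
    {"id": "EXAMPLE-2017-0001", "package": "examplelib-http",
     "introduced": "2.0.0", "fixed": "2.1.3", "cvss": 7.5},
    {"id": "EXAMPLE-2017-0002", "package": "examplelib-yaml",
     "introduced": "0.0.0", "fixed": "5.1.0", "cvss": 9.8},  # fixed before 5.3.1
    {"id": "EXAMPLE-2017-0003", "package": "examplelib-crypto",
     "introduced": "1.0.0", "fixed": "1.0.5", "cvss": 5.3},
]

LICENSES = {"examplelib-http": "MIT", "examplelib-yaml": "GPL-3.0-only",
            "examplelib-crypto": "Apache-2.0"}

POLICY = {"max_cvss": 7.0, "denied_licenses": {"GPL-3.0-only", "AGPL-3.0-only"}}


def parse_version(v):
    """Numeric dotted versions only (simplification; not full PEP 440)."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text):
    """Return ({name: version}, [unpinned names]) from a requirements-style manifest."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if "==" in line:
            name, version = (s.strip() for s in line.split("==", 1))
            pinned[name] = version
        else:
            unpinned.append(line)  # no exact version: cannot be matched to advisories
    return pinned, unpinned


def match_vulnerabilities(inventory, feed):
    """Map each inventoried component to advisories whose affected range contains it."""
    findings = []
    for adv in feed:
        version = inventory.get(adv["package"])
        if version is None:
            continue
        v = parse_version(version)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            findings.append({**adv, "installed": version})
    return findings


def evaluate_policy(inventory, unpinned, findings, licenses, policy):
    """Return build-gating violations: severe vulns, denied/unknown licenses, unpinned deps."""
    violations = []
    for f in findings:
        if f["cvss"] >= policy["max_cvss"]:
            violations.append(("vulnerability", f["package"], f["id"]))
    for name in inventory:
        lic = licenses.get(name, "UNKNOWN")  # an unknown license is itself a finding
        if lic == "UNKNOWN" or lic in policy["denied_licenses"]:
            violations.append(("license", name, lic))
    for name in unpinned:
        violations.append(("unpinned", name, "no exact version; inventory incomplete"))
    return violations


def scan(manifest=MANIFEST, feed=VULN_FEED, licenses=LICENSES, policy=POLICY):
    """Full pipeline: inventory -> vulnerability/license mapping -> policy decision."""
    inventory, unpinned = parse_manifest(manifest)
    findings = match_vulnerabilities(inventory, feed)
    violations = evaluate_policy(inventory, unpinned, findings, licenses, policy)
    return {"inventory": inventory, "findings": findings,
            "violations": violations, "build_passes": not violations}


if __name__ == "__main__":
    report = scan()
    for kind, component, detail in report["violations"]:
        print(f"{kind:13s} {component:20s} {detail}")
    print("build passes:", report["build_passes"])
```

Run as-is, the constructed manifest fails the gate three times: one advisory at or above the CVSS threshold, one denied license, and one unpinned dependency. The lower-severity advisory on examplelib-crypto is reported as a finding but does not block the build, which is the distinction between mapping and policy that a build-tool integration has to preserve. Real tooling replaces the constructed feed with a maintained advisory source and the naive version parser with the ecosystem's own version semantics.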
Organizations worldwide use Black Duck Software’s industry-leading products to automate
the processes of securing and managing open source software, eliminating the pain related
to security vulnerabilities, open source license compliance and operational risk. Black Duck
is headquartered in Burlington, MA, and has offices in San Jose, CA, London, Frankfurt, Hong Kong, Tokyo, Seoul and Beijing.