Security is crucial in the world of open source, but so far only a handful of companies have enabled open source deployments in a secure and safe manner. Bob Canaway, CMO of Black Duck, in an interaction with Jagmeet Singh from OSFY, talked about the company's solutions for securing open source deployments. Here are excerpts from the conversation.

Q What is Black Duck’s place in the open source world?
Use of open source continues to increase rapidly worldwide because it helps organisations lower their development costs and deliver solutions faster. This is true for internal application development and for bringing commercial software to the market. To fully capitalise on the economic and productivity benefits that open source enables, leading organisations take steps to make sure their open source deployments are secure and well managed. One management challenge they face is ensuring that open source licence obligations are understood and met. The bigger and more important challenge today is making sure there is good visibility into the open source in use, so that the organisation can control the risks. This means making sure there is a comprehensive inventory of all the open source software being used and that it is mapped to security databases to detect any known security vulnerabilities.
This is where Black Duck fits in. We help our customers automate the processes of securing and managing the open source software they use to build their applications. Black Duck automates the open source identification and inventorying processes, and we map the inventory, the bill of materials, to security databases to find any known vulnerabilities. We also monitor the inventory constantly, and if a new vulnerability is discovered, our customers receive a notification right away.
This approach enables our customers and partners to use open source software and services in the most secure, compliant and reliable way.

Q How does Black Duck secure open source deployments?
Software development teams are laser focused on getting solutions to market as quickly as possible. This fast-paced development approach often means that some of the open source code included in a project doesn’t get properly recorded, or isn’t recorded at all. When that happens, it becomes impossible to track the open source software. Almost every time Black Duck does an automated scan of a customer’s code and creates an inventory, we find open source software that many in the organisation didn’t know they were using. A recent study of 200 open source code audits we conducted showed an average of 50 per cent more open source software in the inventory than customers thought they had. So, by making it easy for development teams and organisations to identify, manage and secure the open source software they use, we help them reap the benefits of open source while controlling security and the associated risks.

Q What are the significant challenges in securing and managing open source software and how are they resolved by Black Duck?
The primary challenge in securing and managing open source software is creating and maintaining an accurate inventory of what you’re using. Application developers pull anywhere from 75 to 125 open source components into an app, so without an automated process for inventorying and tracking them, managing these components over the lifecycle of the product is both difficult and prone to error. When you have 40 or 50 software developers, you can easily see how difficult it gets to find and fix potential open source issues without an automated inventorying process. As we’ve seen with recent, high-profile breaches in open source – Heartbleed, for example – it is essential to be able to find and fix vulnerabilities. Of course, you can’t cure what you can’t see.

Black Duck tracks and collects data on about 1.7 million open source projects. We ‘fingerprint’ those projects, which enables us to provide our clients with an accurate open source inventory and to map any known vulnerabilities by scanning their code.
There are other ways to approach the inventorying task. For example, you can use a build manager or a package manager, which reports that the build you are calling has certain pieces and, based on those pieces, makes an estimate of the open source components in your software. This approach is hardly comprehensive and cannot be entirely accurate.

Incredibly, even though this is 2016, some companies still rely on Excel spreadsheets to keep track of open source software. Developers create, update and maintain the inventory manually. This is nearly impossible to keep current, and also requires that someone go to the National Vulnerability Database (NVD) to check if there’s anything there that matches the open source on the spreadsheet.

Q Last year, Red Hat and Black Duck announced a partnership. How can this be fruitful for enterprises?
Containers are attractive to enterprise customers because they are development accelerators. Black Duck is partnering with Red Hat to enable secure use of Linux containers.
Red Hat has a container offering called OpenShift, which works as a Platform-as-a-Service (PaaS). A container has a base operating system, which is usually a stripped-down version of a Linux package, and Red Hat Enterprise Linux (RHEL) is running the whole thing. The container has a base layer and an application server like Tomcat. Additionally, it might have Java, possibly a database, and then an open source based application on top. What Red Hat realised is that with Black Duck, its customers would have excellent visibility into everything inside those containers. We can look at all the container pieces as well as the base operating system. We can tell you if there are vulnerabilities in that version of the operating system, and can inform you if a vulnerability exists that can be patched.

While our competitors can only tell you that there could be vulnerabilities in the container, we can show whether there are real vulnerabilities or if they’ve already been patched. And then we monitor everything over the lifecycle of the container. All of this helps Red Hat’s customers ensure that their containers are free from licence and security risks.
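The inventory-to-vulnerability-database mapping described in the answer on challenges above, and the layer-by-layer container view described here, as an added Python example that is not Black Duck's code: it matches a constructed container bill of materials against a constructed advisory feed standing in for the NVD (component names, versions and vulnerability ids are made-up placeholders) and reports, per layer, whether each match is still exposed or already carries the fix.

```python
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'7.0.50' -> (7, 0, 50): compare versions numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    vuln_id: str     # placeholder ids below, not real CVE numbers
    component: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first version carrying the fix (exclusive)

    def status(self, version: str) -> str:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return "not affected"
        return "vulnerable" if v < parse_version(self.fixed) else "patched"


# Constructed inventory of one container, layer by layer (all values made up).
INVENTORY = [
    ("base OS",     "openssl",    "1.0.1"),
    ("app server",  "tomcat",     "7.0.50"),
    ("runtime",     "openjdk",    "8.0.91"),
    ("database",    "postgresql", "9.4.5"),
    ("application", "struts",     "2.3.20"),
]

# Constructed feed standing in for the NVD; ids and ranges are placeholders.
FEED = [
    Advisory("VULN-PLACEHOLDER-1", "openssl", "1.0.1", "1.0.2"),
    Advisory("VULN-PLACEHOLDER-2", "tomcat",  "7.0.0", "7.0.40"),
    Advisory("VULN-PLACEHOLDER-3", "struts",  "2.3.0", "2.3.25"),
]


def match_inventory(inventory, feed):
    """(layer, component, version, vuln_id, status) for every advisory that
    names an inventoried component: which layer it lives in, and whether the
    installed version is still exposed or already patched."""
    return [(layer, name, ver, adv.vuln_id, adv.status(ver))
            for layer, name, ver in inventory
            for adv in feed if adv.component == name]


def open_vulnerabilities(inventory, feed):
    """Re-run after every feed update: this is the continuous monitoring step."""
    return [f for f in match_inventory(inventory, feed) if f[4] == "vulnerable"]
```

Running `match_inventory(INVENTORY, FEED)` yields three findings: openssl and struts are still vulnerable, while tomcat is in the feed but already at a fixed version.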

Q How does Black Duck drive developer engagement in open source deployments?
We have a free project called OpenHub that aggregates information about open source projects. There are about 600,000 open source developers and users as a part of the OpenHub community, and a significant number of active contributors. It’s a great tool for analysing the strength of an open source based project. This is important, because if you’re relying on a piece of open source software that doesn’t have a vibrant community, it’s going to be much harder to get somebody to help you fix it when problems surface. Typically, you’ll be left trying to fix it by yourself. If a project has an active community, it will be regularly patched and improved. We help you find the one that’s going to be the best fit, with the most active community.
OpenHub is free for developers and is open for anybody who wants to search for particular information. Also, people who manage projects are free to put their information in it, so they can ensure that their offerings get visibility.
We recently started to show security information on OpenHub as well, so the same value we bring to our commercial customers, we offer to the open source community.

Q Black Duck already has a strong presence in the US, UK, Europe and Japan. When can we see its expansion in India?
We’re investing in India because of its market opportunities and tech sophistication. Some of the biggest and the most important companies in the world are developing software in India, so it’s a natural fit for Black Duck to be here and help them with their open source security and management.

Q What is your go-to-market strategy for the Indian market?
We have direct sales here. We also sell through our partners. We have a strong relationship with companies such as IBM, Red Hat and HP, who have a large presence in India.

Q The Indian government is supporting enterprises with programmes like ‘Digital India’ and ‘Make in India’. How is Black Duck contributing to these initiatives?
We’re supportive of the government’s initiatives and will help them in any way we can. Starting a business today and getting to market quickly requires the use of open source. That’s true not only in India but also across the globe. Our free OpenHub project is a resource Black Duck provides to help startups and other companies responsibly choose open source software. This platform allows developers to research what open source is available for the task at hand, assess the value of projects that address their needs, and understand how much support each open source community provides.

Q Do you think open source will reach even greater heights in the future?
Open source usage is ubiquitous. It’s everywhere. Once looked at with skepticism, open source is simply the way we develop software today. It will continue to be the engine for innovation and the pace of adoption will increase.