Black Duck Software this week released Security Checker, a free tool based on the company’s Hub open source security solution.
Security Checker is a drag-and-drop, Web-based tool that allows users to determine if known open source vulnerabilities exist in the components used to build applications. It scans the code in an uploaded archive file or Docker image and provides a report showing the identified open source code and known bugs.
The maximum file size for a Security Checker scan is 100 MB, and it takes about 15 minutes from start to finish, according to Black Duck.
“Users select and scan an archive or image of their choice and within minutes receive a detailed report providing them with a full listing of open source components and vulnerabilities, including severities, descriptions, CVE numbers and links to additional information in the National Vulnerability Database,” said Patrick Carey, director of product management for Black Duck.
Ubiquitous Open Source
The release of the tool comes on the heels of areport Black Duck issued earlier this month based on data from open source security audits of 200 commercial applications its On-Demand business unit conducted.
Use of open source in application development is widespread, according to the report, which highlighted the challenges of securing and managing the open source in use.
Sixty-seven percent of audited applications contained known open source security vulnerabilities, more than a third of the bugs identified were severe, and 10 percent of the applications contained the Heartbleed vulnerability, the report found.
Checker’s Capabilities
Security Checker lets developers quickly and easily check their own code bases. They can see where they stand and take the first step toward managing and securing open source in their environments.
Security Checker uses Black Duck Hub’s intelligent scanning and knowledge base of more than 1.5 million projects to find open source components and vulnerabilities that go undetected by tools that simply report open source as declared, Carey told LinuxInsider. Security Checker lets developers know what is actually in their code.
It allows users to scan up to three archives that are 100 MB or less in size.
Teams that want an open source management solution with more capabilities can try Black Duck Hub free for 14 days.
Application developers often use code from other sources to simplify repetitive tasks and speed the overall process, but it is difficult to keep up with the rising tide of related security alerts, according to Charles King, principal analyst at Pund-IT.
“That is where code-analysis tools like Black Duck’s new offering come in handy. By providing a tool that leverages a continually updated list of security flaws, the company aims to relieve developers from drudge work and also make their code more secure. Both of those are admirable goals,” he told LinuxInsider.
Good and Bad
The main advantage of such tools is ease of use. The main limitation is that a tool is only as effective as its creators’ list of vulnerabilities. Using a given tool implies that you trust the vendor to stay alert and on the job, noted King.
Developers have “a ton of other similar offerings out there,” he said. By offering a free scanner, Black Duck can draw attention to its other products.
“If the new tool delivers what the company promises, it will help put the company in good stead with customer developers. Satisfied customers tend to be repeat customers,” King said.
Endgame Matters
Black Duck’s goal is to help the industry solve the problems revealed by the open source security audits. It is clear that most applications rely heavily on open source. However, many contain untracked open source, resulting in undetected vulnerabilities, said Black Duck’s Carey.
“This is bad for teams building applications as well as users who rely on those applications. Awareness is an important first step,” he said.
Security Checker will provide eye-opening results for many teams and hopefully encourage them to take steps to better track and manage open source vulnerabilities in their code, Carey said. That will lead to more secure applications.