Open Source Security for Federal Government Applications
Today’s application landscape is complex, and for federal government agencies, maintaining security through that complexity is paramount. Untracked open source code, and the vulnerabilities that can come with it, compromises security and exposes your organization and constituents to significant risk. With recent open source use mandates for government agencies, as well as strategic plans for federal cybersecurity, it’s imperative that you have an established set of tools and automated processes to detect and manage open source security risks in your applications.
Constant Threat and Persistent Security
Government data is a constant target for malicious activity by both individual and state-sponsored hackers. Recent reports from the FTC and Verizon find that government applications face significant and unrelenting attacks, making them the target of the greatest number of cyber incidents and breaches across industry sectors. The goal for developers, established by the National Science and Technology Council (NSTC), is to ensure that application security and risk management (https://www.blackducksoftware.com/solutions/application-security) practices make the cost of an attempted attack greater than the potential benefit of a breach. But open source vulnerabilities, which are often widely publicized, make attacks inexpensive. By proactively tracking and managing open source vulnerabilities, you turn the security economics in your favor.
A Measure of Success
Federal mandates and strategic initiatives outline the criteria needed to successfully achieve target levels of application security, deter security hackers, and encourage the proliferation of software across the federal government.
• 100K: target for lines of code per defect in government applications
• 2019: target date by which effective risk management should eliminate attackers’ advantage
• 20% or more of agency code must be released as open source
Eliminating Vulnerabilities in Government Software
What makes attacks so inexpensive? Unpatched or unidentified vulnerabilities in applications’ code are easily exploited. With open source components comprising 50% or more of a typical application, a vulnerability in one component can be used to compromise hundreds or thousands of applications. In fact, a recent Department of Homeland Security report estimates that 90 percent of security incidents result from exploits against defects in software.
Effective detection and remediation of vulnerabilities in open source components has a material impact on deterring adversaries and preventing a successful attack (http://blog.blackducksoftware.com/asymmetric-advantage-open-source-government-cybersecurity?hs_preview=FjJPLsiZ-4952289751). Yet the presence of untracked open source components in government applications represents a serious threat: you can’t defend against threats you don’t track.
When we built our business case for bringing in Black Duck, our internal information security group was a co-sponsor of the effort. This group now has a significantly easier way to determine which artifacts and versions are affected by any security vulnerability and which applications are impacted as a result. This capability did not exist before, so this is huge. - Kostas Gaitanos, Senior Director of Development Services, FINRA
Simplifying Open Source Application Security Management for the Federal Government
Black Duck solutions (https://www.blackducksoftware.com/solutions) for open source application security and license compliance provide a complete, single pane of glass view into open source risks in your applications. Black Duck solutions:
• Identify and inventory open source components used in your applications.
• Map components to known open source vulnerabilities.
• Monitor for and alert on new vulnerabilities which impact your applications.
• Automate and integrate open source governance into your development tools and processes.
• Deliver powerful risk and remediation insight to security teams.
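The inventory-map-monitor workflow described above, as an added example (this is illustrative code written for this page, not Black Duck's product code or any of its APIs). It takes a component inventory per application, matches it against a vulnerability feed with introduced/fixed version ranges, inverts the result to answer "which applications are impacted", and diffs two runs to produce alerts for newly published advisories. Every application name, component name, version and vulnerability identifier is a constructed placeholder; none refers to a real advisory or library.

```python
"""Added example (not Black Duck code): map a component inventory against a
vulnerability feed and report affected artifacts and impacted applications.

All data below is constructed for illustration. Component names and
"EXAMPLE-nnnn" identifiers are fictitious placeholders, not real advisories.
"""
import re
from typing import Dict, List, Tuple

# Constructed inventory: application -> [(component, version), ...]
INVENTORY: Dict[str, List[Tuple[str, str]]] = {
    "benefits-portal": [("example-json-parser", "2.4.1"), ("example-http-client", "1.9.0")],
    "grant-tracker":   [("example-json-parser", "2.6.0"), ("example-template-engine", "3.0.2")],
    "records-api":     [("example-http-client", "1.8.5"), ("example-template-engine", "3.1.0")],
}

# Constructed vulnerability feed. Ranges follow the usual advisory convention:
# "introduced" is inclusive, "fixed" is exclusive (the fixed release is clean).
VULN_FEED: List[Dict[str, str]] = [
    {"id": "EXAMPLE-0001", "component": "example-json-parser",     "introduced": "2.0.0", "fixed": "2.5.0"},
    {"id": "EXAMPLE-0002", "component": "example-http-client",     "introduced": "1.0.0", "fixed": "1.9.0"},
    {"id": "EXAMPLE-0003", "component": "example-template-engine", "introduced": "3.0.0", "fixed": "3.0.3"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.1' into (2, 4, 1). Numeric tuples compare correctly where
    strings do not ('1.10' > '1.9'). Trailing zeros are dropped so that
    '1.9' and '1.9.0' compare equal."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version string: {v!r}")
    parts = [int(p) for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """introduced <= version < fixed, compared numerically."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def map_vulnerabilities(inventory, feed) -> Dict[str, List[Tuple[str, str, str]]]:
    """Return {vuln_id: [(app, component, version), ...]} for every affected use."""
    hits: Dict[str, List[Tuple[str, str, str]]] = {}
    for app, components in inventory.items():
        for component, version in components:
            for vuln in feed:
                if vuln["component"] == component and is_affected(
                    version, vuln["introduced"], vuln["fixed"]
                ):
                    hits.setdefault(vuln["id"], []).append((app, component, version))
    return hits


def impacted_applications(hits) -> Dict[str, List[str]]:
    """Invert the mapping: app -> sorted vulnerability ids it carries."""
    by_app: Dict[str, set] = {}
    for vuln_id, uses in hits.items():
        for app, _component, _version in uses:
            by_app.setdefault(app, set()).add(vuln_id)
    return {app: sorted(ids) for app, ids in by_app.items()}


def new_findings(previous_hits, current_hits) -> List[Tuple[str, str]]:
    """Alerting step: (app, vuln_id) pairs present in the current run but not
    in the previous one, i.e. what a newly published advisory changes."""
    def pairs(hits):
        return {(app, vid) for vid, uses in hits.items() for app, _c, _v in uses}
    return sorted(pairs(current_hits) - pairs(previous_hits))


if __name__ == "__main__":
    hits = map_vulnerabilities(INVENTORY, VULN_FEED)
    for vuln_id, uses in sorted(hits.items()):
        print(vuln_id)
        for app, component, version in uses:
            print(f"  {app}: {component} {version}")
    for app, ids in sorted(impacted_applications(hits).items()):
        print(f"{app} -> {', '.join(ids)}")
```

Two details are worth checking in any tool that does this for you: the fixed version must be excluded from the affected range (benefits-portal's 1.9.0 client above is clean because 1.9.0 is the fix), and version comparison must be numeric rather than lexical, or a 1.10.x release will be reported as older than 1.9.x. The monitoring step is just a set difference between the previous and current match results, which is what turns a re-scan into an alert.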
Black Duck products and services are available for purchase through Carahsoft's GSA contracts and Carahsoft's NASA SEWP contracts.
DATA SHEETS
Black Duck Hub: Open Source Security Management (https://www.blackducksoftware.com/black-duck-hub-data-sheet)
WEBINARS
Empowering Application Security in DevOps (https://www.brighttalk.com/webcast/13983/201341?utm_source=Website&utm_medium=website&utm_campaign=AppSec%20in%20DevOps)
CASE STUDIES
FINRA Improves Development Efficiencies and Security (https://www.blackducksoftware.com/cs-finra)
© 2017 Black Duck Software, Inc. All Rights Reserved.