Black Duck, the global organisation providing automated solutions for securing and managing open source software, today released Security Checker, a free, drag-and-drop tool for users to identify known open source security vulnerabilities in their code.
Based on Black Duck’s flagship Hub open source security solution, Security Checker scans the code contained in an uploaded archive file (e.g. .tar, .jar, .zip) or Docker image and provides a report showing the identified open source and related known security vulnerabilities.
“Applications represent the greatest level of risk on the security-threat landscape and we expect that Security Checker scan results will provide an ‘aha moment’ for many open source users,” said Black Duck CEO Lou Shipley. “Their findings will focus attention on the need to regularly review application code to ensure it’s free of known open source vulnerabilities.”
Open source use is ubiquitous worldwide because it reduces development costs, frees developers to work on higher-level tasks and accelerates time to market. It is the way applications are developed today. “Organizations definitely want to maximize all the benefits they get from open source, and as open source usage has increased, they’re realizing that it’s imperative to secure and manage their open source more effectively,” said Shipley.
The maximum file size for a Security Checker scan is 100MB and Shipley noted that “start to finish the process takes about 15 minutes. It’s a worthwhile investment of time to get valuable insights into the security of your open source code.”
Earlier this month Black Duck released a revealing report based on data from open source security audits of 200 commercial applications, conducted by its On-Demand business unit. The report confirms the widespread use of open source in application development and also highlights persistent challenges in securing and managing the open source in use.
Among the findings: 67 percent of the audited applications contained known open source security vulnerabilities; more than one third of the vulnerabilities identified were classified as “severe”; and 10 percent of the applications contained the Heartbleed vulnerability, which was discovered in April 2014.
Security Checker is available at: blackducksoftware.com/checker .