Black Duck, the company that focuses on automated open-source code management, and Microsoft are integrating Black Duck's Hub program with Microsoft Visual Studio Team Services (VSTS), formerly Visual Studio Online, and Team Foundation Server (TFS).
Black Duck Hub is a database and code-checking service. Its database, Black Duck KnowledgeBase, contains data on over 2 million open-source projects and 79,000+ known open-source vulnerabilities. Armed with this data, Hub scans your project's code to identify its open-source components. It then checks the code for known vulnerabilities and for new vulnerabilities as they're reported. It also enables you to prioritize and track your remediation efforts.
This way you can be sure that, for example, open-source code added to your project three months ago will have any newly reported problems cleaned up and fixed. It also lets you spot open-source code that shouldn't be in your project for licensing reasons.
The new Black Duck Visual Studio extensions will automatically detect any known open-source code used during your TFS and Team Services builds. They will identify security vulnerabilities, components with license compliance issues, and other security risks. They will also spot cases when your lazier programmers have "borrowed" open-source code without permission for your projects.
According to Sonatype, a software security and automation company, one in every 16 open-source download requests for a component has a known vulnerability. This is a real worry. Forrester Research reports, "In their haste to create applications, developers use open-source components as their foundation, creating applications using only 10 percent to 20 percent new code."
Black Duck CEO Lou Shipley continued on this theme in a statement. "With open source making up between 80 percent and 90 percent of the code in today's applications, effective security and management of open source is essential. Microsoft recognizes the importance of open source in application development and the many economic and productivity reasons for its rapidly expanding use. We're pleased that Microsoft also sees the value in bringing Black Duck's open-source license and security compliance capabilities to the Microsoft Visual Studio continuous integration platform."
Shawn Nandi, Microsoft's senior director, cloud app dev and data marketing, added: "We welcome Black Duck to the Visual Studio Partner Program and we are pleased that this integration with Visual Studio will bring our customers options to detect and manage potential security risks."