Application security

Managing Vulnerabilities Introduced from Open Source Code Libraries

TF 70px2 png

ThreadFix Team


Blog Images 2022 TF Coalfire logo grey

Modern development architectures are commonly based around open source components. Using open source components helps organizations lower their overall development cost while improving the time to market for new applications. Introducing these components however, can lead to serious consequences when these risks areas are not properly managed.

Traditional security testing using dynamic application security testing (DAST) and static application security testing (SAST) identify large amounts of vulnerabilities in applications, however they aren’t a perfect toolset. Certain types of vulnerabilities can exist in open source code for years, despite being subject to thousands of different security assessments and scans. Why? Because they take a dedicated security researcher to find them. 

Black Duck Hub helps organizations analyze the open source components in their code and identify vulnerabilities associated with them. Using Black Duck Hub allows you to cross-reference the known vulnerabilities in your open source components against the National Vulnerability Database (NVD), as well as Black Duck’s expanded library of vulnerability data. Checking for vulnerabilities introduced throughout the development process, and tracking them to remediation is a crucial part of developing secure applications. ThreadFix combines the scan results from manual security checks, and other DAST and SAST scanners with Black Duck vulnerability reports and provides an overview of the most critical vulnerabilities.

Through integration with Black Duck Hub, ThreadFix helps improve visibility for open source component vulnerabilities and allows you to run a comprehensive application security program where you are managing the various risks associated with code reads. By scheduling scans through the ThreadFix API, prioritizing vulnerabilities based on their risk and exporting them to defect trackers as tickets for developers to work on, you can begin to continuously monitor open source vulnerabilities through every stage of the standard development lifecycle (SDLC).