New Jenkins Plugin Identifies Known Security Vulnerabilities in Open Source Projects
By Bill Weinberg, Senior Director of Open Source Strategy at Black Duck Software
With over 4,000 vulnerabilities reported each year in open source software (OSS), it is very likely that a company’s software portfolio contains potentially exploitable OSS components. The first step in building and shipping more secure applications is identifying vulnerable code in your software stack. But that’s no simple task – there can be hundreds or even thousands of open source modules integrated into platforms, middleware, libraries, and utility code; that code can be distributed across different groups and development sites; and the process of vetting open source software for vulnerabilities can be time consuming, slowing down software builds and bringing continuous integration to a grinding halt.
Consequently, developers and DevOps teams often forego securing their wares until late in the software lifecycle, when stakes (and costs) are highest. The result is apps packed with out-of-date open source code that has a high probability of latent vulnerabilities, and little or no visibility into this security risk.
Now, developers can download Black Duck’s newly released Free Vulnerability Plugin for Jenkins. This freely available tool lets developers and DevOps managers quickly and easily discover known security vulnerabilities in open source code early in the software development lifecycle, when remediation is less disruptive and costly.
The Vulnerability Plugin works by leveraging Black Duck’s KnowledgeBase and by extracting dependency data from the Jenkins build. It streamlines discovery of the specific versions of open source software in use, and then cross-references those open source components with databases of catalogued vulnerabilities associated with those modules. The key is automation – the plugin minimizes the need for exhaustive inspection (human intervention) and doesn’t slow down daily (or hourly) builds and associated Agile sprints. Developers can then export PDF reports listing the vulnerabilities and share them with security teams and architects for easy collaboration and remediation.
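To make the matching step concrete, here is an added example (not Black Duck’s code and not the plugin itself) of the core logic the paragraph describes: take dependency coordinates extracted from a build, then cross-reference each one against a vulnerability catalogue by version range. The component names, advisory ids and dependency output below are all constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) for comparison; pre-release tags such as
    '-beta1' are ignored here, which a production matcher must handle properly."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True if introduced <= version < fixed (the half-open range most advisories use)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

# Constructed advisory catalogue standing in for a vulnerability database:
# (component, introduced_in, fixed_in, advisory_id, severity)
ADVISORIES = [
    ("com.example:widget-parser", "2.0.0", "2.17.1", "EXAMPLE-ADV-0001", "CRITICAL"),
    ("org.example:util-collections", "3.0", "3.2.2", "EXAMPLE-ADV-0002", "HIGH"),
]

# Constructed output of a dependency-extraction step (Maven dependency:list style lines)
DEPENDENCY_OUTPUT = """\
[INFO]    com.example:widget-parser:jar:2.14.1:compile
[INFO]    org.example:util-collections:jar:3.2.2:compile
[INFO]    org.example:http-client:jar:4.5.13:compile
"""

def extract_dependencies(text: str) -> Dict[str, str]:
    """Map 'group:artifact' to its resolved version from dependency:list output."""
    deps: Dict[str, str] = {}
    for m in re.finditer(r"^\[INFO\]\s+([^:\s]+):([^:\s]+):jar:([^:\s]+):", text, re.M):
        deps[f"{m.group(1)}:{m.group(2)}"] = m.group(3)
    return deps

def find_vulnerable(deps: Dict[str, str]) -> List[dict]:
    """Cross-reference each dependency against the catalogue and return findings."""
    findings = []
    for comp, introduced, fixed, adv_id, severity in ADVISORIES:
        version = deps.get(comp)
        if version and is_affected(version, introduced, fixed):
            findings.append({"component": comp, "version": version,
                             "advisory": adv_id, "severity": severity, "fixed_in": fixed})
    return findings

if __name__ == "__main__":
    for f in find_vulnerable(extract_dependencies(DEPENDENCY_OUTPUT)):
        print(f"{f['severity']:8} {f['component']}@{f['version']} -> "
              f"{f['advisory']} (fixed in {f['fixed_in']})")
```

Only widget-parser is reported: util-collections is already at the fixed version, and http-client has no catalogue entry, which is exactly the version-precise matching that makes an automated scan useful in a fast build cycle.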
Flagging vulnerabilities early in development saves developer time and resources, and ultimately helps deliver better quality code and more secure applications. Check it out!
You can download the Jenkins plugin for free HERE.