Organizations of all sizes using automation and agile methodologies to improve the speed and reliability of their software development initiatives. In this session we will provide an overview and demonstrations of the various ways you can integrate Black Duck Hub with your CI/CD tools to manage open source risks throughout development.
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Integrating Black Duck into your Agile DevOps Environment
1. Integrating Black Duck
in your Agile DevOps
Environment
Utsav Sanghani
Product Manager Black Duck Software
2. 2Black Duck Customer Conference
Continuous
Build & Test
Code
Assimilatio
n
Development
Configure
& Release
Packaging
CONVENTIONAL CHECKS HAPPEN VERY LATE IN THE SDLC
3. 3Black Duck Customer Conference
Continuous
Build & Test
Code
Assimilatio
n
Development
Configure
& Release
Packaging
CONVENTIONAL CHECKS HAPPEN VERY LATE IN THE SDLC
4. 4Black Duck Customer Conference
Continuous
Build & Test
Code
Assimilatio
n
Development
Configure
& Release
Packaging
CONVENTIONAL CHECKS HAPPEN VERY LATE IN THE SDLC; APPLICATIONS SHIP
WITH VULNERABILITIES
5. 5Black Duck Customer Conference
Continuous
Build & Test
Configure
& Release
Packaging
THE PROCESS IS MANUAL & NON LINEAR WITH ADDED TIME IN QUEUE BEFORE
RELEASE
6. How are Companies Managing Open Source Today? Not Well.HOW ARE COMPANIES MANAGING OPEN SOURCE TODAY? NOT WELL.
TRACKING VULNERABILITIES
• No single responsible entity
• Manual effort and labor intensive
• Unmanageable (11/day)
• Match applications, versions, components,
vulnerabilities
SPREADSHEET INVENTORY
• Depends on developer best effort or memory
• Difficult maintenance
• Not source of truth
MANUAL TABULATION
• Architectural Review Board
• Occurs at end of SDLC
• High effort and low accuracy
• No controls
VULNERABILITY DETECTION
Run monthly/quarterly vulnerability assessment
tools (e.g., Nessus, Nexpose) against all
applications to identify exploitable instances
7. IT IS IMMENSELY ADVANTAGEOUS TO MOVE LEFT
7Black Duck Customer Conference
1. REDUCED COSTS
Avoid human overhead costs
8. IT IS IMMENSELY ADVANTAGEOUS TO MOVE LEFT
8Black Duck Customer Conference
1. REDUCED COSTS
Avoid human overhead costs
2. REDUCED TIME TO MARKET
In process automation checks over post processing
9. IT IS IMMENSELY ADVANTAGEOUS TO MOVE LEFT
9Black Duck Customer Conference
1. REDUCED COSTS
Avoid human overhead costs
2. REDUCED TIME TO MARKET
In process automation checks over post processing
3. REDUCED RISK
Move checks to the left to facilitate higher remediation time with lower impact
Dev Ops
10. 10Black Duck Customer Conference
Continuous
Build & Test
Code
Assimilatio
n
Development
Configure
& Release
Packaging
FEEDBACK
A FEEDBACK LINK BETWEEN CI & DEVELOPMENT IS NEEDED TO SHIP COMPLIANT
AND SECURE PRODUCTS
11. BLACK DUCK PROVIDES FEEDBACK: CI/BUILD IS THE PLACE TO PLUG IN
AUTOMATED CHECKS (CURRENTLY)
11Black Duck Customer Conference
Continuou
s Build &
Test
Configure
& Release
Packaging
12. WHAT SHOULD YOU ASK YOU BUILD/RELEASE TEAM?
12Black Duck Customer Conference
• Does the build contain only approved open source
components?
• How secure is the build? Does it have any known
security vulnerabilities?
• Can we add diligence and remain agile?
• Where are you deploying the production builds?
16. MANAGING THE ENTIRE POST BUILD AUTOMATION ACROSS CI PLATFORMS
16Black Duck Customer Conference
17. MANAGING THE ENTIRE POST BUILD AUTOMATION ACROSS CI PLATFORMS
17Black Duck Customer Conference
18. MANAGING THE ENTIRE POST BUILD AUTOMATION ACROSS CI PLATFORMS
18Black Duck Customer Conference
19. CONTINUOUS BUILD & INTEGRATION IS THE PLACE TO PLUG IN AUTOMATED
CHECKS (2017)
19Black Duck Customer Conference
Continuou
s Build &
Test
Configure
& Release
Packaging
1 5
4
3
2
20. COMPLIANT AND SECURE BUILDS VIA JENKINS: CHECK
20Black Duck Customer Conference
ALERT
New Vulnerabilities
Affecting You
IDENTIFTY
License
Compliance
Risks