Basma Shahadat, Lead Research Engineer, presented at Black Duck Flight West 2018. Security checking in the early stages of the SDLC is critical. This session demonstrates how Proofpoint is taking proactive steps to reduce risk by integrating Black Duck into Proofpoint’s continuous integration pipeline to detect open source vulnerabilities during the product build. For more information, please visit us at https://www.blackducksoftware.com/
4. Importance of Software Security
• Digital transformation in all industries is powered by software
• The nature of the threat is changing more rapidly with the concurrent rise in cybercrime
5. Today, most application code is open source
Share of application code that is open source (chart):
• 1998: 10%
• 2005: 20%
• 2010: 50%
• Today: up to 90%
*Source: Black Duck Software
6. 96% of audited apps contain open source…
• 67% had known vulnerabilities
• 52% of those were rated as severe
• 85% were out of license compliance
*Source: Black Duck Software
7. Challenges
• Commitment to security
• Desire to continuously monitor application security
• Desire to automate the process so it is scalable
8. What Did We Learn?
• Do it often
• Do it continuously
• Do it frequently
9. Continuous Integration Flow
Black Duck: each build
• Build code with unit tests (send results to code coverage tools)
• Scan artifact with Black Duck
• Deploy code to QA stack
• Run integration tests
• QA promotes for production
Coverity: weekly
• Scan code with Coverity
• Notify the committer about new code flaws
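The per-build Black Duck flow from this slide, written out as a Jenkins declarative pipeline. This is an added example, not Proofpoint's or Black Duck's own configuration: the ./ci/*.sh scripts, the artifact path and the credential id are placeholders, and the Black Duck scan wrapper is assumed to exit non-zero on a policy violation so the scan stage gates deployment.

```groovy
// Jenkinsfile (declarative pipeline). Added example; every ./ci/*.sh script,
// the artifact path and the credential id are placeholders, not real tooling.
pipeline {
    agent any

    environment {
        // Black Duck API token from the Jenkins credential store (id assumed);
        // read by the scan wrapper, so the secret never lives in the repository.
        BLACKDUCK_TOKEN = credentials('blackduck-api-token')
    }

    stages {
        stage('Build and unit test') {
            steps {
                sh './ci/build.sh'                         // compile + unit tests
                junit 'build/test-results/**/*.xml'
                sh './ci/publish-coverage.sh'              // to the coverage tool
            }
        }
        stage('Scan artifact with Black Duck') {
            steps {
                // Scan the built artifact rather than the source tree, so the
                // third-party libraries actually shipped are what get checked.
                // The wrapper is assumed to exit non-zero on a policy violation
                // (e.g. a component with a severe known vulnerability), which
                // fails the build here, before anything is deployed.
                sh './ci/blackduck-scan.sh build/dist/app.tar.gz'
            }
        }
        stage('Deploy to QA') {
            steps { sh './ci/deploy.sh qa build/dist/app.tar.gz' }
        }
        stage('Integration test') {
            steps { sh './ci/integration-test.sh qa' }
        }
        stage('Promote for production') {
            // The slide has QA doing the promotion: a manual gate, not automation.
            input { message 'QA: promote this build to production?' }
            steps { sh './ci/promote.sh build/dist/app.tar.gz' }
        }
    }

    post {
        failure {
            // Placeholder for the HipChat/JIRA notification the deck mentions.
            sh "./ci/notify.sh 'Build ${env.BUILD_TAG} failed'"
        }
    }
}
```

The weekly Coverity job from the same slide would be a separate pipeline with a cron trigger rather than a stage here, since it is not meant to run on every build.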
10. Cultivating a Security Community in Development
Get everybody on-boarded right away!
• Internal Tech Talks on Black Duck ongoing
• Train to understand value
• Periodic training
11. Our Journey with Black Duck
• Development team: it is part of our Continuous Integration process
• Operations: scan all third-party libraries included in our system
• Integrate with the development workflow through Jenkins, JIRA and HipChat
12. Challenges with Black Duck
• Get the developers engaged with the findings
• Work on the findings: ongoing training
• Minimize false positives: working with Black Duck to update the KnowledgeBase
• An appropriate job configuration must run relatively fast in the CI/CD pipeline
• Better notification to the team about the scanned project