Integrating Black Duck into your Agile DevOps Environment

2 likes2,589 views

The document discusses the integration of Black Duck into agile DevOps environments, emphasizing the need for early vulnerability detection in the software development lifecycle (SDLC). It highlights the challenges companies face in managing open source security and the advantages of automating checks to reduce costs, time to market, and risks. Key recommendations include ensuring builds only contain approved components and implementing automated checks in continuous integration processes.

Technology

Integrating Black Duck
in your Agile DevOps
Environment
Utsav Sanghani
Product Manager Black Duck Software

2Black Duck Customer Conference
Continuous
Build & Test
Code
Assimilatio
n
Development
Configure
& Release
Packaging
CONVENTIONAL CHECKS HAPPEN VERY LATE IN THE SDLC

3Black Duck Customer Conference
Continuous
Build & Test
Code
Assimilatio
n
Development
Configure
& Release
Packaging
CONVENTIONAL CHECKS HAPPEN VERY LATE IN THE SDLC

4Black Duck Customer Conference
Continuous
Build & Test
Code
Assimilatio
n
Development
Configure
& Release
Packaging
CONVENTIONAL CHECKS HAPPEN VERY LATE IN THE SDLC; APPLICATIONS SHIP
WITH VULNERABILITIES

5Black Duck Customer Conference
Continuous
Build & Test
Configure
& Release
Packaging
THE PROCESS IS MANUAL & NON LINEAR WITH ADDED TIME IN QUEUE BEFORE
RELEASE

How are Companies Managing Open Source Today? Not Well.HOW ARE COMPANIES MANAGING OPEN SOURCE TODAY? NOT WELL.
TRACKING VULNERABILITIES
• No single responsible entity
• Manual effort and labor intensive
• Unmanageable (11/day)
• Match applications, versions, components,
vulnerabilities
SPREADSHEET INVENTORY
• Depends on developer best effort or memory
• Difficult maintenance
• Not source of truth
MANUAL TABULATION
• Architectural Review Board
• Occurs at end of SDLC
• High effort and low accuracy
• No controls
VULNERABILITY DETECTION
Run monthly/quarterly vulnerability assessment
tools (e.g., Nessus, Nexpose) against all
applications to identify exploitable instances

IT IS IMMENSELY ADVANTAGEOUS TO MOVE LEFT
7Black Duck Customer Conference
1. REDUCED COSTS
Avoid human overhead costs

IT IS IMMENSELY ADVANTAGEOUS TO MOVE LEFT
8Black Duck Customer Conference
1. REDUCED COSTS
Avoid human overhead costs
2. REDUCED TIME TO MARKET
In process automation checks over post processing

IT IS IMMENSELY ADVANTAGEOUS TO MOVE LEFT
9Black Duck Customer Conference
1. REDUCED COSTS
Avoid human overhead costs
2. REDUCED TIME TO MARKET
In process automation checks over post processing
3. REDUCED RISK
Move checks to the left to facilitate higher remediation time with lower impact
Dev Ops

10Black Duck Customer Conference
Continuous
Build & Test
Code
Assimilatio
n
Development
Configure
& Release
Packaging
FEEDBACK
A FEEDBACK LINK BETWEEN CI & DEVELOPMENT IS NEEDED TO SHIP COMPLIANT
AND SECURE PRODUCTS

BLACK DUCK PROVIDES FEEDBACK: CI/BUILD IS THE PLACE TO PLUG IN
AUTOMATED CHECKS (CURRENTLY)
11Black Duck Customer Conference
Continuou
s Build &
Test
Configure
& Release
Packaging

WHAT SHOULD YOU ASK YOU BUILD/RELEASE TEAM?
12Black Duck Customer Conference
• Does the build contain only approved open source
components?
• How secure is the build? Does it have any known
security vulnerabilities?
• Can we add diligence and remain agile?
• Where are you deploying the production builds?

13Black Duck Customer Conference
JENKINS DEMO (7-10 MINS)

OBTAIN COMPREHENSIVE RESULTS INCLUDING DEPENDENCIES FROM BUILD
TOOLS LIKE MAVEN/GRADLE
14Black Duck Customer Conference

MANAGE CORRESPONDING ISSUES USING JIRA
15Black Duck Customer Conference

MANAGING THE ENTIRE POST BUILD AUTOMATION ACROSS CI PLATFORMS
16Black Duck Customer Conference

MANAGING THE ENTIRE POST BUILD AUTOMATION ACROSS CI PLATFORMS
17Black Duck Customer Conference

MANAGING THE ENTIRE POST BUILD AUTOMATION ACROSS CI PLATFORMS
18Black Duck Customer Conference

CONTINUOUS BUILD & INTEGRATION IS THE PLACE TO PLUG IN AUTOMATED
CHECKS (2017)
19Black Duck Customer Conference
Continuou
s Build &
Test
Configure
& Release
Packaging
1 5
4
3
2

COMPLIANT AND SECURE BUILDS VIA JENKINS: CHECK
20Black Duck Customer Conference
ALERT
New Vulnerabilities
Affecting You
IDENTIFTY
License
Compliance
Risks

21Black Duck Customer Conference
THANK YOU

More Related Content

What's hot (20)

PDF

DevOps, Common use cases, Architectures, Best PracticesShiva Narayanaswamy

PPTX

Async API and Solace: Enabling the Event-Driven FutureSolace

DOC

Performance Test WCF/WPF app - Selecting right ToolKamran Khan

PPTX

Non functional requirements. do we really care…?OSSCube

PPTX

Case tool introductionAsamHussain3

PDF

IEEE 1633 Recommended Practices for Reliable SoftwareAnn Marie Neufelder

PPTX

How Splunk connects SalesforceMuleSoft

PPT

Software design methodologiesDr. C.V. Suresh Babu

PPT

Integrated Master Scheduleellefsonj

PPT

Pressman ch-25-risk-managementzeeshanwrch

DOCX

Project charterexample (1) (1)owaishazara

PPT

08-Project-Control-ppt.pptTecnicoItca

PPT

Software Development Life Cycle ModelJ.T.A.JONES

PPTX

DEVSECOPS.pptxMohammadSaif904342

PDF

Salesforce DevOps: Where Do You Start?Chandler Anderson

PPTX

Monolithic architectureSRM University Delhi-NCR sonepat

PDF

Monitoring lessons from waze sre teamYonit Gruber-Hazani

PDF

SRE 101Diego Pacheco

PDF

OpenShift Overviewroundman

PDF

uReplicator: Uber Engineering’s Scalable, Robust Kafka ReplicatorMichael Hongliang Xu

DevOps, Common use cases, Architectures, Best PracticesShiva Narayanaswamy

Async API and Solace: Enabling the Event-Driven FutureSolace

Performance Test WCF/WPF app - Selecting right ToolKamran Khan

Non functional requirements. do we really care…?OSSCube

Case tool introductionAsamHussain3

IEEE 1633 Recommended Practices for Reliable SoftwareAnn Marie Neufelder

How Splunk connects SalesforceMuleSoft

Software design methodologiesDr. C.V. Suresh Babu

Integrated Master Scheduleellefsonj

Pressman ch-25-risk-managementzeeshanwrch

Project charterexample (1) (1)owaishazara

08-Project-Control-ppt.pptTecnicoItca

Software Development Life Cycle ModelJ.T.A.JONES

DEVSECOPS.pptxMohammadSaif904342

Salesforce DevOps: Where Do You Start?Chandler Anderson

Monolithic architectureSRM University Delhi-NCR sonepat

Monitoring lessons from waze sre teamYonit Gruber-Hazani

SRE 101Diego Pacheco

OpenShift Overviewroundman

uReplicator: Uber Engineering’s Scalable, Robust Kafka ReplicatorMichael Hongliang Xu

Similar to Integrating Black Duck into your Agile DevOps Environment (20)

PPT

BlackDuck Suitejeff cheng

PDF

Customer Case Study: ScienceLogic - Many Paths to ComplianceBlack Duck by Synopsys

PDF

FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...Black Duck by Synopsys

PPTX

DevOps and Build AutomationHeiswayi Nrird

PDF

Software Security Assurance for DevOpsBlack Duck by Synopsys

PPTX

Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...Black Duck by Synopsys

PPTX

Continuous IntegrationXPDays

PDF

Dev ops in agile - 1st Conference MelbourneMirco Hering

PPTX

Keynote - Lou ShipleyJerika Phelps

PPTX

Melhore o Desenvolvimento do Time com DevOps na NuvemBruno Borges

PPTX

DevOps Tutorial For Beginners | DevOps Tutorial | DevOps Tools | DevOps Train...Simplilearn

PPTX

Software Security Assurance for DevOpsBlack Duck by Synopsys

PPTX

Software Security Assurance for DevopsJerika Phelps

PPTX

Bringing CD to the DoDGene Gotimer

PDF

Webinar–Is Your Software Security Supply Chain a Security Blind Spot?Synopsys Software Integrity Group

PDF

Achieving Full Stack DevOps at Colonial Life DevOps.com

PDF

Create a Unified View of Your Application Security Program – Black Duck Hub a...Denim Group

PDF

Flight East 2018 Presentation–Continuous Integration––An OverviewSynopsys Software Integrity Group

PDF

Getting to Walk with DevOpsEklove Mohan

PPTX

Adrian marinica continuous integration in the visual studio worldCodecamp Romania

BlackDuck Suitejeff cheng

Customer Case Study: ScienceLogic - Many Paths to ComplianceBlack Duck by Synopsys

FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...Black Duck by Synopsys

DevOps and Build AutomationHeiswayi Nrird

Software Security Assurance for DevOpsBlack Duck by Synopsys

Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...Black Duck by Synopsys

Continuous IntegrationXPDays

Dev ops in agile - 1st Conference MelbourneMirco Hering

Keynote - Lou ShipleyJerika Phelps

Melhore o Desenvolvimento do Time com DevOps na NuvemBruno Borges

DevOps Tutorial For Beginners | DevOps Tutorial | DevOps Tools | DevOps Train...Simplilearn

Software Security Assurance for DevOpsBlack Duck by Synopsys

Software Security Assurance for DevopsJerika Phelps

Bringing CD to the DoDGene Gotimer

Webinar–Is Your Software Security Supply Chain a Security Blind Spot?Synopsys Software Integrity Group

Achieving Full Stack DevOps at Colonial Life DevOps.com

Create a Unified View of Your Application Security Program – Black Duck Hub a...Denim Group

Flight East 2018 Presentation–Continuous Integration––An OverviewSynopsys Software Integrity Group

Getting to Walk with DevOpsEklove Mohan

Adrian marinica continuous integration in the visual studio worldCodecamp Romania

More from Black Duck by Synopsys (20)

PDF

Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...Black Duck by Synopsys

PDF

FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck HubBlack Duck by Synopsys

PDF

FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...Black Duck by Synopsys

PDF

FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...Black Duck by Synopsys

PDF

Open-Source- Sicherheits- und Risikoanalyse 2018Black Duck by Synopsys

PDF

FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...Black Duck by Synopsys

PDF

FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideBlack Duck by Synopsys

PDF

FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your DealBlack Duck by Synopsys

PDF

FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...Black Duck by Synopsys

PPT

FLIGHT Amsterdam Presentation - From Protex to Hub Black Duck by Synopsys

PPTX

Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...Black Duck by Synopsys

PPTX

Open Source Insight:GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...Black Duck by Synopsys

PDF

Open Source Rookies and CommunityBlack Duck by Synopsys

PPTX

Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...Black Duck by Synopsys

PPTX

Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...Black Duck by Synopsys

PPTX

Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...Black Duck by Synopsys

PPTX

Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...Black Duck by Synopsys

PPTX

Open Source Insight: Happy Birthday Open Source and Application Security for ...Black Duck by Synopsys

PPTX

Open Source Insight: Security Breaches and Cryptocurrency Dominating NewsBlack Duck by Synopsys

PDF

20 Billion Reasons for IoT SecurityBlack Duck by Synopsys

Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...Black Duck by Synopsys

FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck HubBlack Duck by Synopsys

FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...Black Duck by Synopsys

FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...Black Duck by Synopsys

Open-Source- Sicherheits- und Risikoanalyse 2018Black Duck by Synopsys

FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...Black Duck by Synopsys

FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideBlack Duck by Synopsys

FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your DealBlack Duck by Synopsys

FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...Black Duck by Synopsys

FLIGHT Amsterdam Presentation - From Protex to Hub Black Duck by Synopsys

Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...Black Duck by Synopsys

Open Source Insight:GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...Black Duck by Synopsys

Open Source Rookies and CommunityBlack Duck by Synopsys

Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...Black Duck by Synopsys

Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...Black Duck by Synopsys

Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...Black Duck by Synopsys

Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...Black Duck by Synopsys

Open Source Insight: Happy Birthday Open Source and Application Security for ...Black Duck by Synopsys

Open Source Insight: Security Breaches and Cryptocurrency Dominating NewsBlack Duck by Synopsys

20 Billion Reasons for IoT SecurityBlack Duck by Synopsys

Recently uploaded (20)

PDF

The Builder’s Playbook - 2025 State of AI Report.pdfjeroen339954

PDF

July Patch TuesdayIvanti

PPTX

Building Search Using OpenSearch: Limitations and WorkaroundsSease

PDF

CIFDAQ Token Spotlight for 9th July 2025CIFDAQ

PDF

CIFDAQ Weekly Market Wrap for 11th July 2025CIFDAQ

PDF

SWEBOK Guide and Software Services Engineering EducationHironori Washizaki

PDF

Building Real-Time Digital Twins with IBM Maximo & ArcGIS IndoorsSafe Software

PDF

Jak MŚP w Europie Środkowo-Wschodniej odnajdują się w świecie AIdominikamizerska1

PPTX

Webinar: Introduction to LF Energy EVerestDanBrown980551

PPTX

AI Penetration Testing Essentials: A Cybersecurity Guide for 2025defencerabbit Team

PDF

Complete JavaScript Notes: From Basics to Advanced Concepts.pdfhaydendavispro

PDF

Smart Trailers 2025 Update with History and OverviewPaul Menig

PDF

Exolore The Essential AI Tools in 2025.pdfSrinivasan M

PDF

Python basic programing language for automationDanialHabibi2

PDF

Reverse Engineering of Security Products: Developing an Advanced Microsoft De...nwbxhhcyjv

PDF

Agentic AI lifecycle for Enterprise Hyper-AutomationDebmalya Biswas

PDF

"AI Transformation: Directions and Challenges", Pavlo ShaternikFwdays

PDF

CIFDAQ Market Insights for July 7th 2025CIFDAQ

PPTX

OpenID AuthZEN - Analyst Briefing July 2025David Brossard

PDF

NewMind AI - Journal 100 Insights After The 100th IssueNewMind AI

The Builder’s Playbook - 2025 State of AI Report.pdfjeroen339954

July Patch TuesdayIvanti

Building Search Using OpenSearch: Limitations and WorkaroundsSease

CIFDAQ Token Spotlight for 9th July 2025CIFDAQ

CIFDAQ Weekly Market Wrap for 11th July 2025CIFDAQ

SWEBOK Guide and Software Services Engineering EducationHironori Washizaki

Building Real-Time Digital Twins with IBM Maximo & ArcGIS IndoorsSafe Software

Jak MŚP w Europie Środkowo-Wschodniej odnajdują się w świecie AIdominikamizerska1

Webinar: Introduction to LF Energy EVerestDanBrown980551

AI Penetration Testing Essentials: A Cybersecurity Guide for 2025defencerabbit Team

Complete JavaScript Notes: From Basics to Advanced Concepts.pdfhaydendavispro

Smart Trailers 2025 Update with History and OverviewPaul Menig

Exolore The Essential AI Tools in 2025.pdfSrinivasan M

Python basic programing language for automationDanialHabibi2

Reverse Engineering of Security Products: Developing an Advanced Microsoft De...nwbxhhcyjv

Agentic AI lifecycle for Enterprise Hyper-AutomationDebmalya Biswas

"AI Transformation: Directions and Challenges", Pavlo ShaternikFwdays

CIFDAQ Market Insights for July 7th 2025CIFDAQ

OpenID AuthZEN - Analyst Briefing July 2025David Brossard

NewMind AI - Journal 100 Insights After The 100th IssueNewMind AI

Integrating Black Duck into your Agile DevOps Environment

1. Integrating Black Duck in your Agile DevOps Environment Utsav Sanghani Product Manager Black Duck Software

2. 2Black Duck Customer Conference Continuous Build & Test Code Assimilatio n Development Configure & Release Packaging CONVENTIONAL CHECKS HAPPEN VERY LATE IN THE SDLC

3. 3Black Duck Customer Conference Continuous Build & Test Code Assimilatio n Development Configure & Release Packaging CONVENTIONAL CHECKS HAPPEN VERY LATE IN THE SDLC

4. 4Black Duck Customer Conference Continuous Build & Test Code Assimilatio n Development Configure & Release Packaging CONVENTIONAL CHECKS HAPPEN VERY LATE IN THE SDLC; APPLICATIONS SHIP WITH VULNERABILITIES

5. 5Black Duck Customer Conference Continuous Build & Test Configure & Release Packaging THE PROCESS IS MANUAL & NON LINEAR WITH ADDED TIME IN QUEUE BEFORE RELEASE

6. How are Companies Managing Open Source Today? Not Well.HOW ARE COMPANIES MANAGING OPEN SOURCE TODAY? NOT WELL. TRACKING VULNERABILITIES • No single responsible entity • Manual effort and labor intensive • Unmanageable (11/day) • Match applications, versions, components, vulnerabilities SPREADSHEET INVENTORY • Depends on developer best effort or memory • Difficult maintenance • Not source of truth MANUAL TABULATION • Architectural Review Board • Occurs at end of SDLC • High effort and low accuracy • No controls VULNERABILITY DETECTION Run monthly/quarterly vulnerability assessment tools (e.g., Nessus, Nexpose) against all applications to identify exploitable instances

7. IT IS IMMENSELY ADVANTAGEOUS TO MOVE LEFT 7Black Duck Customer Conference 1. REDUCED COSTS Avoid human overhead costs

8. IT IS IMMENSELY ADVANTAGEOUS TO MOVE LEFT 8Black Duck Customer Conference 1. REDUCED COSTS Avoid human overhead costs 2. REDUCED TIME TO MARKET In process automation checks over post processing

9. IT IS IMMENSELY ADVANTAGEOUS TO MOVE LEFT 9Black Duck Customer Conference 1. REDUCED COSTS Avoid human overhead costs 2. REDUCED TIME TO MARKET In process automation checks over post processing 3. REDUCED RISK Move checks to the left to facilitate higher remediation time with lower impact Dev Ops

10. 10Black Duck Customer Conference Continuous Build & Test Code Assimilatio n Development Configure & Release Packaging FEEDBACK A FEEDBACK LINK BETWEEN CI & DEVELOPMENT IS NEEDED TO SHIP COMPLIANT AND SECURE PRODUCTS

11. BLACK DUCK PROVIDES FEEDBACK: CI/BUILD IS THE PLACE TO PLUG IN AUTOMATED CHECKS (CURRENTLY) 11Black Duck Customer Conference Continuou s Build & Test Configure & Release Packaging

12. WHAT SHOULD YOU ASK YOU BUILD/RELEASE TEAM? 12Black Duck Customer Conference • Does the build contain only approved open source components? • How secure is the build? Does it have any known security vulnerabilities? • Can we add diligence and remain agile? • Where are you deploying the production builds?

13. 13Black Duck Customer Conference JENKINS DEMO (7-10 MINS)

14. OBTAIN COMPREHENSIVE RESULTS INCLUDING DEPENDENCIES FROM BUILD TOOLS LIKE MAVEN/GRADLE 14Black Duck Customer Conference

15. MANAGE CORRESPONDING ISSUES USING JIRA 15Black Duck Customer Conference

16. MANAGING THE ENTIRE POST BUILD AUTOMATION ACROSS CI PLATFORMS 16Black Duck Customer Conference

17. MANAGING THE ENTIRE POST BUILD AUTOMATION ACROSS CI PLATFORMS 17Black Duck Customer Conference

18. MANAGING THE ENTIRE POST BUILD AUTOMATION ACROSS CI PLATFORMS 18Black Duck Customer Conference

19. CONTINUOUS BUILD & INTEGRATION IS THE PLACE TO PLUG IN AUTOMATED CHECKS (2017) 19Black Duck Customer Conference Continuou s Build & Test Configure & Release Packaging 1 5 4 3 2

20. COMPLIANT AND SECURE BUILDS VIA JENKINS: CHECK 20Black Duck Customer Conference ALERT New Vulnerabilities Affecting You IDENTIFTY License Compliance Risks

21. 21Black Duck Customer Conference THANK YOU