The number of open source vulnerabilities discovered each year never seems to stop growing, emphasizing the importance of developers addressing them quickly and efficiently. However, simply identifying vulnerabilities is insufficient; their sheer scale makes it necessary to have an intelligent way of understanding which ones need to be fixed first to decrease the risk of a breach. For development teams in this environment, remediation prioritization and broad vulnerability coverage are critical. Enter Black Duck® Security Advisories (BDSA).
Black Duck Security Advisories are highly detailed open source vulnerability records that are hand-crafted by the Black Duck Cybersecurity Research Center (CyRC). Black Duck delivers advisories that provide actionable advice and details about vulnerabilities affecting items in your software Bill of Materials (BOM). Leveraging these advisories ensures that you have the necessary data points to completely understand a vulnerability and assess the risk it poses to your organization.
CyRC provides vulnerability alerts based specifically on a Black Duck customer’s BOM. In other words, customers receive vulnerability information specific and relevant to their applications and projects. Armed with these actionable and detailed advisories, customers can identify vulnerable components, assess the risk they pose, and perform fixes when necessary.
In order to provide the most robust vulnerability data to customers, CyRC starts by analyzing multiple sources of vulnerability information. This process occurs daily.
CyRC focuses on three types of sources:
Given the sheer scale of data collected, an efficient triage process is critical. CyRC sorts the collected data and filters out any noise or duplication. After sorting through the data, the remainder is prioritized based on how often the affected open source components appear on Black Duck customers’ BOMs. Finally, the data is assigned to a team of vulnerability analysts.
The vulnerability analysts perform two key functions:
The quality of information provided in BDSAs is unmatched. The Vulnerability Analyst team writes each advisory against a rigorous set of established quality standards and guidelines, and every vulnerability is reviewed by a senior analyst before publication to check its accuracy and thoroughness. The NVD, along with Black Duck’s competitors, often provides inaccurate, out-of-date, or unconfirmed descriptions.
Each advisory is owned by an analyst who, in addition to writing a description for a general audience, documents where the vulnerability lives in the code, the attack vector, and related technical detail. This level of detail is available only through BDSAs. Additionally, analysts build custom CVSS scores from scratch rather than copying an upstream score, providing the most accurate and pinpointed severity advice.
The information provided in BDSAs is accessible to various audiences, meaning you do NOT have to be a security expert to understand and address the vulnerability. BDSAs include two descriptions: one that is clear, concise, and accessible to a layperson, and one that is technical. This makes it easy for businesses to be strategic with their development and security resources. With the inclusion of this detail and remediation advice, you don’t have to waste time doing your own research on discovered vulnerabilities. Everything you need to understand, prioritize, and fix a vulnerability is packaged in a BDSA.
With our efficient processes, extensive source coverage, and focus on open source, we can provide critical vulnerability information to our customers faster. This is very much unlike the NVD process, which is slow and sometimes takes weeks to publish critical vulnerability information. Additionally, BDSAs are not limited to CVEs. Because not every vulnerability is issued a CVE identifier, BDSAs also cover vulnerabilities that lack one, giving you the most complete view of risk. Finally, BDSAs are focused on open source; other sources may spread themselves too thin by also analyzing proprietary software, slowing down their process and diluting their quality.
When assigning scores, BDSA analysts take factors such as exploitability into consideration, which yields a more precise CVSS score. In addition, BDSAs include the CVSS temporal metrics (exploit code maturity, remediation level, and report confidence) in scoring, whereas sources like the NVD publish only base scores.
Every BDSA field that can be completed is populated. When a field is left empty, it means no further information is currently available; the advisory is marked as such and completed as soon as additional information becomes available. Feeds like the NVD pass through a lengthy sequence of changing statuses, leaving questions unanswered and applications exposed. BDSAs provide the most complete information as soon as it is available.
If you want to learn more about how BDSAs can help you and your organization increase the depth, speed, and accuracy of your remediation activities and improve visibility into your overall level of risk, start by exploring our eBook, “Demonstrating the Value of Black Duck Security Advisories.”