
Box, IBM and Black Duck announce security offerings amid open source vulnerabilities

Two more services have been launched with the aim of shoring up the security of the cloud, as its popularity sees it becoming increasingly targeted for attack.

File sharing company Box has launched a customer-managed encryption service, KeySafe, in a bid to give clients more control over their encryption keys without sacrificing the ease of use and collaboration features of Box. Meanwhile, UK-based open source security vendor Black Duck has been recognised under IBM PartnerWorld’s ‘Ready for IBM Security Intelligence’ designation.

Box’s KeySafe aims to centralise sensitive content in the cloud, and promises new levels of productivity and faster business processes. Box Enterprise Key Management (EKM) uses Amazon Web Services (AWS) and a dedicated hardware security module (HSM) to protect the keys used to encrypt sensitive data. Box also has a service that integrates with AWS Key Management Service so customers can control their encryption keys. That service is intended to be simple and uses a software-based approach that doesn’t need dedicated HSMs.

Box says it can never access a customer’s encryption keys, which the customer owns. The main selling points of KeySafe, in addition to this independent key control, are unchangeable usage policies and audit logs and a ‘frictionless end user experience’ with simple data. Pricing is to be based on size.

In another security announcement, Black Duck’s new offering through IBM follows a research finding that 95% of mission critical apps now contain open source components, with 98% of companies using open source software they don’t know about. With 4,000 new open source vulnerabilities reported every year, Black Duck claims that cloud computing is creating greater vulnerabilities.

IBM has announced that Black Duck Hub has been validated to integrate with IBM Security AppScan in order to identify and manage application security risks in custom-developed and open source code. The hub now provides a clarified view within IBM Security AppScan, which will help spot problems more quickly. Black Duck Hub identifies and logs the open source in applications and containers and maps any known security vulnerabilities by comparing the inventory against data from the National Vulnerability Database (NVD) and VulnDB.
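The inventory-to-database comparison described above, reduced to its core, as an added illustration that is not Black Duck's or IBM's code: each discovered component is checked against NVD-style affected-version ranges (`versionStartIncluding` / `versionEndExcluding`). The component names, version numbers and `CVE-0000-000x` identifiers are constructed placeholders, not real records.

```python
"""Constructed example of software-composition matching: an open source
component inventory compared against NVD-style vulnerability records."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically.
    A plain string compare would wrongly rank '1.10.2' below '1.9.9'."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class VulnRecord:
    cve_id: str                   # placeholder ids, not real CVEs
    product: str
    start_incl: Optional[str]     # NVD-style versionStartIncluding
    end_excl: Optional[str]       # NVD-style versionEndExcluding

    def affects(self, c: Component) -> bool:
        """True when the component falls inside this record's affected range."""
        if c.name != self.product:
            return False
        v = parse_version(c.version)
        if self.start_incl and v < parse_version(self.start_incl):
            return False
        if self.end_excl and v >= parse_version(self.end_excl):
            return False
        return True


# Constructed sample data standing in for the NVD/VulnDB feed.
VULN_FEED = [
    VulnRecord("CVE-0000-0001", "libexample", "1.0.0", "1.2.5"),
    VulnRecord("CVE-0000-0002", "libexample", "2.0.0", "2.0.9"),
    VulnRecord("CVE-0000-0003", "othertool", None, "4.1.0"),
]


def find_vulnerable(inventory: List[Component], feed=VULN_FEED) -> Dict[Component, List[str]]:
    """Map each affected component to its matching CVE ids; clean components are omitted."""
    hits: Dict[Component, List[str]] = {}
    for c in inventory:
        ids = sorted(r.cve_id for r in feed if r.affects(c))
        if ids:
            hits[c] = ids
    return hits
```

Running `find_vulnerable` over an inventory such as `[Component("libexample", "1.2.4"), Component("libexample", "1.10.0")]` flags only the first entry, since 1.10.0 sits outside the 1.0.0 to 1.2.5 range despite sorting below it as a string.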

“It’s not uncommon for open source software to make up 50 per cent of a large organisation’s code base. By integrating Black Duck Hub with AppScan, IBM customers will gain visibility into and control of the open source they’re using,” said Black Duck CEO Louis Shipley.