date 2023-01-20

Obtaining the “so what?” of vulnerability reports

While I might have made the process sound simple, there is nothing simple about it. It can be difficult to understand all the aspects of a vulnerability, and most organizations don’t have the in-house expertise or resources to do so. This is why Synopsys provides Black Duck® customers with Black Duck Security Advisories (BDSAs) about the vulnerabilities we identify in target codebases.

But just handing over a large list of components and vulnerabilities would be confusing and burdensome, so we augment it with information that has been researched, confirmed, and curated by our team of cybersecurity experts. Details such as severity scoring, descriptions, exploits, remediation guidance, reachability, and impacted versions give security teams the information needed to understand the impact of a vulnerability on an application. This is key to understanding the “so what?” of the findings, so you can best evaluate the security of the software you acquire and what it will take to bring it up to snuff.

Some of the information you get from BDSAs in your audit report includes the following.

Component name. The name of the actual open source component, for example Apache Log4j.

Version. Think of the component as a vehicle model and the version as the model year. A safety recall affects only certain versions/years; very rarely does it affect the entire model.

Fixed version. The version of the component that fixes the vulnerability.

Workaround. Upgrading is not always an immediate option, since it can have downstream impacts. A workaround protects the application while the upgrade is planned.
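The "recall affects only certain model years" point above is, in practice, a version-range match: an installed component is only a finding if its version falls between the version that introduced the bug and the version that fixed it on that branch, and the advisory's fixed version and workaround are what turn the match into an action. The following is an added example written for this page, not Black Duck's code or the BDSA data format; the component name, version ranges and workaround text are constructed, and the range convention (introduced inclusive, fixed exclusive, one range per maintained branch) and the simplified version parser are assumptions stated in the comments.

```python
# Added example (not Black Duck's code or data format): decide the "so what?"
# of an advisory for the components actually in an application by matching
# installed versions against the advisory's affected ranges and surfacing the
# fixed version or a workaround. All component names, versions and the
# workaround text below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple

VersionKey = Tuple[Tuple[int, ...], int]


def parse_version(v: str) -> VersionKey:
    """Turn a version string into a comparable key.

    Assumption: dotted numeric core ("1.8.3"), optionally followed by a
    pre-release tag after "-" ("1.8.3-rc1"). A pre-release sorts before the
    release with the same core, so "1.8.3-rc1" is still inside a range that
    is fixed in "1.8.3". Build metadata after "+" is ignored. This is not a
    full SemVer or Maven comparator.
    """
    v = v.strip().split("+", 1)[0]
    core, _, prerelease = v.partition("-")
    parts: List[int] = []
    for p in core.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts), 0 if prerelease else 1


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than version b."""
    (ca, ra), (cb, rb) = parse_version(a), parse_version(b)
    n = max(len(ca), len(cb))
    ca += (0,) * (n - len(ca))  # pad so "2.14" and "2.14.0" compare equal
    cb += (0,) * (n - len(cb))
    return (ca, ra) < (cb, rb)


@dataclass(frozen=True)
class AffectedRange:
    """One vulnerable branch: [introduced, fixed). fixed=None means no fix yet."""
    introduced: str
    fixed: Optional[str]


@dataclass(frozen=True)
class Advisory:
    component: str
    ranges: Tuple[AffectedRange, ...]
    workaround: Optional[str] = None


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    affected: bool
    upgrade_to: Optional[str]  # first fixed version on the installed branch
    workaround: Optional[str]  # mitigation while the upgrade is planned


def assess(component: str, version: str, advisory: Advisory) -> Finding:
    """Decide whether one installed component version falls in an affected range."""
    if component != advisory.component:
        return Finding(component, version, False, None, None)
    for r in advisory.ranges:
        in_range = not version_lt(version, r.introduced) and (
            r.fixed is None or version_lt(version, r.fixed)
        )
        if in_range:
            return Finding(component, version, True, r.fixed, advisory.workaround)
    return Finding(component, version, False, None, None)


def triage(inventory: List[Tuple[str, str]], advisories: List[Advisory]) -> List[Finding]:
    """Return only the findings that actually apply to the inventory."""
    findings = []
    for component, version in inventory:
        for adv in advisories:
            f = assess(component, version, adv)
            if f.affected:
                findings.append(f)
    return findings


# Constructed sample data (hypothetical component, versions and workaround).
EXAMPLE_ADVISORY = Advisory(
    component="examplelib",
    ranges=(
        AffectedRange(introduced="1.2.0", fixed="1.8.3"),  # 1.x branch
        AffectedRange(introduced="2.0.0", fixed="2.1.1"),  # 2.x branch, backported fix
    ),
    workaround="Set examplelib.remote_loading=false in the application configuration",
)

EXAMPLE_INVENTORY = [
    ("examplelib", "1.1.9"),      # before the bug was introduced
    ("examplelib", "1.7.0"),      # affected, upgrade to 1.8.3
    ("examplelib", "1.8.3-rc1"),  # pre-release of the fix: still affected
    ("examplelib", "1.8.3"),      # fixed
    ("examplelib", "2.0.5"),      # affected, upgrade to 2.1.1
    ("otherlib", "1.7.0"),        # same version number, different component
]

if __name__ == "__main__":
    for f in triage(EXAMPLE_INVENTORY, [EXAMPLE_ADVISORY]):
        print(f"{f.component} {f.version}: upgrade to {f.upgrade_to}; "
              f"until then: {f.workaround}")
```

Two details matter in practice. First, a branch-aware range list is what keeps a 2.0.5 user from being told to jump to 1.8.3, and a 1.8.3 user from being flagged at all. Second, the pre-release handling: a build labelled 1.8.3-rc1 shares the fixed version's number but predates the fix, and a naive string or numeric comparison would silently clear it. Real ecosystems (Maven, npm, PyPI) each have their own ordering rules, so a production tool should use the ecosystem's comparator rather than this simplified parser.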

These details are only a subset of what is provided by BDSAs in our open source risk analysis. Many audit and application security vendors claim to have some capability in this area, but BDSAs provide the most accurate and actionable security advisories offered.