In today’s software development, open source components are almost inseparable. Software companies are also looking for effective solutions to make it easier for teams to manage the security, quality and license compliance risks associated with using open source and third-party code in applications and containers. For years, many companies have adopted Black Duck® Software Component Analysis (SCA) to integrate and automate open source governance into DevSecOps to prevent and manage open source risk. Avira Software is one of them.
Avira background introduction
Since 1986, Avira Operations GmbH & Co. KG offers a secure, private, high-performance software portfolio that stands out in its class. Avira is a multinational computer software company that develops products for desktops, mobile devices and smart homes, with free upgrades and premium versions.
Challenges: Keeping DevOps Speed, Keeping Open Source Software Safe
Open source software has become the norm, common in tech and non-tech companies alike. Today, open source is the foundation of nearly every application in every industry. Despite the surge in popularity and adoption of open source, enterprises often still fail to manage their security effectively.
Synopsys publishes the Open Source Security and Risk Analysis Report annually, providing insight into the current state of open source security, compliance, and code quality risks. The 2020 report found that 99% of the 1,253 apps reviewed contained open source code, and 75% of those codebases contained vulnerabilities. Obviously, this shows the strengths of open source code and the lack of open source code vulnerability management.
The need for open source security is growing. As enterprises move to an agile DevOps development cycle, security solutions must be able to adequately scale and keep pace.
To provide industry-leading software products, companies such as Avira must use secure and reliable code. Therefore, they must incorporate robust security solutions into their software development lifecycle in order to adequately manage open source.
According to Marian Schneider, Information Security Officer at Avira, key challenges in Avira’s DevOps process include increasing product complexity, increased market regulations and the need to replace manual processes. These challenges drove Avira to seek an open source security solution that kept pace with its DevOps needs and maintained its scale.
Marian Schneider said: “Open source security is becoming more and more important from the DevOps side, and Avira started looking in the market for tools to integrate into the DevOps pipeline.”
Solution: Synopsys Application Security Testing Tool
Avira uses Synopsys’ BlackDuck® Software Composition Analysis (SCA) solution to help protect its open source resources and ensure security measures don’t slow down development. Black Duck is a comprehensive SCA solution for managing the security, license compliance and code quality risks of using open source in applications and containers.
To expand the DevOps channel and product suite, Avira adopted Black Duck at scale. Black Duck is deployed across all Avira products by all development teams and scanned frequently. Avira enables Black Duck on every major release and/or build.
When asked why Avira chose the Black Duck SCA, Marian Schneider explained: “Summary scans (compliance side), security information and integration from the DevOps side into the DevOps process. The Black Duck proof of concept shows that it finds and displays issues , providing the information Avira needs.”
Effect: Simplified security efforts and enhanced communication
“Security is a right, not a privilege,” said Marian Schneider. “All customers have a right to secure software, not just someone or a product.”
Prior to the implementation of Black Duck, Avira’s open source risk was managed in two ways: through Confluence and Jira to handle licenses, and to handle Common Vulnerability Exposures (CVEs) using custom Python scripts based on documented third-party libraries. These disjointed and siloed processes cannot scale or keep pace with Avira’s DevOps pipeline. Avira needed a comprehensive solution that could maintain the speed of development.
Marian Schneider pointed out that deploying Black Duck brings many benefits to Avira, the most important of which is the addition of automated processes and integration tools in DevOps.
“Now, open source security and compliance are deeply embedded in the development process, rather than being managed by compliance teams,” she said.
Marian Schneider found that Black Duck provided greater scalability, eliminated the need for manual operations, and increased overall employee awareness of the importance of open source code security. And, Black Duck brings an unexpected benefit: “As awareness increases, communication between developers and the legal department increases”.
With Black Duck SCA, Avira ensures open source security and its products have proven security and perform well, further cementing its industry-leading position.
The Links: MCC720-18 PM100CSE120 LCD-DISPLAY