The OpenShift Partner Spotlight is a recurring series that highlights the integration work our partners have done with OpenShift. This month's featured partner is Black Duck by Synopsys. Black Duck by Synopsys is a longtime partner and an active participant in the OpenShift Commons program.
Let's start with an introduction: Name, role, and how long you've been with Black Duck and Synopsys?
My name is Dave Meurer and I am a Senior Technical Manager in Synopsys’ Business Development team. I’ve spent the last year focused on the technical aspects of building a world-class Alliances team that produced over 20 solutions in 2017 with great partners like Red Hat, AWS, Google, GitHub, and JFrog. In December of 2017, Synopsys acquired Black Duck Software, and I moved into the Synopsys Software Integrity Group’s Business Development team. This allows me to focus on a wider portfolio of Synopsys security products and how best to bring these to market with our great partner ecosystem. In total, I’ve been with the company for over 7 years.
For anyone not familiar with Black Duck by Synopsys, can you provide a quick overview of what you do?
Synopsys is at the forefront of smarter connected secure devices with the world’s most advanced tools for silicon chip design, verification, IP integration, and application security testing. Our technology helps customers innovate from silicon to software, so they can deliver smart, secure everything. A leader in software composition analysis, Black Duck provides products and on-demand audit services to secure and manage applications and containers at the speed of DevOps, eliminating pain related to open source security vulnerabilities, license compliance, and operational risk.
Before we get into details, what changes are taking place in the industry that drove this integration?
Software development has undergone a sweeping and rapid change, including the increasing use of open source software (OSS), which makes up close to 90% of the code in today's applications. While the use of open source components lowers development costs and speeds time to market, it isn’t risk-free. That’s in part due to the nature of open source communities when compared to commercial software. In the commercial software space, the vendor can push security fixes and advise on roadmaps, but with open source components, the equation changes. When someone consumes an open source component they need to be aware of the channel they obtained it from, the community developing it, and the associated license and security policies for that community. Since most organizations grew up with a commercial mindset, that “community engagement” paradigm translates into risk because most organizations lack visibility into the OSS in use.
These challenges are exacerbated as more companies go to market faster by embracing digital transformation; moving towards agile methodologies, DevOps cultures, and technologies like cloud and containers. Being able to automatically identify and monitor 3rd party open source within container images quickly is essential to the security and license concerns for all companies moving in this direction. As development and deployment timelines shrink, software composition tooling needs to be fast, able to scale, automated, and native to developers and operations teams.
Given that, can you describe your integration efforts with OpenShift?
We started our initial integration efforts in the early spring of 2017. The products’ goal was simple – provide to operations teams an ability to accurately assess the open source risks present in the containers they’re deploying in OpenShift – regardless of source. We also wanted to make this information simple to consume, so annotating objects like ImageStreams with our risk data was a logical choice.
Over the first half of the year we directly engaged with customers to white glove the solution. After all, if your target market is a production data center, you need to ensure it meets their requirements firsthand. In November 2017, Black Duck launched this effort as a new product – OpsSight – providing automatic open source vulnerability detection for containers.
OpsSight is a native OpenShift integration that automatically scans all container images that are created and modified in an OpenShift environment regardless of source registry. The scan identifies all 3rd party Open Source components (think the infinity of open source) and their dependencies within the container images. Vulnerability and policy violation data is then added as annotations and labels on the ImageStream images and any pods. When new vulnerabilities are published that affect components already identified in the container images, OpsSight will update the annotations and labels without the need to rescan. This effectively satisfies regulatory requirements for both continuous monitoring of applications, and the validation requirements for patch management.
What are the next steps for Black Duck and Synopsys?
Since OpsSight was released, we have received a lot of great feedback on the features and future direction of the product. The Black Duck OpsSight team has been working very hard gathering this feedback, designing and developing new features for new releases of OpsSight. Synopsys values the investment and strategic nature of our partnership with Red Hat, and the plan is to remain focused on providing world-class solutions and partnerships that meet our customers’ needs.
In terms of Synopsys’ larger software security portfolio, we’re working quickly to integrate many of the different security testing technologies Synopsys has, including Black Duck’s, into developer-friendly tools that not only support rapid and continuous iteration but also provide a comprehensive view into the security posture of software – including proprietary code, open source components, and in the runtime environment.
What is your favorite thing about working at Synopsys?
This is like asking me to pick my favorite child (of which I have 5)! I can’t just pick one. So, it’s a tie between the technology, people, and culture. Both Black Duck and Synopsys are great places to work. Cybersecurity is such a fascinating, important, and growing market. It’s a great feeling to know that I work for a company that provides a lot of value and leadership in that space. Over the past year, I personally have enjoyed learning all the technologies our great partners are producing within the DevOps landscape. I feel like these are exciting times in the digital transformation of application development, and Synopsys is positioned well to help our customers achieve their agile, cloud, and container potential.
By the way, that’s what I tell my kids when they ask about favorites. I tell them, “You are all tied for my 2nd favorite.” (I don’t have to tell them who’s #1, they know it’s Mommy!)
Where can people go to find more information?
Check out the following links for more information on Black Duck OpsSight, our partnership with Red Hat, and the Synopsys Software Integrity Group: