The Synopsys Software Integrity Group is now Black Duck®. Learn More

close search bar

Sorry, not available in this language yet

close language selection

Blue Yonder: Extending their SDLC to remediate open source issues

Fred Bals

Nov 12, 2019 / 3 min read

|

With over $1 billion in annual revenue, Blue Yonder has been the world’s leading supply chain provider for the past 30 years. Blue Yonder enables companies to improve their ability to plan, execute, and deliver by better predicting and shaping demand, fulfilling more intelligently and quickly, and improving customer experiences and loyalty. More than 4,000 global customers use Blue Yonder’s unmatched end-to-end solutions portfolio to shorten their supply chains, increase speed of execution, and profitably deliver to their customers.

As with many organizations in the business of building software, Blue Yonder’s portfolio of 100+ applications contains a mix of custom-built codebases, commercial, and open source components.

“Our open source management prior to Black Duck was done primarily through spreadsheets, developer honesty, and with our providing basic guidance on using permissive rather than viral licenses,” says John Vrankovich, principal architect at Blue Yonder.

JDA Software Team Discussing Open Source Management with Black Duck Software

“We have over a hundred products, with each of those having hundreds to thousands of different open source components. We recognized that we needed a solution to ensure we were tracking and managing open source and commercial components as part of our overall software security initiative.”

All software development teams need a complete and balanced software development program to ensure their applications stay healthy. Every application testing tool has advantages and disadvantages, and no single solution should be expected to find and fix all code issues. Smart organizations in the business of building software like Blue Yonder know they need to use a mix of application testing tools to help them ensure the code they produce is high-quality and secure.

Complementing SAST with SCA

Static analysis security testing (SAST) tools such as Coverity® are critical for uncovering and eliminating issues in proprietary software early in the SDLC by scanning an application’s code for flaws while that code is still in a nonrunning (i.e., static) state. However, SAST tools aren’t effective in finding open source software vulnerabilities (CVEs) in code, or in identifying open source license types or versions.

JDA Software Case Study Highlighting Open Source Software Vulnerabilities Detection

Given that open source is an essential component of application development today, adding an effective software composition analysis (SCA) tool to application testing should be as imperative to every software development team as SAST is.

Blue Yonder first implemented Black Duck Code Center in 2015. Code Center provides Blue Yonder with software component selection, approval, and tracking of open source and other third-party software components.

“All of our core products are using Code Center,” says Meghan Caudill, project manager for third-party product compliance at Blue Yonder. “About three years ago, we began to use Black Duck SCA when building the CI/CD process for our Blue Yonder 

Luminate product line, newly developed, SaaS-native products. Our goal is full migration to Black Duck SCA by the beginning of 2020.”

What SCA can do for you

Black Duck® SCA is a comprehensive solution for managing security, license compliance, and code quality risks that come from the use of open source in applications and containers, enabling organizations to control open source usage across the software supply chain and throughout the application life cycle. Black Duck enables Blue Yonder to set and enforce open source use and security policies, automate policy enforcement with DevOps integrations, and prioritize and track remediation activities.

JDA Software Team Discussing Open Source Compliance Strategy with Black Duck Tools

“With the Black Duck tools, we were able to write an open source compliance strategy that addressed our requirements and priorities,” says John Vrankovich. “We’re now able to ensure that none of our products are released with open source license risks, quality or security issues. Any issues we discover are tracked and remediated, all license obligations are being met, and only approved open source components are used in our products. We know what we’re using, the licenses we’re using, the versions we’re using, and any security issues and component patch statuses.”

Continue Reading

Explore Topics