Sorry, not available in this language yet

English
日本語
简体中文

AI-generated code | Harness the power of AI coding assistants while managing the risks.
API Security Testing | Manage software risks with a holistic API security testing program.
AppSec Program Consolidation | Simplify your application security program.
Application Security Testing | Solutions to address security risks at all stages of the application life cycle.
DevSecOps | Solutions to help shift security left without slowing down your development teams.
Software Supply Chain Security | Solutions to identify and manage software supply chain risks end-to-end.
Manage Enterprise AppSec Risk | Scale your application security program without increasing complexity or adding friction.
Cloud & Container Security | Optimize your applications for secure deployment and operation in the cloud.
Open Source License Compliance | Effective solutions for ensuring open source license compliance.
M&A Due Diligence | Identify software risks that could negatively impact the value of acquired IP.
Quality and Security Standards Compliance | Ensure your software complies with the standards critical to customers and regulators.

Static Analysis (SAST) | Analyzing code for security vulnerabilities without executing it.
Software Composition Analysis (SCA) | Analyzing software components for security and license compliance.
Dynamic Analysis (DAST) | Testing running applications for security vulnerabilities.
Interactive Analysis (IAST) | Real-time security testing during application execution.
Penetration Testing | Simulated cyberattacks to identify vulnerabilities.
Mobile Application Security Testing (MAST) | Ensuring the security of mobile applications.
Application Security Posture Management (ASPM) | Managing and improving application security posture.
Fuzz Testing Solutions | Identifying vulnerabilities by inputting random data to applications.

Automotive | Security solutions for automotive industry applications.
Financial Services | Security solutions tailored for financial services.
IoT & Embedded | Security for Internet of Things and embedded systems.
Medical Devices | Security solutions for medical devices.
Public Sector | Security solutions for government and public sector organizations.

Dev and DevOps Teams | Security tools and practices for development and DevOps teams.
Security Teams | Solutions and support for dedicated security teams.
Legal Teams | Resources and compliance tools for legal teams.

Security Commitments

Compliance

Inquiries

Security Commitments -

As an organization dedicated to protecting and securing our customers’ applications, Black Duck is equally committed to our customers’ data security and privacy. This statement is meant to provide Black Duck customers and prospects with the latest information about our systems, compliance certifications, processes, and other security-related activities.

Information Security Policy

Black Duck has defined and published a set of information security policies which is:

Based on ISO 27001, ISO 27002, NIST SP 800-53, and NIST CSF
Approved by management
Communicated to all employees and relevant external parties
Reviewed annually by stakeholders

Product Security Assessments

Black Duck regularly performs a variety of security assessments on both the application level as well as the environments that host our applications. These include:

Product-on-product (PoP) testing—each release of a product is scanned for security vulnerabilities using Black Duck products, including Black Duck SCA and Coverity Static Analysis.
In-depth internal security assessments—for major new features, we include a combination of penetration tests, code reviews, and architectural risk assessments.
Threat modeling—for major new releases, Black Duck creates and/or updates threat models that provide a baseline for other security testing activities.

Security for Software as a Service

Our SaaS offerings utilize industry leading cloud services providers including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), which are known for their security and protections.
In addition to the security provided by our cloud service providers (CSP), Black Duck uses real-time monitoring tools for cloud configuration and container integrity, a web application firewall, and other security controls.

Privacy

Please see our Privacy at Black Duck page here containing our Data Privacy and Protection Statement and our Website Privacy Policy.

Incident Management

Black Duck has established policy, process, and procedure to ensure a quick, effective, and orderly response to information security incidents.
The Information Security Incident Management Standard and Incident Response Plan are reviewed, tested, and updated (as appropriate) at a minimum, annually.
Black Duck will notify customers consistent with the Data Privacy and Protection Statement referenced by our Privacy Policy.

Network Security

Black Duck has deployed IDS/IPS, WAFs, Firewalls, and related technologies to protect against external threats.
Network environments are physically and logically segregated; customer data are logically segregated.
Security alerts are monitored 24x7 by a dedicated security team with a 5-min SLA for initial triage of critical alerts.
Vulnerability scans are performed daily.

Encryption

All customer data are encrypted in transit and at rest. Beyond mass storage encryption sensitive data is also secured using application layer encryption.
All traffic is encrypted in transit by default via HTTPS/TLS (Transport Layer Security) 1.2 or better.
All persistent data are encrypted at rest in the CSPs using AES 256-bit encryption or better.

Availability, Backup, and Disaster Recovery

High availability is achieved using the native cloud orchestration capabilities of AWS and GCP.
Customer data are backed up daily with a 7-day retention policy.
If individual VM containers fail within a CSP availability zone, they will recover automatically due to the cloud-native architecture. If there is an outage for a complete CSP availability zone or region, there is a process that will create a new instance in a different availability zone or region. This process is manual and takes 15-30 minutes, excluding the time to load the new customer database with a copy of the backup.
In general, across all types of disaster situations, including failures beyond core infrastructure, Black Duck’s recover time objective (RTO) is one (1) business day and the recovery point objective (RPO) is 24 hours.

Access Management

Only the customer has access to their own data. If Black Duck employees need access to customer data for troubleshooting or support purposes, customer permission is required to grant access.
Multi-factor authentication (MFA) capability is provided to customers for accessing Black Duck applications.

Logging and Monitoring

User and system administrator activities are logged and:

Routed to a centralized SIEM for monitoring, analysis, and alerting
Protected from tampering
Retained for at least one year

Change Management

Changes to the organization, business processes, cloud infrastructure, and systems affecting information security are performed per a defined change management policy, process, and procedure.
All changes are logged via a ticketing system, and approvals are required and tracked.
The technical review includes a risk assessment and all other technical aspects of the change.