Audit Frequently Asked Questions

Why deliver code to Black Duck Audits?

The Black Duck audit services group provides solutions and services to help companies manage their intellectual property. This is our core mission, and our reputation in this area is of critical importance to the success of our company. We frequently perform remote open source audits for world-class customers based on the trust we’ve built. In the vast majority of our audits, code owners entrust their code to our care, as we’re able to perform the work more efficiently and unobtrusively that way.

How can I safely deliver my code to Black Duck Audits?

You can deliver code to us using a variety of methods. We’ll arrange the delivery using a method that meets your requirements. Following is our standard process and what we recommend to code owners:

  • We supply you with our PGP public key so that you can encrypt the code before transfer.
  • You upload the code to our SFTP (SSH File Transfer Protocol) server.

Regardless of the method of delivery, we recommend the following procedures for all code transfers:

  • All software objects should be packed into one or more encrypted archive files.
  • If archives are password-protected, the passwords should be communicated via phone call or text message and not via email.
  • Archive files placed on a site for upload or download should be removed from those sites immediately after they have been delivered and verified.
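The recommended delivery steps above (encrypt to the auditor's PGP public key, upload over SFTP, verify, then remove the staged copy) as a single POSIX shell script. This is an added example, not Black Duck's own tooling; the key identifier `AUDITOR_KEY_ID`, the SFTP target `SFTP_TARGET`, and the file names are placeholders, and the script assumes the auditor's public key has already been imported into the local keyring and its fingerprint confirmed with the auditor out of band.

```shell
#!/bin/sh
# Added example (not the page's or Black Duck's code): package a source tree
# as a PGP-encrypted archive, record a SHA-256 digest so the recipient can
# verify the upload, send both over SFTP, and remove the local staging copy.
# Placeholders (assumptions): AUDITOR_KEY_ID and SFTP_TARGET. The auditor's
# key must already be imported and marked trusted after out-of-band
# fingerprint verification; gpg refuses to encrypt to an untrusted key.

AUDITOR_KEY_ID="${AUDITOR_KEY_ID:-auditor@example.invalid}"           # placeholder
SFTP_TARGET="${SFTP_TARGET:-audits@sftp.example.invalid:incoming}"    # placeholder

# Create a tar archive of src_dir and encrypt it to the auditor's public key.
# Writes <out_base>.tar.gpg and deletes the plaintext tar immediately.
package_code() {
    src_dir="$1"; out_base="$2"
    tar -cf "$out_base.tar" -C "$(dirname "$src_dir")" "$(basename "$src_dir")" || return 1
    gpg --batch --yes --recipient "$AUDITOR_KEY_ID" \
        --output "$out_base.tar.gpg" --encrypt "$out_base.tar" \
        || { rm -f "$out_base.tar"; return 1; }
    rm -f "$out_base.tar"
    echo "$out_base.tar.gpg"
}

# Print the hex SHA-256 digest of a file (sha256sum on Linux, shasum elsewhere).
checksum_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 when the file's digest equals the expected value, 1 otherwise.
verify_checksum() {
    file="$1"; expected="$2"
    actual=$(checksum_file "$file")
    [ "$actual" = "$expected" ]
}

# Upload the archive and its digest file with sftp in batch (non-interactive) mode.
upload_sftp() {
    archive="$1"
    host="${SFTP_TARGET%%:*}"; remote_dir="${SFTP_TARGET#*:}"
    printf 'put %s %s/\nput %s %s/\n' \
        "$archive" "$remote_dir" "$archive.sha256" "$remote_dir" | sftp -b - "$host"
}

# Remove the local staging artifacts once the recipient has confirmed delivery.
cleanup_staging() {
    rm -f "$1" "$1.sha256"
}

# Full pipeline: package, record digest, self-verify, upload, clean up.
main() {
    src="$1"; base="$2"
    archive=$(package_code "$src" "$base") || exit 1
    checksum_file "$archive" > "$archive.sha256"
    verify_checksum "$archive" "$(cat "$archive.sha256")" || exit 1
    upload_sftp "$archive" || exit 1
    cleanup_staging "$archive"
}

# Run only when invoked as: ./deliver.sh <src_dir> <out_base>
if [ "$#" -eq 2 ]; then main "$@"; fi
```

The recipient runs the same digest check on their side against the uploaded `.sha256` file before confirming delivery; only after that confirmation should the staged archive be removed from the upload site, which is the ordering the list above calls for.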

More details on data transfer and security procedures are available on request.

How does Black Duck Audits manage the safety and security of my software?

In addition to meeting the standards provided in the information security policy, we manage the safety and security of your software (and all information related to you) by employing the following methods:

  • Management of physical access to servers
  • Annual penetration testing (letter of confirmation available on request)

What does Black Duck Audits do with my software after I transfer or ship it?

On code delivery, a member of our audit services management team places the software objects on a Linux file server (the “code repository”) on an isolated network that only our audit delivery team can access. The code is restricted to the code repository and is there strictly for the software audit.

We analyze the code using various tools related to the audit being conducted. The servers with the tools are on the same isolated network as the code repository.

After the audit, we keep the code for a specified time (usually 30 days) in case you have any questions about the audit results that require additional research. At the end of that period, we shred the code (using tools that provide a thorough, secure method for wiping files from a hard drive in a way that makes them unrecoverable). We do not share the code with anyone other than the individuals doing the audit work.

We recommend using PGP encryption and SFTP for code transfers. If you prefer another method, we can work with you to make sure that your code is transferred securely.
