Avira Enhances Open Source Security with Synopsys' Black Duck Software

Publisher: EEWorld News | Latest update time: 2021-03-19 | Source: EEWORLD | Keywords: Synopsys

Open source components are almost indispensable in today's software development. Software companies are also looking for effective solutions to help teams manage the security, quality, and license compliance risks brought about by using open source and third-party code in applications and containers. For years, many companies have used Black Duck® Software Composition Analysis (SCA) to integrate open source governance into DevSecOps and automate the prevention and management of open source risks. Avira is one of them.

 



Avira Background


Avira Operations GmbH & Co. KG has been offering a combination of secure, private, and high-performance software that stands out from the crowd since 1986. Avira is a multinational computer software company that develops products for desktop, mobile devices, and the smart home, offering free upgrades as well as premium versions.

 



Challenge: Maintaining DevOps speed and ensuring open source software security


Open source software has become the norm and is common in both technology and non-technology companies. Today, open source underlies nearly every application in every industry. Despite the surge in open source popularity and adoption, enterprises often still fail to effectively manage its security.

 

Synopsys publishes the Open Source Security and Risk Analysis Report every year, providing insights into the current state of open source security, compliance, and code quality risks. The 2020 report found that 99% of the 1,253 applications audited contained open source code, and 75% of these code bases contained vulnerabilities. These figures show both the dominance of open source code and the lack of open source vulnerability management.

 

The need for open source security is growing. As enterprises move toward agile DevOps development cycles, security solutions must be able to fully scale and keep pace.

 

For companies like Avira to deliver industry-leading software products, they must use secure and reliable code, so they must incorporate strong security solutions into their software development lifecycle to fully manage open source.

 

Marian Schneider, Information Security Officer at Avira, pointed out that the key challenges in Avira's DevOps process include: increasing product complexity, increased market regulations, and the need to replace manual processes. These challenges drove Avira to seek an open source security solution that could keep up with its DevOps needs and maintain its scale.

 

"Open source security is becoming more and more important from a DevOps perspective, and Avira started looking in the market for tools that could be integrated into the DevOps pipeline," said Marian Schneider.

 

Solution: Synopsys Application Security Testing Tools


Avira adopted the Synopsys Black Duck® Software Composition Analysis (SCA) solution to help protect its open source resources and ensure that security measures do not slow down development. Black Duck is a comprehensive SCA solution for managing the security, license compliance, and code quality risks of using open source in applications and containers.

 

To expand the DevOps pipeline and product suite, Avira has adopted Black Duck at scale. All development teams deploy Black Duck across all Avira products and scan frequently. Avira enables Black Duck for every major version release and/or build.

 

When asked why Avira chose Black Duck SCA, Marian Schneider explained: “Summary scanning (compliance side), security information and integration into the DevOps process from the DevOps side. The Black Duck proof of concept showed that it found and displayed issues, providing the information Avira needed.”

 

Results: Simplify security work and enhance communication


Marian Schneider said: "Security is a right, not a privilege. All customers have the right to secure software, not exclusive to certain people or products."

 

Prior to implementing Black Duck, Avira's open source risk was managed in two ways: handling licenses through Confluence and Jira, and handling Common Vulnerabilities and Exposures (CVEs) using custom Python scripts based on documented third-party libraries. These disjointed and siloed processes could not scale or keep pace with Avira's DevOps pipeline. Avira needed a comprehensive solution that could keep up with development velocity.

 

Marian Schneider pointed out that deploying Black Duck brought many benefits to Avira, the most important of which was the addition of automated processes and integrated tools in DevOps.

 

“Open source security and compliance is now deeply embedded in the development process rather than being managed by compliance teams,” she said.

 

Marian Schneider found that Black Duck provided greater scalability, eliminated the need for manual operations, and increased overall employee awareness of the importance of open source code security. Moreover, Black Duck brought an unexpected benefit: "With the increased awareness, communication between developers and legal departments increased."

 

With Black Duck SCA, Avira ensures open source security, and its products have reliable security and excellent performance, further consolidating its leading industry position.

