SCA Should Be in Your Toolbox to Address Supply Chain Risk


Software composition analysis (SCA) tools provide automated visibility throughout the software development life cycle (SDLC) for more efficient risk management, security, and license compliance.

As organizations accelerate their digital initiatives, they rely on development teams both internally and externally to build the applications that will help them move forward. But applications are also a popular target for criminals. The recent "State of Cybersecurity Resilience 2021" study from Accenture found that successful breaches, which include unauthorized access to data, applications, services, networks, or devices, jumped 31% over the previous year to an average of 270 per company.

Writing secure applications is a difficult and layered process. These days, open source components are often part of development. The appeal of open source is clear: It comes with lower costs, it has often been improved within the open source community, and it can mean faster time to market for an app. However, it also comes with significant risk.

Gartner estimates that more than 90% of organizations use open source software (OSS) and that 70% of applications contain flaws stemming from its use. The viability and security of open source packages are cited as the top concerns by most of the respondents to the Gartner survey.

IT can automate part of the application security testing process with tools such as static application security testing (SAST), which checks proprietary code for flaws. However, SAST analyzes the code your developers wrote; it does not inventory the open source components an application pulls in or match them against known-vulnerability databases. If your organization has open source components within its software, that leaves a gap in your application security.

SCA tools identify all open source components and then apply whatever policies are in place about which components may be used to build an app.

As mentioned, software development is complex, and developers no longer write every single line of code that goes into an application or product. Instead, they assemble software from building blocks: existing open source and third-party components.

Developers take these blocks and build upon them to create something new. This approach enables organizations to build software quickly by reusing existing components.

The development process is now considered a software supply chain, which covers all the steps and inputs the developer relies on to create the software. Each of those inputs also introduces risk.

SCA tools are critical to have in the arsenal because attackers are taking advantage of existing vulnerabilities in open source components and exploiting gaps in supply chain controls to compromise organizations or their customers, according to Forrester.

Protecting the software supply chain has grown more complex, with challenges that include code signing and identity and access management (IAM) policy. Recent high-profile supply chain attacks, such as the SolarWinds incident uncovered in late 2020, have just about every security leader thinking about supply chain risk. In an environment where most organizations have many third-party dependencies, no organization is immune from a supply chain compromise.

Defending against a supply chain attack requires visibility into dependencies on open source components in the development pipeline, and that is where SCA comes in.

SCA tools provide visibility by identifying the third-party components used in code. They also improve quality by enforcing consistent component choices across projects and driving corrective actions. SCA tools aim for accurate detection by discovering potential licensing and security issues in third-party libraries, including through scanning at the binary level when source is not available.

To do this, various SCA tools use public vulnerability disclosure databases and the National Vulnerability Database (NVD) as their main sources. SCA tools also reduce license risk by identifying the license attached to each component, alongside security, which is typically the most significant aspect of dealing with open source.

While SCA has long played a role in protecting the software supply chain, vendors have expanded their capabilities.

Select an SCA tool that scans open source components within containerized environments, can identify any vulnerabilities or compliance issues, and automatically enforces policies. The tool should also have native support for the specific container registry IT is using. An effective SCA tool collects vulnerability data from various sources and indicates which findings have been verified rather than merely reported.

Organizations should also use an SCA tool that will not only report which open source libraries have known vulnerabilities, but will also tell IT whether its code actually calls into the affected library (so that unreachable findings can be deprioritized) and suggest a fix when applicable. The tool should also identify open source libraries in the codebase that need to be updated or patched.
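The following is an added example, not code from the original article or from any SCA vendor, showing in miniature what the preceding paragraphs describe: an SCA pass inventories pinned dependencies, matches them against an advisory feed, checks each component's license against policy, and notes whether the application source actually imports the affected package. The lockfile, package names, advisory IDs, licenses and application source are all constructed for this example; the advisory shape loosely follows the OSV style (introduced/fixed version ranges) but is an assumption, not any real feed.

```python
"""Toy SCA scan: inventory -> vulnerability match -> license policy -> reachability.
Every input below is constructed for illustration; the package names and
advisory IDs do not refer to real projects or real vulnerabilities."""
import re

# Constructed lockfile with pinned versions (like a requirements.txt).
LOCKFILE = """\
netlib==2.25.1
yamlkit==5.3.1
padlib==1.0.0
httpbase==1.26.5
"""

# Constructed advisory feed: package, affected range [introduced, fixed), severity.
ADVISORIES = [
    {"id": "EX-2021-0001", "package": "yamlkit", "introduced": "0", "fixed": "5.4", "severity": "CRITICAL"},
    {"id": "EX-2021-0002", "package": "httpbase", "introduced": "0", "fixed": "1.26.5", "severity": "HIGH"},
    {"id": "EX-2021-0003", "package": "netlib", "introduced": "2.0.0", "fixed": "2.26.0", "severity": "MEDIUM"},
]

# Constructed license metadata and an organizational policy (assumed).
LICENSES = {"netlib": "Apache-2.0", "yamlkit": "MIT", "padlib": "GPL-3.0-only", "httpbase": "MIT"}
POLICY = {"allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"}, "max_severity": "MEDIUM"}
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# Constructed application source used for the reachability check.
APP_SOURCE = """\
import netlib
import ykit
from httpbase.util import Retry
"""
# Import name -> distribution name where the two differ (constructed mapping).
IMPORT_NAMES = {"ykit": "yamlkit"}


def parse_version(v):
    # Simple dotted-integer comparison; enough for the constructed data above.
    return tuple(int(x) for x in v.split("."))


def parse_lockfile(text):
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, ver = line.split("==")
        deps[name.lower()] = ver
    return deps


def in_range(version, introduced, fixed):
    # Affected if introduced <= version < fixed (fixed version itself is clean).
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def imported_packages(source):
    # Top-level module names from import/from statements, mapped to distributions.
    names = set()
    for m in re.finditer(r"^\s*(?:import|from)\s+([A-Za-z0-9_]+)", source, re.M):
        mod = m.group(1).lower()
        names.add(IMPORT_NAMES.get(mod, mod))
    return names


def scan(lockfile, advisories, licenses, policy, app_source):
    deps = parse_lockfile(lockfile)
    used = imported_packages(app_source)
    findings = []
    for name, ver in deps.items():
        lic = licenses.get(name, "UNKNOWN")
        if lic not in policy["allowed_licenses"]:
            findings.append({"package": name, "version": ver, "type": "license",
                             "detail": lic, "blocking": True, "reachable": name in used})
        for adv in advisories:
            if adv["package"] == name and in_range(ver, adv["introduced"], adv["fixed"]):
                blocking = SEVERITY_RANK[adv["severity"]] > SEVERITY_RANK[policy["max_severity"]]
                findings.append({"package": name, "version": ver, "type": "vulnerability",
                                 "detail": adv["id"], "severity": adv["severity"],
                                 "fix": adv["fixed"], "blocking": blocking,
                                 "reachable": name in used})
    return findings


def policy_passes(findings):
    # A build is blocked if any finding exceeds the policy threshold.
    return not any(f["blocking"] for f in findings)


if __name__ == "__main__":
    results = scan(LOCKFILE, ADVISORIES, LICENSES, POLICY, APP_SOURCE)
    for f in results:
        print(f"{f['package']}=={f['version']}: {f['type']} {f['detail']} "
              f"blocking={f['blocking']} reachable={f['reachable']}")
    print("policy pass:", policy_passes(results))
```

On the constructed data the scan reports a critical, reachable advisory against yamlkit (blocking), a medium advisory against netlib (reported but under the threshold), and a disallowed GPL license on padlib that the application never imports; httpbase is at the fixed version and is clean. Real SCA tools do the same steps with far richer inputs: transitive dependency resolution, several advisory feeds beyond the NVD, and call-graph rather than import-level reachability.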

Among the new features SCA vendors are expected to add are vulnerability data beyond what the NVD provides, as well as guidance on remediation. Advanced SCA tools are expected to integrate seamlessly into the SDLC and work with source repositories or integrated development environments (IDEs) to alert developers to a vulnerable component or other risk factor at the point where it is introduced. Moreover, growing demand to reduce application security risk is expected to be an opportunity for the SCA market, as it helps organizations secure and manage open source components more effectively.

SCA will continue to grow in importance as an element of organizations’ application security testing (AST) toolsets, Gartner notes. Without SCA, the benefits of OSS in application development can easily be overwhelmed by the risks. The firm recommends that organizations include SCA tools in the process of identifying and mitigating risks associated with OSS.
