Ninety percent of your application code is open source software, code your developers did not write. Hence modern security portfolios need to manage risk both in software your developers write, and open source software.
A picture is worth a thousand words, so here you go.
Software Composition Analysis
Software composition analysis (SCA) provides actionable data to security, legal and developer teams by identifying software vulnerabilities and license information for open source components. The most popular Software Composition Analysis platforms allows you to minimize risk from unmanaged open source to accomplish these goals.
- Inventory all open source assets
- Manage open source vulnerabilities
- Manage open source license compliance
- Ship with third party disclosures
“What’s the difference? Are static analysis tools enough?”
Static analysis tools find vulnerabilities in code you write. Along with static analysis, many companies use dynamic analysis, penetration testing, fuzzing and other ways to determine code quality. But managing open source warrants its own space.
Often, a static analysis pricing models encourage users to remove open source from their scans to save money. This creates a situation where tools are in use, but code is not covered. Additionally, in many cases the output of the static analysis tools is so voluminous that the development teams cannot make headway into clearing the results.
Many projects are using out of date versions of open source packages. This means any static analysis may be already out of date due to code fixes already performed by the package’s authors. SCA is best used to reduce vulnerability exposure due to use of older packages, and allows you to best use your limited static analysis time where you get the biggest bang for your buck.
Not sure? Ask your teams these questions.
“Are we using the latest version of Apache Struts 2?”
This is a good test since this component was recently in the news due to the Equifax hack. If your team can’t quickly tell you if they depend on it, or what version they use you likely not up to date.
What if a customer said “Our IT dept refuses to deploy any applications with OpenSSL”?
A software security audit almost always includes a review of third party components. An SCA platform helps you create accurate and complete third party disclosures for your customer’s IT department to speed up a sale. By showing your current inventory and processes to keep your product up to date, you can help change their minds about what is allowed!
“Looks like our application includes a high-risk component. Now what?”
An SCA platform informs you if there is a new version of an open source component to upgrade to. This saves significant remediation and research time.
“Are we vulnerable to that CVE in the news?”
An SCA platform includes dashboards and reports that define and analyze your exposure to specific vulnerabilities across your entire company. Yes, it really can be that simple.
A modern SCA platform integrates into your build cycle and enables you to ‘shift left’ – find and remediate issues early. Look for products with an easy on-ramp to package level analysis to get started quickly. Make sure your platform is ‘future proof’ , and is able to provide detailed analysis as needed.
Contact us if you are looking for guidance or a review of your open source compliance process.