How software composition analysis can help you go from good to great

May 31, 2023 By Nitin Phadnis

9 minute read time

We live in a world that is difficult to imagine without open source software. Although open source — and DevSecOps testing methods and tools — have been around for a long time, it is only over the past few years that Software Composition Analysis (SCA) has started gaining more attention relative to other popular security testing techniques, including the following:

  • Static Application Security Testing (SAST) - commonly used to detect vulnerabilities in proprietary code, but traditionally known for high false-positive rates.
  • Dynamic Application Security Testing (DAST) - best applied in the later stages of a software development lifecycle, after an application is deployed, meaning vulnerabilities are generally fixed in the next lifecycle.

SCA, meanwhile, is the ongoing, precise, and in-depth review of the open source components, dependencies, and license requirements embedded in a particular piece of software and/or across a software supply chain. SCA tools can be used to automate the identification of vulnerabilities in entire container images, packaged binary files, and source code. They are also useful for identifying and managing software licenses.

The rise of SCA has in some ways coincided with the rise of open source software in modern software development. Given the fact that open source software now comprises about 90% of modern codebases, organizations need a clear strategy and the right tools to get ahead of the open source software risks.

With an estimated 1.2 billion vulnerable dependencies being downloaded each month, there is no shortage of threats to software development. Traditional, manual methods of tracking vulnerabilities or sifting through lines of code simply cannot cope with the volume and complexity. SCA has stepped easily into this niche — it automates visibility into open source software to help with risk management, security improvements and license compliance — at DevOps scale and speed.

What’s put SCA at the forefront?

So, what’s triggered the tilt towards advanced SCA platforms? And why should organizations, irrespective of industry, take notice and act now?

A major shift happened with the 2021 Executive Order aimed at enhancing U.S. software supply chain security. It intends to put the onus on suppliers by requiring them to provide a software bill of materials (SBOM) to:

  • demonstrate secure development practices and processes.
  • enable a foundation of software transparency.

While SAST and DAST tools were already in place, it was SCA solutions that took the lead and developed the capabilities to generate and export SBOMs in widely accepted formats such as CycloneDX and SPDX. SBOMs help government and private sector customers validate the integrity of software components.

That capability put the spotlight squarely on SCA.

Then, in December 2021, a high-profile disclosure of a vulnerability in Log4j made headlines everywhere. The widely used open source utility posed a severe risk to millions of software distributions from consumer products to enterprise software and web applications.

Organizations using SCA were able to quickly:

  1. Identify affected applications (find).
  2. Apply patches to affected systems to stop the threat from spreading further (fix).
  3. Strengthen their security posture (fortify).

Many organizations that did not use SCA tools were left scrambling to find vulnerable versions of Log4j within their applications and then patch them.
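The "find" step above, and the SBOM formats mentioned earlier, can be illustrated with a small triage script. This is an added example, not Sonatype code or any real advisory data: it parses a constructed CycloneDX-style JSON SBOM, flags components below a constructed "fixed in" version (the advisory id is a placeholder), and flags licenses denied by a constructed policy.

```python
"""Minimal SBOM triage: the "find" step of find/fix/fortify (added example)."""
import json
import re

# Constructed CycloneDX 1.4-style SBOM fragment; not taken from any real build.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.17.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "group": "com.example", "name": "copyleft-util",
     "version": "1.0.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ]
}"""

# Constructed advisory list: a component is affected if its version is below
# "fixed_in". The id is a placeholder, not a real advisory identifier.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "fixed_in": "2.17.1"},
]
# Constructed license policy: licenses this team has decided not to ship.
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as
    strings ('2.9' < '2.14'). Pre-release tags such as '-beta' are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])


def triage(sbom_text):
    """Return a list of (component coordinate, reason) findings."""
    findings = []
    for c in json.loads(sbom_text).get("components", []):
        coord = f"{c.get('group', '')}:{c['name']}:{c['version']}"
        for adv in ADVISORIES:
            if (c.get("group"), c["name"]) == (adv["group"], adv["name"]) \
                    and parse_version(c["version"]) < parse_version(adv["fixed_in"]):
                findings.append((coord, f"affected per {adv['id']}, fixed in {adv['fixed_in']}"))
        for lic in c.get("licenses", []):
            lic_id = lic.get("license", {}).get("id")
            if lic_id in DENIED_LICENSES:
                findings.append((coord, f"license {lic_id} denied by policy"))
    return findings


if __name__ == "__main__":
    for coord, reason in triage(SBOM_JSON):
        print(f"{coord}: {reason}")
```

A real SCA platform does the same matching against a continuously updated vulnerability and license database, across every application's SBOM, rather than against a hand-written list.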

Similarly, the highly sophisticated SolarWinds hack in 2020 highlighted threats to the software supply chain. It prompted companies to seriously reprioritize software security, with government officials calling for stricter review of software security policies and controls.

These announcements and incidents have brought SCA into sharp focus.

What SCA means for DevSecOps

Hesitancy around making the right decisions and investments in mature SCA platforms still exists, leaving organizations exposed to serious cybersecurity risks. Entrenched attitudes and cultures are also slowing adoption. Simply put, you cannot cross your fingers and hope that:

  • It won’t happen to us, OR it won’t happen again. (Think again. There has been an astonishing 742% average annual increase in software supply chain attacks.)
  • Risk management of open source in our tech stack will happen organically, OR automatically, OR somehow magically.
  • Open source software risk should be exclusively managed by IT.
  • Generating SBOMs is good enough, and we don’t really need mature SCA tooling.

SCA is a fundamental building block of application security (AppSec). Organizations need to rapidly transform their DevSecOps and software development lifecycle practices and processes from rarely seen back-end teams to being at the forefront of fueling the company’s innovation strategies. Let’s understand why advanced SCA tooling is a must-have for any company today.

Reasons to embrace SCA 

Here’s how investing in the right SCA software platform can help you make the transition from good to great!

Know what’s in your software (and your supply chain)

Open source software is both valuable and vulnerable. While it is the catalyst that puts your digital transformation into overdrive, it also offers a large enough attack surface for bad actors. The sheer mind-numbing volume of open source downloads — of which 1.2 billion are estimated to be vulnerable — makes a compelling case to inspect what is coming into your software development pipeline.

SCA tools give DevSecOps teams timely information about these vulnerable components and malicious packages and, more importantly, provide contextual guidance about how to remediate them. This helps developers choose safe components and get products out the door without being overly burdened with security concerns.

Get the balance between speed and security right

When the worlds of developers and AppSec collide, it's not a pretty sight! Developers are under pressure to get products to market faster, while security teams need the assurance that the code being shipped is safe and clean. Getting to this balance, let alone sustaining it, can be a nightmare and quickly derail organizational objectives.

Modern SCA solutions not only report key risks and issues involved, but also offer automatic policy enforcement and remediation, unifying teams with the same level of insight while ensuring DevOps speed and outcomes.

Reduce risk

In today’s fast-moving business landscape, disruptions can prove costly, especially those that directly impact revenue goals such as faster time to market and agile product development. Modern SCA platforms protect you against security risks that can be harmful to your business, customers, and reputation. In addition, they protect against legal risks from open source license obligations and low-quality components. By using key metrics to assess quality, including age and popularity, SCA can find and continuously monitor for problematic code in your applications. This will in turn help systematically anticipate and reduce risks that may not only affect the SDLC but business outcomes as well.

Apply consistent policies

Security teams need to:

  1. Assemble an accurate picture of the overall risk presented by open source usage across all applications.
  2. Define consistent policies to keep risk to acceptable levels.
  3. Work in harmony with development teams to guide remediation efforts.

Automating your process and practices across the software development lifecycle with SCA solutions helps ensure successful moves into a DevSecOps operating environment.

Advance your innovation priorities

Companies must innovate in order to sustain competitive advantage. And every company today, as the saying goes, is a software company. Companies that choose open source are also some of the most successful in the world: 99% of Fortune 500 companies use open source software, according to consulting firm BCG. Moreover, research from McKinsey found that the top 25% of the best-performing companies had adopted open source software.

How SCA powers business-critical outcomes

Investments in software platforms invite discussions and scrutiny into what tangible outcomes they can deliver for the organization. SCA software is no different. An enterprise-grade SCA platform should help companies drive:

  • Developer productivity. We often hear the term “developer velocity.” This is not merely an aspiration, but something that is critical to driving innovation and giving the company a competitive edge. Simply put, developers need to get quality products out to market fast. Purpose-built SCA platforms improve business performance through software development by empowering developers to do what is central to their work — code fearlessly.
  • Intelligent security. SCA tooling helps companies harmonize the dynamic between developers and security teams. By surfacing security issues and vulnerabilities to all concerned, SCA can minimize friction and foster collaboration, provide a comprehensive view of software security, and enable better decisions.
  • Operational excellence. This goes beyond operational efficiency, which is table stakes for any SCA platform. Capabilities such as high availability, replication, effortless scalability and cloud deployment, among others, create a foundation of operational excellence that enables improved build times, while helping onboard more applications, users and policies with intelligent automation across multi-level management hierarchies.

Looking ahead

Open source software continues to grow, and the future of SCA looks promising. An estimated 95% of IT leaders now feel open source software is an essential part of their enterprise. As this space rapidly evolves, we will increasingly witness SCA platforms welcoming and assimilating new trends and technologies such as:

  • SCA in the cloud. Scalable, secure, and always-available. Software teams will increasingly look for these features in their SCA deployments to maximize business outcomes, reduce management overhead, and accelerate secure software delivery.
  • Proactive versus reactive SCA. Managing organizational risk holistically now extends to all of your software supply chain risks. While finding and fixing vulnerabilities in your SDLC pipelines is a well-established practice, companies that can block these from gaining entry in the first place have a distinct advantage. Proactive SCA will be embedded in the organizational risk framework to counter the ever-expanding threat surface that exposes organizations.
  • Always-on SCA. Large enterprises can’t afford operational downtime and require a resilient system to ensure SDLC pipelines are always available by minimizing single points of failure. They also need the ability to scale on demand and to manage multiple instances easily. This calls for an always-on architecture that combines approaches such as high availability, replication, and disaster recovery.
  • Extended SCA. SCA will continue to evolve to reflect ongoing innovations and the ever-growing demands to make software more secure than ever. This will potentially include integration with other security tools and increased sophistication in blocking, finding, and fixing vulnerabilities with the trifecta of artificial intelligence, machine learning, and carefully curated human analysis.
  • Artificial intelligence and machine learning (AI/ML) will proliferate. As companies onboard hundreds or even thousands of applications, it becomes important to automate regular tasks, reduce the noise (false positives and false negatives), and improve risk visibility. Automating at scale will only be possible by advancing the use of AI/ML in SCA.

The final word

As software supply chain attacks increase in frequency and sophistication, constant vigilance is needed to stay on top of shifting approaches. But that alone is not enough. Much is at stake, and companies need a state-of-the-art SCA platform that gives them full control over their software supply chain and allows them to define open source security, license, and architectural policies that work best for their organization. 

Sonatype Lifecycle helps control open source risk across the SDLC while minimizing risk and accelerating digital innovation, which are no longer nice-to-haves but table stakes for any organization to grow and thrive in today’s digital-first environment. Sonatype has also been named in the 2023 Gartner Magic Quadrant for Application Security Testing (AST), solidifying its position as a leading provider in the industry. This recognition further demonstrates Sonatype's commitment to providing cutting-edge solutions that help organizations safeguard their software supply chains.

Want to know how Sonatype can help? Our team is here to help you secure your software supply chain and ensure your success. Let’s begin.

Sonatype runs anywhere — self-hosted, on the cloud, or air-gapped. Sonatype's cloud offerings are hosted on AWS.

Tags: secure software supply chain, Sonatype Lifecycle, devsecops, AppSec, Open Source

Written by Nitin Phadnis

Nitin Phadnis is a Senior Product Marketing Manager at Sonatype. When he's not working, Nitin loves spending time with family, reading, and watching F1 races.