As leaders in software composition analysis (SCA), we know its role throughout today’s software supply chain.
SCA was born out of necessity. How else could innovators discover, identify, and track open source software (OSS) components within their applications? SCA may be best known for tracking capabilities, such as adherence to license requirements (e.g., “you can use this code, just buy me a beer”). Others value it for identifying security vulnerabilities inherent in open source projects (“Red alert! Red alert!”). Yet, the technology can do far more than that.
Our product suite helps developers and security professionals at every stage of software development. Our tools locate, manage, and protect the best quality open source software components.
Of these capabilities, which is most critical?
To find out, we commissioned 451 Research, a global research firm, to evaluate the case for SCA. The report, Software Composition Analysis: Getting to the Signal Through the Noise, written by Scott Crawford, Research Director, is revealing.
Superior Precision Necessary for Secure Software Production
The report identifies precision as the most important element an SCA tool must master. By 451’s measure, Sonatype excels in this domain. Precision ensures secure software development from concept through delivery. Consider:
- Precision pinpoints to the specific nature of vulnerabilities and eliminates false positives. An SCA tool that generates a high volume of false positives also generates a demand for manual review. This slows or eliminates automation at scale.
- Precision guides effective and efficient remediation. It isn’t sufficient to only know the name of a "bad" component in your software supply chain -- this is too broad. Components are infinitely customizable. As an analogy, this is like searching for a criminal using the telephone book. Wouldn’t it be more effective to search a DNA database?
- Precision reveals the depth and breadth of integrations, surfacing the highest quality suppliers. Open source packages contain libraries of libraries, like a nesting Russian doll. Sophisticated SCA technologies, like ours, address this issue and provide best component selection with expert remediation guidance.
Here are three precision-related characteristics found in Sonatype’s elite SCA management tools:
Superior Coverage Beyond Public Datasets
Nexus Intelligence uses proprietary natural language processes. This provides in-depth vulnerability data beyond public databases, such as the NVD. This means:
- 70% more vulnerabilities identified compared to alternative databases
- Increased mean time to remediation (MTTR)
- Decreased exploitation risks because Nexus Intelligence identifies vulnerabilities not yet publicly declared that could be exploited
- Faster time to market with higher production quality
- New and emerging languages, such as Python or Go
Data Precision ‘As Deployed’ Extremely Valuable
Scanning manifest files (“as Declared”) does not identify true risk. That’s because an “as Declared” scan does not analyze embedded dependencies. This introduces the potential for intended and unintended changes in production.
Nexus scans post-build artifacts, including binaries, (“as Deployed”). Our Advanced Binary Fingerprinting (ABF), reveals the truth about third-party risk with in-depth visibility. Scanning “as Deployed”:
- Decreases false positives and negatives
- Increases efficiency cost per developer (saving time fixing issues downstream)
- Increases precision to drive automation at scale
Integrated Toolset an End-to-End Approach
Nexus Platform breaks down siloed security tools. This reduces risk and potential costs, with seamless policy governance across the entire software lifecycle. This end-to-end approach offers:
- Reviews policy across multiple phases of software production
- Reduces ongoing maintenance costs of disparate toolsets
- Decreases gaps in security and quality assurance
- Flexibly defines policies for specific applications
