Software Composition Analysis: Identify Risk in Open Source Components

An estimated 90 percent of your code is from open source and third-party libraries. How are you verifying that you have the latest version?

In order to fully understand your application vulnerabilities and the overall security posture of your web and mobile applications, you need in-depth visibility into the third-party components that you are using. Software Composition Analysis (SCA) allows you to identify third-party and open source components that have been integrated into all your applications. It informs you about the licenses for each of them and identifies out-of-date libraries that should be upgraded or patched. Software Composition Analysis tells you if any open source frameworks have open CVEs that must be addressed.

When Open Source Goes Wrong

In March of 2017, it was reported that certain versions of the Apache Struts 2 Framework were vulnerable to Remote Code Execution attacks. If you were using a vulnerable version of the Apache Struts 2, the recommended remediation was to upgrade to Apache Struts 2.3.32 or The issue was a Remote Code Execution bug in the Jakarta Multipart parser of Apache Struts 2 that could allow an attacker to execute malicious commands on the server when uploading files based on the parser.

Using Software Composition Analysis, you can easily know which applications are using a particular library – either directly or transitively.

Here are a few items to look for when searching for an SCA solution:

You Must Fix Vulnerabilities, Not Just Find them

Typically, Software Composition Analysis is only considered a testing tool, flagging security problems at relevant times. However, this is missing the boat. The ultimate goal is not to just simply find the vulnerabilities. We must fix them! Fixing vulnerabilities must be part of your plan for addressing risk in open source code.

Integrated in SAST (Static Application Security Testing)

Flexibility is also an important feature, depending on your needs. Solutions that show an SCA dashboard with CVEs, versions, and license details, but also turn those CVEs into tracked vulnerabilities that can be integrated with ALM and bug tracking, are your best bet.

Ensure Your Tool Understands Your Dependencies Well

Understanding dependencies can be a challenge that might seem easy until you look under the hood. If you have an SCA solution, you may rely on its ability to detect the libraries you’re using. If it happens to miss a library, it can therefore miss vulnerabilities.
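To make the direct-versus-transitive point and the dependency-detection point concrete, here is a small added example (not from the original post, and not any vendor's SCA tool) that walks a constructed dependency manifest and flags components older than the fixed version in a constructed advisory list. All component names, versions other than 2.3.32, and the advisory id are assumptions.

```python
"""Toy SCA check: resolve transitive dependencies, then flag known-vulnerable versions."""
from collections import deque

# Constructed sample manifest: each key lists its direct dependencies as (name, version).
# Libraries' own dependencies appear the same way, like a flattened lock file.
DEPENDENCIES = {
    "app:orders-web": [("struts2-core", "2.3.31"), ("commons-io", "2.5")],
    "app:billing-api": [("internal-upload-lib", "1.4")],
    "internal-upload-lib": [("struts2-core", "2.3.24")],
    "struts2-core": [("ognl", "3.0.19")],
    "commons-io": [],
    "ognl": [],
}

# Constructed advisory records: (component, fixed-in version, placeholder advisory id).
# 2.3.32 is the fix version named in the Struts 2 example above; the id is not a real one.
ADVISORIES = [("struts2-core", "2.3.32", "ADVISORY-PLACEHOLDER-1")]


def parse_version(v):
    """Assumes dotted numeric versions ("2.3.31" -> (2, 3, 31)); real tools need
    ecosystem-specific comparators for suffixes like -beta or .RELEASE."""
    return tuple(int(p) for p in v.split("."))


def resolve(app):
    """Return {component: (version, path)} for everything reachable from app,
    directly or transitively. First-seen version wins, as a simple resolver would."""
    seen = {}
    queue = deque([(app, [app])])
    while queue:
        node, path = queue.popleft()
        for name, version in DEPENDENCIES.get(node, []):
            if name in seen:
                continue
            seen[name] = (version, path + [name])
            queue.append((name, path + [name]))
    return seen


def find_vulnerable(app):
    """List (component, version, advisory id, dependency chain) for every resolved
    component whose version is older than an advisory's fixed-in version."""
    hits = []
    for name, (version, path) in resolve(app).items():
        for comp, fixed_in, adv in ADVISORIES:
            if comp == name and parse_version(version) < parse_version(fixed_in):
                hits.append((name, version, adv, " -> ".join(path)))
    return hits


if __name__ == "__main__":
    for app in ("app:orders-web", "app:billing-api"):
        for name, version, adv, chain in find_vulnerable(app):
            print(f"{app}: {name} {version} needs upgrade ({adv}) via {chain}")
```

The billing service never lists struts2-core itself, which is exactly the case a tool that only reads declared dependencies would miss.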

SCA Should Give Security Teams Visibility into Development

Given the speed of development and the adoption rate of DevOps release automation platforms, security teams will never be able to keep up and keep that code secure. Therefore, the SCA solution you choose needs to be designed to give security teams visibility into development environments.

Choose a Solution or Service that Can Grow with Your Company

Whether in our personal or professional lives, we’ve all seen and experienced the continuously faster pace of software development. This won’t change as many organizations are either in the middle of their digital transformation journey, or looking to increase productivity and speed going forward. Maintaining security is crucial.

Obviously, the solution or service you choose should fit the needs you have now, but keep in mind that it’s just as important to choose technology that will help you get where you want to be in the future.

Given that most code is open source, and that applications are a popular attack surface, coupled with more attackers targeting vulnerabilities in open source code, SCA is an integral part of application security and secure DevOps. It’s not a “check-the-box” requirement.

Want to know more? Our Principal Product Manager, Sandeep Potdar offers a free webinar, Software Composition Analysis, the Linchpin of Modern Software Development. He will walk you through the importance of SCA, why it’s essential for secure DevOps, and how SCA helps you manage open source vulnerabilities, including issues with compliance.