Software Composition Analysis – A Toolkit to Manage Open Source Security

by

The way we develop software has transformed dramatically in the last few years. The increasing usage of Open Source in conventional enterprises with critical security needs is one such change.  However, the question that remains is how evolved and mature we are to manage such paradigm shifts in the way we develop applications.

The emergence of opensource clearly has brought in some competitive advantages for the organizations. Organization no more need to focus their limited resources on development of the entire software. Instead, they can use open source libraries for most of their generic requirements and focus their resources on the development of their core business USP that differentiates them from the competitors. Enterprises indeed save significant amounts when using opensource as opposed to building an application from scratch.

While all this is good, the increasing use of opensource libraries brings along, its own set of challenges and risks. The foremost challenge to be addressed being security. Many organizations have rigid coding protocols for their inhouse development teams to help minimize security violations. However, even the enterprises with the most mature of the IT departments are struggling to find a seamless way to manage and monitor their open source components for security adherence.

Enterprise challenges in managing security implications of using opensource

  • Opensource components just like any other piece of software goes through extensive testing. However, an opensource component created for a specific software goal or business goal, over the years gets reused with several customizations and wrappers around the original code. These variations in implementation/usage of the components make them susceptible to various flaws/violations.
  • Furthermore, with widespread use of these components, hackers have a greater incentive to exploit these vulnerabilities
  • Enterprises need to constantly check for the list of vulnerabilities that have been identified in the component and decide whether to continue using the component based on the severity of the violations
  • Enterprises need to manually look for released fixes and make sure they are included in the subsequent builds
  • While the above steps are easy to follow for a couple of components, the process becomes increasingly complex when you must manage hundreds of them

This is where Software Composition Analysis can come to the rescue. What can Software Component Analysis do?

  • Scan the code for Proprietary vs Open Source code and provide you a ratio of the 2 components
  • Check the licensing requirements for each of the components
  • Look for vulnerabilities in the open source components
  • Provide solutions and action items to resolve the issues

Highlight_SCA

Several app security solutions offer SCA (Software Composition Analysis) as part of the core offering. Such an SCA tool, can minimize to a great extent the woes of an enterprise with concerns on the use of opensource components.  Once you decide to use an SCA tool, the next obvious question is how to fit SCA into the new age agile model. It is true that SCA was envisioned at a time when water fall SDLC was the norm but several tools now in the market such as CastHighlight have evolved over the years to adapt their SCA capabilities to the agile and devops model.  The SCA tool can be integrated to the CI Build and results from the tool can be used to fail or pass the build.  Since the SCA tool syncs itself constantly with the latest CVE list, there will be limited to no manual intervention, staying true to the spirit of devops and CI/CD.

SCA by itself is efficient but combined with software intelligence can be much more effective. For instance, an open source framework may have 1000’s of lines of code. An SCA tool used in isolation may find vulnerabilities in the whole code irrespective of whether it is being used or not. However, when used alongside Software Intelligence, it can identify the libraries that are not being used and ignore the respective violations.

Get the Pulse Newsletter  Sign up for the latest Software Intelligence news Subscribe Now <>
Open source is part of almost every software capability we use today. At the  very least libraries, frameworks or databases that get used in mission critical  IT systems. In some cases entire systems being build on top of open source  foundations. Since we have been benchmarking IT software for years, we thought  we would set our sights on some of the most commonly used open source software  (OSS) projects. Software Intelligence Report <> Papers
In our 29-criteria evaluation of the static application security testing (SAST)  market, we identified the 10 most significant vendors — CAST, CA Veracode,  Checkmarx, IBM, Micro Focus, Parasoft, Rogue Wave Software, SiteLock,  SonarSource, and Synopsys — and researched, analyzed, and scored them. This  report shows how each measures up and helps security professionals make the  right choice. Forrester Wave: Static Application Security Testing, Q4 2017  Analyst Paper
This study by CAST reveals potential reasons for poor software quality that  puts businesses at risk, including clashes with management and little  understanding of system architecture. What Motivates Today’s Top Performing  Developers Survey
Srinivas Kedarisetty
Srinivas Kedarisetty Security Product Owner
Srinivas has more than 18 years of experience in leading IT delivery teams across India, the U.S. and Europe while managing product security, microservices and SDK. Highly skilled in developing and driving products from conception through the entire product lifecycle, Srinivas has a track record of improving products and teams to create value for customers.
Load more reviews
Thank you for the review! Your review must be approved first
Rating
New code

You've already submitted a review for this item

|