Posted by on Friday, December 4th, 2020

The rise of open source software is creating more risks for today’s applications. Use a software composition analysis tool to mitigate these risks.

Gartner, in its “Market Guide for Software Composition Analysis,” details the need to make software composition analysis (SCA) part of your application security testing tool suite. We discussed the what and why in a recent blog post; today let’s discuss the how.

A growing number of companies are adding SCA tools to their toolbelts as the need for and use of open source software continues to grow unabated. The explosive growth of open source use is not new, and at the heart of open source usage is its primary benefit in commercial software development: speed. When paired with another growing trend in software development, the adoption of DevOps, the importance of speed, automation, and tight integration into existing toolsets increases even more.

Four options for adding software composition analysis to your toolset

Gartner lays out the options available for adding SCA to the development toolset:

1. Open source

Many open-source tools perform SCA tasks. Most are designed to support a specific programming language or application framework. Thus, they are limited in scope, and may lack the functionality available in commercial solutions. Although some — such as Dependency-Check from OWASP — provide support for multiple languages (e.g., .NET assemblies, JAR files and JavaScript) or file formats (such as archives, CMake and Node.js). Most open-source tools focus only on identifying vulnerabilities or outdated packages, and may rely on limited sources of vulnerability data, such as exclusive reliance on the National Vulnerability Database (NVD). Such tools don’t check for license type, or for other project attributes (e.g., the number of maintainers, frequency of updates and speed at resolving vulnerabilities). Despite their limitations, especially as organizations revisit budgets in the wake of COVID-19 business disruptions, open-source tools have become a primary choice for more organizations.

2. Standalone products

These commercial offerings deliver a broader range of important functionality — license checks, remediation guidance, OSS governance and policy enforcement, etc. Examples include Snyk and WhiteSource (both also offer container scanning products that search out issues in container images), as well as Sonatype and Revenera (formerly Flexera), which offer associated capabilities, such as a repository, or governance capabilities (to control OSS use).

3. AST suite components

As demand for SCA tools has grown, an increasing number of application security testing (AST) platforms or suite vendors have added SCA capabilities to their portfolios. Examples include Checkmarx, Contrast Security, Veracode and Synopsys. In many cases, these are offered as an add-on component, requiring separate licensing to SAST or IAST offerings. SAST and IAST testing tools provide the necessary code-scanning capabilities, while the SCA component identifies and reports on relevant OSS warnings. The trend is for these SCA tools to be offered as stand-alone products in the portfolio.

4. Application development platforms

An emerging source of application security tooling, application development tooling vendors have begun to include security capabilities as features in their offerings. Although there are few vendors, this trend is expected to continue and to become disruptive to the established AST market.

The best approach will be determined by the organization’s unique requirements and current toolset. However, Gartner’s “Technology Insight for Software Composition Analysis” offers specific advice around adding SCA tools into an existing AST program: “Organizations evaluating SCA tools should generally first consider the tools offered by their existing testing tool provider. As noted, the combination of [static application security testing (SAST)] and SCA can help deliver higher-fidelity results.”

There are benefits to looking to one vendor for multiple AST needs, according to Gartner. Not only do you get the benefits of easier administration and maintenance, and fewer vendors to manage, but often the tools can come with tighter integration points and easier installation than using multiple point solutions.

Combining SAST and SCA provides added benefits

Important to consider, especially when thinking about adding SAST and SCA to your testing suite, is the added benefit you get from bringing the results from these two tools together. Synopsys offers two specific ways of executing on this convergence:

• Code Sight™: The Code Sight IDE plugin works within the developer’s IDE context, analyzing dependencies and flagging security issues as developers code. Plus, in addition to integrating with Black Duck® for SCA results, Code Sight also works with our industry-leading SAST tool, Coverity®, to display SAST and SCA issues side-by-side right in the IDE.

• Vulnerability impact analysis: Black Duck analyzes vulnerabilities to determine whether a vulnerability is in your call path, providing an additional data point to consider when prioritizing remediation efforts. This data point, in conjunction with our advanced Black Duck Security Advisories data, allows teams to quickly prioritize, triage, and fix critical vulnerabilities first.

In addition to our Coverity SAST and Black Duck SCA tools, Synopsys also offers tools for interactive application security testing (IAST) and fuzzing. And given the rapid adoption of DevOps and DevSecOps, organizations can find themselves looking for expert guidance on how to integrate these practices into their development life cycle. The Synopsys services team offers the Building Security in Maturity Model (BSIMM) report that assesses your current security program, benchmarks that program against your peers, and highlights the areas to focus on first to move your organization forward. And the Maturity Action Plan (MAP) identifies the best path forward to execute on your security strategy.

Gartner makes it clear in its “Market Guide for Software Composition Analysis” that adopting an SCA tool is a vital part of application security: “Multiple risk factors and explosive growth in open source software usage make software composition analysis an essential tool for application security.” Deciding which approach to take will ultimately depend on the goals and priorities each organization sets. But given the trends in the application security space—explosive growth of open source, rapid adoption of DevOps, and a need to shift security as far left as possible for optimal results—choosing an AST vendor like Synopsys that can help assess your current state, recommend a path forward, and partner with you to achieve not only your SCA goals, but your wholistic AppSec strategy, can provide unmatched benefits.