IT Awards 2020: Most popular providers of Code and Composition Analysis 2020
Most current applications are based on open source code. The overview is quickly lost, risks and vulnerabilities are difficult to identify. This is where Software Composition Analysis (SCA) solutions come in.
Software Composition Analysis aims to uncover vulnerabilities in open source components and their dependencies.
Modern software consists of a hodgepodge of code, libraries and APIs. According to Synopsys' Open Source Security and Risk Analysis Report 2020, 99 percent of all applications use open source components, which account for 70 percent of the code base reviewed. The problem: according to the study, around three quarters of the code bases contain vulnerabilities, and around half even contain high-risk vulnerabilities.
In addition, about two thirds of all applications have license problems, and one third even contain completely unlicensed components. The timeliness of the open source elements used also leaves much to be desired: 88 percent of the code bases contained components that had not been further developed in the past two years. In 82 percent of the code bases, components were found that had not received an update for more than four years.
Gain an overview
This naturally raises enormous problems if the applications in question are to comply with security requirements or be used in sensitive areas, for example. Software Composition Analysis (SCA) provides a remedy. In simple terms, it is a detailed inventory of all open source and other third-party components that are part of the application. A so-called "Bill of Materials" (BOM) is created, which contains, among other things, exact information about versions and license types.
SCA thus helps developers, security and legal representatives to obtain a precise overview of all open source components used, and thus also of possible security vulnerabilities and licensing problems. Discovered vulnerabilities or violations can be eliminated in a targeted way, and compliance with license conditions can be demonstrated. This overview does not only cover directly used code and libraries: automated processes also make the dependencies pulled in by third-party libraries visible. If new vulnerabilities appear during such a scan, the responsible persons are notified automatically. In addition, it is possible to determine exactly how much adopted code is contained within the in-house source code.
Advantages in practice
Powerful SCA systems are also able to prioritize the problems discovered according to their risk factor. This ensures that serious vulnerabilities are not ignored and are resolved promptly. Ideally, the SCA solution permanently supports the implementation of appropriate measures, such as the regular patching of all open source components.
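The three steps described above (the BOM inventory, matching it against known vulnerabilities and license rules, and ranking the findings by risk) as a minimal SCA pass in code. This is an added example, not code from the article or from any vendor named in it; every component name, version, advisory id, score and the license policy are constructed for illustration.

```python
# Added example: a minimal SCA pass over a constructed Bill of Materials.
# All names, versions, advisory ids and the policy below are constructed.
from dataclasses import dataclass

def parse_version(s):
    """'1.2.3' -> (1, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))

@dataclass
class Component:
    name: str
    version: tuple
    license: str
    direct: bool  # False = transitive dependency pulled in by another library

# Constructed BOM: the inventory an SCA tool would extract from a build.
BOM = [
    Component("webframework", parse_version("2.4.1"), "MIT", True),
    Component("jsonlib", parse_version("1.0.3"), "Apache-2.0", False),
    Component("oldcrypto", parse_version("0.9.0"), "GPL-3.0-only", False),
    Component("logger", parse_version("3.2.0"), "BSD-3-Clause", True),
]
# Constructed advisories: affected range is [introduced, fixed), CVSS-style score.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "name": "jsonlib", "introduced": "1.0.0", "fixed": "1.0.4", "score": 9.1},
    {"id": "EXAMPLE-0002", "name": "oldcrypto", "introduced": "0.0.0", "fixed": "1.0.0", "score": 5.3},
    {"id": "EXAMPLE-0003", "name": "webframework", "introduced": "1.0.0", "fixed": "2.0.0", "score": 7.5},
]
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}  # constructed license policy

def severity(score):
    return "critical" if score >= 9 else "high" if score >= 7 else "medium" if score >= 4 else "low"

def analyze(bom, advisories, denied):
    """Return findings ranked by score, so the worst vulnerabilities surface first."""
    findings = []
    for c in bom:
        for a in advisories:  # version-range match, not just a name match
            if a["name"] == c.name and parse_version(a["introduced"]) <= c.version < parse_version(a["fixed"]):
                findings.append({"component": c.name, "id": a["id"], "score": a["score"],
                                 "severity": severity(a["score"]), "direct": c.direct})
        if c.license in denied:  # policy violation, reported alongside vulnerabilities
            findings.append({"component": c.name, "id": "LICENSE:" + c.license, "score": 0.0,
                             "severity": "policy", "direct": c.direct})
    return sorted(findings, key=lambda f: -f["score"])

if __name__ == "__main__":
    for f in analyze(BOM, ADVISORIES, DENIED_LICENSES):
        print(f"{f['severity']:8} {f['component']:14} {f['id']}  direct={f['direct']}")
```

Note that the fixed version of `webframework` is not flagged, while the transitive `jsonlib` is: the ranking surfaces the critical indirect dependency first, which is exactly the case a name-only check of direct dependencies would miss.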
The use of SCA solutions brings further advantages: for example, compliance requirements can be enforced via automated policies. In addition, the effort required to search for vulnerabilities of all kinds in open source components is significantly reduced, which allows faster reactions and thus also lower costs. This speed advantage also shows in a faster time-to-market, combined with higher product security and a lower risk of subsequent litigation.
Trends and developments
According to Gartner's "Market Guide for Software Composition Analysis", some trends are emerging in the SCA environment. The market researchers assume that SCA will continue to gain in importance due to the high prevalence of open source. The range of functions of the solutions could also be broadened to include, for example, an assessment of the future security, stability and origin of open source components. This could be done for the entire software supply chain.
SCA tools focus exclusively on open source code. According to Gartner, however, users repeatedly express concerns about proprietary COTS ("Commercial Off-The-Shelf") packages. Here, the market researchers see potential for the addition of corresponding functions.