Software Composition Analysis (SCA)
The role of SCA tools in securing software supply chains
What is software composition analysis (SCA)?
Today’s software applications rely heavily on open-source components. SCA is the process of automating visibility into the use of open source software (OSS) for the purpose of risk management, license compliance and security. SCA tools help ensure that the open source components that developers embed in their applications meet basic security standards and do not introduce risk to the organization.
SCA tools identify known vulnerabilities in the third-party components an application uses and report the license under which each component is distributed. More advanced SCA tools, like Contrast SCA, can automate the entire process of open-source selection, approval and tracking, saving developers time and reducing the errors that come with tracking components by hand. Increasingly, SCA tools are becoming an essential part of application security portfolios.
What are the benefits of software composition analysis?
- End-to-end software supply chain visibility
- Third-party software testing throughout the software lifecycle
- Ability to prioritize risks
- Ability to manage dependency risk
- Real-time governance of third-party software
How did SCA tools come to be?
The adoption of third-party OSS has increased significantly over the last few years to help augment proprietary code developed in-house and accelerate time-to-market. It’s important to recognize that free code comes at a cost, and that cost is responsibility. Businesses need to “own their sources,” because it is the business that will bear the brunt of any losses, both financial and reputational. Read more about Open Source Security.
How do SCA tools work?
During the building of software applications, vulnerabilities can be introduced into the process at different stages of the SDLC, both in custom code and third-party libraries. To ensure that your codebase is secure, you need visibility into your open-source code dependencies and a clear understanding of what that code is doing across your applications and systems.
Standalone software composition analysis solutions, or SCA tools, are typically added to a software security testing program alongside SAST, DAST and IAST. Their job is to scan the software and identify and document all of its dependencies, components and versions.
Open source components are the primary object of analysis. SCA tools match each identified component and version against databases of known vulnerabilities, which also supply detailed descriptions and remediation guidance. Runtime SCA tools like Contrast SCA add precision to open-source risk management by showing which dependencies are actually loaded by the running application and by highlighting license violations. These checks run automatically and continuously throughout the SDLC.
The scan itself is generally binary scanning (fingerprinting the compiled artifacts that ship), manifest scanning (reading the package-manager files that declare dependencies, such as pom.xml, package.json or requirements.txt), or a combination of the two. The resulting software bill of materials (SBOM) is then checked against vulnerability and license databases. Public feeds only cover publicly disclosed vulnerabilities; for advisories that are not yet public, or for vendor-curated vulnerability data, a licensed SCA tool is required.
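The manifest-scanning path described above, reduced to its essentials: read a dependency manifest, emit a minimal SBOM, and match each pinned component against a vulnerability feed using a half-open version range (introduced <= version < fixed). This is an added example for this page, not Contrast SCA's code; the manifest, the package names and the advisory records are constructed for illustration and are not real projects or real advisories.

```python
"""Manifest scanning in miniature: manifest -> SBOM -> vulnerability match.

Added example for this page; it is not Contrast SCA's code. The manifest,
package names and advisory records below are constructed for illustration
and are not real projects or real advisories.
"""

# Constructed requirements.txt-style manifest (hypothetical packages).
MANIFEST = """\
# web tier
httpclient==2.25.1
netutil==1.26.4
yamlkit==5.3.1      # pinned by ops
templ==3.1.3
loggingx
"""

# Constructed vulnerability feed. IDs are placeholders, not real advisories.
# A component is affected if introduced <= version < fixed.
VULN_DB = [
    {"id": "EXAMPLE-0001", "package": "netutil", "introduced": "1.26.0",
     "fixed": "1.26.5", "severity": "high"},
    {"id": "EXAMPLE-0002", "package": "yamlkit", "introduced": "0",
     "fixed": "5.4", "severity": "critical"},
    {"id": "EXAMPLE-0003", "package": "templ", "introduced": "3.0.0",
     "fixed": "3.1.3", "severity": "medium"},
]


def parse_version(version: str, width: int = 4) -> tuple:
    """Turn a dotted version such as "1.26.4" into a fixed-width tuple of
    ints so versions compare correctly ("1.26.4" < "1.26.5" < "1.27").
    Only the leading digits of each segment are used ("1.0rc1" -> (1,0,0,0)).
    A production scanner must implement the ecosystem's full version scheme
    (PEP 440, semver, Maven) or it will mis-rank pre-releases and qualifiers."""
    parts = []
    for segment in version.split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    parts = parts[:width] + [0] * (width - len(parts))
    return tuple(parts)


def parse_manifest(text: str) -> list:
    """Manifest scan: one SBOM component per 'name==version' line.
    Comments and blank lines are skipped. Entries without an exact pin are
    kept with version None: an SBOM entry with no version cannot be matched
    against advisories and should itself be reported, not silently dropped."""
    sbom = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            sbom.append({"name": name.strip().lower(), "version": version.strip()})
        else:
            sbom.append({"name": line.lower(), "version": None})
    return sbom


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Half-open range check: the fixed version itself is not affected."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def scan(sbom: list, vuln_db: list) -> list:
    """Check every SBOM component against the feed and return findings."""
    findings = []
    for component in sbom:
        if component["version"] is None:
            findings.append({"component": component["name"], "id": None,
                             "severity": "unknown", "reason": "unpinned version"})
            continue
        for advisory in vuln_db:
            if advisory["package"] != component["name"]:
                continue
            if is_affected(component["version"], advisory["introduced"], advisory["fixed"]):
                findings.append({"component": component["name"], "id": advisory["id"],
                                 "severity": advisory["severity"],
                                 "reason": f'{component["version"]} < fixed {advisory["fixed"]}'})
    return findings


if __name__ == "__main__":
    for finding in scan(parse_manifest(MANIFEST), VULN_DB):
        print(finding)
```

Two details matter in practice: the fixed version must not be reported (hence the half-open range, so templ 3.1.3 is clean), and an unpinned entry is a finding in its own right, because without an exact version there is nothing to match against the feed.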
Because OSS components keep growing and new vulnerabilities and exploits are always being discovered, it is a good idea to scan all assets with SCA tools daily, from early stages of the SDLC all the way through production – especially if only static SCA scans are being performed on a point-in-time basis. It is important to remember that SCA tools can be static or dynamic.
What is the difference between static SCA and dynamic SCA?
Static SCA scans a software’s code and dependencies without running it. It identifies security risks, outdated libraries and licensing issues, which helps developers fix vulnerabilities early in development. Since static SCA does not execute the program, it can analyze source code, binaries or packaged software for potential threats.
Static SCA tools are used in the early build stages of the software development process, scanning the application’s build manifest files and third-party dependencies for vulnerabilities before release. This is a proactive approach, but not without problems. A manifest-only scan produces false negatives, missing vulnerable components that never appear in a package manifest (vendored copies, transitive or dynamically resolved dependencies), and false positives, flagging dependencies that are declared in the manifest but never actually used by the application.
Dynamic SCA tests software while it runs. It observes real-time behavior, interactions and execution flows to determine which third-party components are actually loaded and exercised. This method identifies what static analysis misses, such as components that are only resolved or loaded at runtime, or vulnerable code that becomes reachable because of a particular runtime configuration. Dynamic SCA provides insight into how third-party components behave within a live application environment.
Dynamic SCA tools can be integrated into the continuous integration/continuous deployment (CI/CD) pipeline and at runtime, looking at front- and back-end open-source components from both the inside and outside. Dynamic SCA can use a binary or combined approach of scanning artifacts and recognizing components with known vulnerabilities. The vulnerabilities’ remediation can then be prioritized depending on importance.
What are the benefits of dynamic SCA?
Dynamic SCA tools can surface vulnerable components at runtime that a manifest or binary scan did not report. A runtime SBOM provides visibility into what is actually in use when the system is running, including whether each component is active and which parts of it are exercised. Prioritizing findings on that basis tells a team which vulnerabilities are actually reachable at runtime and therefore likely to be exploitable.
Because dynamic SCA observes the running application, it also reduces the false-positive noise that static SCA tools deliver for declared-but-unused dependencies. Dynamic SCA can also continuously check license compliance for the components that are actually in use, which is otherwise very hard to track over time.
These continual data updates from dynamic SCA benefit many of the organization’s stakeholders, including DevOps and engineering. Another benefit is that, because Contrast SCA keeps an up-to-date list of active dependencies, users of the Contrast platform are notified when new vulnerabilities are reported for a listed dependency, without having to perform any new scans.
What does Contrast SCA analyze and protect?
Contrast Security offers SCA capabilities both in the code repository and in application runtime, providing full SCA testing coverage across the entire software development lifecycle. As a shared service across the Contrast Runtime Security Platform, Contrast SCA provides third-party software visibility without deploying any additional tooling.
By using a single platform for both static SCA analysis and runtime SCA analysis and protection, Contrast SCA not only detects vulnerabilities in packages that are declared as dependencies in code repositories; Contrast’s dynamic SCA also determines whether those packages are actually being used by the application at runtime, down to the class, module or file. The former is done by analyzing project manifests. The latter is done by leveraging agent technology to observe whether a package’s classes were loaded into memory during application runtime, within the scope of Contrast’s interactive application security testing (IAST).
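The reconciliation that the static-versus-dynamic discussion above and this paragraph both describe, as an added example (not Contrast's agent or platform code): compare what the manifest declares with what the running process actually loaded, sort every package into active, declared-but-unused, or loaded-but-undeclared, and order findings by that runtime reachability. The declared package list, the captured set of loaded modules and the findings are constructed; Python's import table (sys.modules) stands in for the class-loading events a JVM or .NET agent would observe.

```python
"""Declared versus actually loaded: reconciling a manifest with runtime
observation.

Added example for this page; it is not Contrast's agent code. The declared
package list, the observed module set and the findings below are constructed,
and sys.modules stands in for the class-loading events a runtime agent sees.
"""
import sys


def loaded_top_level_modules() -> set:
    """Runtime observation: top-level names of every module imported so far.
    Standard-library and private names are excluded so the result only lists
    third-party code (sys.stdlib_module_names exists on Python 3.10+; older
    interpreters fall back to no filtering). A real agent hooks class loading
    or the import machinery continuously instead of taking one snapshot."""
    stdlib = getattr(sys, "stdlib_module_names", frozenset())
    names = {name.split(".", 1)[0] for name in sys.modules}
    return {n for n in names if n not in stdlib and not n.startswith("_")}


def reconcile(declared: set, loaded: set) -> dict:
    """Split packages into the three buckets the text describes:
    active            declared and loaded -> real exposure, fix first
    declared_unused   in the manifest but never loaded -> static-only noise
    loaded_undeclared loaded but absent from the manifest -> a manifest-only
                      scan misses these (vendored, transitive, dynamic)"""
    return {
        "active": declared & loaded,
        "declared_unused": declared - loaded,
        "loaded_undeclared": loaded - declared,
    }


def prioritize(findings: list, buckets: dict) -> list:
    """Order vulnerability findings by runtime reachability: active components
    first, then loaded-but-undeclared, then declared-but-unused. Each finding
    is a dict with at least 'component' and 'id'."""
    rank = {}
    for name in buckets["active"]:
        rank[name] = 0
    for name in buckets["loaded_undeclared"]:
        rank[name] = 1
    for name in buckets["declared_unused"]:
        rank[name] = 2
    return sorted(findings, key=lambda f: (rank.get(f["component"], 3), f["id"]))


# Constructed scenario: what the manifest says vs. what the process loaded.
DECLARED = {"netutil", "yamlkit", "templ", "httpclient"}
OBSERVED = {"netutil", "templ", "vendoredcrypto"}  # yamlkit never loaded; vendoredcrypto undeclared
FINDINGS = [  # placeholder advisory IDs, not real ones
    {"component": "yamlkit", "id": "EXAMPLE-0002"},
    {"component": "netutil", "id": "EXAMPLE-0001"},
    {"component": "vendoredcrypto", "id": "EXAMPLE-0004"},
]


def demo() -> list:
    """Run the constructed scenario end to end and return the ordered findings."""
    return prioritize(FINDINGS, reconcile(DECLARED, OBSERVED))


if __name__ == "__main__":
    print(reconcile(DECLARED, OBSERVED))
    for finding in demo():
        print(finding)
    print("third-party modules loaded in this process:", sorted(loaded_top_level_modules()))
```

In the constructed scenario the manifest-only view would rank the critical yamlkit finding first, but yamlkit was never loaded, while vendoredcrypto, which a manifest scan cannot see at all, is live in the process. The runtime view moves netutil and vendoredcrypto to the top and demotes yamlkit to noise, which is the prioritization benefit the page attributes to runtime SCA.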
Contrast SCA also provides support for GitHub, Bitbucket and GitLab and empowers customers to choose the platform that best meets their needs, unlocking flexibility and control.