|

SCA is good, but app sec needs to evolve to tackle software supply chain security

Software teams are facing growing supply chain complexity and threats. Here's why app sec teams need to go beyond open source licensing and vulnerabilities, to malware and behavior analysis

Matt Rose
Blog Author

Matt Rose, Field CISO at ReversingLabs. Read More...

sca-supply-chain-security-matt-rose

Software Composition Analysis (SCA) tools have become a must-have for software engineering and application security teams, largely because of the increased use of open-source and third-party software. Open-source software (OSS) use in applications is estimated to range from 40% to more than 80%.

OSS has become an essential part of modern software, including DevOps and cloud-native software development, and is on the rise with the wide use of software repositories and newer AI tools like Github's Copilot, which leverages OSS repositories. This reliance on OSS obviates then need for open-source software management of licensing and vulnerabilities.

Visibility into licensing is key, because while OSS is free to use, use can be restricted. For example, a license may allow code to be used for free, as long as it's not used in a commercial product. If it is used in a commercial product, then a license might require that royalties be paid to the open-source software project to help maintain it.

SCA tools can also identify vulnerabilities in open-source software dependencies, which can be a complex task because open-source developers often share code with other open-source developers. Project A may use code from project B that uses the code from project C. So if a developer includes project A in an application, projects B and C will be in included, but the software development team may not be aware of it, nor will they be aware should a vulnerability pop up in project B or C. 

The new Forrester Software Composition Analysis Landscape Q1 2023 report seeks to make sense out of what's becoming an increasingly complicated SCA tools marketplace. Here's what you need to know about the state of SCA tools — and why the complexity of  modern software development and related threats demand going beyond SCA with a comprehensive software supply chain security approach.

[ Related ReversingGlass: SCA is good. Software supply chain security is better | Special Report: The Evolution of Application Security Get Forrester's Software Composition Analysis Landscape, Q1 2023 Report ]

SCA is good, but supply chain threats demand more

In recent years, the need to identify and address open source software vulnerabilities has become painfully apparent because of a number of high-profile vulnerability disclosures, such as the one in the widely used Apache Log4j2 utility. The flaw was actually introduced in 2013, but it wasn't discovered until November 2021. And despite all the efforts to clean up the problem, around 25% of all daily Log4j downloads still contain vulnerable versions of the software's libraries.

In addition to concerns about open source software security, governments are also making SCA tools a must-have for organizations. Concerned about software supply chain security, governments are encouraging organizations to embrace SCA tools that provide visibility into the applications and software they develop, embed, package, assemble, and buy.

The increased demand for SCA tools has forced a lot of "me-too" companies to come out of the woodwork and put their spin on SCA and scanning of open source software packages. If something is hot, and people see an opportunity to generate more revenue by adding a capability, they will do it.

The 16-page Forrester Software Composition Analysis Landscape Q1 2023 report includes charts analyzing more than 20 SCA vendors, their geographic and industry focus, and the types of products they offer, as well as the extended services offered by some of the vendors, such as open source component health and package integrity, policy management, remediation, reporting and analytics, and container, serverless and Infrastructure as Code (IaC) scanning.

Understand SCA tools, and how app sec is evolving

The report also alerts security and application development leaders about important dynamic areas in the SCA market. One such area is the expansion of SCA capabilities to protect software supply chains and select healthy open-source libraries.

The market demanding greater flexibility from SCA solutions, so reports and data can be used by a variety of stakeholders in an organization, including lawyers, security analysts, developers, auditors, customers, and C-level executives.

Government will be another driver. Forrester sees federal involvement as a top disrupter, driving transparency through the use of Software Bills of Material (SBOMs). The federal government has been driving the use of SBOMs, first with Executive Order 14028 in May 2021, and later with guidance in February 2022 from U.S. Department of Commerce’s National Institute of Standards and Technology (NIST).

Although the executive order and guidance don't require an SBOM, they make it clear that if you want to do business with the federal government, you're going to have to tell it what's in your software, with the implication that the best way to do that is with an SBOM. After SBOM use becomes widespread in the federal government, it's likely the private sector will start demanding them, too.

Gartner expects adoption of SBOMs to increase from 5% in 2022 to 60% in 2025, prompting the research firm to suggest software development organizations be prepared to provide their customers with SBOMs if they want to remain competitive in their software markets.

Supply chain threats demand going beyond traditional app sec

As critical as SCA tools are for securing software supply chains, they are only part of the picture. All too often, organizations equate SCA to software supply chain security. SCA is important to software supply chain security, but it's only a facet of it — the facet that deals with open-source packages. An SBOM can contain information above and beyond just open-source package information.

Software supply chain security needs to be recognized for what it has become: A separate discipline within the application security ecosystem.

It's surprising that SCA and software supply chain security are still seen as the same thing. As Forrester points out, SCA is a foundational part of any security program to protect a software supply chain, but SCA alone is not enough. SCA and application security testing tools only look at a narrow set of risks associated with code. Software supply chain security is a much bigger problem than that.

Threat actors aren't limited to compromising software repositories when attacking a software supply chain — and neither should defenders limit themselves to code analysis when protecting the SSC.  A modern software supply chain security platform needs to protect both infrastructure and applications — and shift the emphasis from vulnerabilities to malware. Binary analysis allows deeper visibility for teams to ensure their software is secure by focusing on how code behaves, regardless of where it came from.

Software supply chain security needs to be recognized for what it has become: A separate discipline within the application security ecosystem.

See Matt Rose's related ReversingGlass for a discussion about how software composition analysis (SCA) needs to evolve to focus on malware vs vulnerabilities, for one.

 

[ See Special Report: The Evolution of Application Security Get Forrester's Software Composition Analysis Landscape, Q1 2023 Report ]

See our Evolution of Application Security special report to learn how app sec is evolving to tackle supply chain security. Plus: Explore how ReversingLabs Software Supply Chain Security — and its new secrets capabilities — can help your team modernize its approach.