Products & Technology, February 24, 2025

SCA Is No Longer Relevant: Insights From the Founder of Black Duck

The future of application security requires a shift beyond traditional tools.

Doug Levin, Member, Board of Directors at ReversingLabs

I founded Black Duck Software in December 2002, and served as its first CEO for many years. Black Duck has long been recognized as a pioneer in open-source compliance and vulnerability management. Since its inception, it has played a pivotal role in shaping the software composition analysis (SCA) industry. My deep history with Black Duck, combined with my early contributions to the SCA space, provides me with a unique perspective on the evolving challenges facing application security (AppSec).

A New Era of Software Supply Chain Attacks

The landscape of cyber threats has shifted. The rise of sophisticated attacks, such as those targeting SolarWinds Orion and 3CX, demonstrates that adversaries are no longer simply exploiting software vulnerabilities: they are infiltrating development pipelines and injecting malicious code into trusted software before it even reaches end users.

Today’s software supply chain threats extend well beyond outdated open-source packages with known, exploitable Common Vulnerabilities and Exposures (CVEs), which are the focus of traditional SCA tools and an area in which they have historically excelled. Attackers are now leveraging weaknesses in continuous integration/continuous delivery (CI/CD) pipelines, open-source package repositories, and code-signing mechanisms, as well as closed-source, third-party software modules, to compromise software integrity before it is even deployed.

This evolving threat landscape requires organizations to expand their AppSec focus. Visibility must extend beyond open-source dependencies and licensing issues to include build artifacts, proprietary code, and third-party applications.

The Gap in Traditional SCA

The reality today is that most SCA solutions have not kept pace with the changing threat landscape, leaving organizations exposed to risks they simply cannot detect. Despite the rapid evolution of software supply chain threats, many SCA vendors continue to concentrate on known vulnerabilities in open-source libraries, often overlooking the more pressing risks posed by sophisticated code tampering and malware injection.

While the generation of software bills of materials (SBOMs) remains valuable, it is not sufficient to eradicate software supply chain threats, especially when it covers only the open-source components. Modern applications are composed of a complex mix of proprietary, third-party, and open-source components, along with machine learning (ML) model training data, compiled binaries, and other critical build artifacts. AppSec solutions must evolve to meet the demands of these complex supply chains.

This gap between tools and threats leaves many organizations blind to deeply embedded risks within their software supply chains. Attackers recognize these blind spots and exploit them effectively. The leading SCA firms have been slow to adapt. Instead, the commoditization of SCA tools, combined with a lack of critical investment in innovation, has resulted in flagging demand and market shifts, producing a storm of spin-offs and acquisitions that highlight the SCA sector’s quandary and the urgent need for a new approach.

Why a Modern Software Supply Chain Security Strategy Is Required

To effectively secure modern software, organizations must prioritize a holistic, forward-thinking AppSec strategy, one that goes beyond licensing concerns and static vulnerability scanning.

The future of AppSec requires:

  • Proactive Detection of Malware and Tampering: Organizations must establish rigorous standards for detecting malware, ransomware, and Advanced Persistent Threats (APTs). Security measures should focus on identifying tampering, malicious code injection, and vulnerabilities actively exploited in the wild.
  • Transparency and Verifiable Security Assurance: Software vendors and users must collaborate on security reporting that offers granular transparency. This includes detailed software change tracking, SBOMs, and VEX reports, as well as third-party verification mechanisms that assess software security, safety, and quality.
  • Visibility Beyond Source Code: Effective security analysis should extend to compiled binaries, third-party components, and development artifacts, ensuring the integrity of software even when source code is unavailable.
  • Automated, Scalable Threat Analysis: Security solutions must integrate seamlessly with development workflows, offering automated assessments that do not impede productivity. Organizations need tools that provide rapid, scalable insights into software integrity.
  • Pre-Deployment and Post-Build Security Verification: Both software producers and end users must be equipped to detect unauthorized modifications across all components, scanning software packages before deployment to prevent the distribution of malicious code.
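As an added illustration of the last two items (post-build verification and detecting unauthorized modifications before deployment), the following Python snippet is example code written for this page, not ReversingLabs, Spectra Assure, or Black Duck code. It records a SHA-256 manifest of every file in a build output tree at build time and re-checks the tree before deployment, reporting files that were modified, added, or removed in between. The directory layout, file contents, and the tampering step are constructed for the demo; in practice the manifest would be signed and stored outside the build output so that an attacker who can alter the artifacts cannot also rewrite the manifest.

```python
"""
Post-build integrity manifest: hash a build's output tree at build time,
then verify it before deployment and report any drift. Added example for
this page; not vendor code. All paths and contents below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root; keys are POSIX-style paths relative to root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_manifest(root: Path, expected: dict) -> dict:
    """Compare the on-disk tree against the build-time manifest and classify each difference."""
    actual = build_manifest(root)
    return {
        "modified": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
        "added": sorted(set(actual) - set(expected)),
        "removed": sorted(set(expected) - set(actual)),
    }


def is_clean(report: dict) -> bool:
    """True when the pre-deployment tree matches the build-time manifest exactly."""
    return not (report["modified"] or report["added"] or report["removed"])


def demo() -> tuple:
    """Constructed scenario: a build emits three files; a later step alters the tree.

    Returns (report_before_tampering, report_after_tampering)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF constructed binary placeholder")
        (root / "lib").mkdir()
        (root / "lib" / "helper.so").write_bytes(b"constructed shared object")
        (root / "README").write_text("constructed release notes\n")

        manifest = build_manifest(root)            # captured at build time
        before = verify_manifest(root, manifest)   # immediate re-check: no drift expected

        # Simulated post-build modification between build and deploy (constructed):
        # one library rewritten, one unexpected file added, one file dropped.
        (root / "lib" / "helper.so").write_bytes(b"constructed shared object with extra bytes")
        (root / "bin" / "extra").write_bytes(b"constructed unexpected file")
        (root / "README").unlink()
        after = verify_manifest(root, manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean before:", is_clean(before))
    print("drift after :", after)
```

The check is deliberately content-based rather than timestamp- or size-based, since an attacker who replaces a binary can trivially preserve both; what it cannot do without detection is preserve the SHA-256 of the original. A deployment gate built on this would refuse to ship when `is_clean` is false and hand the `modified` and `added` lists to a malware-analysis step for triage.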

The Path Forward for Managing Software Risk

Securing software supply chains today requires real-time, comprehensive visibility across all application components — not just open-source dependencies. Organizations must rethink their security priorities and invest in solutions that address today’s threats, not just yesterday’s vulnerabilities.

That is why ReversingLabs, a company at the forefront of modern AppSec, caught my attention. ReversingLabs is pioneering solutions that provide deep insights into software integrity, offering organizations the tools they need to detect and mitigate emerging threats. For companies looking to secure their software supply chains with cutting-edge technology, ReversingLabs Spectra Assure represents a powerful step forward. That is why I am honored to serve on the Board of Directors at ReversingLabs, as well as several other AI, security, anti-fraud and blockchain technology companies.

The future of AppSec lies in adaptability, innovation, and a proactive stance against emerging threats. Organizations that embrace these principles will not only enhance their security posture, but also build greater trust with their customers and partners in an increasingly complex digital world.

For more of Doug Levin's perspectives, see his Substack.
