Software composition analysis and the evolution of application security

Cybersecurity is decades-old, but emerging threats targeting the software supply chain have caused a massive shift in practices to create new and improved tools that address these rapidly growing problems. While dating back several decades, software supply chain attacks were pushed to the forefront in recent years as a result of incidents such as SolarWinds SunBurst and Log4j.

The growing threat of these attacks, has demanded industry change, which was ignited in May 2021 U.S. Executive Order on Improving the Nation’s Cybersecurity (EO). In the EO, securing the software supply chain was made a top priority and was followed by several other federal guidelines and mandates on software security best practices. Best practices in this area are constantly evolving, making it essential that vendors embrace these changes in the solutions they provide.

In Forrester’s newest report, The Software Composition Analysis Landscape, Q1 2023, Software Composition Analysis (SCA), a software security tool category, is named an “established” market, and key solution to adopt in 2023. ReversingLabs was listed alongside 22 other SCA vendors in the report, which was made so that “security and app dev (application development) leaders” can assess which SCA vendor is right for their organization, Forrester says.

Here are key highlights from Forrester’s SCA tools landscape report, as well as some analysis of the state of SCA.

Get Forrester's Software Composition Analysis Landscape, Q1 2023 Report

What is Software Composition Analysis (SCA)?

Forrester’s report defines SCA as “products that scan an application without executing it to generate an inventory of all the open source and third-party components.” In addition to gaining visibility into an app’s components via a Software Bill of Materials (SBOM), SCA reduces license, vulnerability, and operational risk in an app. It also applies consistent open source policies in the software development lifecycle (SDLC).

Forrester sees SCA as being a fundamental tool for an organization looking to transform its development, security, and operations (DevSecOps) approach in securing the software supply chain. Because SCA is automated and integrated into the SDLC, it gives developers timely feedback on an app’s vulnerabilities and license risks. SCA also provides devs with the guidance to prioritize and remediate findings early in an app’s lifecycle, where they are the most cost-effective and easiest to remediate.

The state of the Software Composition Analysis market

According to Forrester’s report, it’s expected that SCA’s place in the software security market will either reach parity with Dynamic Application Security Testing (DAST), a traditional app sec tool, or will surpass it in the market by 2025.

There are many vendors that provide SCA, such as the 23 Forrester lists in its report. Forrester’s report aims to differentiate these 23 options so that organizations looking to transform their DevSecOps processes can choose the best option for them.

Forrester advises that organizations shopping for an SCA vendor keep these points in mind:

• New capabilities will best secure the software supply chain: Forrester advises that organizations should “evaluate startups that focus on a particular use case that is underserved and marketed as software supply chain security tools,” but to also “beware of lack of breadth or depth” in an SCA product.
• Serve the various perspectives in your organization: Forrester’s report asserts that “When it comes to sharing reports and data (such as an SBOM) with external stakeholders such as auditors, customers, and executives, vendors need to offer a different level of metrics, reporting, and access management.” What the SCA tool yields needs to be accessible to all of an organization’s key stakeholders.
  
• Don’t ignore federal guidelines and mandates: Forrester argues that government efforts such as the May, 2021 EO “will drive transparency” in the industry. This is why SCA vendors “must quickly pivot to new requirements and regulations” if they are to be effective in securing the software supply chain.

Keep in mind: Change is on the horizon

As the current threat landscape stands, comprehensive and versatile SCA is essential to securing the software supply chain. However, as the threat of these attacks grows, it will be important for the market as a whole to adapt its solutions to meet the improving abilities of threat actors.

The industry has taken steps in the right direction to focus on the reality of software supply chain attacks, given their rise in popularity over the past few years. However, even in the last year, the attack surface has grown, as well as the kind of attacks that organizations now need to defend against.

In ReversingLabs latest report, The State of Software Supply Chain Security 2022-23, which details the trends and best practices of 2022, it’s evident how the threat of software supply chain attacks is not only here to stay but is becoming greater in number and more complex.

Just looking at attacks on open source repositories alone shows a significant jump. For example, popular repositories npm and PyPI saw a 289% increase in the number of attacks on their platforms over the past four years. Specific to npm, ReversingLabs found that the number of malicious packages uploaded to the popular repository also jumped by more than 40% in 2022.

In addition to the number of attacks, the kinds of attacks being carried out are becoming more technical and varied. Typosquatting attacks, in which a malicious actor creates look-alike packages with names that mimic popular software packages, are an example of a newly successful attack vector. Since these typosquatted, malicious packages look legitimate, developers will download and use them by accident, making them susceptible to an attack. ReversingLabs discovered several typosquatting supply chain attacks in 2022, including IconBurst and MaterialTailwind.

ReversingLabs’ report also estimates that this year, software supply chain attacks are due to accelerate, given the steady growth seen in this attack surface over the past few years. It’s also safe to assume that new threats in this area will emerge, similar to how the industry reacted to SolarWinds, an unfamiliar kind of attack that had a wide-spread impact.

SCA must evolve

This expected growth and complexity are why the software security market has to prepare not only for what’s already out there but also for what’s to come. SCA covers many of the threats posed by software supply chain attacks today, but organizations must continually question whether or not these services they have in place are enough.

Being able to adapt tooling to the speed at which new threats arise will ultimately make the software security market successful and beneficial. As the Forrester report highlights:

Software supply chain security and selecting healthy and secure open source libraries require new capabilities.

See Special Report: The Evolution of Application Security Get Forrester's Software Composition Analysis Landscape, Q1 2023 Report