Most modern applications are developed and built using many 3rd party components and libraries, some of which are licensed and maintained as open source. These components are assembled together and integrated with custom developed code and business logic as part of the integration and build processes. In a sense, these 3rd party components are some of the key building blocks of any modern application, and enable development teams to quickly deliver sophisticated functionality and speed up time-to-market.
While the benefits of using open source 3rd party components are obvious, organizations essentially introduce risk and have to be responsible for vulnerabilities that are introduced via someone else’s code.
Software Composition Analysis (SCA) is the process of identifying known vulnerabilities in 3rd party open source software components.
We certainly hope that the answer to the question above is - No! After all, your applications are unique, and implement your own organization’s business logic. As such, your applications contain plenty of custom built code, which was developed in-house by your own teams.
SCA scanners are great at flagging known (published) vulnerabilities in open source software. These are known weaknesses that have already been indexed in public repositories such as MITRE’s CVE and the NIST National Vulnerability Database (NVD). As such, they cannot possibly detect any vulnerabilities in your own custom code, such as SQL Injection, Cross-Site Scripting, Path Traversal or OS command injection, which were inadvertently introduced into your application by the non-security savvy developers.
While you might have read or heard that SCA vendors claim that open source software makes up anywhere between 50% - 90% of all modern software, you have to remember that they are trying to sell you a tool that is 100% focused on open source software scanning, so you can’t really blame them. And even if you were to accept these statistics - SCA solutions alone will never provide accurate and thorough scanning of your own cloud-native applications, which are composed of dozens of in-house developed microservices, suited specifically for your own needs and implementing your own business logic.
Should your development team use Software Composition Analysis (SCA) as part of your overall security best-practices? Definitely! There’s really no doubt about it. Your applications probably contain large amounts of 3rd party open source software, and some of it probably contains vulnerabilities - all software does.
But, would SCA be enough to give you the peace of mind and assurance that your own applications don’t contain application layer vulnerabilities? Not likely. Claiming that SCA will save your cloud-native applications from all vulnerabilities, is essentially burying your head in the sand.
I welcome you to see Oxeye's cloud native application security testing in action.