I've written about third-party vulnerabilities in the context of Web security - but if it's hard to track and identify vulnerable code across Web surfaces, the problem is even more challenging for traditional software and SaaS. Developers are all too aware of this, because they are stuck with software composition analysis (SCA) tools that render too many false positives, and aren't smart enough to find stacked or modified instances of an open source software (OSS) dependency in their codebase.

When the Log4Shell vulnerability was disclosed in December of 2021, companies quickly realized that scanning to find every instance of the main component (Log4j) would be a nightmare: at least 35,000 Java packages were impacted, affecting an even higher number of systems and platforms.

SBOMs are Only as Good as the Scan

Things aren't getting any easier. While Log4Shell is behind us, software supply chain attacks involving third-party components are not: last year they increased by over 600%. Faced with the looming threat presented by foreign cyber actors, it's no wonder the government is requiring agencies to obtain software bills of materials (SBOMs) from their vendors. In theory, SBOMs will provide transparency and oversight into all third-party binaries incorporated into a developer's software.

But in reality, SBOMs are only as good as the manual and automatic processes companies use to continually vet their own code - and that's where smarter SCA becomes an absolute necessity.

What Does Smarter SCA Mean?

To make SCA more effective, companies building AppSec solutions need to prioritize three simple outcomes:

- Lower rate of false positives - false positives represent noise that slows developers down and prevents real issues from being fixed. As Loic Joly from SonarSource argues, a limited number of false negatives can be less disruptive and dangerous than too many false positives.
- Pattern recognition - SCA based on code matching will only find components integrated into your software stack without modification. Pattern recognition and intelligent analysis are needed for components that have been modified in irregular ways.
- Integrated platform - ultimately, SCA is only one aspect of software security analysis. Developers should have access to SCA, OSS detection and Static Application Security Testing (SAST) features from within the same platform, allowing them to collect and combine security insights.

While these are not the only factors behind effective code scanning for third-party vulnerabilities, they are a big step in the right direction.

A New Generation of SCA Tools

While big names in the SCA space - such as Checkmarx and Veracode - have struggled to keep up with the needs of developers, newcomers are working to make a difference. The Apona platform - formerly Labrador OSS - claims to utilize intelligent pattern recognition and deep scanning across file, component, and function levels to detect modified OSS components with close to 100% accuracy.

Conclusion

We can only hope that more companies in the SCA space will innovate for better accuracy. Faced with challenges from cyber actors, regulators and increasingly concerned customers, developers need all the help they can get. An accurate inventory of OSS and third-party components already makes a big difference for competitiveness and marketing opportunities - but soon it will simply be a necessity of selling software products.
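The "Pattern recognition" point above (exact code matching misses a dependency once someone has patched or re-indented it, while function-level fingerprinting still recognizes the unchanged parts) can be shown with a small script. This is an added example, not code from the post or from any SCA product it mentions; the two source snippets are constructed, and the normalization (strip comments, collapse whitespace, hash each `def` block) is a deliberately simple stand-in for real pattern recognition.

```python
import hashlib
import re

# Constructed sample inputs (not real library code): the upstream copy of a
# small OSS module and a vendored copy that a team patched and re-indented.
UPSTREAM = """\
def parse_header(line):
    key, _, value = line.partition(":")
    return key.strip(), value.strip()
def render(template, env):
    return template.format(**env)
"""
MODIFIED = """\
# vendored copy, patched locally
def parse_header(line):
  key, _, value = line.partition(":")  # unchanged logic, re-indented
  return key.strip(), value.strip()
def render(template, env):
    # local patch: accept any mapping, not just a dict
    return template.format_map(env)
"""

def file_fingerprint(src: str) -> str:
    """Whole-file hash: the exact match that code-matching SCA relies on."""
    return hashlib.sha256(src.encode()).hexdigest()

def function_fingerprints(src: str) -> dict:
    """Map function name -> hash of its comment- and whitespace-normalized body."""
    fps = {}
    for chunk in re.split(r"(?m)^(?=def )", src):
        if not chunk.startswith("def "):
            continue  # module prelude or comments before the first def
        name = re.match(r"def (\w+)", chunk).group(1)
        body = re.sub(r"#.*", "", chunk)  # drop comments
        body = " ".join(body.split())      # collapse indentation/whitespace
        fps[name] = hashlib.sha256(body.encode()).hexdigest()
    return fps

def matches_by_file(known: str, candidate: str) -> bool:
    return file_fingerprint(known) == file_fingerprint(candidate)

def match_ratio_by_function(known: str, candidate: str) -> float:
    """Fraction of the known component's functions found unchanged in the candidate."""
    known_fps = function_fingerprints(known)
    found = set(function_fingerprints(candidate).values())
    return sum(fp in found for fp in known_fps.values()) / len(known_fps)

if __name__ == "__main__":
    print("file-level match:", matches_by_file(UPSTREAM, MODIFIED))  # False
    print("function-level ratio:", match_ratio_by_function(UPSTREAM, MODIFIED))  # 0.5
```

The whole-file hash reports no match at all, so a file-level scanner would leave the vendored copy out of the SBOM; the function-level view still ties half of the module back to the known component, which is enough to flag it for review.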