Developers Need Smarter SCA Tools to Fight Software Supply Chain Attacks

I've written a lot about third-party vulnerabilities in the context of Web security - but if it's hard to track and identify vulnerable code across Web surfaces, the problem is even more challenging for traditional software and SaaS.

Developers are all too aware of this, because they are stuck with software composition analysis (SCA) tools that render too many false positives, and aren't smart enough to find stacked or modified instances of an open source software (OSS) dependency in their codebase.

When the Log4Shell vulnerability was disclosed in December of 2021, companies quickly realized that scanning to find every instance of the main component (Log4j) would be a nightmare - at least 35,000 Java packages were impacted, affecting an even higher number of systems and platforms.

SBOMs are Only as Good as the Scan

Things aren't getting any easier. While Log4Shell is behind us, software supply chain attacks involving third-party components are not: last year they increased by over 600%.

Faced with the looming threat presented by foreign cyber actors, it's no wonder the government is requiring agencies to obtain software bills of material (SBOMs) from their vendors. In theory, SBOMs will provide transparency and oversight into all third-party binaries incorporated into a developer's software.

But in reality, SBOMs are only as good as the manual and automatic processes companies use to continually vet their own code - and that's where smarter SCA becomes an absolute necessity.

What Does Smarter SCA Mean?

To make SCA more effective, companies building AppSec solutions need to prioritize three simple outcomes:

1. Lower rate of false positives - false positives represent noise that slows developers down and prevents real issues from being fixed. As Loic Joly from SonarSource argues, a limited number of false negatives can be less disruptive and dangerous than too many false positives.
2. Pattern recognition - SCA based on code matching will only find components integrated into your software stack without modification. Pattern recognition and intelligent analysis is needed for components that have been modified in irregular ways.
3. Integrated platform - ultimately, SCA is only one aspect of software security analysis. Developers should have access to SCA, OSS detection and Static Application Security Testing (SAST) features from within the same platform, allowing them to collect and combine security insights.

While these are not the only factors behind effective code scanning for third-party vulnerabilities, they are a big step in the right direction.

A New Generation of SCA Tools

While big names in the SCA space - such as Checkmarx and Veracode - have struggled to keep up with the needs of developers, newcomers are working to make a difference. The Apona platform - formerly Labrador OSS - claims to utilize intelligent pattern recognition and deep scanning across file, component, and function levels to detect modified OSS components with close to 100% accuracy.

Conclusion

We can only hope that more companies in the SCA space will innovate for better accuracy. Faced with challenges from cyber actors, regulators and increasingly concerned customers, developers need all the help they can get. Accurate inventory of OSS and third-party components already make a big difference for competitiveness marketing opportunities - but soon it will just be a necessity of selling software products.