I've written a lot about third-party vulnerabilities in the context of Web security - but if it's hard to track and identify vulnerable code across Web surfaces, the problem is even more challenging for traditional software and SaaS.
Developers are all too aware of this, because they are stuck with software composition analysis (SCA) tools that produce too many false positives and aren't smart enough to find stacked (nested or shaded) or modified instances of an open source software (OSS) dependency in their codebase.
When the Log4Shell vulnerability was disclosed in December of 2021, companies quickly realized that scanning to find every instance of the main component (Log4j) would be a nightmare - at least 35,000 Java packages were impacted, affecting an even higher number of systems and platforms.
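To show why a filename-level inventory misses stacked copies of a component, here is an added illustration (example code, not part of the original post or any vendor's product). It builds a constructed WAR in memory that nests a renamed log4j-core jar, which itself nests a shaded copy, and compares a naive name match against a content scan that walks into nested archives looking for the `JndiLookup.class` entry that Log4Shell scanners keyed on; treating that class as the sole indicator is an assumption for brevity.

```python
import io
import zipfile

# Class whose presence marks a Log4j 2 core build that still carries the JNDI lookup
# (the class removed by the Log4Shell mitigation). Assumption: presence alone is treated
# as a hit here; a real scanner would also read the bundled version metadata.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_archive(data: bytes, path: str = "<root>") -> list[str]:
    """Recursively walk a JAR/WAR/EAR held in memory and return every nested location
    of JndiLookup.class, so stacked (nested or shaded) copies are not missed."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # entry named like an archive but not actually a zip
    with zf:
        for name in zf.namelist():
            if name == JNDI_LOOKUP:
                hits.append(f"{path}!{name}")
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                hits.extend(scan_archive(zf.read(name), f"{path}!{name}"))
    return hits


def name_only_inventory(data: bytes) -> list[str]:
    """What a naive, top-level, filename-matching inventory would report."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if "log4j" in n.lower()]


def build_sample() -> bytes:
    """Constructed input: a WAR with a vendored log4j-core copy under a neutral name,
    which in turn embeds a shaded copy. No entry name contains 'log4j' on purpose."""
    def make_zip(entries: dict[str, bytes]) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for entry_name, content in entries.items():
                zf.writestr(entry_name, content)
        return buf.getvalue()
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; constructed placeholder
    shaded = make_zip({JNDI_LOOKUP: fake_class, "META-INF/MANIFEST.MF": b""})
    vendored = make_zip({"com/example/internal-logging.jar": shaded, JNDI_LOOKUP: fake_class})
    return make_zip({"WEB-INF/lib/utils-1.0.jar": vendored, "index.html": b"<html/>"})


if __name__ == "__main__":
    sample = build_sample()
    print("filename inventory:", name_only_inventory(sample))  # prints []
    print("content scan:", scan_archive(sample))  # prints two nested hit paths
```

The name-based inventory reports nothing, while the content scan reports both copies with their full nesting path, which is exactly the "stacked instance" case the text describes.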
Things aren't getting any easier. While Log4Shell is behind us, software supply chain attacks involving third-party components are not: last year they increased by over 600%.
Faced with the looming threat presented by foreign cyber actors, it's no wonder the government is requiring agencies to obtain software bills of material (SBOMs) from their vendors. In theory, SBOMs will provide transparency and oversight into all third-party binaries incorporated into a developer's software.
But in reality, SBOMs are only as good as the manual and automatic processes companies use to continually vet their own code - and that's where smarter SCA becomes an absolute necessity.
To make SCA more effective, companies building AppSec solutions need to prioritize three simple outcomes:
While these are not the only factors behind effective code scanning for third-party vulnerabilities, they are a big step in the right direction.
While big names in the SCA space - such as Checkmarx and Veracode - have struggled to keep up with the needs of developers, newcomers are working to make a difference. The Apona platform - formerly Labrador OSS - claims to utilize intelligent pattern recognition and deep scanning across file, component, and function levels to detect modified OSS components with close to 100% accuracy.
We can only hope that more companies in the SCA space will innovate for better accuracy. Faced with challenges from cyber actors, regulators and increasingly concerned customers, developers need all the help they can get. An accurate inventory of OSS and third-party components already makes a big difference for competitiveness and marketing opportunities - but soon it will simply be a necessity for selling software products.