Sonatype

Software Composition Analysis-Curious in Shreveport


Dear Sloan,
By now, most everyone is aware of the 2021 Cybersecurity Executive Order signed by President Biden. Since then, I’ve been hearing a lot about “software composition analysis”, which seems related. What’s the correlation?

Thank you,

SCA-Curious in Shreveport


Great question, Software Composition Analysis-Curious in Shreveport!

I get really excited when someone asks me questions related to open source software (OSS) risk. It means that they are thinking proactively about minimizing their applications’ risk. And that is precisely the context surrounding your question.

First, a Definition of “Software Composition Analysis”

Let’s start by defining “software composition analysis”, or SCA. This is an automated process in which analysis tools comb through an app’s open source components, their dependencies, and their license requirements, looking for red flags or causes for concern. I picture Sherlock Holmes if he’d had a microscope. Software composition analysis tools exist for basically every format, including container images, binary packages, manifest files, and the source code itself.

SCA identifies and manages risk brought into an application from malicious OSS components. The statistics reflect the serious nature of this work. According to the 8th Annual State of the Software Supply Chain report, open source software appears in approximately 90% of modern codebases. The report also indicates that developers download nearly 1.2 billion vulnerable open source dependencies in a single month. It’s certainly easy to appreciate the work and value of SCA.

I cannot emphasize enough the benefits of software composition analysis:

  • Since it’s an automated process, teams can produce higher-quality code faster;
  • SCA tools enable development teams to take a proactive approach to risk management – and this happens early in the development process to minimize possible dreaded rework;
  • Reviewing SCA-generated information allows developers to choose safer components, resulting in more secure code;
  • Development teams know with certainty what is in their app – the good, the bad, and the ugly – which is simply a good practice.

It’s a win-win scenario for development teams and the apps they create. It provides them a certain level of assurance in the background while they are working.

So, Back to Your Original Question…

Software composition analysis tools help development teams fulfill the Executive Order’s requirements. President Biden’s Cybersecurity Executive Order states that anyone supplying software to the nation’s software supply chains must provide a software bill of materials (SBOM). An SBOM is akin to the itemized list of contents in a package you receive in the mail, except that an SBOM lists all the contents of an application. This establishes a foundation of transparency throughout the software supply chain.
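To make the definition concrete, here is a small example of the kind of check an SCA tool automates over an SBOM. It is added here for illustration and is not Sonatype’s tooling or code from the column: it reads a constructed CycloneDX-shaped SBOM, then flags components that match a constructed advisory list or a denied-license policy. The SBOM, component names, advisory identifiers and license policy are all made up.

```python
"""Minimal SCA-style check over a CycloneDX-shaped SBOM (constructed sample data)."""
import json

# Constructed SBOM in CycloneDX JSON shape. Component names and versions are invented.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-http-client", "version": "1.2.3",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "example-yaml-parser", "version": "0.9.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "example-logging", "version": "2.0.0",
         "licenses": []},
    ],
})

# Constructed advisory feed: versions strictly below "fixed_in" are considered affected.
# A real SCA tool pulls this from vulnerability databases; these entries are placeholders.
ADVISORIES = [
    {"name": "example-yaml-parser", "fixed_in": "1.0.0", "id": "ADVISORY-PLACEHOLDER-1"},
]

# Licenses a hypothetical organisation does not allow in shipped applications.
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


def parse_version(version):
    """Turn a dotted numeric version string into a comparable tuple, e.g. '0.9.1' -> (0, 9, 1)."""
    return tuple(int(part) for part in version.split("."))


def analyse_sbom(sbom_json, advisories=ADVISORIES, denied=DENIED_LICENSES):
    """Return a list of findings; each finding names the component, its version and the issue."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom.get("components", []):
        name, version = comp["name"], comp["version"]
        license_ids = [entry["license"]["id"] for entry in comp.get("licenses", [])
                       if "license" in entry and "id" in entry["license"]]
        if not license_ids:  # undeclared license is itself a red flag worth reviewing
            findings.append({"component": name, "version": version, "issue": "no license declared"})
        for lic in license_ids:
            if lic in denied:
                findings.append({"component": name, "version": version, "issue": f"denied license {lic}"})
        for adv in advisories:
            if adv["name"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({"component": name, "version": version, "issue": f"known issue {adv['id']}"})
    return findings
```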

The Final Word

I know what you’re thinking — “So, a software composition analysis process not only protects me proactively from open source risks but it also helps me to fulfill newly established legal requirements AND provides greater transparency into my app? Sloan, that’s fantastic!”

Yep. Pretty amazing, huh?

I hope this has answered your question. Now go do some SCA-ing! And in the meantime, be sure to check out our guide on “What is Software Composition Analysis?”

David

Great article, thanks Sloan!

Michael

Well written article. Definitely something I can share with the development teams to share why this is important.