Software Composition Analysis

New Gartner Market Guide highlights the importance of Software Composition Analysis (SCA)

September 1, 2020 | in Open Source, Partners
| By Daniel Berman

The 2020 Gartner Market Guide for Software Composition Analysis (SCA) has been published, highlighting the growing importance of open source software security, and outlining recommendations for effective risk management and mitigation. 

According to the guide, more than 90% of organizations rely on open source software. There are multiple benefits explaining this reliance, but first and foremost—open source enables developers to be more productive and deliver code at a faster pace. 

This reliance introduces a significant amount of security risk. Gartner found that the primary challenge organizations face when using open source are security vulnerabilities, introduced via either direct or transitive open source dependencies. 

To overcome this challenge, Gartner highlights the growing role Software Composition Analysis (SCA) is playing in helping development and security teams successfully identify and mitigate issues. As stated in the guide, “without Software Composition Analysis, the benefits of OSS in application development can easily be overwhelmed by the risks”. 

Let’s take a closer look at the analysis and Gartner’s prescribed recommendations included in the guide. 

Open source software security recommendations

Gartner recommends organizations take the following four steps when managing and mitigating the risk posed by open source software:

  • Adding SCA tools to the application security testing toolkit – SCA tools help organizations identify security vulnerabilities and license issues in the open source components being used and must be defined as a core element of an organization’s overall AppSec strategy.
  • Securing the software supply chain – applications today are composed of different building blocks pulled in from both internal and external repositories. This supply chain has to be tested repeatedly and automatically for security issues.   
  • Establishing policies for automated enforcement – organizations need to decide upon the level of risk they can accept and enforce this across the different stages of the software development lifecycle. 
  • Positioning SCA more prominently – SCA must become an integral part of existing development workflows, with SCA tools “the default behavior, not the exception”. 

Understanding the role of SCA tools

As seen in the list of recommendations above, SCA tools are a recurring theme. The Gartner guide outlines the core functions SCA tools provide that explain why they are so important for successfully managing and mitigating the risk in open source software.

Identification of open source components 

SCA tools analyze applications and identify their reliance on open source packages, either via direct dependencies or transitive dependencies. As Snyk has shown in the past, 80% of vulnerabilities are introduced via transitive dependencies and so this function is crucial for mitigating risk effectively.  

License compliance management 

SCA tools also identify the different open source licenses being used and thus help organizations mitigate the legal risk associated with open source software. Organizations can use SCA tools to establish license policies to ensure legal risk is not introduced in the early stages of development.

Security vulnerabilities

After identifying the different open source dependencies being used, SCA tools will also correlate with vulnerability databases and point to security vulnerabilities in these dependencies. Once identified, some SCA tools will also provide information to facilitate remediation. Snyk, for example, provides full contextual remediation advice as well as precision security patches to help teams fix vulnerabilities in a timely manner.

Governance and control 

SCA tools can be used to automatically enforce security and license policies across the different stages of the software development lifecycle. The most common method SCA tools support is integrating open source security testing to CI/CD processes to ensure vulnerabilities do not make their way further down the delivery pipeline.

Reporting and analysis

SCA tools help organizations to produce BoMs (Bill of Materials), detailed lists of the various dependencies used in the code, and where in the code they are being used. These reports can then be used to assess exposure to future security risk and shared with other stakeholders and support standardization.

Key criteria for assessing SCA tools

As the guide explains, SCA tools are not born equal and come in many shapes and forms. To help organizations evaluate the different SCA tools in the market, Gartner provides a set of precise recommendations to help guide decisions. 

Eco-system and language support 

SCA tools must support the core programming languages and frameworks used by the organization. These needs will vary from organization to organization, but support for Java, JavaScript, Python, Go, .NET, PHP, and Ruby is usually required.

Deep and broad security data

To ensure vulnerabilities are identified and remediated in a timely manner, SCA tools must provide quality security data. SCA tools rely on vulnerability databases to produce this data but as Gartner notes, greater confidence and accuracy in findings is ensured by going beyond merely using NVD. Snyk’s vulnerability database pulls from multiple public sources, as well as academia, the community, and the work of our research team to provide users with accurate, up-to-date, and comprehensive data. 

Prioritization

Development and security teams face an overwhelming amount of vulnerabilities but are limited in terms of the time and resources that they have at their disposal. Therefore, they must prioritize. SCA tools must be able to provide these teams with the information needed to make effective prioritization decisions. Gartner highlights the ability to prioritize vulnerabilities that are reachable as part of the application’s execution path as a required function for an SCA tool.

Developer-friendly

SCA tools not adopted by end-users are not going to be very effective. As part of the “shift-left” and DevSecOps motions that are quickly gaining momentum in the market, developers have become the primary users of SCA tools. To support these motions, it is not enough to simply hand over a list of issues into the hands of developers for them to handle or provide them with access to a tool designed for the security team. SCA tools must be “developer-first”- they need to seamlessly integrate into existing development workflows, introducing a minimum amount of friction.  

Remediation

Finding issues is one thing. Actually being able to fix them quickly is another. Gartner stresses the point that SCA tools have to help organizations with the remediation steps as well. Snyk, for example, provides actionable prioritization and fix advice such as a priority score, full dependency tree, the recommended fix, and precision patches. Snyk will also trigger automated pull requests to streamline remediation even further.

Integrations

The software development lifecycle is complex. Different systems and platforms are used by developers to take their code from development into production. Ideally, organizations should be able to integrate open source security into each of these stages and so SCA tools must provide these integrations as part of their offering. 

Reporting/BoM

SCA tools should be able to help organizations track the open source components in use, over time, and create reports (aka. BoMs) based on this information. As mentioned above, these reports are used to assess exposure and internal tracking but also could be a condition for a specific license or purchasing order. 

Policies 

Gartner recommends using policies to define the security and legal conditions that are acceptable or unacceptable to the organization, and then automatically enforcing these policies across the different projects. SCA tools should be able to support this function.

Endnotes

Where is SCA headed moving forward?

Right now, Gartner estimates that only 40% of organizations are actually using SCA tools as part of their application security testing toolset. However, interest in SCA tools seems to be peaking with a nearly 40% increase in the number of end-user inquiries on the topic. 

Given the growing adoption of open source, that is not surprising. Open source plays a pivotal role in digital transformation and the fast pace of innovation we are witnessing today, especially during COVID19, and there is no reason to assume these trends will change any time soon. 

Organizations are leveraging open source to help them compete in their respective markets while at the same time understanding they must manage and mitigate the accompanying risks. Only SCA tools that answer the key criteria above will help organizations accomplish this goal.

About Snyk Open Source

Snyk Open Source helps organizations like Salesforce, Google and Facebook enhance application security by enabling development teams to automatically find, prioritize and fix security vulnerabilities and license issues in their open source dependencies and containers early in, and across, the SDLC.  Unlike other security solutions in the market, Snyk Open Source is a developer-friendly tool that integrates seamlessly into development workflows, providing automated remediation and actionable security insight to help organizations identify and mitigate risk efficiently.