A Framework for Evaluating Software Composition Analysis Tools

According to Gartner’s 2019 Software Composition Analysis Report, over 90% of code in modern applications comes from open source. While the benefits are many, these same critical open source components also come with their own set of issues and risks. Some of them include:

• Security vulnerabilities creeping into software, making it susceptible to malicious attacks.
• Uncertain license requirements that can lead to intellectual, reputational, and financial risk.
• Incomplete inventory of dependencies that can lead to an inaccurate software bill of materials (BoM).

Software composition analysis (SCA) tools have long been the most common approach to understanding and addressing these risks by detecting third-party components and identifying known vulnerabilities, outdated libraries, and license gaps. But, even though SCA has typically included solutions like security patches, it hasn’t really emphasized visibility into the end-to-end open source software supply chain or the benefits of shifting left.

By scanning and blocking possible issues right in the software development lifecycle (SDLC) and deployment workflow, a more modern SCA tool can not only reduce the cost of risk but also help the engineering team improve code quality and lower technical overhead and debt.

As enterprises shop for solutions that deliver these key capabilities, let's examine what the framework for a good risk mitigation solution looks like and what we should keep in mind when we evaluate SCA tools.

Watch the on-demand webinar: Forrester on the Changing Role of SCA in Your Open Source Security Strategy

Automated Scanning

A critical component of risk mitigation is complete and accurate visibility into risk in the software supply chain. This means an inventory of all:

• Direct and transitive dependencies
• Embedded, hidden, and declared licenses
• Security vulnerabilities

Identifying the libraries and all the included dependencies, licenses, and vulnerabilities is the first step to accurately assessing risk in your open source software supply chain. It is important that your software composition analysis tool supports a broad range of languages in your tech stack.

CI/CD Integration

A priority function to look for in a software composition analysis tool is the ease of shifting left on risk mitigation. The later in the software development lifecycle you spot issues, the harder and more expensive it is to remediate them. SCA tools that completely integrate into your existing CI/CD pipelines enable you to continuously monitor your code and prevent vulnerabilities from shipping to production in the first place.

By emphasizing continuity and direct integration with existing development and deployment pipelines, SCA tooling can not only eliminate risk, but also avoid friction that would otherwise decrease productivity and take teams out of their workflows.  

Watch the on-demand webinar: Forrester on the Changing Role of SCA in your Open Source Security Strategy

Programmatic Policy Governance

A strong policy engine is a must-have for enterprises looking to enforce their security and license compliance policies at scale. Having a centralized and automated policy engine helps security, legal, and engineering teams manage the creation and enforcement of their policies to keep pace with the speedy clip of modern development and DevOps processes.

With around 151,196 vulnerabilities and developers shipping code every hour of the day, security and legal teams can’t scale or manage effective software composition analysis programs without programmatic policy governance. Stakeholders must be able to filter, approve/deny, and whitelist/blacklist specific vulnerabilities and licenses to create a risk profile appropriate for their team and project.

Automated, robust, and flexible policy management is key to making sure developer velocity isn’t disrupted by the introduction of new tools and processes.

A modern SCA tool built on a policy engine will facilitate collaboration for easier and seamless triage and remediation, not only by programmatically identifying issues in real time, but also by delivering relevant context and actionable guidance to engineering teams on how to best resolve vulnerabilities and license gaps.

High Signal-to-Noise Ratio

Developer adoption is key for any software composition analysis tool to have a material impact on an organization’s security and compliance posture. As enterprises seek to adopt SCA tools to bolster risk mitigation, they should look for automation that fits the workflows, timelines, and goals of their developers.

In this context, that means:

• Low false-positives. Any SCA tool should minimize the amount of time spent by developers triaging or fixing licensing and security issues. This means proactively and contextually differentiating vulnerability or license issues that will actually impact security and compliance in production. Signal matters.
• Integration with the developer ecosystem. SCA should not interrupt the development process or force developers to leave the friendly confines of their familiar systems. Nor should it require organizations to sacrifice productivity for security. Check for integrations with tools like GitHub and JIRA.

FOSSA offers the most reliable automated policy engine for security, legal, and engineering teams to fix vulnerabilities, maintain license compliance, and improve code quality across the entire software supply chain. As the only developer-native open source management platform for SCA, FOSSA fully integrates with your existing CI/CD pipeline to provide complete visibility and context earlier in the software development lifecycle. For the first time, teams can collaboratively shift left and audit, analyze, control, and remediate license issues and vulnerabilities right in their existing workflows.

Watch the on-demand webinar: Forrester on the Changing Role of SCA in Your Open Source Security Strategy