If you were to protect your home against thieves, wouldn’t you first close the main door? Vulnerabilities in open source components are the widest openings calling hackers to come in. Among all alternatives, detecting and fixing these vulnerabilities is easiest, and provides the highest ROI and fastest time-to-value.
In the past few years, it became clear that most dangerous breaches are made possible through security vulnerabilities in the application layer. (See for example reports by Verizon, Akamai, and Veracode). As a result, many CISOs turn their focus to securing their applications.
There are many steps that need to be taken to prevent, or at least reduce the number and severity of security vulnerabilities in applications. It is, of course, best if vulnerabilities can be detected early on in the software development lifecycle (“shift left”) because then the cost is the least. Education and code review play a key role here. However, since not all issues can be detected during the application development phase, it is common to run an application through a variety of application security testing gates before it is released (e.g., SAST, DAST, IAST), and possibly to wrap and protect it in a variety of ways (e.g., RASP, obfuscation). Post-release, one may further protect the application be verifying its inputs, protecting it against devastating surges, etc. (e.g., using WAFs, data filters, restricted communication, etc.)
But out of all approaches, there is one that is easiest, fastest, and provides the highest return, and that is Software Composition Analysis (SCA).
SCA is about identifying and fixing vulnerabilities in the open source libraries that are used in an application. Today’s applications are essentially composed of hundreds of open source libraries that make up as much as 80% of the total code in the application. (Read more...)
*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Ron Rymon. Read the original post at: https://resources.whitesourcesoftware.com/blog-whitesource/why-your-application-security-journey-must-start-with-a-comprehensive-software-composition-analysis-sca-program