Why Software Composition Analysis (SCA) Demands Precision

As leaders in software composition analysis (SCA), we understand its role throughout today’s software supply chain.

SCA was born out of necessity. How else could innovators discover, identify, and track open source software (OSS) components within their applications? SCA may be best known for tracking capabilities, such as adherence to license requirements (e.g., “you can use this code, just buy me a beer”). Others value it for identifying security vulnerabilities inherent in open source projects (“Red alert! Red alert!”). Yet, the technology can do far more than that.

Our product suite helps developers and security professionals at every stage of software development. Our tools locate, manage, and protect the best quality open source software components.

Of these capabilities, which is most critical?

To find out, we commissioned 451 Research, a global research firm, to evaluate the case for SCA. The report, Software Composition Analysis: Getting to the Signal Through the Noise, written by Scott Crawford, Research Director, is revealing.

Superior Precision Necessary for Secure Software Production

The report identifies precision as the most important element an SCA tool must master. By 451’s measure, Sonatype excels in this domain. Precision ensures secure software development from concept through delivery. Consider:

  • Precision pinpoints the specific nature of vulnerabilities and eliminates false positives. An SCA tool that generates a high volume of false positives also generates a demand for manual review, which slows or eliminates automation at scale.
  • Precision guides effective and efficient remediation. It isn’t sufficient to only know the name of a “bad” component in your software supply chain — this is too broad. Components are infinitely customizable. As an analogy, this is like searching for a criminal using the telephone book. Wouldn’t it be more effective to search a DNA database?
  • Precision (Read more...)
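The two bullets above make a concrete, testable claim: matching a "bad" component by name alone produces false positives (a fixed version, or an unrelated library that happens to share a name) and false negatives (a relocated or shaded copy whose name no longer matches), while matching on exact coordinates plus an affected-version range, backed by a content fingerprint, does not. The following script is an added illustration of that difference and is not Sonatype's code or the 451 Research report's material; the advisory identifier, the package coordinates, the version range and the artifact bytes are all constructed placeholders.

```python
# Added example (not Sonatype's code): why name-only component matching is
# imprecise, and how exact version ranges plus content fingerprints reduce
# both false positives and false negatives. All advisories, coordinates and
# artifact bytes below are constructed for the demo; "ADV-EXAMPLE-1" is a
# placeholder, not a real advisory or CVE number.
import hashlib
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple:
    """'1.4.2' -> (1, 4, 2), so versions compare as tuples."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str
    content: bytes  # bytes of the artifact as found in the build (constructed)

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

    @property
    def coordinates(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, not a real CVE
    group: str
    artifact: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive)
    bad_sha256: frozenset = field(default_factory=frozenset)  # fingerprints of affected builds

    def version_affected(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


def match_by_name(inventory, advisories) -> set:
    """Coarse matching: flag any component whose artifact name appears in an advisory."""
    return {(c.coordinates, a.advisory_id)
            for c in inventory for a in advisories
            if c.artifact == a.artifact}


def match_precisely(inventory, advisories) -> dict:
    """Precise matching: exact group+artifact inside the affected version range,
    or a content fingerprint for shaded/relocated copies whose name no longer matches."""
    findings = {}
    for c in inventory:
        for a in advisories:
            if (c.group, c.artifact) == (a.group, a.artifact) and a.version_affected(c.version):
                findings[c.coordinates] = (a.advisory_id, "coordinates+version")
            elif c.sha256 in a.bad_sha256:
                findings[c.coordinates] = (a.advisory_id, "fingerprint")
    return findings


# Constructed sample data: one advisory and a four-component inventory.
VULN_BYTES = b"webparser 1.2.0 bytes (constructed)"
ADVISORY = Advisory("ADV-EXAMPLE-1", "org.example", "webparser", "1.0.0", "1.4.2",
                    frozenset({hashlib.sha256(VULN_BYTES).hexdigest()}))
INVENTORY = [
    Component("org.example", "webparser", "1.2.0", VULN_BYTES),                # truly affected
    Component("org.example", "webparser", "1.4.2", b"webparser 1.4.2 bytes"),  # already fixed
    Component("com.acme", "webparser", "9.9.9", b"acme webparser bytes"),      # unrelated, same name
    Component("com.acme", "shaded-parser", "0.1.0", VULN_BYTES),               # shaded copy of 1.2.0
]


def compare():
    """Return (name-only findings, precise findings) for the sample inventory."""
    return match_by_name(INVENTORY, [ADVISORY]), match_precisely(INVENTORY, [ADVISORY])


if __name__ == "__main__":
    coarse, precise = compare()
    print("name-only findings:", sorted(coarse))   # 3 hits: 2 false positives, shaded copy missed
    print("precise findings:", precise)            # 2 hits: the real one and the shaded copy
```

Run as-is, the name-only pass reports three findings (two of them false positives, and it never sees the shaded copy), while the precise pass reports exactly the affected build and its shaded twin. In a real pipeline the fingerprint set would come from the SCA vendor's data rather than be computed inline, but the triage cost of the coarse approach, a human reviewing every name collision, is the point the report is making.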

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Katie McCaskey. Read the original post at: