Using static code analysis (SAST) and software composition analysis (SCA) together makes your software development process better, faster, and stronger.
Smart organizations in the business of building software know they need a mix of application testing tools to help ensure the code they produce is high-quality and secure. Many have already taken the steps to secure the code their developers write with a static application security testing (SAST) tool such as Coverity®. SAST is critical for uncovering and eliminating issues in proprietary code early in the software development life cycle (SDLC) by scanning code for flaws while that code is in a nonrunning (i.e., static) state.
But what about the code in your applications that your developers didn’t write?
Better, faster, stronger: Using SAST together with SCA
SAST is highly effective in finding bugs in the code developers write by identifying software weaknesses (CWEs) such as buffer overflows and handler errors. But SAST isn’t effective in finding third-party open source software vulnerabilities (CVEs) or identifying open source license types or versions.
Open source is an essential component of application development today, with over 60% of the code in an average application composed of open source components. Adding a software composition analysis tool such as Black Duck® SCA is as imperative to your software development strategy as using SAST to test the code your developers write. Together, SAST and SCA can help you ensure your applications are built using secure, high-quality code, no matter where it comes from.
What open source is in your code?
The chance that your developers are using open source is better than 90%. Analysts such as Forrester and Gartner note that the vast majority of IT organizations use open source software for mission-critical applications.
But many companies don’t have visibility into the open source they use. Instead, they depend on their developers to follow coding policies and use a manual method—such as spreadsheets—to track open source.
Are you sure that your developers always document every third-party component they use? Are you sure they use only what’s in your binary repository?
Better: A complete, multifactor view of open source with Black Duck SCA
Black Duck SCA provides a complete, multifactor, accurate view of all open source in your applications and containers.
Black Duck multifactor open source discovery combines four methods of open source scan technology:
With Black Duck SCA, you can build an open source inventory that is always up to date and accurate.
What open source licenses are in the code you’re shipping?
Do you know whether the licenses of the open source components your applications include are permissive or viral? Are you using one of the most popular licenses or a one-off variant?
Failure to comply with open source licenses can put businesses at significant risk of litigation and compromise of intellectual property (IP). Synopsys’ Black Duck Audit Services team has found that 95% of the scans they conduct for M&A due diligence reveal open source that the target didn’t even know was there.
Do you understand the dependencies of the open source components that are approved in your binary repo?
Better: Eliminate open source license noncompliance with Black Duck SCA
Black Duck SCA uses multifactor scan technology and the industry’s largest open source knowledge base to identify which licenses are relevant to the open source in your applications.
The Black Duck SCA license compliance module enables companies to set policy, whitelist and blacklist, enable approval workflows, and automate open source management in the SDLC.
Even snippets of code can carry license obligations, as can dependencies. Black Duck SCA will identify licenses associated with code snippets from larger components.
Are open source components creating quality, security, and maintenance issues?
Operational risk is an important consequence of open source use. Many open source components are abandoned. In other words, they no longer have a community of developers contributing to, patching, or improving them.
If no one is maintaining a third-party component, that means no one is addressing potential issues such as weaknesses and vulnerabilities. Black Duck Audits found that 85% of the codebases they scanned contained open source components that were more than four years out of date or had no development activity in the last two years.
Even if your organization considers the robustness of a component’s developer community when approving that component for your binary repository, a vibrant community today doesn’t mean it will remain that way months down the road. And even if the community does remain vibrant, do you have a process to make sure the most up-to-date versions of the open source components you use are in your binary repo? How often are you checking and updating those components?
The reality is that few software development teams can produce an accurate, up-to-date inventory (also known as a bill of materials, or BOM) of their open source versions and patch status—especially when it comes to vulnerabilities. While the number of vulnerabilities in open source is small compared to proprietary software, over 7,000 open source vulnerabilities were discovered in 2018 alone. Over 50,000 have emerged over the past two decades.
Of the codebases reviewed by the Synopsys Black Duck Audit Services team in 2018, 60% contained at least one open source vulnerability. Over 40% contained high-risk vulnerabilities, and 68% contained components with license conflicts—none of which could be identified by a SAST tool.
Faster: Continuous quality and security for the open source in your code
Black Duck SCA helps your development teams avoid delays and cost overruns with risk metrics laser-focused on open source code quality and security.
Black Duck SCA quickly identifies known security vulnerabilities, associated licenses, and code quality risks. Black Duck operational risk information uncovers a component’s level of risk on the initial scan and continuously monitors the component to ensure it remains up to date and active.
Black Duck SCA analyzes both source and binary code, so it can scan virtually any software, including desktop and mobile applications, embedded system firmware, and more. And with Black Duck Security Advisories, advanced proprietary research on open source vulnerabilities, you gain a complete picture of the security risk of the open source in your software.
- Map components to known vulnerabilities.
- Monitor for new vulnerabilities in development and production.
- Prioritize and track remediation activities.
- Scan virtually any software, with or without access to source code.
With Black Duck SCA, you can configure your open source security and use policies based on a comprehensive array of criteria, including license type, vulnerability severity, open source component version, and more. You can also enforce development policies with automatic workflow triggers, notifications, and bidirectional Jira integration for accelerated remediation initiation and reporting.
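To make the mechanics behind the list above concrete, here is an added, self-contained illustration of what an SCA pass does at the inventory level: build a bill of materials from a pinned manifest, match each component against an advisory feed by affected-version range, look up its license, and apply a policy that blocks on license type and vulnerability severity, with a diff step that models continuous monitoring. This is example code written for this page, not Black Duck or Coverity code; the component names, versions, licenses, advisory ids and policy values are all constructed sample data.

```python
from dataclasses import dataclass

# Severity ordering used by the policy gate.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed placeholder, not a real CVE id
    component: str
    introduced: str    # first affected version (inclusive)
    fixed_in: str      # first fixed version (exclusive)
    severity: str


@dataclass(frozen=True)
class Finding:
    component: str
    kind: str          # "vulnerability" or "license"
    detail: str
    blocking: bool


def parse_version(v):
    """Dotted numeric versions only; enough for the constructed sample data."""
    return tuple(int(p) for p in v.split("."))


def parse_requirements(text):
    """Build the inventory (BOM) from pip-style 'name==version' lines."""
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version:
            # An unpinned dependency cannot be matched to advisories reliably.
            raise ValueError(f"unpinned dependency: {line!r}")
        components.append(Component(name.strip().lower(), version.strip()))
    return components


def is_affected(component, advisory):
    """Numeric (not lexical) range check: introduced <= version < fixed_in."""
    if component.name != advisory.component:
        return False
    v = parse_version(component.version)
    return parse_version(advisory.introduced) <= v < parse_version(advisory.fixed_in)


def analyze(components, advisories, licenses, policy):
    """Match the BOM against the advisory feed and the license knowledge base."""
    findings = set()
    for c in components:
        lic = licenses.get(c.name, "UNKNOWN")
        if lic in policy["denied_licenses"]:
            findings.add(Finding(c.name, "license", f"denied license {lic}", True))
        elif lic == "UNKNOWN":
            findings.add(Finding(c.name, "license", "license not identified", False))
        for adv in advisories:
            if is_affected(c, adv):
                blocking = SEVERITY_RANK[adv.severity] >= SEVERITY_RANK[policy["block_at"]]
                detail = f"{adv.advisory_id} ({adv.severity}), fixed in {adv.fixed_in}"
                findings.add(Finding(c.name, "vulnerability", detail, blocking))
    return findings


def gate(findings):
    """Policy gate: the build passes only when no finding is blocking."""
    return not any(f.blocking for f in findings)


def new_findings(previous, current):
    """Continuous monitoring: findings that appeared since the last scan of the same BOM."""
    return current - previous


# Constructed sample data (not from any real project or advisory feed).
SAMPLE_REQUIREMENTS = """
# constructed manifest
webframework==2.1.0
imagelib==1.4.2
jsontool==3.0.1
"""
SAMPLE_LICENSES = {"webframework": "MIT", "imagelib": "AGPL-3.0"}  # jsontool: unknown
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "webframework", "2.0.0", "2.1.3", "HIGH"),
    Advisory("ADV-0002", "imagelib", "1.0.0", "1.4.0", "CRITICAL"),  # already fixed at 1.4.2
    Advisory("ADV-0003", "jsontool", "3.0.0", "3.0.2", "LOW"),
]
POLICY = {"denied_licenses": {"AGPL-3.0", "GPL-3.0"}, "block_at": "HIGH"}


def run_sample():
    bom = parse_requirements(SAMPLE_REQUIREMENTS)
    return analyze(bom, SAMPLE_ADVISORIES, SAMPLE_LICENSES, POLICY)


if __name__ == "__main__":
    found = run_sample()
    for f in sorted(found, key=lambda f: (f.component, f.kind)):
        print(("BLOCK " if f.blocking else "warn  ") + f"{f.component}: {f.kind}: {f.detail}")
    print("build passes:", gate(found))
```

On the sample data the run yields four findings: a blocking HIGH advisory on webframework, a blocking denied license on imagelib, and two non-blocking warnings on jsontool (unidentified license and a LOW advisory), so the gate fails. The version comparison is numeric on purpose; a lexical compare would place 1.10.0 before 1.9.0 and silently mis-match advisories, which is one of the failure modes a spreadsheet inventory cannot catch.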
Stronger: Black Duck SCA together with Coverity SAST
Coverity SAST is a critical part of any application testing toolbox, but you can further strengthen your software development strategy with a robust SCA solution.
Boost your software development process by adding in Black Duck SCA, a comprehensive solution for managing open source security, license compliance, and code quality in applications and containers. Black Duck enables you to control open source across the software supply chain and throughout the application life cycle.
Together with Coverity SAST, Black Duck SCA can make your software development better, faster, and stronger.
*** This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Fred Bals. Read the original post at: https://www.synopsys.com/blogs/software-security/use-sast-sca-together/