
Real Talk: What Users Really Look For in a Software Composition Analysis (SCA) Solution

A few weeks ago, we wrote about the differences between SCA and SAST tools. The two are not directly comparable, since they look for different classes of defects, but for most organizations software composition analysis (SCA) is likely the best place to start. We also mentioned that if you do choose to invest in SCA, you should select a best-of-breed offering that provides end-to-end coverage and a holistic view of how open source risk affects your organization.

But what makes a solution best-of-breed? Today, we'll review a few requirements you should demand from your SCA tool, based on real user reviews from IT Central Station. As a baseline, your SCA solution should provide visibility through a software bill of materials and continuous monitoring, including the ability to scan production apps or apps no longer under active development. But there is much more that makes an SCA tool the go-to choice for DevSecOps teams.

Flexible Policy Enforcement

Every SCA solution should provide visibility and continuous monitoring, at a minimum. But what good is that awareness if there is no way to act on it? Your SCA solution should also offer policy management capabilities that enforce policy automatically and at a granular level, with rules that can vary by SDLC stage. This includes failing builds or blocking a release when a policy is violated, with the policy chosen by application type, stage, and organizational structure. Integrating this throughout the SDLC speeds innovation and enforces secure coding practices, because a developer learns about a disallowed component in their own build rather than from a release-day audit.
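What stage-aware enforcement looks like in practice, as an added example: a small policy gate that takes SCA findings and decides whether a build may proceed. This is illustrative code written for this page, not Sonatype's product or any code from the original post. The stage names (dev, staging, release), the severity ladder, the application types, the package URLs and the vulnerability identifiers of the form EXAMPLE-VULN-n are all constructed for the example; real tooling would read findings from a scanner and the policy from a versioned config file.

```python
"""Stage-aware SCA policy gate (added example, not Sonatype's code).

The same findings are judged differently depending on where in the SDLC
the build sits and what kind of application it is: dev only blocks on
critical issues, release blocks on medium and up and also denies copyleft
licenses, and internet-facing apps block one severity level earlier.
"""
import sys
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List

# Higher rank = more severe. Ranks are used so thresholds can be shifted.
SEVERITY_RANK: Dict[str, int] = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """One SCA finding for a dependency. A license-only record has an empty vuln_id."""
    component: str   # package URL (purl) of the dependency (constructed values below)
    vuln_id: str     # advisory identifier, or "" for a license-only record
    severity: str    # low | medium | high | critical, or "" when vuln_id is ""
    license: str     # SPDX license identifier reported for the component


@dataclass(frozen=True)
class StagePolicy:
    fail_at: str                       # lowest severity that blocks at this stage
    denied_licenses: FrozenSet[str]    # licenses that block at this stage


# Policy tightens as code moves toward production (assumed stage names).
STAGE_POLICIES: Dict[str, StagePolicy] = {
    "dev":     StagePolicy("critical", frozenset()),
    "staging": StagePolicy("high",     frozenset({"AGPL-3.0-only"})),
    "release": StagePolicy("medium",   frozenset({"AGPL-3.0-only", "GPL-3.0-only"})),
}

# Application type shifts the threshold: internet-facing apps block one level earlier.
APP_TYPE_SHIFT: Dict[str, int] = {"internal": 0, "internet-facing": 1}


@dataclass
class GateResult:
    stage: str
    passed: bool
    violations: List[str] = field(default_factory=list)  # block the build
    warnings: List[str] = field(default_factory=list)    # reported, not blocking


def effective_threshold(stage: str, app_type: str) -> int:
    """Severity rank at or above which a finding blocks, after the app-type shift."""
    base = SEVERITY_RANK[STAGE_POLICIES[stage].fail_at]
    return max(SEVERITY_RANK["low"], base - APP_TYPE_SHIFT[app_type])


def evaluate(findings: Iterable[Finding], stage: str, app_type: str = "internal",
             waivers: FrozenSet[str] = frozenset()) -> GateResult:
    """Apply the stage's policy to the findings. Waived vuln ids are downgraded to warnings."""
    policy = STAGE_POLICIES[stage]
    threshold = effective_threshold(stage, app_type)
    result = GateResult(stage=stage, passed=True)
    for f in findings:
        if f.license in policy.denied_licenses:
            result.violations.append(f"{f.component}: license {f.license} not allowed at {stage}")
        if not f.vuln_id:
            continue  # license-only record, nothing more to check
        msg = f"{f.component}: {f.vuln_id} ({f.severity})"
        if f.vuln_id in waivers:
            result.warnings.append(msg + " [waived]")
        elif SEVERITY_RANK[f.severity] >= threshold:
            result.violations.append(msg)
        else:
            result.warnings.append(msg)
    result.passed = not result.violations
    return result


# Constructed sample findings; identifiers and purls are placeholders, not real advisories.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("pkg:maven/org.example/parser@1.2.0", "EXAMPLE-VULN-1", "critical", "Apache-2.0"),
    Finding("pkg:npm/example-logger@4.0.1", "EXAMPLE-VULN-2", "high", "MIT"),
    Finding("pkg:pypi/example-cli@0.9", "EXAMPLE-VULN-3", "medium", "AGPL-3.0-only"),
    Finding("pkg:npm/example-util@2.1.0", "", "", "GPL-3.0-only"),
]


if __name__ == "__main__":
    # Usage in a CI job: `python gate.py <stage> [app_type]`; non-zero exit fails the build.
    stage = sys.argv[1] if len(sys.argv) > 1 else "dev"
    app_type = sys.argv[2] if len(sys.argv) > 2 else "internal"
    res = evaluate(SAMPLE_FINDINGS, stage, app_type)
    for line in res.violations:
        print("BLOCK:", line)
    for line in res.warnings:
        print("WARN: ", line)
    sys.exit(0 if res.passed else 1)
```

The same four findings pass a dev build once the single critical is waived, fail staging on three counts (the critical, the high, and the AGPL component), and fail an internet-facing release on all five checks. Keeping the threshold and denied-license lists in data rather than in code is what lets the policy differ per stage without every team maintaining its own gate script.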

Precise and Accurate Data + Extensive Research

It's important to find an SCA vendor that uses both proprietary and public data. That data should be further reviewed by researchers and professionally curated with proprietary intelligence, providing insight beyond sources such as NVD and VulnDB. Finding a vendor with proprietary data is key, as they often identify issues faster than public databases, ultimately decreasing (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Alyssa Shames. Read the original post at: https://blog.sonatype.com/what-users-really-look-for-in-a-sca-solution