Introduction
Software composition analysis (SCA) tools concern themselves with the identification of open source libraries and tools that have been built into or support an application, an identification that helps evaluate unpatched code, licensing issues and potential security vulnerabilities. The continued growth in the percentage of open source in newly created applications, and one big data breach, have led to a significant increase in the in-use percentage of SCA, according to 451’s Voice of the Enterprise, Information Security studies.
The 451 Take
Software Composition Analysis Growth
The numbers tell a fairly straightforward story: 13% of all enterprises participating in the study had SCA in place in 2018, with 11% having fairly solid plans to add SCA in the near future. In 2019, that rose to 21% of surveyed enterprises having SCA in use, and 12% reported being in a pilot phase. Among those with SCA in place in 2019, half planned to increase spending in the next year. Larger companies are more likely to have SCA implemented (just as they are more likely to have in-house application development): those organizations with more than 1,000 employees have SCA in use 32% of the time. Approach to technology adoption also makes a difference: 24% of those that consider themselves more on the early adopter side of technology adoption already have SCA. Finally, while 38% of respondents have any type of application security solution in place, that shoots up to 47% in those organizations that do in-house application development, and 30% of those organizations have implemented SCA.
There are likely two primary drivers, the first identified above is simply the rise of open source composition in modern applications and the need to then manage it. Beyond security, that extends to license management, patch or version management, and simply ensuring that hundreds of different versions of the same open source library aren’t being implemented in an organization. A second driver, though, follows that Santayana aphorism: “Those who cannot remember the past are condemned to repeat it.”
A Big Breach
Much of the criticism centers on Equifax’s response being a case study in how not to handle a data breach. But the entry point of an open source vulnerability, one that had a fix available, is relevant. Amid the tut-tuts of the security industry, 33% of IT professionals revealed in a 451 Voice of the Enterprise: Digital Pulse study (see Figure 2 above) that they are pretty sure their organization could be compromised the same way, and 70% acknowledged the possibility. How does that drive forward open source risk assessment? Sometimes it’s about learning from the mistakes of others:
"[With breaches] it's more of an evaluating our overall posture and trying to adjust for any new threats or what you see in Equifax or the other large breaches. What do we have to do to protect against that, or to identify, to limit the damage on that? So it is definitely an overall theme, looking at those big breaches, to adjust our security program and work plans.”
– IT/Engineering Managers and Staff, 2,000-4,999 employees, $1-2.49bn, Telecommunications
What's Next?
The industry has definitely caught up with [my SCA vendor]. I would say probably 60% [likely for us to switch away]…. It's like I'm doing my compliance, I'm doing my dev portion of it. And then we got to make them take the same code that they just scanned and put it into the open source scan …..so you got to do two scans. It would be much easier for the developer to ship at one time and get two [reports].
–Senior Management, 10,000-49,999, $5-9.99bn, Telecommunications
We made the point fairly emphatically last year that the pace of modern application development, and the organic standardization of DevOps toolchains, was both forcing and enabling AST earlier in the system development lifecycle. The Voice of the Enterprise Information Security data showed both a shift left for AST to the construction phase of application development and greater usage of AST tools by, in particular, developers. Adapting to those conditions will be the battleground for SCA going forward. As the quote above points out, simple things like running a single scan for both static analysis and SCA results is but one example of a desire for greater efficiency. Vendors have integrated SCA checks on code commit, with an IDE or even as browser plug-ins as developers search for a relevant piece of open source software. Supporting a low-friction approach to SCA that enables developers to use open source while preventing sprawl and reducing security risk at the organizational level will continue to be a key differentiator for SCA vendors going forward.
After-the-fact scans will still be appropriate for certain use cases – evaluating an application in a merger or acquisition or conducting a point-in-time evaluation of an organization’s open source risk, for example. Increasingly, however, adequate coverage of open source risk will only be achieved through continuous processes built into developers’ day-to-day operations, with reporting that allows security teams to gain a precise view of the organization’s open source risk posture over time.
Daniel Kennedy is responsible for managing all phases of the research process. He is an experienced information security professional who has written for both Forbes online and Ziff Davis, has provided commentary to numerous news outlets including The New York Times and The Wall Street Journal, and his personal blog Praetorian Prefect was recognized as one of the top five technical blogs in information security by the RSA 2010 Conference.
Jeremy Korn is a Research Associate at 451 Research. He graduated from Brown University with a BA in Biology and East Asian Studies and received
Aaron Sherrill is a Senior Analyst for 451 Research covering emerging trends, innovation