OWASP DevSecOps Guideline - v-0.2

Software Component/Composition Analysis (SCA)

Component Analysis is the process of automating application security for managing the third-party and open source components of a codebase. SCA finds potentially vulnerable components in the codebase so that high-impact security risks such as supply-chain attacks can be prevented, and it also reports the license of each component. This helps an organization reduce the security risk carried by the libraries in its codebase, and it needs to happen early in a modern software development life cycle.

For more information about Component Analysis, please visit the OWASP page.

We should run Component Analysis early, before security testing such as SAST and DAST, to prevent vulnerable libraries from being pushed to the live (production) environment, and we should implement continuous monitoring of those libraries so that supply-chain attack risk can be reduced quickly.
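A compact illustration of the two checks described above, matching each pinned dependency against known-vulnerable version ranges and checking its license against a policy, together with the pipeline gate that blocks a build early. This is an added example, not code from the OWASP guideline or from any of the tools listed below; the requirements file, advisory database, license metadata and advisory identifiers are all constructed placeholders.

```python
"""Toy Software Composition Analysis pass over a pinned requirements file.

Added example (not OWASP's own code). It shows what an SCA step in a
pipeline does: parse the dependency manifest, match each pinned version
against a vulnerability database keyed by affected version ranges, check
each component's license against an allow-list, and fail the build when
a finding meets the threshold. Every input below is constructed for the
example; advisory ids are placeholders, not real CVEs.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: a pinned requirements file as produced by `pip freeze`.
REQUIREMENTS = """\
# constructed sample lockfile
requests==2.19.0
pyyaml==5.3.1
left-pad-py==1.0.0  ; python_version >= "3.8"
urllib3==1.26.8
"""

# Constructed advisory database: (package, introduced, fixed, id, severity).
# A version v is affected when introduced <= v < fixed.
ADVISORIES = [
    ("requests", "2.0.0", "2.20.0", "ADV-EXAMPLE-0001", "HIGH"),
    ("pyyaml", "0.0.0", "5.4", "ADV-EXAMPLE-0002", "CRITICAL"),
    ("urllib3", "1.26.0", "1.26.5", "ADV-EXAMPLE-0003", "HIGH"),
]

# Constructed license metadata, as an SCA tool would read from package metadata.
LICENSES = {
    "requests": "Apache-2.0",
    "pyyaml": "MIT",
    "left-pad-py": "AGPL-3.0",
    "urllib3": "MIT",
}

# Example policy: licenses permitted for components shipped in this product.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.26.8' into (1, 26, 8); a non-numeric tail such as 'rc1' is dropped."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_in_range(v: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= v < fixed, i.e. v is inside the affected range."""
    return parse_version(introduced) <= parse_version(v) < parse_version(fixed)


def parse_requirements(text: str) -> Dict[str, str]:
    """Return {package_name: pinned_version}; names are normalised to lowercase."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


@dataclass
class Finding:
    package: str
    version: str
    kind: str       # "vulnerability" or "license"
    detail: str
    severity: str   # advisory severity, or "POLICY" for license findings


def scan(requirements: str) -> List[Finding]:
    """Run both SCA checks over every pinned dependency."""
    findings = []
    for name, version in parse_requirements(requirements).items():
        for pkg, introduced, fixed, adv_id, severity in ADVISORIES:
            if pkg == name and version_in_range(version, introduced, fixed):
                findings.append(Finding(name, version, "vulnerability",
                                        f"{adv_id} (fixed in {fixed})", severity))
        lic = LICENSES.get(name, "UNKNOWN")
        if lic not in ALLOWED_LICENSES:
            findings.append(Finding(name, version, "license",
                                    f"license {lic} not in allow-list", "POLICY"))
    return findings


def should_fail_build(findings: List[Finding],
                      fail_on=("CRITICAL", "HIGH", "POLICY")) -> bool:
    """Pipeline gate: block the merge or deploy when any finding meets the threshold."""
    return any(f.severity in fail_on for f in findings)


if __name__ == "__main__":
    results = scan(REQUIREMENTS)
    for f in results:
        print(f"[{f.severity}] {f.package}=={f.version}: {f.kind} - {f.detail}")
    raise SystemExit(1 if should_fail_build(results) else 0)
```

Running the module exits non-zero whenever a blocking finding exists, which is the behaviour a CI stage needs in order to stop a vulnerable or non-compliant library before SAST, DAST and deployment run. A real tool would also walk transitive dependencies and refresh its advisory data continuously, which is what the continuous-monitoring point above refers to.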


Tools

  • Open-source:

    • OWASP Dependency-Check - Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies; it supports Java, .NET, JavaScript and Ruby
    • RetireJS - JavaScript-specific dependency checker
    • Safety - Python dependency checker for known security vulnerabilities
    • bundler-audit - Patch-level verification for Bundler (audits the versions of third-party Ruby libraries)
  • Commercial:

    • Hakiri - A commercial tool that offers dependency checking for Ruby and Rails-based GitHub projects using static code analysis
    • HCL AppScan on Cloud - Security testing service that can perform SAST, SCA and IaC scanning at the same time.
    • Snyk - SCA tool offered as a SaaS solution.
    • WhiteSource - Identifies every open source component in your software, including dependencies, then protects you from their vulnerabilities and enforces license policies throughout the software development life cycle.
    • Synopsys Black Duck - Black Duck's automated policy management lets you define policies for open source use, security risk and license compliance up front, and automates their enforcement across the software development life cycle (SDLC).

References