As the fallout from the Apache Log4j vulnerabilities earlier this year shows, the biggest risks in enterprise software today are not necessarily in insecure code written directly by in-house software development teams. The flaws in the components, libraries and other open-source code that make up the bulk of today's software code bases are the underwater part of the insecurity iceberg.

The truth is that much of the enterprise software and custom applications produced by DevOps teams and software engineering groups is not actually coded by their own developers. Modern software is modular. Developers use what is called a microservices architecture to build new applications much like a Lego house, from blocks of premade code. Rather than reinventing the wheel every time their application needs to perform a common function, developers root around in their proverbial box of blocks to find the one that does what they need without a lot of fuss.

That box is today’s ever-expanding software supply chain, a sometimes very informal source of code that flows from the millions of GitHub repositories and open-source projects floating around online today. It consists of components and libraries used in myriad applications and in the underlying application and development infrastructure used to construct modern development pipelines.

Of course, the programs provided by this supply chain aren't really bricks, and they don't always interlock perfectly, so developers write custom code to glue all those pieces together. Many then turn those creations into yet more open-source projects so that others can solve similar problems, which is one reason the software supply chain keeps growing.

Applications built with third-party code

A modern application is mostly made up of third-party code. According to Forrester, the percentage of open-source code that makes up an average application’s code base rose from 36% in 2015 to 75% in 2020.

It's a faster, more scalable way to develop, but like all technology innovation it comes with added cyber risk unless proper care is taken. It's the dirty little secret of the development world that components co-opted from today's software supply chain can very easily be out of date and riddled with vulnerabilities. Making things even more complicated is the fact that flaws are often nested: projects depend on other projects in the supply chain, so a vulnerable component can arrive transitively through a dependency the developer never chose directly. Sometimes the flaws are even added on purpose by attackers who intentionally seed open-source software with vulnerabilities.

The vulnerabilities introduced by the software supply chain can be like hidden cybersecurity landmines in enterprise software, particularly when organizations do nothing to formally govern how their developers use the software supply chain. Many organizations barely even track, let alone vet or manage, the components, libraries and developer tools that go into or produce the code their developers commit. According to a study released by the Linux Foundation, fewer than half of organizations use a software bill of materials (SBOM) that tracks exactly what goes into their applications from the software supply chain.

Creating an SBOM is foundational for supply chain security, alongside open-source governance and securing the infrastructure-as-code elements that touch applications throughout the SDLC. The following is a list of tools that help accomplish this, with a heavy emphasis on software composition analysis (SCA) tools, which focus specifically on producing SBOMs, raising visibility into what goes into software, and remediating flaws in the components that are the building blocks of software today.
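The following added example (not from the article or from any vendor it names) shows in Python what an SBOM and the nested-dependency problem look like in practice: it walks a constructed dependency graph, records each component once with the path that pulled it in, and matches the resulting inventory against a constructed advisory list. All package names, versions and advisory ids are made up for the example.

```python
"""Minimal SBOM builder plus advisory matching over a constructed dependency
graph. Every package name, version and advisory id below is made up for the
example; none refers to a real project or a real CVE."""

# Constructed registry metadata that a resolver would normally fetch:
# package name -> (resolved version, list of its own dependencies).
REGISTRY = {
    "web-framework": ("2.1.0", ["template-engine", "http-client"]),
    "template-engine": ("1.4.2", ["text-utils"]),
    "http-client": ("3.0.1", ["text-utils"]),
    "text-utils": ("0.9.0", []),
    "logging-lib": ("2.3.0", []),
}
DIRECT_DEPS = ["web-framework", "logging-lib"]  # what the app itself declares

# Constructed advisories: a component is affected if its version is below fixed_in.
ADVISORIES = [
    {"id": "ADV-0001", "pkg": "text-utils", "fixed_in": "1.0.0"},
    {"id": "ADV-0002", "pkg": "logging-lib", "fixed_in": "2.3.0"},
    {"id": "ADV-0003", "pkg": "image-codec", "fixed_in": "4.2.0"},  # not in this app
]

def parse_version(v):
    """Turn 'MAJOR.MINOR.PATCH' into a tuple of ints so comparisons are numeric."""
    return tuple(int(part) for part in v.split("."))

def build_sbom(direct, registry):
    """Walk the dependency graph breadth-first and record each component once,
    together with the path through which it was first pulled in. Components
    with a path longer than 1 are transitive: they never appear in the manifest."""
    sbom, queue = {}, [(name, [name]) for name in direct]
    while queue:
        name, path = queue.pop(0)
        if name in sbom:
            continue  # shared transitive dependency already recorded
        version, deps = registry[name]
        sbom[name] = {"version": version, "direct": len(path) == 1, "path": path}
        queue.extend((dep, path + [dep]) for dep in deps)
    return sbom

def find_vulnerable(sbom, advisories):
    """Match advisories against the SBOM and report the introducing path, so the
    fix can target the direct dependency that drags the flawed component in."""
    hits = []
    for adv in advisories:
        comp = sbom.get(adv["pkg"])
        if comp and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
            hits.append((adv["id"], adv["pkg"], comp["version"], " -> ".join(comp["path"])))
    return hits
```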

Top supply chain security tools

Contrast Security

Known best for its Interactive Application Security Testing (IAST) technology, which detects vulnerabilities in applications via an agent running on the application server, Contrast Security provides SCA capabilities as part of a full slate of testing in its open platform, which also does dynamic application security testing (DAST), static application security testing (SAST), runtime application self-protection (RASP), and serverless security checks on AWS Lambda infrastructure.

The tooling can not only generate an SBOM but also contextualize flaws across the various ingredients that make up an application by visualizing application architecture, code trees and message flow information to aid in threat modeling and remediation. Open-source governance is embedded within modern development workflows and tooling, and Contrast's bread and butter is bridging the divide between developers and security teams, making it a major player in the DevSecOps market.

ShiftLeft

A relative newcomer in this field, ShiftLeft is designed to fit into the development workflow of forward-thinking DevOps teams. Its core value is in bringing SCA and SAST together into a single scan that runs when a developer opens a pull request. The technology uses a technique the company calls a Code Property Graph (CPG) to map dependencies and data flows across custom code, open-source libraries, SDKs and APIs, seeking out not only flaws across the entire application, including its open-source components, but also logical weaknesses in the app. Supply chain flaws are prioritized by susceptibility to attack using a "reachability" index that is inserted into the SBOM and puts each finding in the context of how attackable the component is, based on how it is actually used in the application.

Snyk

Snyk is a cloud-native, developer-centric set of tooling that's purpose-built for DevSecOps and cloud-native development shops. Best known for its SCA and container security scanning capabilities, it also offers SAST and API vulnerability testing. In February 2022 the company purchased Fugue, a cloud security posture management company. As Gartner explained, its blend of offerings across infrastructure-as-code security, container security and application security reflects the fact that "application and infrastructure layers increasingly blur together." It's usually bought on the developer side but is worth a look for CSOs and security staff seeking to move toward a democratized model of developer-run security testing and remediation.

Sonatype Nexus

One of the longest-running offerings in the SCA market, Sonatype was billing itself as a "software supply chain security" company long before the term was sneaking its way into the titles of security conference and webinar sessions. The heart of the Sonatype Nexus platform is its capabilities for creating detailed SBOMs and managing policy. Forrester analysts say, "Policy is an area of strength for Sonatype, with out-of-the-box policies that align to a range of standards and a policy engine that allows users to create and assign policies to certain types of applications." Policies can be applied not only to what goes into the code but also to managing the security and configuration of the surrounding infrastructure as code and containers used to develop and deploy applications.

Sonatype also offers repository management to provide a single source of truth for all components, binaries, and build artifacts. Nexus’s visualization of component history and Sonatype’s customer service are also called out by the analysts as its big strengths. Last year Sonatype also picked up MuseDev in an acquisition that helped it build out its Sonatype Lift capabilities, which provide dev-friendly code quality analysis during code review.

Synopsys Black Duck

Synopsys' Black Duck SCA tool does four types of analysis (dependency, codeprint, binary and snippet) to track and manage the components used within an organization's software. Synopsys recently improved Black Duck's SBOM creation capabilities to include BLANK. In addition to creating bills of materials, the tool also performs automated policy management. Black Duck is part of the broader portfolio of AppSec tools offered by Synopsys, which Gartner named a leader in its Application Security Testing Magic Quadrant. The open platform model it uses to deliver SCA alongside DAST, SAST, penetration testing, fuzzing and a range of other testing capabilities is a key value proposition. It "makes Synopsys a good fit for organizations with complex, multiteam development, using a mix of development styles and programming technologies," says Gartner.

Veracode

A longtime powerhouse in the traditional appsec testing market, with a mature SaaS product that has long dominated the SAST and DAST arenas, Veracode has in the last few years been investing heavily in SCA. Following its acquisition of SourceClear in 2018 there was some bifurcation between its homegrown SCA capabilities and what it offered through SourceClear, but Veracode Software Composition Analysis is now a single product available through the platform. "Veracode's roadmap focuses on unifying the SAST and SCA capabilities in the developer environment and enhancing container and IaC [Infrastructure as Code] security capabilities," explain Forrester analysts. They say the high points for Veracode are its remediation reports and dependency graphing. The biggest point of friction, they noted, was the difficulty of integrating it into developer workflows.

WhiteSource Software

A big highlight of WhiteSource Software's SCA tooling is its developer-friendly remediation of component security issues, including alerting on and fixing out-of-date and malicious components. "WhiteSource's thought leadership is focused on remediation and prioritization," wrote Forrester analysts, who deem this vendor a leader in the SCA space. "WhiteSource offers differentiating features, including a browser plugin to help avoid problematic components and removing unreachable vulnerabilities from the developer's queue to improve developer experience." One point on which they say it lags is its lack of out-of-the-box policies. WhiteSource launched a SAST solution earlier this year.

Copyright © 2022 IDG Communications, Inc.