Over the past year, breaches such as SolarWinds and Kaseya have woken us up to the realities of software supply chain risk. Whether through infiltrating the software delivery pipeline, deliberately uploading malicious components to popular repositories, or taking advantage of existing vulnerabilities in open source components, attackers are leveraging gaps in supply chain controls to compromise organizations and their customers. Protecting the software supply chain is a multifaceted challenge that includes code signing, identity and access management, policy … and software composition analysis (SCA).
SCA has always played a role in protecting the software supply chain, historically by identifying vulnerabilities and licensing risks in open source libraries and advising security and development teams on upgrade paths. During the writing process of The Forrester Wave™: Software Composition Analysis, Q3 2021, I had the opportunity to hear about how today’s SCA vendors are extending their supply chain integrity features. Many SCA vendors have leaned into their role as supply chain protectors, with some expanded capabilities to look for:
- Component control and repository integrations. Integrations with source code and binary repositories let SCA restrict use of components that don’t meet security standards or corporate policies. The top vendors have browser plug-ins that notify developers of at-risk components and suggest alternatives.
- SBOM support. Even before the Executive Order on Improving the Nation’s Cybersecurity mandated that government suppliers provide a software bill of materials (SBOM), government and industry partners were collaborating on SBOM terminology, evangelism, and proofs of concept. Some SCA vendors already produce SBOMs directly in the UI in CycloneDX or Software Package Data Exchange formats; others rely on external tools. Some only produce PDF or CSV files but are looking to add support for the top SBOM formats.
- Dependency confusion protection. Dependency confusion attacks gained prominence earlier this year when a researcher discovered that dependencies in public packages can get priority over those of the same name in a private build and demonstrated a supply chain attack on more than 35 large tech companies. Several SCA vendors referenced dependency confusion protection directly in their Wave responses, describing source location and other integrity checks.
- Malicious component discovery. Attackers trying to poison the supply chain by adding malicious components to popular repositories are running up against new defenders. Some SCA vendors have gone into proactive mode and are leveraging their tools and research teams to find and remove these malicious components before too many unwitting developers download them. Top SCA tools quarantine new or suspicious packages for review before releasing them to developers.
There is still work to be done. Look for those vendors without native SBOM support to add it in the next year. I’d also hoped to find more out-of-the-box integrations with governance, risk management, and compliance and third-party risk platforms to give the risk teams a better view into software supply chain issues — only a couple of vendors had any such integrations. Supply chain security is a popular roadmap item, so ask current or prospective vendors about their plans to expand their offering in this area.
For more on the SCA market and vendor capabilities, please check out the full evaluation, The Forrester Wave™: Software Composition Analysis, Q3 2021, or schedule an inquiry to talk to me about it.