Securing Your Software Supply Chain with Software Composition Analysis

September 12, 2019 Patricia Johnson

Modern life runs on applications. Businesses that a decade or two ago never thought of themselves as anything more than a car manufacturer, supermarket, or one of a million other kinds of businesses have quickly found themselves in need of apps both for internal use and for their customers.

This rapid demand for software has led to companies establishing software development teams inside of their organizations, providing dedicated developers who can build the applications that propel a business forward. However, these teams are generally not working alone, and they are depending on third parties to help them take their projects to the finish line. 

Outsourcing parts of a project or even whole segments of your company’s operations can be an important part of your go-to-market strategy. Turning to an outsourcer who knows how to create powerful mobile apps is a better option than trying to just make your desktop version fit the smaller screen. Perhaps you are trying to make your physical product “smart” and need an app for users to interface with it. 

The list of reasons to outsource is long, including efficiency in reaching deadlines, cost savings, and more. In many cases, the outsourcing team might just be a better option because they focus on a specific type of development and have the expertise to do it better. At the same time, it can bring with it a set of risks that need to be addressed. 

Challenges to Outsourcing your Development

Taking parts of your development outside of your organization can raise challenges since it reduces the level of control that you have over the process.  

Essentially the problem here is that these outsourcers may not uphold your company’s high standards for security in how they build the software which will then go into your final product. These issues might express themselves in a lack of testing during development, not following best practices when it comes to how data is collected and stored, as well as a host of other concerns that can crop up along the way. 

One question that you should ask is are they taking steps to ensure that they are not incorporating open source components into the code that put your organization at risk? Are they checking to see that the open source components have the licenses that are in line with your organization’s policies or have any known vulnerabilities?

Even if you can request that they follow these standards, it can be hard to be sure if they are holding up their end and working correctly. 

If they are like most development teams, then chances are that they are not keeping track of which open source components they are using so they have no real way to prove if they are following best practices. This information can get lost if it is not being properly tracked, making it harder to know if you need to patch when new vulnerabilities are discovered later.

All these challenges and more can come back to haunt your organization if left unchecked, and unfortunately, their poor work standards can quickly become your problem to resolve.

Your customers really do not care if the vulnerability that caused their data to be breached came from your in-house team’s coding or from an outsider. All they care about is that now they need to deal with the fallout of responding to the incident and they will be looking to your company for answers.

If you are providing an endproduct to customers, the expectation is that you have reviewed the code before deployment, so the buck stops with you. Put another way, your customers don’t really want to think about how all the ingredients found their way into the product, but they expect it to be fully baked by the time it gets to them. 

This means that it is up to you to ensure that your product is as secure as possible. So how do you guarantee that it is without losing the benefits of having the outsourcing in the first place?

Automating Your Application Security Testing

Maintaining high security standards without sacrificing speed to deployment depends on making more with less. This is where automation can really play a key role in helping your team reach that finish line with minimal delays.

Automated security testing tools like Static Application Security Testing (SAST) provide checks for your proprietary code, but this only makes up for a small percentage of your overall codebase at somewhere between 10-20% on average. SAST is unable to detect open source components, making it an incomplete solution for your application’s security.

By contrast, open source components are believed to comprise between 60-80% of the codebase in modern applications, making the work of managing vulnerabilities far more difficult to handle at scale. Software Composition Analysis (SCA) tools provide an answer to this challenge, granting both visibility throughout the SDLC by identifying all open source components and enforcing policies as to which components are allowed to be used in your product.   

SCA tracks when new open source components are added to your project from the earliest stages, creating an inventory and alerting you to any known vulnerabilities associated with that component. By automating the task of monitoring for vulnerabilities in your open source with SCA, you can be sure that the policies that you set are enforced without compromising on speed.

So bring on the outsourced crew and continue to release your applications without worrying that you are missing any known vulnerabilities, keeping your company and users secure.

So the post that I would write is that even if you are outsourcing parts of your development, as many orgs which are not historically software companies do, you are still responsible for the security of the final product. Customers don't care if someone else wrote that code, just the end result. However part of the reason that you outsource is for savings and efficiency, so it's not worth it to you if you have to manually check the code. Therefore implementing automated security testing will help you avoid a situation where you pushed out a new version of your product with known vulnerabilities. So even if you weren't the one to introduce the vulnerable component, you can ensure governance.

Outsourcing parts of your development can improve productivity but it can create unseen risks. Learn how to secure your code, no matter who writes it.

No Previous Articles

Next Article
Top 5 New Open Source Security Vulnerabilities in August 2019
Top 5 New Open Source Security Vulnerabilities in August 2019