The vast majority of activities in modern society rely on software. Software is in websites, e-commerce, fintech, cryptocurrency, office and productivity tools, mobile apps, games, and many more. Even ChatGPT, which is said to be capable of writing code and fixing bugs, depends on software.
With its undeniable importance, it is not surprising that threat actors are targeting software. They intercept software supply chains or find creative ways to contaminate software and achieve felonious goals like stealing data, accessing enterprise IT assets, or disrupting business operations.
This is why there is a need to analyze software composition. Software cannot be presumed safe or free from anomalies even if it was built by an in-house team of developers.
The bane of free software components
Linus Torvalds, the lead developer of the Linux kernel, says that software is better when it's free. This is often understood to mean that software end users are fond of using free software. However, the same point can be made when it comes to software development. Developers also like to use existing free code whenever possible to speed up project turnaround.
Open-source and third-party software components can be readily obtained online. They are available under open-source copyright license agreements such as AGPL, GPL, LGPL, MPL, and Apache Licenses. Sources include GitHub, SourceForce, Bitbucket, GitLab, the Apache Software Foundation website, RubyGems, and Packagist. There are also various small websites that offer free software components.
The problem with free software components is that there is no guarantee that they are safe and secure. They can become a vulnerability to the code being developed. Malicious lines of code may be included in a project because of free software component sourcing. As such, it is crucial to undertake software composition analysis.
Software composition analysis: The basics
Software composition analysis (SCA) is essentially the thorough evaluation of the third-party components used in software to detect anomalies and vulnerabilities. It scans code for possible open-source libraries and components and compares them to a database of known issues. SCA identifies potential security risks, so they can be addressed as soon as possible before threat actors find and exploit them.
The use of third-party components has become an increasingly common practice in software development. As much as 97 percent of codebases contain third-party or open-source components according to a 2022 Open Source Security and Risk Analysis (OSSRA) report. In certain industries, this figure even goes up to 100 percent. The semiconductors, energy and clean tech, IoT, and cybersecurity industries use open-source components in all of their codebases.
Open source components undeniably save time and effort for developers, but they pose potential risks in return. They are not necessarily intended for cyber-attacks or malware dissemination. In many cases, they become risks because they have not been updated. Over time, vulnerabilities emerge in these components that can be taken advantage of by threat actors.
The role of SCA in cybersecurity
Software composition analysis is helpful in the areas of vulnerability management, software supply chain attack prevention, as well as license management, and. These are three areas where enterprise cybersecurity needs bolstering in light of recent major software supply chain attacks such as the GitHub OAuth tokens attack, the Okta hacking, and the SolarWinds-like attack on commercial chat provider Comm100.
As part of vulnerability management, SCA spots open-source libraries that may have exploitable issues that can allow the execution of malicious code. Many enterprises struggle with security visibility over third-party software components. Some may not even be aware that they have open-source or third-party components in their code. SCA can be undertaken as part of the vulnerability management routine to gain security visibility over software components and address common vulnerabilities and exposures (CVEs).
Vulnerability management, in turn, helps protect against supply chain attacks. With cybercriminals increasingly targeting software supply chains for their attacks, it is crucial to have an efficient system to spot malicious code injected into open-source projects used in other applications. SCA effectively identifies issues in an application's dependencies to address them in a timely manner.
Just because a certain software component source is well-known and generally regarded as reliable does not mean it has to be fully trusted. The famous code repository GitHub, for example, became the subject of a software supply chain attack that reportedly affected over 83 million developers. Many may have already learned about this attack, but they may have not known if they were affected without proper software component assessment.
Moreover, software composition analysis helps fend off attacks based on laws involving digital assets. SCA helps in proper licensing management to avoid problems arising from software components. Some libraries or software dependencies that used to be open-source or freely usable for commercial purposes may already require royalty payments after they have been purchased from the previous owner. There are also instances when the use of software components create the obligation to make the function or feature that uses such components freely available to other users. This may affect the competitiveness of an enterprise's products, so it is advisable to prepare for it with SCA as part of software license management.
The SCA process and challenges
Software composition analysis is generally an automated process that makes use of specialized solutions. The process involves three major steps, namely scanning, documentation, and vulnerability detection. The scanning stage produces a software bill of materials (SBOM) that provides a comprehensive list of all open-source code used by apps. The documentation stage accounts for the software version, license details, and app usage. Vulnerability detection entails the comparison of the spotted open-source components with threat information to identify the vulnerabilities.
Ultimately, the whole process results in a report that shows how organizations can address security concerns in relation to the use of open-source libraries or software components. The whole process is not exactly simple and straightforward, though. Some SCA tools may have difficulties identifying dependencies given the different programming languages and ecosystems used by different organizations. Also, some SCA solutions may not be able to detect indirect dependency issues or the security risks posed by the dependencies of dependencies. Additionally, not every SCA solution is up-to-date with the latest vulnerabilities.
It is crucial to use an SCA solution that meticulously goes through all the stages of scanning, documentation, and vulnerability detection. Even the documentation stage should be treated seriously because of mandates and proposed regulations. In the United States, for example, there is an executive order that requires the presentation of software developer SBOMs and process documentation to support code integrity validation.
Conclusion
Software composition analysis is crucial in modern cybersecurity as software is at the forefront of many activities in society. With the widespread use of open-source and third-party software components, it is vital to conduct SCA to detect security risks and avoid falling victim to software supply chain attacks. SCA is an effective way to manage software vulnerabilities, ensure secure software supply chains, and avoid problems associated with software library or code component licenses and compliance requirements.