Nature vs. Nurture Tip 3: Employ SCA With SAST

For this year’s State of Software Security v11 (SOSS) report, we examined how both the “nature” of applications and how we “nurture” them contribute to the time it takes to close out a security flaw. We found that the “nature” of applications – like size or age – can have a negative effect on how long it takes to remediate a security flaw. But, taking steps to “nurture” the security of applications – like using multiple application security (AppSec) testing types – can have a positive effect on how long it takes to remediate security flaws.

In our first blog, Nature vs. Nurture Tip 1: Use DAST With SAST, we explored how organizations that combine DAST with SAST address 50 percent of their open security findings almost 25 days faster than organizations that only use SAST. In our second blog, Nature vs. Nurture Tip 2: Scan Frequently and Consistently, we addressed the benefits of frequent and consistent scanning by highlighting the SOSS finding that organization that scan their applications at least daily reduced time to remediation by more than a third, closing 50 percent of security flaws in 2 months.

For our third tip, we will explore the importance of software composition analysis (SCA) and how – when used in conjunction with static application security testing (SAST) – it can shorten the time it takes to address security flaws.

What is SCA and why is it important?

SCA inspects open source code for vulnerabilities. Some assume that open source code is more secure than first-party code because there are “more eyes on it,” but that is often not the case. In fact, according to our SOSS report, almost one-third of applications have more security findings in their third-party libraries than in primary code. Given that a typical Java application is 97 percent third-party code, this is a concerning statistic.

Since SCA is the only AppSec testing type that can identify vulnerabilities in open source code, if you don’t employ SCA, you could find yourself victim of a costly breach. In fact, in 2017, Equifax suffered a massive data breach from Apache Struts that compromised the data – including Social Security numbers – of more than 143 million Americans. Following the breach, Equifax's stock fell over 13 percent.

How can SCA with SAST shorten time to remediation?

If you are only using static analysis to assess the security of your code, your attack surface is likely bigger than you think. You need to consider third-party code as part of your attack surface, which is only uncovered by using SCA.

By incorporating software composition analysis into your security testing mix, you can find and address more flaws. According to SOSS, organizations that employ “good” scanning practices (like SCA with SAST), tend to be more mature and further along in their AppSec journey. And organizations with mature AppSec programs tend to remediate flaws faster. For example, employing SCA with SAST cuts time to remediate 50 percent of security flaws by six days.

For more information on using SCA with SAST, or for additional tips on nurturing your applications, check out our recent State of Software Security report.