Sep 26, 2023

New EMEA Software Security Data Demonstrates Necessity of SCA

By Robert Rhame

New software security data shows that Software Composition Analysis (SCA) is a necessary control for organizations in Europe, the Middle East and Africa (EMEA) that want to keep their open-source usage safe and its integrity intact. The proposed EU Cyber Resilience Act makes this research especially timely. Let's look at the data, and then at recommendations for EMEA teams that want to secure cloud-native development.

Understanding EMEA Software Security Landscape 

The software security landscape in EMEA is being reshaped by the European Commission's proposal for a Cyber Resilience Act (CRA), published on 15 September 2022. In the Commission's words, it "aims to safeguard consumers and businesses buying or using products or software with a digital component. The Act would see inadequate security features become a thing of the past with the introduction of mandatory cybersecurity requirements for manufacturers and retailers of such products, with this protection extending throughout the product lifecycle."

When it comes to building secure software, application security testing tools such as SCA are essential. Beyond the SCA data below, the State of Software Security 2023: EMEA Snapshot shows that EMEA lags the Americas in the share of applications carrying any flaw at all. The report states: "In the Americas, about 73% of applications carry security flaws in their last scan over the last 12 months, whereas in EMEA that number is just over 80%."

SCA Reports a Higher Percentage of Applications with Flaws in EMEA

In the Top Flaws by Scan Type figure below, taken from the State of Software Security 2023 EMEA Snapshot, EMEA broadly matches the overall picture in both flaw types and the proportion of affected applications for the static and dynamic scan types. With SCA, however, the percentage of EMEA applications with flaws is well above the other regions. This is not all bad news. A flaw found by SCA is a publicly disclosed vulnerability in a third-party component, so where the maintainers have already shipped a fixed version, upgrading the dependency closes the finding. Where no fixed version exists yet, the finding stays open and is tracked until it can be resolved, or mitigated in the meantime (for example by confirming the vulnerable code path is not reachable from the application, or by adding a compensating control).

[Figure: Top Flaws by Scan Type, EMEA]

Keep in mind that SCA finds flaws in the open-source components an application is composed of, so the likelihood of SCA surfacing publicly reported flaws rises with the share of open-source code in a language's ecosystem. Java is the clearest case: Java applications are composed of over 95% open-source code, and Java is the most popular language in EMEA. A similar picture emerged in another cut of the data, so the correlation is unlikely to be accidental; it is one we will continue to explore.

SCA Isn’t the Full Software Security Picture 

Looking back at the figure above, each scan type finds a different set of flaws. SCA, static analysis, dynamic analysis and the rest each have their own strengths in managing your application security posture, and none of them is sufficient on its own. Juggling all these tools can be cumbersome, so a unified platform helps if you want easy, quality reporting (and want to save your team time and headaches).

Software supply chain security is also bigger than SCA alone: it covers the build pipeline and the integrity and provenance of the artifacts you ship, not just the third-party components you consume. Here is what analysts think you should look for in an end-to-end solution: the KuppingerCole report on Software Supply Chain Security.

A Recommendation for Securing Cloud-native Software Development 

In addition to SCA, one best practice from the State of Software Security 2023 is to write simple code yourself. We understand that many teams now use generative AI to write code, which saves time. But to avoid repeated work, keep control of what ships, and reduce the flaws you introduce, consider writing simple code yourself and agreeing up front on a threshold for what counts as simple.

Since Java applications are overwhelmingly made up of open-source code, teams need a deliberate policy for when to pull in a relatively simple library that drags along a dependency chain of questionable value. If the code is simple, write it yourself; but don't roll your own crypto, and don't write your own database. Fewer dependencies mean a smaller attack surface, fewer transitive components to patch, and fewer SCA findings to chase.
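As an added illustration, not code from the report or from Veracode's product, the following Python sketch shows the two decisions the passages above describe: matching the components in a dependency tree against published advisories and classifying each hit as upgradeable or open (the SCA remediation point made earlier), and measuring how many transitive components each direct dependency drags in (the "dependency chain of questionable value" question). The dependency tree, component names and advisory labels are constructed for the example; they are not real packages or real vulnerability identifiers.

```python
"""Minimal SCA-style matcher over a constructed dependency tree.

Everything below (components, versions, advisories) is constructed for
illustration; the advisory labels are placeholders, not real identifiers.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Component:
    name: str      # Maven-style group:artifact
    version: str


@dataclass(frozen=True)
class Advisory:
    ident: str               # constructed label, not a real CVE
    component: str
    introduced: str          # first affected version, inclusive
    fixed_in: Optional[str]  # first unaffected version; None = no patched release yet


@dataclass(frozen=True)
class Finding:
    component: Component
    advisory: str
    via: str                 # the direct dependency that pulls the component in
    fixed_in: Optional[str]

    @property
    def status(self) -> str:
        if self.fixed_in:
            return f"fix available: upgrade to {self.fixed_in}"
        return "no fix published: track and mitigate"


# Constructed tree: each component maps to the components it declares directly.
ROOT = Component("app:orders", "1.0.0")
SAMPLE_TREE = {
    ROOT: [Component("example:json-kit", "2.3.0"),
           Component("example:tiny-utils", "0.9.1")],
    Component("example:json-kit", "2.3.0"): [Component("example:buffer-core", "1.1.0")],
    Component("example:tiny-utils", "0.9.1"): [Component("example:logging-bridge", "3.0.0")],
    Component("example:logging-bridge", "3.0.0"): [Component("example:yaml-parse", "5.2.0"),
                                                   Component("example:string-pad", "0.1.0")],
}

# Constructed advisories: one with a fix shipped, one without.
SAMPLE_ADVISORIES = [
    Advisory("CONSTRUCTED-1", "example:buffer-core", "1.0.0", "1.2.0"),
    Advisory("CONSTRUCTED-2", "example:yaml-parse", "5.0.0", None),
]


def parse_version(v: str) -> tuple:
    """'1.2.10' -> (1, 2, 10) so versions compare numerically, not as strings.
    Non-numeric qualifiers such as '-rc1' are ignored in this illustration."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(comp: Component, adv: Advisory) -> bool:
    """True if comp falls in [introduced, fixed_in); open-ended when no fix exists."""
    if comp.name != adv.component:
        return False
    v = parse_version(comp.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed_in is None or v < parse_version(adv.fixed_in)


def transitive_deps(tree: dict, comp: Component) -> set:
    """Every component reachable from comp, excluding comp itself (cycle-safe)."""
    seen, stack = set(), list(tree.get(comp, []))
    while stack:
        c = stack.pop()
        if c in seen:
            continue
        seen.add(c)
        stack.extend(tree.get(c, []))
    return seen


def dependency_footprint(tree: dict, root: Component) -> dict:
    """Components each direct dependency of root brings in, counting itself."""
    return {d.name: 1 + len(transitive_deps(tree, d)) for d in tree.get(root, [])}


def scan(tree: dict, root: Component, advisories: list) -> list:
    """Match every component under root against the advisories, noting which
    direct dependency introduced it and whether an upgrade closes the finding."""
    findings = []
    for direct in tree.get(root, []):
        for comp in {direct} | transitive_deps(tree, direct):
            for adv in advisories:
                if is_affected(comp, adv):
                    findings.append(Finding(comp, adv.ident, direct.name, adv.fixed_in))
    return sorted(findings, key=lambda f: (f.via, f.component.name))


if __name__ == "__main__":
    for name, count in dependency_footprint(SAMPLE_TREE, ROOT).items():
        print(f"{name}: {count} component(s) in total")
    for f in scan(SAMPLE_TREE, ROOT, SAMPLE_ADVISORIES):
        print(f"{f.component.name}@{f.component.version} via {f.via}: {f.advisory} -> {f.status}")
```

Run as a script it lists the footprint of each direct dependency and then the findings: the buffer-core hit can be closed by bumping the dependency to the fixed version, while the yaml-parse hit has no fix and has to be tracked. In the constructed tree the "tiny" utility library brings in four components, twice what the JSON library does, which is exactly the trade-off the recommendation asks teams to weigh before adding it.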

Read the report for three more recommendations that will help you stay ahead of the cyber resilience curve. 


Robert is Veracode's Head of Market Intelligence. He has 24 years of experience in storage, security, and understanding what makes clients' and customers' organizations effective.