Contrast Security’s Approach to SCA Enables Vulnerability Prioritization and Faster Remediation

Open source – the basis for modern development

It goes without saying that modern applications today are rarely developed from scratch. Open Source Software (OSS) communities are well organized, and licenses are generally quite understandable. So when developers make applications, their first instinct is to use open source. Open source can provide most of the functionality needed for an application, reducing the amount of user code needed to a small part of the code base.

Development teams that recognize that open source enables them to quickly build feature-rich applications still need to be cautious about protecting the OSS libraries embedded in their code. After all, open source is no more or less secure than any other commercial software. Therefore, there is reason to believe that FOSS should be subject to the same level of control to ensure that there are no shiny attack vectors that can be used by bad actors.

Buying developers Means thatis achieved.

One of the biggest challenges for application security teams is the need to guarantee developers’ purchasing power, especially when it comes to protecting their open source libraries. Too often, developers are overwhelmed by the amount of alerts provided by traditional application security tools. This includes Software Composition Analysis (SCA) tools, which analyze the vulnerabilities of applications in open source software libraries. According to Contrast Security 2020’s Application Security Observability Report, on average 55% of open source libraries are not actively used by this application.

To address these issues, application security teams must be able to prioritise vulnerability resolution, taking into account user and open source vulnerabilities. In the case of open source, patches are often implemented as standard with a priority that depends on the severity of common vulnerabilities and impact (CVE). However, this model is not always applicable, depending on where and how this library is used. As a result, application security teams and developers blindly try to determine which vulnerabilities are worth fixing and which are just warning signals (false positives). This means that less time needs to be spent on the necessary corrections.

Compare the approach to safety with that of SCA

Development teams need tools to determine which vulnerable open source libraries are the most dangerous in their applications. This means that the vulnerable libraries called up by the application at runtime, i.e. the libraries most likely to be used by an attacker, are classified. Instead of relying solely on the VCA ranking of the seriousness of the risks, Contrast analyzes the runtime libraries to determine exactly whether the library is actively invoked by the request. It then determines which specific classes, files or modules are used in the library. By demonstrating specific components of the library in use, developers get a much more efficient and effective patch plan – a result that allows application security teams and developers to avoid hours of unnecessary sorting.

See it in action. By using the contrast-runtime library, you can correct an error faster.

http://server.digimetriq.com/wp-content/uploads/2020/11/Contrast-Security's Approach-to-SCA-Enables-Vulnerability-Priitization-and-Faster.jpeg

Look, look, look, look, look, look. Contrast of runtime in action: https://share.vidyard.com/watch/tzbBavZmkZzRj2xmeMYA2U ?

Everyone wins if vulnerabilities can be fixed faster than.

Developers will continue to focus on innovative, fast applications that are essential for businesses. Anything that distracts them from this goal will almost always be seen as an obstacle to development. Application security teams can help build goodwill among their fellow developers by easing the burden of searching for security data. The integration of the SCA solution enables developers to automate open source discovery and prioritize library patches based on runtime usage. This will help to create a closer relationship between application security teams and developers, as the workload of all parties involved has been significantly reduced. It’s a win-win situation.

More information about Contrast Software Composition Analysis (CCA) is available in our webinar on request and download the Contrast OSSD data table.

You can also sign up for a free trial to learn how Contrast can help you reduce the burden of backing up your open source resources.

Related Tags:

contrast protect,contrast assess,contrast security number of employees,contrast security valuation,contrast security gartner,contrast security pricing,what is contrast security,veracode