OWASP DevSlop | Software Composition Analysis
“Software composition analysis” is a term coined by the industry, and refers to identifying the dependencies and components used in a piece of software that is shipping, and their vulnerabilities, licenses, and other metadata. It’s about protecting your software supply chain.
As more developers and companies rely on open-source code - that anyone can contribute to, including attackers - this opens the door to a new vector of attack. As a developer, to protect yourself against this vector of attack, how can you determine your dependencies, and ensure they’re secured?
We’ll discuss the common components of software composition analysis.
To be successful in addressing supply chain risks, you need to know your environment, manage your dependencies, and monitor any changes.
First, we’ll cover how you can determine your dependencies, track metadata for these. Then, we’ll cover how to keep your dependencies up to date and be notified of new security patches you should apply, including best practices to make this easier on your dev team. And lastly, we’ll cover how to prevent issues from occurring in the first place, including how to evaluate and monitor your dependencies for potential risks, although this is a newer area of development.
We’ll demo open source and free tools that help you with these needs today.
You’ll come away with a better understanding of what you can do for supply chain security for your organization and the projects you maintain.