Selecting a Software Composition Analysis Tool

So, you have decided to take the plunge and implement a tool for Software Composition Analysis (SCA). This is a big step toward improving the security of your applications and the security posture of your organization as a whole. Congratulations!

Or maybe you’ve never heard of SCA, but you’re curious what it is. A Software Composition Analysis (SCA) tool is a software tool used by developers and security teams to identify and manage the use of open-source and third-party components within their software applications.

Either way, while deciding to implement an SCA tool is a necessary and significant first step, it is easy to be overwhelmed by the sheer volume of choices in the market. Not only do these options vary significantly in their pricing structure, but they also have feature sets with varying degrees of overlap from one tool to the next.

Some questions that may come up in the selection process might be:

  • If there are free options available, should we pay for a tool?
  • Can we build our own tool?
  • How do we know which features are important and which we can live without?

In this blog, we’ll tackle as many of these questions as possible.

Build vs. Buy

The first key decision to make is whether to go with a homegrown solution or to leverage a third-party tool built for this purpose. Each choice involves some measure of trade-offs, so we recommend a thoughtful approach incorporating your current infrastructure, the maturity of your security initiative, the typical workflow of your developers, and financial considerations. I compare these two options below.

Option 1 – Build Your Own

Most modern package managers like NuGet and npm have their own built-in utilities for identifying vulnerable dependencies. These can be extremely useful for pre-commit spot-checking by individual developers.

But what if you want to centralize and enforce review of any findings produced by the tool? What if you want to automate the scan and archive the results in a CI pipeline? These goals often involve custom code to run the corresponding scan, parse the results, and then get them into some format and system that is visible to the entire team. What if you need finely tuned access controls around who can see and interact with the results? It’s easy to see how this effort could snowball into something much larger than originally planned.
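To make the “build your own” effort concrete, here is an added example (not code from the original post) of the smallest useful CI gate around npm’s built-in scanner: it runs `npm audit --json`, parses the per-package findings, fails the build at a chosen severity, and prints a compact summary that can be archived with the pipeline run. The embedded report is a constructed sample with invented package names, shaped like npm’s version 2 audit report; the severity threshold and output format are assumptions, and everything the article lists afterward (a shared results store, access controls, ticket integration) is still missing.

```python
"""Added example: a minimal 'build your own' SCA gate for CI that parses the JSON
from `npm audit --json`, fails the build at a chosen severity and prints a summary."""
import json
import subprocess
from typing import Dict, List, Tuple

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}
# Constructed sample report (package names invented) in the shape npm emits.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-pad": {"name": "example-pad", "severity": "high", "isDirect": True,
                        "range": "<1.3.0", "fixAvailable": True},
        "example-util": {"name": "example-util", "severity": "low", "isDirect": False,
                         "range": "<0.2.0", "fixAvailable": False},
    },
})

def run_npm_audit(project_dir: str = ".") -> str:
    """Return raw audit JSON; npm audit exits non-zero on findings, so no check=True."""
    proc = subprocess.run(["npm", "audit", "--json"], cwd=project_dir,
                          capture_output=True, text=True)
    return proc.stdout

def parse_findings(report_json: str) -> List[Dict]:
    """Flatten per-package entries into records sorted worst-first."""
    report = json.loads(report_json)
    findings = [{
        "package": name,
        "severity": entry.get("severity", "info"),
        "direct": bool(entry.get("isDirect", False)),
        "range": entry.get("range", ""),
        "fix_available": bool(entry.get("fixAvailable", False)),
    } for name, entry in report.get("vulnerabilities", {}).items()]
    findings.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], 0), reverse=True)
    return findings

def gate(findings: List[Dict], fail_at: str = "high") -> Tuple[bool, List[Dict]]:
    """Return (passed, blocking); blocking holds findings at or above fail_at."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= threshold]
    return (not blocking, blocking)

if __name__ == "__main__":
    found = parse_findings(SAMPLE_REPORT)  # use run_npm_audit() for a real project
    passed, blocking = gate(found, fail_at="high")
    print(json.dumps({"passed": passed, "total": len(found),
                      "blocking": [f["package"] for f in blocking]}))
    raise SystemExit(0 if passed else 1)
```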

Custom-built tools can be a good option if you have a dedicated (and experienced) security engineering team, and the results can be highly customized to your environment. However, for organizations that do not have a security engineering team, this level of effort is going to be difficult or impossible to justify.

If security tool engineering is not a core competency that you wish to grow within your org, this could even distract your developers from more valuable work streams. It is wise to carefully consider your goals before making this decision.

Option 2 – Use a Purpose-Built Third-Party Tool

Using a purpose-built tool designed for SCA can be a more palatable option, particularly if the development team will also be the team managing the care and feeding of the chosen platform. The options available range from free and open-source software (FOSS) tools like OWASP Dependency-Track to enterprise-grade tools costing thousands or hundreds of thousands of dollars, depending on the size of your implementation.

Open source options are indeed free in terms of up-front dollars, but there is still some measure of engineering involved in standing up and maintaining the infrastructure for an on-prem or cloud-based deployment. This infrastructure will naturally require an ongoing investment both to pay for the infrastructure and to pay engineers to make sure patches are applied, vulnerability databases are updated, etc. For smaller teams, the cost of this ongoing maintenance may be greater than the cost of using a paid solution, so you will want to consider the pricing structure of paid solutions alongside the price of your own engineering resources.

In terms of paid options, the variety of tools and range in pricing can actually help guide you toward a decision. Some tools like Snyk offer a free introductory tier that is great for proof of concept work. These tools also generally provide a gentle ramp-up toward a more expensive option as your organization’s security initiative matures. Larger organizations with a mature security team will want to consider the pricing for enterprise-grade options. Thoughtful implementations will make sure the pricing structure is a good match for their intended use.

Technical Considerations

In addition to the aforementioned pricing concerns, there are also a variety of technical questions to answer that can help in selecting a finalist for implementation. Here are some key questions to consider as you work through the options:

  • Does the tool support all of the languages you use?
  • What public and private vulnerability databases does the tool reference in its scans?
  • What features does the tool offer to streamline the review and processing of scan results?
  • Is the tool geared to minimize friction for the developers so that they can quickly resolve issues and remain focused on their “day job”?
  • Does the tool have built-in integration with the various CI and bug-tracking solutions in use within your organization?
  • How easily can you scale the implementation as internal adoption grows?

The answers to these questions will provide significant insight for identifying the right tool for the job. For example, suppose you are comparing two tools that are roughly equivalent in terms of coverage, scan quality, and integration. In that case, a deciding factor might be the level of convenience features available for developers.

For example, some tools will automatically create pull requests with fix actions already in place, leaving the developers only to review the PR and approve/merge. Many tools will also provide detailed guidance about their findings that saves the developer minutes or even hours of research per finding. Such advantages should not be overlooked, as they could mean the difference between an investment of minutes and an investment of days per scan.

Conclusion

As you can see, the decisions involved in selecting an SCA tool are rarely open and shut. We hope that this brief guide can be a helpful starting point for making this decision for your own organization. If this is something you would like assistance with, Trailhead has a team ready to help with your security efforts and we would love to help you make the best decision for your developers and your customers.

Just contact Trailhead to get started.
