Software Composition Analysis 101: Knowing what’s inside your apps - Magno Logan скачать в хорошем качестве

Software Composition Analysis 101: Knowing what’s inside your apps - Magno Logan

The term Software Composition Analysis (SCA) is relatively new to the security world. However, similar approaches have been used since the early 2000s to indicate security verifications on open source components. SCA has become an evolution of that. It is the process of identifying and listing all the components and versions present in the code and checking each specific service and looking for outdated or vulnerable libraries that may impose security risks to the application. These tools can also check for legal issues regarding the use of open-source software with different licensing terms and conditions. Nevertheless, how those SCA tools work, and how can they help identify and remediate issues on open source libraries used in a codebase? This talk aims to focus on and explain to the audience by showing how these tools work and the main pieces of information that these tools rely on, such as the application manifest, vulnerability data sources, and dependency metadata. Audience Takeaways SCA tools and techniques are here to stay, and their usage is increasing in many organizations where security is a priority. Unfortunately, AppSec teams cannot keep up with all the new vulnerabilities published daily. Make sure to look for solutions that can adequately adapt to your own way of building software. They need to cover the programming languages used in your organization and identify issues on indirect dependencies, not just relying on public CVEs to find those issues. Rate Session