The problem with licenses
Thinking of the hundreds of SOUPs used in a typical software development project, the SCA can be a time-consuming task. Especially if you do not have a large legal department reading through license agreements, engineers may be overwhelmed by license agreements and – let’s be honest – you don’t become a software engineer because you like reading license agreements.
In recent years, more and more companies have emerged that specialize in buying open-source SOUPs and suing the manufacturers using these SOUPs in the event of license violations, and they are winning in court. The penalties can run into the millions and mean ruin for some companies. Even if a SOUP is open source, that does not automatically mean that you can use the SOUP as you wish. Many licenses contain clauses requiring that, in the case of commercial use, the author of the SOUP be identified somewhere in the software or in the accompanying documentation. Some licenses exclude commercial use of the SOUP altogether.
SOUPs as a gateway for hackers
Unidentified vulnerabilities in SOUPs are gateways for hackers into your software. A “famous” vulnerability that came up in 2021 was the Log4j vulnerability, where hackers could inject malicious code and cause remote code execution. Log4j is a Java-based logging utility used to log messages within software and is used as a SOUP in many software projects.
This is where the SCA comes into play
A manual inspection of all used SOUPs for security, quality or license issues is not practical: SOUPs evolve, and different versions of the same SOUP might be used in the manufacturer's code. Various suppliers have developed tools that scan your software code for open-source components and provide you with an SBOM. The SCA tools then search vulnerability databases (e.g., the National Vulnerability Database or the Black Duck KnowledgeBase) for known security, quality or license issues associated with the identified SOUPs and report them together with the SBOM.
SCA should ideally be run as soon as any new software is defined for the build, rather than just before the baseline, so that there is time to remedy any non-conforming code.
Available Tools
There are a lot of SCA tools available on the market with a wide price range. The next section of this blog discusses the advantages and disadvantages of some of the tools and the experience our customers had with the tools.
Synopsys is the market leader and, with Black Duck, offers a comprehensive solution for managing security, license and quality issues arising from SOUPs. Synopsys maintains its own vulnerability database, which, according to Synopsys, goes beyond the content of other vulnerability databases.
The Synopsys analysis is based on a dependency analysis, a code print analysis, a binary analysis, and a snippet analysis. The dependency analysis tracks declared and transitive dependencies. The code print analysis compares strings, files, and directory information against the database to identify the COTS or SOUP. The identification of compiled open-source code is done with the binary analysis. The snippet analysis avoids license issues by searching for copied code.
Black Duck provides you with a first-party SBOM and a third-party SBOM. The first-party SBOM is produced by the software builder and tracks the dependencies and risks of your own software code. The third-party SBOM lists third-party software code and its dependencies and risks. Synopsys makes customized offers and has no published pricing.
Another popular SCA tool is Snyk. Snyk has also established its own Snyk Vulnerability Database. Snyk claims to be the most developer-friendly SCA tool on the market, based on its intuitive and easy setup and the possibility to integrate Snyk into existing workflows. Snyk can be integrated with the requirement management system Jira. Snyk offers a free trial and charges $52 per contributing developer per month. For enterprises, customized offers are made.
A tool that focuses on vulnerability detection in Java applications is Azul. Azul does not cover license or code quality issues. Azul receives its information about vulnerabilities from the National Vulnerability Database. The pricing is based on the chosen support level and starts at $6,000 per year for 250 vCores in the server variant and $14,000 per year for standard support. Individual offers are made for prime support. A free version is also available.
Cybellum not only creates SBOMs but also offers the possibility to consolidate SBOMs from different sources. Cybellum maintains these SBOMs in its own SBOM library. Cybellum also provides the possibility to validate compliance with regulatory requirements for different industries (e.g., automotive, medical devices). Cybellum has no solution for license clearing or for detecting code quality issues.
An open-source solution is the OSV scanner developed by Google. It also provides its own vulnerability database, which aggregates – among other sources – GitHub Security Advisories, PyPA, RustSec and the Global Security Database. The OSV scanner focuses on vulnerabilities and does not offer support for license clearing or code quality.
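The core of what such tools do, namely matching the components of an SBOM against a vulnerability feed and a license policy, as an added example (not code from the OSV scanner or any other tool discussed here): it reads a CycloneDX-style SBOM, applies OSV-style introduced/fixed version ranges like the ones the OSV database publishes, and flags the attribution and non-commercial obligations mentioned above. All vulnerability ids, package names, versions and policy entries are constructed for the illustration.

```python
"""Added illustration of an SCA check: SBOM components vs. vulnerability feed and license policy."""
import json

# Constructed vulnerability feed in the OSV shape of introduced/fixed version events.
VULN_FEED = [
    {"id": "CONSTRUCTED-0001", "package": "log4j-core",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.15.0"}]},
    {"id": "CONSTRUCTED-0002", "package": "examplelib",
     "ranges": [{"introduced": "1.0.0", "fixed": "1.4.2"}, {"introduced": "2.0.0", "fixed": "2.0.1"}]},
]

# Constructed policy: obligations a commercial manufacturer must act on, keyed by SPDX license id.
LICENSE_POLICY = {
    "MIT": "attribution-required",
    "Apache-2.0": "attribution-required",
    "CC-BY-NC-4.0": "non-commercial-only",
}

def parse_version(v):
    """'2.14.1' -> (2, 14, 1): compare numerically, never as strings ('2.9' > '2.15' otherwise).
    Pre-release suffixes such as '2.0-beta9' are out of scope for this example."""
    return tuple(int(part) for part in v.split("."))

def is_affected(version, ranges):
    """OSV semantics: affected when version >= introduced and (no fix yet or version < fixed)."""
    v = parse_version(version)
    return any(v >= parse_version(r["introduced"])
               and ("fixed" not in r or v < parse_version(r["fixed"])) for r in ranges)

def analyse_sbom(sbom_json, feed=VULN_FEED, policy=LICENSE_POLICY):
    """Return one (name, version, kind, detail) finding per vulnerability or license obligation."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        name, version = comp["name"], comp["version"]
        for vuln in feed:
            if vuln["package"] == name and is_affected(version, vuln["ranges"]):
                findings.append((name, version, "vulnerability", vuln["id"]))
        for entry in comp.get("licenses", []):  # CycloneDX nests the id under "license"
            lic = entry.get("license", {}).get("id")
            if lic in policy:
                findings.append((name, version, "license", f"{lic}: {policy[lic]}"))
    return findings

# Constructed CycloneDX-style SBOM, reduced to the fields this check reads.
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "log4j-core", "version": "2.14.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "examplelib", "version": "1.4.2", "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "chartkit", "version": "0.9.0", "licenses": [{"license": {"id": "CC-BY-NC-4.0"}}]},
]})
```

Calling `analyse_sbom(SAMPLE_SBOM)` reports the log4j-core version as vulnerable (it sits inside the introduced/fixed window), passes examplelib because its version equals the fix version, and lists the license obligation for every component.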
Conclusion
There are many SCA tools on the market that offer different possibilities. Before starting the search for an SCA tool, you should summarize your expectations of the tool and derive requirements from them. The requirements are also necessary for the SCA tool validation, as the tool has a critical influence on your product quality.
SCA should be supported by a tool, as manual SCA is too time-consuming. Some manufacturers who have the capacity available write their own SCA tool, but the solutions available on the market are already mature.
Manufacturers should not see SCA as an overhead required by some auditors but as a method to produce safe and secure software code. Before purchasing an SCA tool, you should identify your requirements for the tool and evaluate different tools. SCA offers the benefit of improved security by identifying vulnerabilities and ensures compliance with legal requirements in safety-related industries. Another advantage is the identification of license violations, which can save a lot of money. Manufacturers can be confident that the chosen SOUPs are secure and reliable.
By Verena Wieser, Medical Device Consultant & Alastair Walker, Consultant & Owner