What is SCA? | Fluid Attacks Help

What is SCA?

Software composition analysis (SCA) is a security technique that automatically identifies third-party dependencies or libraries used by an application and evaluates their security. Therefore, the importance of SCA scans is mainly the following:

  1. Vulnerability detection: SCA tools cross-reference your software's components against extensive vulnerability databases, like the National Vulnerability Database (NVD), to uncover known security flaws. Paired with static application security testing, these vulnerability scanning techniques can identify reachable vulnerabilities, i.e., instances where the dependency's insecure function, method or element is effectively used by the software product under evaluation.
  2. Software bill of materials (SBOM) generation: SCA tools can automatically generate a comprehensive SBOM, providing a detailed, standardized, record of all components and their origins. This is crucial for supply chain risk management and compliance with software development best practices.

Fluid Attacks' SCA scans test whether the application complies with the following security requirements:

  1. 048. Components with minimal dependencies
  2. 262. Verify third-party components

Fluid Attacks' scanner uses authoritative sources to obtain CVEs from reported security advisories so that it can report their existence in the applications under assessment. A list of these sources is available on the Vulnerability signature update page. Our multi-source approach ensures that Fluid Attacks' AppSec tool is up to date with the latest vulnerability information, providing you with accurate and comprehensive security assessments.

More specifically, we update our database every four hours with the information recorded in the listed sources. We identify new CVEs and the affected packages, filter our customers' groups that contain those packages, and queue timely software composition analyses for those groups.
Warning
Fluid Attacks does not evaluate third-party software components copied and pasted into the client's repository. This is a bad development practice that we report as "Non-upgradable dependencies" (no dependency manager is being used). We perform SCA on the files where the client declares dependencies and from there we can determine if vulnerabilities are present and if they are reachable on a case-by-case basis. It is necessary to reiterate that our scope of evaluation is limited to the software developed by the client.
To learn more about Fluid Attacks' SCA capabilities, refer to the following resources in this Knowledge Base:
  1. Supported package managers, languages and files in SCA: See the comprehensive list of supported technology for this technique.
  2. Configure the tests by the standalone scanner: Perform SCA, among other techniques, with Fluid Attacks' free and open-source command-line interface (CLI) tool.
  3. Sign up to Fluid Attacks: Start the free trial of Fluid Attacks' SCA and other automated techniques, in which the scanner is configured for you to continuously monitor your system's security as you develop, and Fluid Attacks provides you with reports, analytics, and remediation suggestions on its platform.
  4. Find reachable dependency vulnerabilities: Learn to view in the platform what open-source software vulnerabilities are actually used by your application's code, ensuring you focus on real threats.
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.