Jamie Scott

The SCA Balancing Act: Understanding Tradeoffs, What to Do and Avoid

Software Composition Analysis (SCA) is among the most foundational approaches to application security. Understanding the known vulnerabilities, leading and lagging indicators of risk are among the most widely leveraged security controls in industry. There are three major types of SCA: Runtime SCA, Manifest scanning SCA and Build/Install-time SCA with and without program analysis. Each approach comes with hidden costs and pros and cons along the way. This session will explore not only the hidden costs, pros and cons but explain why they exist. We will round out with effective practices, classes of vulnerabilities that are covered and things to avoid with each approach. Everyone has heard that there is a panacea for managing risk in software composition analysis. You see this in marketing every day. This nirvana is a lie. But there could be a nirvana for you in your context. With any approach to vulnerability management there are a spectrum of trade offs that exist. Often complementary approaches are seen as competitive because of a lack of understanding. For security teams these trade offs are:

1. Context specific about the importance of an application
2. Context specific about if software is in production
3. The time it takes to address a fix (Shift Left vs Shift Right vs Shift All the Places)
4. False positives and false negatives
5. Credibility with key stakeholders
6. Time to value

For development teams these trade offs are:

1. Developer pipeline speed
2. Security and development team triage time
3. Application performance
4. False positives
5. Time spent tuning tooling and solutions