Jamie Scott

Founding Product Manager - Endor Labs

Jamie Scott, CISSP, CCSP, is a recovering cybersecurity practitioner turned product manager building the next generation of dependency management solutions at Endor Labs. Previously, Jamie was a Product Manager at Redis and at StackRox (acquired by Red Hat in February 2021), where he was an open source contributor and leader for both projects. Jamie remains an active contributor to the cybersecurity community as co-author of and contributor to several benchmarks, working as a volunteer consultant for the Center for Internet Security.

Presentation Abstract

The SCA Balancing Act: Understanding Tradeoffs, What to Do and Avoid

Software Composition Analysis (SCA) is among the most foundational approaches to application security: understanding the known vulnerabilities in your dependencies, together with the leading and lagging indicators of risk, is among the most widely used security controls in industry. There are three major types of SCA: runtime SCA, manifest-scanning SCA, and build/install-time SCA with or without program analysis. Each approach carries hidden costs, pros and cons. This session explores not only those hidden costs, pros and cons but also why they exist, and rounds out with effective practices, the classes of vulnerabilities each approach covers, and things to avoid with each one.

Everyone has heard that there is a panacea for managing risk with software composition analysis; you see it in marketing every day. That nirvana is a lie, but there could be a nirvana for you in your context. Any approach to vulnerability management involves a spectrum of tradeoffs, and complementary approaches are often seen as competitive because those tradeoffs are not understood. For security teams the tradeoffs are:

  1. Context about how important a given application is
  2. Context about whether the software is actually running in production
  3. The time it takes to get a fix in place (Shift Left vs. Shift Right vs. Shift All the Places)
  4. False positives and false negatives
  5. Credibility with key stakeholders
  6. Time to value

For development teams the tradeoffs are:

  1. Developer pipeline speed
  2. Triage time for the security and development teams
  3. Application performance
  4. False positives
  5. Time spent tuning tooling and solutions
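The false positive / false negative tradeoff between two of the SCA types named in the abstract can be made concrete. The following is an added example written for this page, not code from the talk or from Endor Labs. It models manifest-scanning SCA (which sees only the version ranges declared for direct dependencies) against install-time SCA (which sees the exact versions the resolver actually installed, transitives included). The advisory database, manifest and lockfile are all constructed for the illustration: the package names and advisory identifiers are made up and correspond to no real CVE, GHSA or OSV record. Runtime SCA is not modelled here. Advisory ranges follow the OSV convention that a version is affected if `introduced <= version < fixed`.

```python
"""Manifest-scanning SCA vs. install-time (lockfile) SCA on constructed data.

Added example for illustration; not the talk's or any vendor's code.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
INF: Version = (10**9,)  # sentinel upper bound for open-ended ranges

# Constructed advisories: names and IDs are made up, matching no real record.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.0"},
    {"id": "EXAMPLE-0002", "package": "otherlib", "introduced": "2.0.0", "fixed": "2.0.5"},
    {"id": "EXAMPLE-0003", "package": "transdep", "introduced": "0.1.0", "fixed": "0.4.0"},
]

# Constructed manifest: direct dependencies declared as version ranges,
# the way a requirements.txt or package.json declares them.
MANIFEST = {"examplelib": ">=1.2.0,<2.0.0", "otherlib": ">=2.0.0,<3.0.0", "thirdlib": "*"}

# Constructed lockfile: what the resolver actually installed, including the
# transitive dependency "transdep" that the manifest never mentions.
LOCK = {"examplelib": "1.4.2", "otherlib": "2.0.3", "thirdlib": "0.9.1", "transdep": "0.3.0"}


def parse_version(text: str) -> Version:
    """Parse a dotted numeric version into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def range_bounds(spec: str) -> Tuple[Version, Version]:
    """Reduce a comma-separated spec to a half-open interval [lower, upper).

    Supports the clauses >=, <, == and the wildcard "*" (enough for the example).
    """
    lower, upper = (0,), INF
    if spec.strip() == "*":
        return lower, upper
    for clause in spec.split(","):
        clause = clause.strip()
        if clause.startswith(">="):
            lower = max(lower, parse_version(clause[2:]))
        elif clause.startswith("<"):
            upper = min(upper, parse_version(clause[1:]))
        elif clause.startswith("=="):
            exact = parse_version(clause[2:])
            lower, upper = max(lower, exact), min(upper, exact + (1,))
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return lower, upper


def version_affected(version: str, adv: dict) -> bool:
    """Exact-version check: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])


def range_may_be_affected(spec: str, adv: dict) -> bool:
    """True if some version satisfying spec lies inside [introduced, fixed)."""
    lower, upper = range_bounds(spec)
    lo = max(lower, parse_version(adv["introduced"]))
    hi = min(upper, parse_version(adv["fixed"]))
    return lo < hi


def scan_manifest(manifest: Dict[str, str], advisories: List[dict]) -> Dict[str, List[str]]:
    """Manifest-scanning SCA: direct deps only, flagged if the range *could* resolve
    to an affected version. This is the source of its false positives."""
    findings: Dict[str, List[str]] = {}
    for name, spec in manifest.items():
        ids = [a["id"] for a in advisories
               if a["package"] == name and range_may_be_affected(spec, a)]
        if ids:
            findings[name] = ids
    return findings


def scan_lock(lock: Dict[str, str], advisories: List[dict]) -> Dict[str, List[str]]:
    """Install-time SCA: every resolved package, transitives included, at its exact version."""
    findings: Dict[str, List[str]] = {}
    for name, version in lock.items():
        ids = [a["id"] for a in advisories
               if a["package"] == name and version_affected(version, a)]
        if ids:
            findings[name] = ids
    return findings


def compare(manifest_findings: Dict[str, List[str]],
            lock_findings: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Classify manifest-scan findings against the lockfile as ground truth."""
    m, l = set(manifest_findings), set(lock_findings)
    return {
        "confirmed": sorted(m & l),                 # flagged by both approaches
        "manifest_false_positive": sorted(m - l),   # range overlapped, but the resolved version is fixed
        "manifest_false_negative": sorted(l - m),   # transitive, so absent from the manifest
    }


if __name__ == "__main__":
    manifest_hits = scan_manifest(MANIFEST, ADVISORIES)
    lock_hits = scan_lock(LOCK, ADVISORIES)
    print("manifest scan:", manifest_hits)
    print("lockfile scan:", lock_hits)
    print("comparison:   ", compare(manifest_hits, lock_hits))
```

On the constructed data, `examplelib` is a manifest-scan false positive (the declared range overlaps the affected range, but the resolver picked a fixed version), `otherlib` is confirmed by both, and `transdep` is a manifest-scan false negative because it only appears once the dependency tree is resolved. Both tools are "correct" for what they can see; the tradeoff is in what each one can see, and in whether you get the signal before or after resolution runs.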