News and Notes from the Makers of Nexus | Sonatype Blog

Real talk: What users really look for in a software composition analysis (SCA) solution

Written by Alyssa Shames | May 12, 2020

A few weeks ago, we wrote about the differences in SCA and SAST tools. While you can't really compare the two, for most organizations, software composition analysis (SCA) is likely the best place to start. We also mentioned if you do choose to invest in SCA, you should select a best-of-breed offering that provides end-to-end coverage and a holistic view into the impact of open source risk on your organization.

But what makes a solution best-of-breed? Today, we'll review a few requirements that you should demand from your SCA tool based on real user reviews from IT Central Station. As a baseline, your SCA solution should provide visibility through a software bill of materials and continuous monitoring, including the ability to scan production apps or apps no longer going through development, but there's much more that makes an SCA tool the go-to-choice for DevSecOps teams.

Flexible policy enforcement

Every SCA solution should provide visibility and continuous monitoring, at a minimum. But what does that awareness provide if there is no way to take action against it? Your SCA solution should also offer policy management capabilities that ensure automated and granular policy enforcement and have the flexibility to be different at various SDLC stages. This includes failing builds or blocking a release when policies are violated, based on application type, stage, and organizational structure. Integrating this throughout the SDLC will help speed innovation and enforce secure coding practices.

According to a real user on IT Central Station:

"[Nexus Lifecycle] can even grandfather certain components, because in a real world scenario we cannot always take the time to go and update something because it's not backward compatible. Having these features make it a lot easier to use and more practical. It allows us to apply the security, without having an all or nothing approach."

Precise and accurate data + extensive research

It's important to find an SCA vendor that uses both proprietary and public data. This data should also be further reviewed by researchers, professionally curated with proprietary intelligence, providing insight beyond public databases like NVD and VulnDB. Finding a vendor with proprietary data is key, as they often identify issues faster than public databases, ultimately decreasing mean time to resolution, and find more vulnerabilities faster (before they might be declared publicly).

Precise data also includes remediation guidance so you can actually mitigate the issue and get fixing. These remediation steps include advice like configuration changes, component upgrade details, and code change requirements.

"The data quality is really good. Some of the best in the industry as far as that is concerned."

Low false positives

False positives waste time and lead to user burnout, requiring you to spend extra time reviewing data and fixing issues downstream. Similarly, be wary of solutions with false negatives, which allow security and licensing problems into the code. Ultimately, SCA solutions need to be as precise as possible (through high quality data) so they are not prone to excessive false positives and false negatives.

"The reason we picked [Nexus] Lifecycle over the other products is, while the other products were flagging stuff too, they were flagging things that were incorrect. Nexus has low false-positive results, which give us a high confidence factor, which is something we like about it."

Integrations with other systems

An effective SCA solution must integrate with other DevOps tooling, during builds and CI/CD. SCA should be embedded in existing DevSecOps processes to enforce open source policies at various stages while not slowing down the release process. Gone are the days of scanning an app right before it goes into production and then passing issues back over the fence to developers. If integrated throughout the SDLC in the tools that you are already using, you can release apps to market faster while ensuring they are free of security and license risk.

"The solution also integrated well with our existing DevOps tool. That was of critical importance to us. We built it directly into our continuous integration cycles and that's allowed us to catch things at build time, as well as stop vulnerabilities from moving downstream."

Enhanced developer productivity

Similar to the last point, SCA tools should make a developer's life easier, not harder. A good solution will ultimately reduce the time it takes to release secure applications to market. Integrations to developer IDEs and source repos like GitHub and Bitbucket minimize manual re-work later in the SDLC and enable developers to select the best open source component from the start. Security practices are shifting left. SCA solutions must be frictionless for developers to help organizations realize the benefits.

"We are saving five to ten percent in developer productivity."

Open source is crucial to modern development teams trying to out-innovate their competition, so finding a solution that can govern inherent open source risk is essential. According to real users of Sonatype Lifecycle, the right SCA solution will take a holistic approach to mitigating that risk, providing a seamless platform for security, development, and architecture teams. The Sonatype Platform, powered by our precise Sonatype Intelligence, offers end-to-end visibility and policy enforcement throughout the entire software supply chain.

If you would like to learn more about SCA vendor requirements from real users, download this new report from IT Central Station and InfoWorld, Top 10 Considerations When Selecting a Software Composition Analysis (SCA) Solution.