Introduction to Software Composition Analysis

Transcript

1. Software Composition Analysis (SCA)

2. Hello!! Application Security Analyst @Qualys I am Pratiksha Dhone

3. Software Composition Analysis is the process of automating the visibility

   into open source software use for risk management, security and license compliance. Introduction

4. Component Involve in SCA Component Analysis Common Risk Factor Content

   Tools and Technique used to conduct SCA Use of Software Bill of Material in SCA

5. Application consist of

6. Component Analysis is the process of identifying potential areas of

   risk from the use of third-party and open-source software and hardware components. Component Analysis

7. Common Risk Factors - Component Inventory - Component Age -

   Outdated Components - Known Vulnerability - Component Type - Component Function - Component Quantity - Repository Trust - Pedigree - License - Inherited Risk - Project Health

8. Use of Software Bill of Material in SCA • CPE

   Product Dictionary Version 2.3: cpe:2.3:a:pivotal_software:spring_framework:3.0.0:-:*:*:*:*:*:* • Package URL specification scheme:type/namespace/name@version?qualifiers#subpath

9. Jenkins Tools and Technique used to conduct SCA Maven/Gra dle

   Dependency Track Dependency Check IntelliJ IDEA

10. How SCA Work

11. Steps Involved in SCA

12. None
13. None
14. None
15. None
16. None
17. None
18. None
19. None
20. None

21. https://owasp.org/www-community/Component_Analysis Dependency Check: https://jeremylong.github.io/DependencyCheck/ Credits & References Dependency Track: https://dependencytrack.org/

    https://dzone.com/articles/the-benefits-of-software-composition-analysis Jenkins: https://jenkins.io/ https://www.youtube.com/watch?v=wuqk-J1aFeQ https://github.com/security-prince/MavenDependencyCheck Big thanks to Ishaq Mohammed

22. Any questions? Thanks!