
Introduction to Software Composition Analysis

Presented at the Infosecgirls Pune meetup, on software composition analysis.
https://www.infosecgirls.in/

Pratiksha Dhone

February 29, 2020

Transcript

  1. Software Composition Analysis (SCA)

  2. Hello!! I am Pratiksha Dhone, Application Security Analyst @Qualys

  3. Introduction: Software Composition Analysis is the process of automating the visibility into open source software use for risk management, security and license compliance.
  4. Content: Components Involved in SCA - Component Analysis - Common Risk Factors - Tools and Techniques used to conduct SCA - Use of Software Bill of Materials in SCA
  5. An application consists of (diagram slide)

  6. Component Analysis: Component Analysis is the process of identifying potential areas of risk from the use of third-party and open-source software and hardware components.
  7. Common Risk Factors: Component Inventory - Component Age - Outdated Components - Known Vulnerability - Component Type - Component Function - Component Quantity - Repository Trust - Pedigree - License - Inherited Risk - Project Health
  8. Use of Software Bill of Materials in SCA • CPE Product Dictionary Version 2.3: cpe:2.3:a:pivotal_software:spring_framework:3.0.0:-:*:*:*:*:*:* • Package URL specification: scheme:type/namespace/name@version?qualifiers#subpath
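The two identifier formats named on this slide, parsed into their fields so that a component inventory can be keyed the same way whether a finding arrives as a CPE or a purl. This is an added example, not code from the deck; the CPE is the one on the slide, the purl value is a constructed sample.

```python
import re
from urllib.parse import unquote

# Field names of a CPE 2.3 formatted string after the "cpe:2.3" prefix.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its eleven named fields.
    A literal ':' inside a value is escaped as '\\:' and must not split."""
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, (f.replace("\\:", ":") for f in fields[2:])))


def parse_purl(purl: str) -> dict:
    """Decompose scheme:type/namespace/name@version?qualifiers#subpath.
    Delimiters are peeled off right to left (subpath, qualifiers, version);
    the purl spec requires such characters inside names to be percent-encoded."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"a purl must start with 'pkg:': {purl!r}")
    rest = purl[len("pkg:"):]
    rest, _, subpath = rest.partition("#")      # subpath comes last
    rest, _, qualifiers = rest.partition("?")   # then the qualifier string
    version = ""
    if "@" in rest:                              # version follows the last '@'
        rest, version = rest.rsplit("@", 1)
    parts = [p for p in rest.strip("/").split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"purl needs at least type/name: {purl!r}")
    quals = dict(kv.split("=", 1) for kv in qualifiers.split("&") if "=" in kv)
    return {
        "type": parts[0].lower(),
        "namespace": "/".join(unquote(p) for p in parts[1:-1]),
        "name": unquote(parts[-1]),
        "version": unquote(version),
        "qualifiers": quals,
        "subpath": subpath,
    }


if __name__ == "__main__":
    # The CPE from slide 8, and a constructed purl for a Maven artifact.
    print(parse_cpe23("cpe:2.3:a:pivotal_software:spring_framework:3.0.0:-:*:*:*:*:*:*"))
    print(parse_purl("pkg:maven/org.springframework/spring-core@3.0.0?type=jar"))
```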
  9. Tools and Techniques used to conduct SCA: Jenkins - Maven/Gradle - Dependency Track - Dependency Check - IntelliJ IDEA
  10. How SCA Works

  11. Steps Involved in SCA

  21. Credits & References: OWASP Component Analysis: https://owasp.org/www-community/Component_Analysis - Dependency Check: https://jeremylong.github.io/DependencyCheck/ - Dependency Track: https://dependencytrack.org/ - The Benefits of Software Composition Analysis: https://dzone.com/articles/the-benefits-of-software-composition-analysis - Jenkins: https://jenkins.io/ - https://www.youtube.com/watch?v=wuqk-J1aFeQ - https://github.com/security-prince/MavenDependencyCheck - Big thanks to Ishaq Mohammed
  22. Any questions? Thanks!