The security of your business depends not just on your code but on the entire supply chain, which includes third-party components. The more third-party components you use, the more likely it is that a vulnerability in your web application will be a result of third-party code, not your programming.

The days of software such as Daniel J. Bernstein’s qmail are long over. When Bernstein, a brilliant mathematician, built his popular email server in 1995, he wrote everything from scratch – every single function. He did not use any third-party code at all. This was Bernstein’s ingenious approach to security, which worked very well – qmail was found not to have any security vulnerabilities for a very long time.

Such an approach would be impossible today because it would take you a hundred times longer to write your web application from scratch. Just imagine your front-end developers being stuck without Angular or jQuery and back-end developers having to manually write all functions to access databases.

On the one hand, you have no guarantee that the third-party code that you decide to use is secure. New vulnerabilities in open-source components appear every day, which means you have to constantly watch every component. On the other hand, it takes a lot of time and effort to manually track the available security updates for every component and know when a component upgrade is necessary.

This is why you need software composition analysis (SCA).

Traditional software composition analysis

The concept of software composition analysis is not new and software built specifically for that purpose has been around for a long time. However, such software has always been static, just like SAST tools.

The way that SCA tools work is very simple. They usually interface with software package managers, which are what current development environments use to import components. They check all the software packages that are imported and compare that information against existing vulnerability databases. For example, they can identify that your package manager imports jQuery 2.2.4, and then find CVE-2015-9251, which states that versions of jQuery before 3.0.0 are vulnerable to cross-site scripting (XSS).
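The version-range check at the heart of this workflow, as an added example that is not Acunetix code: it reads resolved component versions from a constructed npm-style lockfile and matches them against a constructed advisory list holding only the CVE-2015-9251 entry cited above (the advisory record format is an assumption).

```python
"""Minimal SCA-style check: installed component versions vs. a vulnerability feed."""
import json

# Constructed advisory feed. The single entry mirrors CVE-2015-9251 as cited in
# the text (jQuery before 3.0.0, XSS); the field layout is an assumption.
ADVISORIES = [
    {"package": "jquery", "cve": "CVE-2015-9251",
     "affected_below": "3.0.0", "issue": "cross-site scripting (XSS)"},
]

# Constructed lockfile excerpt (npm package-lock.json v1 layout). A lockfile is
# used on purpose: it holds the versions actually installed, whereas a manifest
# entry such as "^2.2.4" is only a range and says nothing definite.
LOCKFILE = json.dumps({
    "dependencies": {
        "jquery": {"version": "2.2.4"},
        "angular": {"version": "1.8.3"},
    }
})


def parse_version(v):
    """Turn '2.2.4' into a comparable tuple.

    A pre-release such as '3.0.0-rc1' sorts below its final release, as in
    semver, so it still counts as 'before 3.0.0'.
    """
    core, _, pre = v.partition("-")
    return tuple(int(p) for p in core.split(".")) + ((0,) if pre else (1,))


def installed_components(lock_json):
    """Return {name: resolved version} for every package in the lockfile."""
    data = json.loads(lock_json)
    return {name: info["version"] for name, info in data["dependencies"].items()}


def vulnerable_components(components, advisories=ADVISORIES):
    """List every installed component whose version falls inside an advisory range."""
    findings = []
    for name, version in components.items():
        for adv in advisories:
            if adv["package"] == name and \
                    parse_version(version) < parse_version(adv["affected_below"]):
                findings.append({"package": name, "version": version,
                                 "cve": adv["cve"], "fix": adv["affected_below"]})
    return findings


if __name__ == "__main__":
    for f in vulnerable_components(installed_components(LOCKFILE)):
        print(f"{f['package']}@{f['version']}: {f['cve']} (upgrade to >= {f['fix']})")
```

Real SCA tools also walk transitive dependencies and consult a continuously updated feed; this block shows only the matching step for direct dependencies.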

Dynamic software composition analysis

A dynamic approach to SCA is a new concept introduced by Acunetix, which combines the capabilities of IAST and SCA. AcuSensor, the Acunetix IAST module, has access to information about installed software packages. Therefore, it can immediately identify all the components that you use for your web application.

Once AcuSensor identifies the components, it checks whether they are secure using the industry-standard NVD (National Vulnerability Database), extended by our team of experts to include other known vulnerabilities. As a result, your vulnerability scan includes information not just about vulnerabilities but also about vulnerable components.

What you get with dynamic SCA

SCA will not help you find more existing vulnerabilities but it will protect you against them in the future. With SCA, you can discover vulnerable components even if you don’t use their vulnerable functions yet. This way, you can avoid the problem before it even happens and upgrade the vulnerable component to a safe version before you even introduce a vulnerability. This saves you time and eliminates the risk of exposing a vulnerable function in the production environment.

The biggest benefit of using Acunetix SCA is that you don’t need any additional software or integrations, and your security team doesn’t have to run any extra scans or read any extra reports – SCA information is included in your regular Acunetix+AcuSensor scan. This saves you both time and money. You get a leading-edge SCA tool as part of your DAST+IAST.

THE AUTHOR
Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.