Acceleration Economy
  • Home
  • Cloud Wars
  • Analyst Content
    • By Category
      • AI/Hyperautomation
      • Cloud/Cloud Wars
      • Cybersecurity
      • Data
    • By Interest
      • Leadership
      • Office of the CFO
      • Partners Ecosystem
      • Sustainability
    • By Industry
      • Financial Services
      • Healthcare
      • Manufacturing
      • Retail
    • By Type
      • Courses
        • Understanding the New Executive Buying Committee
      • Guidebooks
      • Digital Summits
      • Practitioner Roundtables
    • By Language
      • Español
  • Vendor Shortlists
    • All Vendors
    • AI/Hyperautomation
    • Cloud
    • Cybersecurity
    • Data
  • What we do
    • Advisory Services
    • Marketing Services
    • Event Services
  • Who we are
    • About Us
    • Practitioner Analysts
  • Subscribe
Twitter Instagram
  • Courses
  • Summit NA
  • Dynamics Communities
Twitter LinkedIn
Acceleration Economy
  • Home
  • Cloud Wars
  • Analyst Content
        • By Category
          • AI/Hyperautomation
          • Cloud/Cloud Wars
          • CybersecurityThe practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks.
          • Data
        • By Interest
          • Leadership
          • Office of the CFO
          • Partners Ecosystem
          • Sustainability
        • By Industry
          • Financial Services
          • Healthcare
          • Manufacturing
          • Retail
        • By Type
          • Courses
            • Understanding the New Executive Buying Committee
          • Guidebooks
          • Digital Summits
          • Practitioner Roundtables
        • By Language
          • Español
  • Vendor Shortlists
    • All Vendors
    • AI/Hyperautomation
    • Cloud
    • Cybersecurity
    • Data
  • What we do
    • Advisory Services
    • Marketing Services
    • Event Services
  • Who we are
    • About Us
    • Practitioner Analysts
  • Subscribe
    • Login / Register
Acceleration Economy
    • Login / Register
Home » Why and How Software Composition Analysis Tools Enable DevSecOps
Cybersecurity as a Business Enabler

Why and How Software Composition Analysis Tools Enable DevSecOps

John SiefertBy John SiefertJanuary 19, 2023Updated:April 13, 20235 Mins Read
Facebook Twitter LinkedIn Email
To adjust the volume hover the cursor over the volume bar
Share
Facebook Twitter LinkedIn Email
Acceleration Economy Cybersecurity

In this Cybersecurity special report, John Siefert is joined by Acceleration Economy analysts and CISOs Frank Domizio, Rob Wood, and Chris Hughes. They discuss software composition analysis (SCA), what it means and why it matters. Additionally, they give insights into how SCA works, the use of automation, and how SCA gives an understanding of potential threats and vulnerabilities. Finally, they offer advice on how CISOs can approach SCA strategies with executive teams and board members.

Highlights

00:08 — John, Frank, Rob, and Chris discuss software composition analysis (SCA). Frank recently published a Cybersecurity Minute on the topic — John asks Frank to break down the concept and explain why it matters.

01:00 — Software composition analysis provides a look into the code that organizations run to understand potential threats and vulnerabilities. As code is being built, there are “libraries” that contain various functions in the code. Frank says this can get complex very quickly. Often, third parties are called in to write, build, or change code — software composition analysis helps make sense of any changes to code created by a third party.

02:29 — How much of this process is automated versus manual? “The move is to automation,” says Frank, since a manual process — which would take many humans at a full-time pace — can quickly get complex.

03:13 — Chris has published several reports on the software bill of materials (SBOM). John notes the similarities between SBOM and SCA, then asks Chris to provide more context.

03:36 — Chris agrees that SCA is valuable for teams to understand that most of the code written in modern applications is coming from a third party — using up to 75% of open-source software components. SBOM builds on top of the concept of SCA and allows organizations to see what third parties are using, make informed decisions, and communicate that information to a third party. Essentially, SBOM is a way to convey to software consumers what components are in the software, the existing risks, and considerations to make when engaging with the software.

04:29 — As a CEO, John can recount being on general availability (GA) deadlines for software that is being developed inside organizations. He asks Rob if applying SCA tools slow down the process of meeting such deadlines.

04:53 — Rob doesn’t think so — the push to give software developers feedback on the potential risks of what they’re building will make it faster and cheaper to remediate. If SCA is applied in the later stages of software development, more problems will arise. However, if software composition analysis is applied as soon as the software is built, it will be easier to address any issues that come into play.

06:47 — John confirms that applying SCA tools and managing them from the start of a development project could accelerate the process of meeting deadlines. When SCA tools are applied during the later stages of development, it could slow teams down because they are presented with potential threats and vulnerabilities they hadn’t caught before.

07:17 — Rob equates security debt — insecure configurations, insecure code patterns — to financial debt. All debt has to be repaid. Starting early and with a plan puts an individual in a much better position to start repaying that debt.

08:40 — In mid-market and enterprise companies as well as the public sector, there has been a pattern of budget tightening. How can CISOs approach SCA strategies with executive teams and board members?

09:18 — At some point, organizations will have to start addressing technical debt. Shortened software lifecycles suggest that organizations will catch software issues and threats later on. Software supply chain attacks are an area that is being focused on by malicious actors. Making strategic investments in tools and understanding the open-source software consumption footprint will put companies in a better position for securing their software, suggests Chris.

10:07 — Frank notes that “developers should be developing, security people should be doing security.” Having SCA tools extrapolates developers from having to handle security issues, allowing them to focus on writing good code with tools from which they receive valuable information. By implementing SCA tools, developers can focus on writing code and leave the security vulnerabilities to the security teams.

11:25 — John wonders if SCA tools help tighten the link between software developers and CISOs.

11:25 — Rob agrees; there have been movements from DevSecOps and DevOps that are developer-centric and security teams are starting to recognize the value of a product developer. The bridge between these two roles is strengthening due to the fast feedback loop that has been created as a result of the last 20 years of learning.

13:53 — John asks Chris to describe the security approaches of the Cybersecurity Top 10 companies. Developers including Endor Labs and Snyk “play exactly in the space” which allows developers to focus on their core competencies. These vendors alleviate the “cognitive burden” associated with security.

15:57 — Rob feels that SCA solutions are relevant and necessary for cybersecurity teams and agrees that the Top 10 companies have focused solutions that target particular parts of software supply chain risks. There is no “one size fits all” security solution — the context of the problem that is being addressed really matters.

19:07 — Frank agrees that organizations must identify their core needs and then go after the tools that will address those needs. Certain tools are more appropriate for an organization’s specific requirements. So, before diving in, it is important to identify the issues that need addressing.

20:06 — Everyone’s needs are different. Organizations should look to align their business strategy with the execution of new tools. Implementing software composition analysis tools earlier, rather than later, will better position companies to combat any issues that arise.


Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel:

Acceleration Economy Cybersecurity

automation CISO Cybersecurity Open-Source Software Practitioner Roundtables Risk Management software software development software solution supply chain
Share. Facebook Twitter LinkedIn Email
Co-Founderuser

John Siefert

Co-Founder
Acceleration Economy

Areas of Expertise
  • Cloud
  • Digital Business
  • LinkedIn

John Siefert is the CEO of Dynamic Communities and Co-Founder of the Acceleration Economy Network, where he leads the strategic direction, business, and community-based focus of the organization by collaborating with colleagues, customers, partners, and friends. Prior to DCI, Siefert has worked in multiple leadership positions, including President roles at Questex and Informa, SVP at UBM, CMO at STYR Labs, and CEO at Virgo, LLC. Siefert’s passion for creating unique content, community, and event-based programming has helped to build some of the largest media brands in the B2B space serving the business technology and health/nutrition categories. In his personal life, Siefert is a father of two, married to the love of his life, and digs beaches, barbecues, boats, astrophysics, and road-tripping.

  Contact John Siefert ...

Related Posts

How the Rise of Deepfakes and New Technology Challenge Traditional Cybersecurity

June 2, 2023

How UiPath, Peraton Partner To Deliver Automation Benefits To Government Customers

June 2, 2023

How Workday’s Strategic Planning Platform Streamlines Corporate Finance Operations 

Sponsored ContentJune 1, 2023

How CFOs Can Ensure the Success of Finance Transformation Projects

June 1, 2023
Add A Comment

Comments are closed.

Recent Posts
  • Women in AI Empowers Minority Groups Through Events, Education
  • How the Rise of Deepfakes and New Technology Challenge Traditional Cybersecurity
  • How to Make AI Explainable and Unlock Synergy With Humans
  • How Microsoft Executed an Epic Pivot: Embracing OpenAI Alongside Internal Dev
  • How Vanenburg’s Innovation Focus Eases Application Development for Customers

  • 3X a week
  • Analyst Videos, Articles & Playlists
  • Exclusive Digital Business Content
This field is for validation purposes and should be left unchanged.
Most Popular Guidebooks

The Ethical and Workforce Impacts of Generative AI

May 26, 2023

Co-Creation and Growth With Professional Services

May 24, 2023

The Business Impact and Opportunity of Generative AI

May 16, 2023

Healthcare Industry Clouds

May 10, 2023

Advertisement
Acceleration Economy
Twitter LinkedIn
  • Home
  • About Us
  • Privacy Policy
  • Get In Touch
  • Advertising Opportunities
  • Do not sell my information
© 2023 Acceleration Economy.

Type above and press Enter to search. Press Esc to cancel.

  • Login
Forgot Password?

Connect with

Login with Google Login with Windowslive

Lost your password? Please enter your username or email address. You will receive a link to create a new password via email.