What is SCA/Component Scanning?
Published on: 2019-10-15
If you're new to security scans, or you've heard mostly about DAST/Active and SAST/Code scans, you may not know what SCA/Component scanning is, or why you need it. If this is you, read on!
How SCA scanners work
At this point, the vast majority of new software written contains several, if not a couple dozen, references to other software libraries, whether open source or otherwise. These libraries have vulnerabilities just like any other software package, and with constant updates it is difficult to know when upgrades are needed vs. merely available.
SCA tools are designed to help with this. There are several organizations that have compiled a list of vulnerable software, such as the National Vulnerability Database and the OSS Index from Sonatype. SCA tools check your list of components against databases such as these looking for matches. Depending on the scanner, you may either get a pass/fail for an individual vulnerability or a score and severity ranking.
It is important to point out that typical SCA scanners do NOT try to evaluate the code of your components. This matters because if you are using a little-known library, its vulnerabilities might never be reported to the database, and therefore would not appear in scan results. But SCA tools can be quite helpful in tracking which versions of your commonly-used software libraries need upgrades because of security concerns.
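To make the matching described above concrete, here is an added example (not a real SCA tool or any vendor's code) that compares a requirements-style manifest against a constructed advisory list. The component names and advisory ids are fictitious placeholders; the point is the name-plus-version-range match, the numeric version comparison, and the fact that a library with no advisory data produces no finding at all.

```python
def parse_version(s):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.strip().split("."))

def parse_manifest(text):
    """Read 'name==version' lines (requirements.txt style); skip blanks and comments."""
    comps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, ver = line.partition("==")
        comps.append((name.strip().lower(), parse_version(ver)))
    return comps

# Constructed advisory records (placeholder ids, fictitious component names).
# Each gives the affected version range and the first fixed release.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "name": "widgetlib", "introduced": (1, 0, 0),
     "fixed": (1, 4, 2), "severity": "high"},
    {"id": "ADV-EXAMPLE-2", "name": "widgetlib", "introduced": (2, 0, 0),
     "fixed": (2, 1, 0), "severity": "medium"},
    {"id": "ADV-EXAMPLE-3", "name": "parselib", "introduced": (0, 9, 0),
     "fixed": (3, 0, 0), "severity": "critical"},
]

def scan(components, advisories):
    """Return (findings, unknown). A finding means an upgrade is needed; an
    'unknown' component has no advisory data at all, which is not the same as safe."""
    known = {a["name"] for a in advisories}
    findings, unknown = [], []
    for name, ver in components:
        if name not in known:
            unknown.append(name)
            continue
        for a in advisories:
            if a["name"] == name and a["introduced"] <= ver < a["fixed"]:
                findings.append({"component": name, "version": ver, "id": a["id"],
                                 "severity": a["severity"], "upgrade_to": a["fixed"]})
    return findings, unknown

SAMPLE_MANIFEST = """# constructed sample manifest
widgetlib==1.3.5
parselib==2.5.0
obscurelib==0.2.0   # little-known library: no advisory data exists for it
"""

if __name__ == "__main__":
    found, unknown = scan(parse_manifest(SAMPLE_MANIFEST), ADVISORIES)
    for f in found:
        print(f"{f['severity'].upper():8} {f['component']} {f['id']} -> upgrade to "
              + ".".join(map(str, f["upgrade_to"])))
    print("no advisory data for:", unknown)
```

Note that a string comparison would wrongly treat "1.10.0" as older than "1.4.2"; the tuple comparison avoids that false finding.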
What SCA scanners don't do
One question I get frequently is: "if the vulnerability is in functionality I don't use, do I still need to upgrade?" My answer is "yes", for two reasons:
- You never know when an attacker might be able to use a vulnerability in an unrelated part of a component against you.
- If a vulnerability shows up in that component in a feature you do use, it is unlikely that you will notice.