Continuously tracking your application’s dependencies for vulnerabilities and efficiently addressing them is no simple feat. In addition, this is a problem shared by all, and is not an area most companies would consider their core competency. Therefore, it is a great opportunity for the right set of tools to help tackle this concern.
As mentioned before, the category of tools addressing this concern is currently known as Software Composition Analysis (SCA). Throughout this book, I’ve referred to different capabilities an SCA solution may or may not have, and the implications therein. Those questions were meant to assist you in designing the right process and selecting the right tools to help.
In this brief chapter, I’d like to offer my opinions about which properties you should care about the most when choosing a tool. The SCA tooling landscape is evolving at an extremely fast pace, so I’ll avoid making statements about which tools handle each requirement well, and instead try to stick to the concepts, which will hopefully stay true over a longer period of time!
To successfully deal with open source security, you need your developers (and DevOps teams) to operate the solution. Given the fast pace of modern development, boosted in part by the use of open source itself, an outnumbered security team will never be able to keep you secure. Therefore, the SCA solution you choose ...