Contrast SCA: Now from repo to runtime

Contrast Security now offers Software Composition Analysis (SCA) both in the code repository as well as in application runtime.

Contrast has introduced SCA into the code repository because as of our 2021 State of Open-Source Security report, 90% of modern applications rely on third-party libraries. It’s well-established that these third-party dependencies are riddled with known and latent security vulnerabilities. This security risk carries over into the applications that use these vulnerable packages.

For better or worse, there are a lot of tools that development teams can run to figure out which of the packages in their applications are vulnerable and, if so, which newer version of that package to use instead. 

Upgrading dependencies is easier said than done

It’s a lot of work — especially if an update introduces a breaking change — to make sure your application uses the very latest version of every dependency. That’s why most development teams don’t do it. Rather, they wait until there’s a good reason to upgrade, with new functionality being a primary motivator. Another good reason for a team to update is that their SCA tool is reporting a vulnerability in a package that’s present in their manifest. 

However, not every vulnerable package introduces security risk into the application. Vulnerable packages that are not actually used by the application, which is about 62% of libraries,  do not introduce significant risk into the application. Even though a vulnerable package may be declared as a dependency, it could be that none of its classes are instantiated; nor are its functions executed. In such cases, upgrading these packages offers limited security value. But the same tools that discovered which vulnerable packages are included in your projects won’t be able to determine whether that package is actually used by your application. This leads to teams losing confidence in the tool or in the team frequently asking to upgrade.

Introducing Contrast SCA in the code repo

Contrast has stepped up to solve the dilemma by offering SCA in the code repository as well as  in application runtime. Contrast SCA can not only detect vulnerabilities in packages that are declared as dependencies in code repositories; it can also determine whether those packages are actually used by the application at runtime. The former is done by analyzing project manifests, while the latter is done by leveraging agent technologies to observe whether a package’s classes were loaded into memory during application runtime.

When using Contrast in code repositories and application runtime, development teams can prioritize the upgrade of packages that actually introduce risk into their applications. This allows them to avoid wasting time upgrading packages that don’t pose significant security risk.

Contrast customers can get this visibility today. Technical leads and security engineers can install the new Contrast Security SCA GitHub App from the GitHub marketplace to quickly get visibility into all of the potential security risks from known vulnerabilities within their entire application portfolio — visibility that reaches across all their portfolios’ included packages. The analysis summary is presented as status checks in pull requests, in the GitHub Actions logs and in the Contrast web interface that summarizes the results:

Then, teams can leverage Contrast’s agents to determine which of those packages are actually used by applications and thus introduce security risk (documentation can be found here). Once the runtime analysis occurs, development teams can then confirm that a particular package needs to be upgraded by ascertaining whether it’s used by the application.

Following this approach will cut down on the potential security risks from these vulnerable packages and ensure development teams focus on writing and shipping code. In addition, security teams can be reassured that development teams are effectively mitigating true security risk, and the organization’s overall risk exposure will be significantly reduced.