
Recap: Why software composition analysis tools are not enough

by Caitlin Bixby
on October 4, 2022


Last week, Tidelift CEO and co-founder Donald Fischer explored why software composition analysis (SCA) tools alone are not enough to robustly address emerging requirements for application security, and why taking a proactive approach that incorporates not just software but also people is the best means to improving software supply chain resilience. Historically, SCA tools have been helpful in gaining insights regarding the vulnerabilities in the open source packages an organization is using, but as recent supply chain vulnerabilities, along with government and industry responses show, SCA tools alone aren’t enough.


In this webinar, Donald shares a new way to address open source resilience challenges by establishing a software and people approach. He starts by addressing the two problem areas of open source: the internal security and maintenance challenges organizations face, and the less frequently discussed external open source supply chain resilience challenges—such as maintainer burnout due to lack of compensation or support for their projects, causing inconsistencies in maintenance standards across the open source supply chain.


He goes on further to reference the Log4Shell attack in December 2021 that brought a magnifying lens to these resilience challenges as organizations went into overtime trying to put out the resulting fires. As a response to incidents like Log4Shell, government and industry leaders are calling for improved security standards to prevent future attacks. However, who is going to do the work to meet these standards? Maintainers, most of whom are unpaid volunteers, shouldn’t be asked to take on more work to meet a growing list of new standards without being fairly compensated for their time and effort.

Also in the webinar, Donald highlights the three reasons why traditional software composition analysis approaches are no longer enough. In short, SCA tools:

  1. Are fundamentally reactive, not proactive.
  2. Are too often noisy and time consuming.
  3. Often diagnose without treatment.

Tidelift goes beyond traditional SCA to provide an additional layer of "defense in depth" for application development teams through a proactive software and people powered approach to improving an organization’s software supply chain resiliency. On the software side, Tidelift helps organizations define open source standards and policies and create and maintain catalogs of pre-vetted and approved open source components. And on the people side, Tidelift partners directly with maintainers and pays them to ensure they meet enterprise standards now and into the future.

To hear more about the reasons why SCA tools aren’t enough and to hear answers to questions you may have, you can use this link to watch the webinar now.
