What is SCA and why you need it | Acunetix
Traditional software composition analysis
The concept of software composition analysis is not new, and software built specifically for that purpose has been around for a long time. However, such software has always been static, just like SAST tools.
The way SCA tools work is simple. They usually interface with software package managers, which are what current development environments use to import components. They enumerate every package that is imported and compare that list (component name and version) against existing vulnerability databases. For example, they can identify that your package manager imports jQuery 2.2.4 and then find CVE-2015-9251, which states that versions of jQuery before 3.0.0 are vulnerable to cross-site scripting (XSS).
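The matching step described above, reduced to its essentials as an added example (not Acunetix code): a constructed npm-style manifest is compared against a small advisory list modelled on NVD entries. The jQuery entry uses the real CVE-2015-9251 range from the article; the `examplelib` package and its `EXAMPLE-0000` advisory are constructed placeholders.

```python
import json
import re

# Constructed advisory feed modelled on NVD entries. CVE-2015-9251 and its
# "before 3.0.0" range are the real jQuery advisory cited in the article;
# the second entry is a constructed placeholder for a fictional package.
ADVISORIES = [
    {"package": "jquery", "affected": "<3.0.0", "id": "CVE-2015-9251",
     "summary": "cross-site scripting (XSS)"},
    {"package": "examplelib", "affected": ">=1.0.0,<1.4.0", "id": "EXAMPLE-0000",
     "summary": "constructed placeholder advisory"},
]

# Constructed npm-style manifest. A real tool would read the lockfile's resolved
# versions; here the numeric core of each pin is treated as the installed version.
MANIFEST = json.dumps({"dependencies": {
    "jquery": "2.2.4", "examplelib": "^1.2.0", "lodash": "4.17.21"}})

def parse_version(text):
    """'^1.2.0' -> (1, 2, 0): strip pin prefixes, keep the numeric core."""
    core = re.match(r"[\^~=v\s]*(\d+(?:\.\d+)*)", text).group(1)
    return tuple(int(p) for p in core.split("."))

def compare(a, b):
    """Three-way compare after zero-padding to equal length, so 3.0 == 3.0.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
       ">=": lambda c: c >= 0, "==": lambda c: c == 0}

def is_affected(version, spec):
    """spec is a comma-separated conjunction of clauses such as '>=1.0.0,<1.4.0'."""
    for clause in spec.split(","):
        op, bound = re.match(r"(<=|>=|==|<|>)(.+)", clause.strip()).groups()
        if not OPS[op](compare(parse_version(version), parse_version(bound))):
            return False
    return True

def scan(manifest_json, advisories=ADVISORIES):
    """Return one finding per (component, advisory) match, like an SCA report."""
    deps = json.loads(manifest_json).get("dependencies", {})
    return [{"package": name, "version": spec, "id": adv["id"], "summary": adv["summary"]}
            for name, spec in deps.items()
            for adv in advisories
            if adv["package"] == name.lower() and is_affected(spec, adv["affected"])]

if __name__ == "__main__":
    for f in scan(MANIFEST):
        print(f"{f['package']} {f['version']}: {f['id']} ({f['summary']})")
```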
Dynamic software composition analysis
A dynamic approach to SCA is a new concept introduced by Acunetix, which involves combining the capabilities of IAST and SCA together. AcuSensor, the Acunetix IAST module, has access to information about installed software packages. Therefore, it can immediately identify all the components that you use for your web application.
Once AcuSensor identifies the components, it checks whether they are secure using the industry-standard National Vulnerability Database (NVD), extended by our team of experts to include other known vulnerabilities. As a result, your vulnerability scan includes information not just about vulnerabilities but also about vulnerable components.
What you get with dynamic SCA
SCA will not help you find more of the vulnerabilities that already exist in your application, but it will protect you against future ones. With SCA, you can discover vulnerable components even if you don't use their vulnerable functions yet. This way, you can avoid the problem before it happens and upgrade the vulnerable component to a safe version before you introduce a vulnerability. This saves you time and eliminates the risk of exposing a vulnerable function in the production environment.
The biggest benefit of using Acunetix SCA is that you don't need any additional software or integrations, and your security team doesn't have to run any extra scans or read any extra reports: SCA information is included in your regular Acunetix+AcuSensor scan. This saves you both time and money. You get a leading-edge SCA tool as part of your DAST+IAST.