With headline-grabbing vulnerabilities such as Log4Shell drawing attention to the risks presented by open-source components, organizations increasingly need application security programs that address this risk. Invicti Security announced its software composition analysis offering, purpose-built to support companies in tracking, scanning, and securing the open-source components within their applications.
With every company now a software company, developers are under more pressure than ever to rapidly release innovative features and functionality that help them maintain speed to market. Because of this, usage of open-source components has soared over the past half-decade. According to ESG, 80% of organizations report that more than a quarter of their codebases are dependent on open source.
However, according to the same research from ESG, less than half of organizations (48%) have specific security controls to scan for open-source vulnerabilities. Because open-source software has a distributed development model, it can inadvertently introduce significant vulnerabilities that in-house teams may miss.
Invicti SCA was developed to help teams mitigate open-source risks without impeding their pace of innovation. It does so by:
- Detecting all open-source components and where they are in use across the entire application portfolio
- Providing remediation guidance when a vulnerability is identified and identifying the most up-to-date version of the software to prevent vulnerabilities from being introduced into production
- Blending DAST + IAST and SCA, test coverage is maximized in a single scan, enabling comprehensive analysis of the application’s security risk posture in a single pane of glass.
Invicti is the only company that offers DAST, IAST and SCA testing in one scan and provides consolidated results. With a shortage of security skills and the need to rapidly release new functionality, customers can integrate the Invicti platform into their CI/CD pipeline, ticketing systems, and other development tools once and get a comprehensive view of their application security risk before it goes into production.
“Open-source components have changed the game for software development and power many of the consumer and enterprise applications we rely on today,” said Invicti Chief Product Officer Sonali Shah. “Thanks to their growing ubiquity, they have also become increasingly attractive targets for threat actors. We’ve introduced SCA to the Invicti platform to help modern DevSecOps teams secure open-source software at the speed of innovation.”
Invicti SCA is now generally available for PHP, Node.js, Java, and .NET applications.