I've been rabbit-holing into Supply Chain Security over the last couple of months. After speaking to tens of security leaders and trying almost all existing products on the market, I'm convinced that the tools haven't evolved much since the early movers in the space — most of the fast-followers are largely trying to play catch-up.
Why do most Software Composition Analysis (SCA) tools suck, for lack of a better word? Here's what I've found:
- Shift-left Kool-Aid: It's true that you want to catch security vulnerabilities early in the lifecycle. But the goal is automation, not just redistribution of tasks onto developers. Your SCA tool lets developers detect new vulnerabilities and even suggests which version to upgrade to, but it gives no information to support that decision: whether the fix is a patch release or a major version bump, what changes between the two, or whether another dependency pins you to the vulnerable version. Ask any developer and they'll tell you upgrades aren't that easy.
- Lack of context: Raw vulnerability data isn't enough. The realistic impact of a CVE goes beyond its CVSS and EPSS scores; it depends on the application, the environment it runs in, the data it processes, and whether the vulnerable code path is even reachable from your code. Most SCA tools don't provide this context and leave it to the security team to work out. This is how you end up with hundreds of vulnerabilities in your backlog, most of which don't matter in your deployment.
- No baseline analysis: Most SCA tools don't compare a pull request's dependencies against the baseline of the target branch. This means you can't tell whether a vulnerability was introduced by the change or was already there. Breaking CI on every commit for pre-existing findings is how you make developers hate security.
- One-size-fits-all remediation: "Upgrade to the latest version" is a lazy way to remediate vulnerabilities. It isn't always possible (the latest release may be a major version with breaking changes), and it isn't always the best option when a patch release fixes the issue with far less churn. In my research, almost no SCA tools show you alternative remediation strategies, or even the impact of each strategy.
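Here is what the baseline comparison and the remediation choice described above look like in code. This is an added example, not DeepSource's tooling or any product's code: the vulnerability database, registry versions, lockfile snapshots and identifiers (`pkg-a`, `VULN-0001` and so on) are constructed placeholders, and the affected ranges use a simple "introduced, fixed" interval rather than a real advisory format.

```python
"""Baseline-aware SCA gating with two remediation strategies per finding.

Added example (not DeepSource's code). All packages, versions and
vulnerability ids below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)


def parse_version(v: str) -> tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, vuln: Vuln) -> bool:
    """True when `version` lies in [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(vuln.introduced) <= v < parse_version(vuln.fixed)


# Constructed vulnerability database (placeholder ids, not real advisories).
VULN_DB = [
    Vuln("VULN-0001", "pkg-a", "1.0.0", "1.4.2"),
    Vuln("VULN-0002", "pkg-b", "2.0.0", "3.0.0"),
    Vuln("VULN-0003", "pkg-c", "0.1.0", "0.1.5"),
]

# Constructed registry snapshot: every published version per package.
REGISTRY = {
    "pkg-a": ["1.3.0", "1.4.1", "1.4.2", "1.5.0", "2.0.0"],
    "pkg-b": ["2.4.0", "2.9.1", "3.0.0", "3.1.0"],
    "pkg-c": ["0.1.4", "0.1.5", "0.2.0"],
}

# Constructed lockfile snapshots: target branch (baseline) vs. the PR.
BASE_LOCK = {"pkg-a": "1.3.0", "pkg-b": "2.4.0"}
PR_LOCK = {"pkg-a": "1.3.0", "pkg-b": "2.9.1", "pkg-c": "0.1.4"}


def findings(lock: dict[str, str], db=VULN_DB) -> set[tuple[str, str, str]]:
    """All (package, version, vuln_id) triples present in one lockfile."""
    return {
        (v.package, lock[v.package], v.vuln_id)
        for v in db
        if v.package in lock and is_affected(lock[v.package], v)
    }


def new_findings(base_lock, pr_lock, db=VULN_DB) -> set[tuple[str, str, str]]:
    """Findings the PR introduces: present in the PR, absent from the baseline.

    Matching is on (package, vuln_id), not on version, so a bump that stays
    inside the affected range is reported as pre-existing rather than new.
    """
    base_keys = {(pkg, vid) for pkg, _, vid in findings(base_lock, db)}
    return {f for f in findings(pr_lock, db) if (f[0], f[2]) not in base_keys}


def remediation_options(package: str, current: str, db=VULN_DB, registry=REGISTRY):
    """Two strategies: the smallest version clearing every known vuln for the
    package (least churn) and the latest published version. Each is tagged
    with whether it crosses a major version, where breaking changes usually live.
    Returns None when no published version fixes the package."""
    vulns = [v for v in db if v.package == package]
    candidates = sorted(
        (r for r in registry[package]
         if parse_version(r) > parse_version(current)
         and not any(is_affected(r, v) for v in vulns)),
        key=parse_version,
    )
    if not candidates:
        return None
    cur_major = parse_version(current)[0]

    def describe(v: str) -> dict:
        return {"version": v, "major_bump": parse_version(v)[0] != cur_major}

    return {"minimal": describe(candidates[0]), "latest": describe(candidates[-1])}


def ci_gate(base_lock, pr_lock) -> dict:
    """Fail only on findings the PR introduced; list the rest as pre-existing."""
    new = new_findings(base_lock, pr_lock)
    preexisting = findings(pr_lock) - new
    return {
        "fail": bool(new),
        "new": sorted(new),
        "preexisting": sorted(preexisting),
        "options": {pkg: remediation_options(pkg, ver) for pkg, ver, _ in new},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(ci_gate(BASE_LOCK, PR_LOCK), indent=2))
```

Run as is, the gate fails only for `pkg-c`, which the PR added; `pkg-b` moved from 2.4.0 to 2.9.1 but stays inside the affected range, so it is reported as pre-existing instead of breaking the build. For `pkg-a`, the two strategies diverge: the minimal fix is 1.4.2 with no major bump, while "latest" is 2.0.0 and crosses a major version.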
At DeepSource, we think this is a valuable problem to solve. Modern software is built on a complex web of dependencies, and the security of your application is only as strong as the weakest link in this chain. We're working on a new kind of SCA tool that challenges the status quo. I'm excited to share more about this in the coming weeks.