Five dimensions along which an SCA product matures

Mondo Social, updated 2024-01-29

With the rapid spread of open source software, and especially after the SolarWinds supply-chain compromise (disclosed in late 2020) and the Log4j vulnerability Log4Shell (December 2021) drew global attention, software composition analysis (SCA) has received growing attention from the industry. SCA products have gradually become an indispensable part of enterprise software supply chain asset management, vulnerability management, and open source compliance governance.

It is worth noting that the concept of "SCA" and the first related tools were proposed by vendors as early as 2002, but the SCA products of that time focused mainly on analysis at the source-code level, so "source code composition analysis" would have been the more accurate name. Today SCA products are still developing rapidly and are continually updated and optimized to keep up with complex software development environments and supply chain risk.

The open source component security and compliance management platform SourceCheck is an early SCA product developed independently by the SCA team of Open Source Network Security. It focuses on the security and software supply chain risks that enterprises face when they introduce open source software. After years of close communication and practice with customers, the team has concluded that a mature SCA product needs not only advanced technical strength but also continuous refinement along five dimensions: business architecture, detection capabilities, management capabilities, knowledge base volume, and early warning and emergency response. Only then can it truly meet customers' actual needs and give them a comprehensive, efficient, and accurate open source risk management experience.

After years of optimization and iteration, SourceCheck has built a clearer business architecture and a broad set of capabilities to meet the urgent needs of customers across industries for software supply chain security, open source risk management, and open source governance. By combining multiple detection capabilities, management capabilities, security warning capabilities, integration capabilities, and a large SCA knowledge base, SourceCheck provides a comprehensive and reliable open source governance solution that helps enterprises manage and optimize their use of open source components and third-party libraries in digital projects.

SourceCheck also supports integration with an enterprise's existing tools and platforms, so that analysis and inspection data can be shared and circulated. Enterprises can fit SourceCheck into their existing processes, extend its application scenarios and capabilities, and improve efficiency and collaboration. With self-developed algorithms and engines, SourceCheck identifies and analyzes the open source components and third-party libraries in digital projects. It inspects projects at component-level, file-level, function-level, and fragment-level granularity, which allows it not only to detect known vulnerabilities and malicious code, but also to flag non-compliant license information and to identify risks such as component tampering and component poisoning.

Through deep scanning and intelligent analysis, SourceCheck provides enterprises with an accurate and reliable software bill of materials (SBOM) and risk reports, helping development teams make timely security decisions. SourceCheck has also refined its user experience and presentation: it offers a more intuitive interface and easy-to-use management views, and supports a multi-level project and application hierarchy so that customers can classify and manage their applications. Through this hierarchy, asset information such as the components, vulnerabilities, and licenses under each project can be managed and viewed more effectively, giving customers comprehensive monitoring and tracking of their software projects.

With customization options and flexible configuration, businesses can monitor and manage component usage, security status, and compliance requirements across multiple projects.

In terms of the knowledge base, SourceCheck provides a fully localized knowledge base that includes open source project information, version information, open source license information, and vulnerability database information. It covers 400,000+ vulnerabilities, 100 million+ component versions, and more than 1 billion files.

With intelligent query matching, SourceCheck can quickly and accurately identify and analyze the components an enterprise uses and provide corresponding recommendations and best practices, so that the enterprise understands the components in its software projects and can make decisions based on the latest security information and compliance requirements. When a newly published vulnerability affects an open source component in the system, the platform automatically associates it with the projects that use that component and issues in-product notifications and email alerts. Its vulnerability sources include international and domestic authoritative vulnerability databases such as NVD, CNNVD, CNVD, Google, and GitHub.
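To make the matching and alerting flow above concrete, here is an added example (written for this article, not SourceCheck's own code or data) of the core logic an SCA engine runs: parse a pinned dependency lockfile into components, emit a minimal CycloneDX-shaped SBOM with package URLs, match each component against advisories by affected version range, and, when a new advisory arrives, find the projects that must be alerted. The lockfiles, package names, and advisory records are all constructed for illustration; the `EXAMPLE-` identifiers are placeholders, not real CVE or CNVD entries. Versions are compared as dotted numeric tuples, which is enough for the sample data but not a full PEP 440 or semver implementation.

```python
"""Toy SCA pipeline: lockfile -> components/SBOM -> vulnerability match -> per-project alerts.

Added example for illustration only; all data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed lockfiles for two hypothetical projects (package names and versions are invented).
PROJECT_LOCKFILES: Dict[str, str] = {
    "payments-api": "netcore==1.4.2\nfastparse==0.9.1  # pinned by build\n\n",
    "reporting-batch": "netcore==1.5.0\nfastparse==1.2.0\n",
}

# Constructed advisories. IDs are placeholders, not real vulnerability identifiers.
# Range semantics: affected iff introduced <= version < fixed (fixed=None means no fix yet).
VULN_DB: List[dict] = [
    {"id": "EXAMPLE-0001", "package": "fastparse", "introduced": "0", "fixed": "1.0.0", "severity": "HIGH"},
    {"id": "EXAMPLE-0002", "package": "netcore", "introduced": "1.4.0", "fixed": "1.4.3", "severity": "MEDIUM"},
]

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)$")


@dataclass(frozen=True)
class Component:
    name: str
    version: str

    @property
    def purl(self) -> str:
        # package-url for the PyPI ecosystem, the identifier SBOM formats key on.
        return f"pkg:pypi/{self.name}@{self.version}"


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple, padded so that 1.4 == 1.4.0."""
    parts = tuple(int(p) for p in re.findall(r"\d+", v))
    return parts + (0,) * max(0, 3 - len(parts))


def parse_lockfile(text: str) -> List[Component]:
    """Parse a requirements-style lockfile of exact pins; blanks and comments are skipped."""
    comps: List[Component] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            # An SCA tool must refuse unpinned input: without an exact version there is nothing to match.
            raise ValueError(f"unpinned or unparsable line: {line!r}")
        comps.append(Component(m.group(1).lower(), m.group(2)))
    return comps


def build_sbom(project: str, components: List[Component]) -> dict:
    """Minimal CycloneDX-shaped SBOM (a subset of the real schema's fields)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"name": project, "type": "application"}},
        "components": [
            {"type": "library", "name": c.name, "version": c.version, "purl": c.purl}
            for c in components
        ],
    }


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_vulns(components: List[Component], vuln_db: List[dict]) -> List[dict]:
    """Join components against advisories on package name and affected range."""
    findings = []
    for c in components:
        for adv in vuln_db:
            if adv["package"] == c.name and is_affected(c.version, adv["introduced"], adv.get("fixed")):
                findings.append({"id": adv["id"], "purl": c.purl,
                                 "severity": adv["severity"], "fixed": adv.get("fixed")})
    return findings


def scan_all(lockfiles: Dict[str, str], vuln_db: List[dict]) -> Dict[str, List[dict]]:
    """Scheduled scan: every project's findings against the full advisory set."""
    return {p: match_vulns(parse_lockfile(t), vuln_db) for p, t in lockfiles.items()}


def projects_affected_by(advisory: dict, lockfiles: Dict[str, str]) -> List[str]:
    """Inverse lookup when a new advisory is ingested: which projects need an alert?"""
    return sorted(p for p, t in lockfiles.items() if match_vulns(parse_lockfile(t), [advisory]))


if __name__ == "__main__":
    for project, findings in scan_all(PROJECT_LOCKFILES, VULN_DB).items():
        print(project, [f"{f['id']} {f['purl']} ({f['severity']}, fixed in {f['fixed']})" for f in findings])
    new_adv = {"id": "EXAMPLE-0003", "package": "netcore", "introduced": "1.5.0", "fixed": None, "severity": "LOW"}
    print("alert projects for", new_adv["id"], "->", projects_affected_by(new_adv, PROJECT_LOCKFILES))
```

The inverse lookup in `projects_affected_by` is the part that turns a knowledge base update into the automatic project association and alert described above: the SBOM is indexed once per project, and each incoming advisory is matched against that index rather than rescanning source. A production engine would also handle lockfiles in other ecosystems, full version-scheme semantics, and transitive dependencies, none of which this toy attempts.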

Through this analysis, SourceCheck can determine potential security threats and their scope of impact and provide enterprises with emergency response and remediation suggestions. It also supports customized security policies and rules to meet the specific security and compliance requirements of each enterprise. Following the principle of "seeking truth, staying pragmatic, and pursuing practicality", the SCA team has gone deep into enterprise application scenarios, studied customer needs, and refined Open Source Network Security's SourceCheck. SourceCheck pursues not only comprehensive functionality but also convenience and security in day-to-day use, embodying a customer-centric approach. It helps enterprises fully grasp the risk profile of their software and open source assets, evaluate the value of those assets more accurately, and make better-informed technology security decisions.
