SCA Scanning - Innovating in a Crowded Space
Every week I have formal and informal conversations with a lot of vendors. I often have much more to say about them than what fits in my weekly update posts. In order to better talk about some of the trends that I see on a weekly basis, this weekly newsletter will present an unsponsored look at a product from a state of the market perspective. Due to time constraints - this isn’t a full review of the product itself as much as their positioning in the marketplace.
Table of Contents
Innovation in a Crowded Market - The State of SCA
(Ox also does some stuff that could be considered runtime reachability, but that would make the diagram look weird. Also, Backslash doesn’t do an agent, but does look at runtime deployment context, which doesn’t make them a 1:1 competitor with Oligo and Deepfactor)
To be frank, I often wonder how companies are still get funding to only do SCA scanning. The market is deeply saturated at this point, and while there’s still room for innovation, it’s easy to get buried as “just another open source scanner.” SCA stands for “Software Composition Analysis”, and is the older term for “here’s all the vulnerabilities with your open source packages.” I like it more than general ones like “Supply Chain Security” because there’s a lot more to supply chain security than checking open source versions for vulnerabilities. On the one hand, it’s become trendy to say “SCA scanning is commoditized" because there are so many good open source options available - from Dependency Check to SemGrep. On the other hand, the core problem with these tools is the number of false positives they create compared to how difficult it is to fix them.
I see innovation happening in this category in two opposite directions: one side cares about making the findings more security related and precise. These tools focus on reachability (Endor Labs, Backslash, and SemGrep), malware (Xygeni and Socket), and runtime detection (Oligo and Deepfactor). The other side focuses on improving the fixing process through workflows (Remediation Platforms), fixing it for you (Grit and Seal), and the details of the git workflow for developers (Arnica).
This week, I met with Socket Security.
I wanted to spotlight them because they’re at a lot of these cross-sections. Again, this isn’t sponsored and they don’t know I’m doing this. Socket has the same tradeoffs of many platforms: it’s a good scanner, but the language support is pretty limited (it’s very JS focused, but also supports Python and Go). They’ve created the standard dev PR workflow, but they don’t do reachability analysis. Most interesting to me, they look for malware rather than only CVE’s in the open source packages, although they do detect both. I’m only aware of Xygeni also taking this approach, which I find a lot more focused on actual security than the CVE flooding of most tools.
Some of the Socket Threat Feeds
Tools like Socket really force the customer to ask: why am I looking for an SCA tool? If you’re looking at supply chain security as stopping malware zero days, you’re really limited in your number of options, but Xygeni and Socket both look great. If you don’t go with tools like them that are surfacing zero days directly in product and automated, you’re trusting that the provider you’re using will either detect the zero day on their own, or that the CVE will be published quickly.
While looking for malware as opposed to CVEs is a great approach, this malware workflow doesn’t apply to 95%+ of the typical day to day operation of an SCA scanner - you’re unlikely to ever even see it, so it’s hard to quantify the value of it. Instead, for compliance and less clearly demarked security reasons, most companies are stuck in the sludge of CVEs.
The day-to-day workflow of most SCA scanners is CVE remediation and patching, so should you buy a tool more primarily aimed at that? The trade-off there is that you’re often spinning your wheels and not increasing the actual security posture of your app by that much. Most of these findings are false positives that are only exploitable under specific circumstances, meaning that in theory the malware detection is a more robust approach to take for stopping likely attacks. While in depth reachability analysis is one approach, it’s never going to solve the fundamental problem of having more CVEs than time.
In terms of features, Socket has the one filter you need more than anything: Transitive vs. Direct dependencies. In the below example (from LAST), Google auth gets imported as a result of importing the google-generativeai package. Too many scanners out there would flag me about every vulnerability to exist in google-auth, even though I don’t actually use it here. However, most leading tools in the market now have this basic functionality. The bigger players in this space are more robustly filterable and combine with reachability analysis. The question isn’t just do I import google-auth, it’s if I actually use it anywhere?
Direct vs. Transitive Dependency
I can also appreciate that they have most of the noise generating rules turned off by default. It points to how they’re trying to fix one of the two main problems in this space - finding attacks rather than noise.
Whether a tool like this would interest you or not comes down to how long you can afford to miss a zero day supply chain attack. The bigger providers are doing some of this, but it’s all behind the scenes and you’d have to trust that they’re racing to make a big “Snyk detected a zero day” kind of announcement. I think most companies are okay with that delay, but some will benefit from having detection happen as soon as possible.
A critical caveat here is that while these scanning type of tools can detect zero days better than their alternatives, if you don’t have runtime protection it still requires alerting and patching to fix it after the fact. That’s why for this kind of outcome, I think the runtime approach of DeepFactor and Oligo is more promising if stopping an open source zero day is absolutely mission critical. That’s why Oligo is still my top choice for this category, if you can afford to get an agent deployed.
Oligo, DeepFactor, and Seal are the only vendors I’d feel comfortable saying could (theoretically) stop a zero day open source exploit without you needing to do anything. There are other cool runtime options out there that aren’t focused on this area that might also catch it, but they’re not as explicitly focused on this problem. To be clear, I’m not saying that I think these three vendors are always the best under even most circumstances, only that if stopping a zero day with no intervention is mission critical, they’re the only options.
Conclusion
For all the noise SCA tools generate, most have a fundamental flaw in that they’re lagging indicators of attacks due to their reliance on the CVE ecosystem. Even if many vendors have their own research teams that would theoretically detect some of these exploits, only Xygeni and Socket have uncovered the benefits of putting this directly into the product.
Assessing the time it would take for a vendor to react to a zero day is an almost impossible task, so what’s hard about this pitch is that it relies almost entirely on trust. Do you trust that your existing vendor would publish a zero day response as fast as the automatic detection of a product like Socket?
Other Updates
Latio List v1.6 changes with thoughts are below:
Added Legit Security to Container Vulnerability, IaC, SCA, Secret Scanning, and SAST
Legit is in an interesting place because they went hard into ASPM early on, so focused entirely on SDLC security and pipeline coverage from other tools. They’ve quietly been building out their own versions of these category specific scanners so they can supplement any existing tooling. I take it as validation that my thoughts on ASPM being “buy this tool to secure your application configurations” is correct.
Added Staris to Pentesting, Code Fixers, SAST, and DAST
Staris was the other company I was going to spotlight this week. They’ve built a more robust implementation of LLMs for security than the SAST only providers by wrapping it in the context of pentesting services and having it generate exploits.
Added MindPoint Group to MDR and Pentest
It’s hard to assess service providers in just a call or two, but it sounds like MindPoint tackles more robust projects than most MSSPs by even helping with Terraform and Active Directory rebuild type of projects. They also do auditing, pentesting, SOC, and the more standard suite of MSSP services.
Added Socket to SCA
As always, you can view the updates at https://list.latio.tech/!