The first, and most critical, capability is securing external dependencies, such as open source and third-party code. By definition, these dependencies were developed by someone else, using practices and tools outside the control of your company. It’s crucial to identify these dependencies in your codebases, maintain a dynamic inventory of them, and use it to track related vulnerabilities and license obligations. The only way to do this effectively and efficiently is with a software composition analysis (SCA) tool.
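The inventory-and-track workflow above, reduced to its core as an added example (not code from the report or from any SCA vendor): parse a requirements-style manifest, match each dependency against an advisory list with affected version ranges, and flag copyleft licenses. All package names, advisory ids, licenses and versions below are constructed for the demonstration; a real SCA tool would read lockfiles and a maintained vulnerability/license database instead.

```python
"""Minimal offline software-composition check (added example, constructed data)."""
import re

# Constructed manifest in pip requirements format; package names are hypothetical.
MANIFEST = """\
acme-web==2.0.1
acme-http==2.25.1
oldcrypt==2.6.1
gplonly-lib==1.4.0
"""

# Constructed advisory feed: a version is affected if introduced <= v < fixed.
# fixed=None means no patched release exists yet (a tracking item, not a quick upgrade).
ADVISORIES = [
    {"id": "ADV-0001", "package": "acme-http", "introduced": "0", "fixed": "2.26.0"},
    {"id": "ADV-0002", "package": "oldcrypt", "introduced": "0", "fixed": None},
]

# Constructed license table; copyleft licenses carry redistribution obligations.
LICENSES = {"acme-web": "BSD-3-Clause", "acme-http": "Apache-2.0",
            "oldcrypt": "Public Domain", "gplonly-lib": "GPL-3.0-only"}
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


def parse_version(v):
    """'2.26.0' -> (2, 26, 0); tuples compare component-wise."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text):
    """Return {name: pinned_version} for exact '==' pins; unpinned lines are ignored."""
    deps = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)==([0-9.]+)\s*$", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def is_affected(version, adv):
    """True if version lies in the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    if v < parse_version(adv["introduced"]):
        return False
    return adv["fixed"] is None or v < parse_version(adv["fixed"])


def inventory(manifest_text):
    """Build the dependency inventory with vulnerability and license annotations."""
    report = {}
    for name, ver in parse_manifest(manifest_text).items():
        vulns = [a["id"] for a in ADVISORIES if a["package"] == name and is_affected(ver, a)]
        lic = LICENSES.get(name, "UNKNOWN")
        report[name] = {"version": ver, "vulns": vulns, "license": lic, "copyleft": lic in COPYLEFT}
    return report


if __name__ == "__main__":
    for name, info in inventory(MANIFEST).items():
        print(name, info)
```

Rerunning this against the current manifest and a refreshed advisory list is what keeps the inventory "dynamic" in the sense the paragraph describes.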
External code is not your only concern. You can patch every open source vulnerability the day it’s disclosed (if that’s even possible), but if your developers aren’t coding securely, your efforts are futile. However, the security weaknesses introduced by developers can be rather complex and difficult to spot in code review, even by a trained eye. Static application security testing (SAST) analyzes applications to spot potential vulnerabilities automatically, which is why it’s considered one of the most critical capabilities.
If you think handing engineers AST tools designed for the security team is the answer, though, I have bad news for you. To truly make developers the first line of defense in securing your supply chain, it’s critical to integrate open source governance into developer tools and workflows. Developer enablement tools such as IDE plugins, actionable risk feedback, and education and training all help shift security left.
And integrations shouldn’t stop at the development phase. APIs and plugins to version control systems, build systems, deployment tools, and ticketing tools are some of the life cycle integrations necessary to seamlessly integrate application security testing into the entire software development life cycle.
Although Gartner details additional capabilities, the four listed above make up over half of the criticality weights assigned in the report.