Posted by Patrick Carey on Monday, March 13th, 2017
Last month Forrester Research published their first-ever Wave for Software Composition Analysis (SCA). Wave’s provide enterprise IT and development teams with Forrester’s assessment of the state of the vendor landscape, grading vendors on their strategy, solution, and market presence. Vendors are then ranked in bands: Leaders, Strong Performers, Contenders, and Challengers.
Forrester singled out Black Duck by Synopsys as the sole vendor recognized in the top category of “Leader,” a ranking that testifies to both our current offerings and future plans for delivering new Software Composition Analysis solutions to our customers.
Wait…you say you’ve never heard the term Software Composition Analysis and aren’t sure what it is?
I’m not surprised. While SCA is a term used by Forrester, Gartner and other analyst firms, it’s not exactly a term that rolls off the tongues CTOs, CIOs, or CISOs, much less the developers or DevOps engineers who deal most directly with software composition. Furthermore, there seems to be some confusion about the role of SCA in agile development and DevOps and whether they are even compatible. So, let’s first start by defining some terms:
According to Forrester, “Software composition analysis (SCA) tools provide valuable data to security pros, legal pros, and app developers by identifying software vulnerabilities and exposing licenses for open source components.” As a term, Software Composition Analysis is a bit dry and vague. Unfortunately, it doesn’t sound important as it is, and we find that teams grasp the concepts and value faster when we describe it as Open Source Vulnerability and License Management.
Regardless, the point is that if you develop software using open source components (i.e. if you develop ANY software – Forrester cites that today up to 80-90% of application code is open source) an SCA tool will help you avoid getting bitten by security vulnerabilities hiding in those components or by compatibility issues with open source licenses like GPL.
Unlike SCA, DevOps is a term that almost everybody in development and IT is familiar with, though many are just as confused about what it is. According to Wikipedia, DevOps is “a set of practices that emphasize the collaboration and communication of both software developers and information technology (IT) professionals while automating the process of software delivery and infrastructure changes.”
The key concepts here are integration, which can be thought of as the way teams and tools communicate and collaborate, and automation. In a DevOps model, teams define policies and procedures up front, specifying how their software projects are to be assembled and the criteria for the software to progress through each stage of development and deployment. The goal is to have tools automate as many of these policies and procedures as possible, so that they move forward quickly, continuously and reliably.
Note that I say tools not tool. You can’t go a buy a DevOps tool and in practice, teams adopting a DevOps model assemble their development and deployment framework by selecting and integrating a wide variety of solutions: IDEs, source and binary repositories, build and CI automation solutions, and test tools.
There is no one way to implement DevOps. For these teams, the key factors in their tool selection are their flexibility and ability to a) “plug-in” to their DevOps framework by integrating and communicating with other components, and b) automate development procedures and policy enforcement.
If we combine our two definitions we can define DevOps compatible SCA solution as:
A solution that integrates with teams and a wide variety of other tools to automate the process of identifying, communicating, and acting on open source vulnerability and license risks as part of the development and deployment workflow.
SCA solutions can be compatible with DevOps if, like Black Duck solutions, they provide you with the ability integrate open source management throughout your DevOps environment from IDE through to runtime platform. Having this flexibility is critical as it allows you to tailor your DevOps environment to your needs rather than a rigid vendor-centric framework. This is why we provide a wide range of open-sourced integrations that allow you to integrate Black Duck’s industry leading Open Source Vulnerability and License Management solutions with your other best-of-breed DevOps tools.
So, is SCA compatible with DevOps? Absolutely. You just need select your solutions wisely.
Get the latest AppSec news and trends sent directly to you.