Software composition analysis is critical because an estimated 70% to 90% of software applications today use third-party libraries. Users of third-party components rarely allocate resources to verify that the components they consume are secure, because they wrongly assume that security and quality testing are upstream responsibilities. By applying software composition analysis techniques, you and your organization can verify that the third-party components within your software are secure and thus avoid absorbing unnecessary security risk.
Synopsys Software Composition Analysis (Protecode Supply Chain™) relieves the burden of software component testing by providing a comprehensive bill of materials listing the third-party components in binary packages, together with their location and version. Using the US NIST National Vulnerability Database (NIST NVD) and various other databases, the Synopsys Software Composition Analysis (SCA) Supply Chain analysis engine enumerates the known vulnerabilities within each third-party component. For every known vulnerability found, Synopsys SCA Supply Chain provides its Common Vulnerabilities and Exposures (CVE) number, under which the details of the vulnerability and a criticality score are published.
The engineering and support staff at Synopsys regularly test SCA Supply Chain by acquiring binary packages and uploading their contents to the SCA Supply Chain cloud service. The scan results are analyzed not only to determine the effectiveness of SCA Supply Chain, but also to assess the findings and relay critical ones to the developers of the analyzed package(s).
In 2014, a Synopsys engineer downloaded a SCADA (supervisory control and data acquisition) software package from the vendor’s developer website. The website advertised that there were over 20,000 licensed users globally, and listed some of their marquee customers, who were distributed among multiple critical infrastructure sectors such as airports and water management.
Upon scanning the downloaded software package, it was discovered that over 700 known vulnerabilities affected the product.
Of these vulnerabilities, over 300 were deemed critical, mainly according to the scoring system used by the US NIST National Vulnerability Database (https://nvd.nist.gov).
The NIST NVD is the primary source of the CVEs used by Synopsys SCA Supply Chain. Sponsored by the US Federal Government, the MITRE Corporation (https://cve.mitre.org) compiles CVEs, articulates the details of each vulnerability, and assigns a criticality score between 0 and 10. A score between 7.5 and 10 is deemed “critical” by the scoring system and means that the vulnerability is remotely exploitable with no authentication required.
The Java package (jre 1.6.0) within the SCADA system contained over 300 known vulnerabilities, and over 150 of these scored between 7.5 and 10.
The package was further analyzed and the vulnerabilities were graphed over time, from the oldest known component to the most recent. The results were quite startling:
The vertical axis indicates the number of vulnerabilities (CVEs) affecting the SCADA package and the horizontal axis represents the timeline. As shown by the graph, the number of vulnerabilities affecting the system took a massive upturn around 2012.
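As an added illustration (not Synopsys code, and not how SCA Supply Chain is implemented), the following Python sketches the steps the article describes: matching a bill of materials against a CVE feed, applying the 7.5 criticality cut-off, and binning the matches by publication year for a timeline like the graph above. The BOM entries, CVE ids, scores and dates are constructed sample data, and the "fixed_in" version-range model is an assumption.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple
CRITICAL_MIN = 7.5  # the page's cut-off: scores 7.5-10 are "critical"

@dataclass(frozen=True)
class Component:
    name: str
    version: str

@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    component: str
    fixed_in: Optional[str]  # first version no longer affected; None = every version
    cvss_score: float
    published: str           # ISO date, YYYY-MM-DD

def version_tuple(v: str) -> Tuple[int, ...]:
    # '1.6.0_45' -> (1, 6, 0, 45) so versions compare numerically, not as strings
    return tuple(int(p) for p in v.replace("_", ".").split("."))

def affected(comp: Component, rec: CveRecord) -> bool:
    """A record applies if it names this component and the BOM version predates the fix."""
    if rec.component != comp.name:
        return False
    if rec.fixed_in is None:
        return True
    return version_tuple(comp.version) < version_tuple(rec.fixed_in)

def enumerate_vulns(bom, records):
    # Bill of materials + vulnerability feed -> per-component list of applicable CVEs
    return {c: [r for r in records if affected(c, r)] for c in bom}

def summarize(bom, records) -> Tuple[int, int, dict]:
    """Total CVEs, critical CVEs (score >= CRITICAL_MIN), and CVEs per publication year."""
    hits = [r for recs in enumerate_vulns(bom, records).values() for r in recs]
    critical = sum(1 for r in hits if r.cvss_score >= CRITICAL_MIN)
    by_year = Counter(r.published[:4] for r in hits)
    return len(hits), critical, dict(sorted(by_year.items()))

# Constructed sample input: "jre 1.6.0" is the component named in the case study;
# "libfoo" and every CVE id, score and date below are placeholders, not real records.
SAMPLE_BOM = [Component("jre", "1.6.0"), Component("libfoo", "1.4")]
SAMPLE_CVES = [
    CveRecord("CVE-0000-0001", "jre", "1.6.0_10", 9.3, "2012-03-01"),  # affects 1.6.0
    CveRecord("CVE-0000-0002", "jre", "1.5.0", 9.3, "2011-07-15"),     # fixed before 1.6.0
    CveRecord("CVE-0000-0003", "jre", None, 5.0, "2013-05-02"),        # all versions, non-critical
    CveRecord("CVE-0000-0004", "libfoo", "2.0", 7.5, "2012-08-09"),    # exactly at the threshold
    CveRecord("CVE-0000-0005", "libfoo", "1.2", 10.0, "2010-01-20"),   # already fixed in 1.4
]
```

Calling `summarize(SAMPLE_BOM, SAMPLE_CVES)` yields the total count, the critical count and the per-year histogram that a timeline graph would be drawn from.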
The vendor website listed three release dates between 2012 and 2014. These dates correlate with the sudden, sizeable increase in known vulnerabilities affecting the SCADA system, clearly indicating (by our analysis) that the third-party components added during product enhancement drove the vulnerability count up.
As modern society grows increasingly dependent on technology to run our critical infrastructure, security becomes an ever more important aspect of control system software. Using Synopsys SCA Supply Chain throughout the development life cycle will help industrial control system (ICS) manufacturers and end users identify and mitigate vulnerabilities in control system software, supporting overall safety in cyber-physical processes.