Manage risk in complex supply chains

Software Composition Analysis (Protecode)

Synopsys Software Composition Analysis (SCA) is a comprehensive solution for managing risk in complex software supply chains. During procurement and operations, Synopsys SCA can help you gain visibility into the composition of third-party software, make better buying decisions, and manage the ongoing risk of operating complex systems and software.

The market landscape

To drive innovation and efficiency in critical business infrastructure, organizations consume systems and software from various suppliers. Their demand for better, faster technology drives increasing reliance on a complex software supply chain for third-party components. While this software supply chain has many advantages, it also presents many security challenges:

  • Software as a patchwork: Virtually all software includes third-party components, including free and open source software (FOSS), commercial off-the-shelf code (COTS), and internally developed components, which are rarely sourced with security in mind and often contain vulnerabilities.
  • Deferred accountability: Consumers of software and systems often incorrectly assume that security and robustness are upstream responsibilities—and thus bear the risk of an unchecked software supply chain.
  • Ground zero for attacks: Vulnerable third-party software represents a weak link in the supply chain that provides a point of entry for attacks.

Product overview

Synopsys SCA is a binary and run-time code analysis platform that addresses the challenges of an increasingly complex and fragmented software supply chain. Synopsys SCA quickly identifies third-party and open source components, known vulnerabilities, license types, and other potential risk issues. Because Synopsys SCA analyzes binary code, as opposed to source code, it can scan practically any software or system, including desktop and mobile applications, embedded system firmware, and more.

Synopsys SCA at a glance

The power and versatility of Synopsys SCA are balanced by its intuitive user interface and ease of use.

Dashboard summary

Synopsys SCA’s interactive dashboard provides a high-level overview of the composition and overall health of scanned software. The summary includes the following:

  • Software bill of materials (BoM): Synopsys SCA provides detailed information about each identified third-party component, including version, location, license obligations, known vulnerabilities, and more.
  • Vulnerability assessment: Synopsys SCA uses an advanced proprietary engine to provide enhanced, relevant information about each vulnerability from the NIST National Vulnerability Database (NVD), including the Common Vulnerabilities and Exposures (CVE) identifier and severity.
  • Open source license report.

Key features

With Synopsys SCA, you can analyze systems and software, without requiring access to source code, to identify weak links in your software supply chain quickly and easily.

  • Scan virtually any software or firmware in minutes. Gain visibility into essentially any software or firmware, including desktop and mobile applications, embedded system firmware, virtual appliances, and more.
  • No source code required. Simply upload the software you want to assess, and Synopsys SCA performs a thorough binary or run-time analysis in minutes. This black box technique emulates an attacker’s approach to detecting vulnerabilities.
  • Obtain a comprehensive BoM. Identify and catalog all third-party software components and licenses.
  • Manage your risk profile. Diagnose software health by identifying known vulnerabilities and licensing obligations within software components. Make informed decisions about the use and procurement of technology with realistic metrics.
  • Proactively combat code decay. Automatically receive alerts for newly discovered vulnerabilities in previously scanned software.
  • Enjoy a flexible delivery model. Synopsys SCA is available as a cloud-based service or an on-premises appliance.
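To make the dashboard's BoM and vulnerability-assessment data (and the "newly discovered vulnerability" alerting described under key features) concrete, here is an added Python illustration. It is not Synopsys or Protecode code and does not describe their engine; it simply joins a bill of materials against an NVD-shaped advisory feed by product and version range, orders findings by severity, and diffs two assessments of the same BoM to surface vulnerabilities that were published after the first scan. All component names, versions, locations, licenses and the CVE-EXAMPLE identifiers are constructed placeholders, and the version comparison is a deliberately simplified dotted-number scheme.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added illustration of BoM-to-advisory matching and code-decay alerting.
# Not Synopsys/Protecode code; all data below is constructed.


@dataclass(frozen=True)
class Component:
    """One entry in a software bill of materials."""
    name: str
    version: str
    location: str   # where the component was found inside the scanned artifact
    license: str


@dataclass(frozen=True)
class VulnRecord:
    """Minimal stand-in for an NVD-style advisory: affected range plus severity."""
    cve_id: str
    product: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None means no fix known
    severity: str          # CVSS qualitative rating: CRITICAL, HIGH, MEDIUM, LOW


SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def parse_version(version: str):
    """Split a dotted version into comparable (number, suffix) parts, e.g. 1.1.1k > 1.1.1."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"(\d+)([A-Za-z]*)$", piece)
        if not m:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def is_affected(component: Component, rec: VulnRecord) -> bool:
    """True when the component's version lies in the advisory's affected range."""
    if component.name != rec.product:
        return False
    ver = parse_version(component.version)
    if ver < parse_version(rec.introduced):
        return False
    if rec.fixed is not None and ver >= parse_version(rec.fixed):
        return False
    return True


def assess(bom: List[Component], feed: List[VulnRecord]) -> List[Dict[str, str]]:
    """Join the BoM against the feed; one finding per (component, CVE), worst first."""
    findings = [
        {"component": c.name, "version": c.version, "location": c.location,
         "license": c.license, "cve_id": r.cve_id, "severity": r.severity}
        for c in bom for r in feed if is_affected(c, r)
    ]
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), f["cve_id"]))
    return findings


def new_findings(previous: List[Dict[str, str]], current: List[Dict[str, str]]):
    """Code-decay alert: findings in the current assessment absent from the earlier one."""
    seen = {(f["component"], f["version"], f["cve_id"]) for f in previous}
    return [f for f in current if (f["component"], f["version"], f["cve_id"]) not in seen]


def dashboard_summary(bom: List[Component], findings: List[Dict[str, str]]) -> dict:
    """The high-level numbers a composition dashboard would show."""
    return {
        "components": len(bom),
        "vulnerable_components": len({(f["component"], f["version"]) for f in findings}),
        "by_severity": dict(Counter(f["severity"] for f in findings)),
        "licenses": sorted({c.license for c in bom}),
    }


# Constructed BoM and feeds: names, versions and CVE-EXAMPLE ids are placeholders.
SAMPLE_BOM = [
    Component("libfoo", "1.2.3", "/usr/lib/libfoo.so.1", "MIT"),
    Component("libbar", "2.0.0", "/opt/app/vendor/libbar.a", "Apache-2.0"),
    Component("libbaz", "0.9.1", "/usr/lib/libbaz.so", "GPL-2.0-only"),
]
FEED_V1 = [
    VulnRecord("CVE-EXAMPLE-0001", "libfoo", "1.0.0", "1.2.4", "HIGH"),
    VulnRecord("CVE-EXAMPLE-0002", "libbar", "1.0.0", "2.0.0", "CRITICAL"),  # fixed in 2.0.0
    VulnRecord("CVE-EXAMPLE-0003", "libbaz", "0.9.0", None, "MEDIUM"),
]
# A later feed snapshot: one advisory published after the first scan affects libbar 2.0.0.
FEED_V2 = FEED_V1 + [VulnRecord("CVE-EXAMPLE-0004", "libbar", "1.5.0", "2.0.1", "HIGH")]

if __name__ == "__main__":
    first = assess(SAMPLE_BOM, FEED_V1)
    second = assess(SAMPLE_BOM, FEED_V2)
    print("summary:", dashboard_summary(SAMPLE_BOM, second))
    for f in new_findings(first, second):
        print("NEW:", f["cve_id"], f["severity"], f["component"], f["version"], f["location"])
```

The fixed-version bound is exclusive on purpose: libbar 2.0.0 is not flagged for the advisory fixed in 2.0.0 but is flagged once a later advisory with a fix in 2.0.1 appears, which is exactly the rescan-against-fresh-data case the alerting feature addresses. A real matcher would additionally normalise product names (CPE or package URL) and handle vendor version schemes that this simplified parser rejects.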