A key to code security is knowing what's in your codebase. But because of the never-ending web of indirect and transitive third-party dependencies, keeping track of your code's components is not easy.
Launched this week, software composition analysis (SCA) from Lacework gives customers continuous visibility into their third-party and open-source software packages, indirect dependencies, and any associated vulnerability and license risks.
Lacework's approach goes beyond basic SCA functionality: it gives teams continuous visibility into exactly where and how vulnerable packages are used, how often each is referenced, who owns the code and who introduced the dependency, and how to remediate vulnerabilities quickly.
Better tracking of software supply chains through an always-up-to-date software bill of materials (SBOM) for each application is also now available with the new SCA functionality. Lacework eliminates the risks associated with stale or outdated SBOMs by regenerating them each time a merge or pull request is committed.
For existing SBOMs, the tool identifies what is new or has changed and continuously appends that data to the previous version. The software also makes it easier for customers to share sensitive supply-chain information with their own customers and partners by letting them programmatically control access to SBOMs.
Finally, Lacework SCA helps assess risk and compliance with open-source software licenses by identifying whether a package's use violates a particular license. The platform can identify different types of license restrictions and any imposed obligations, such as attribution, source-code disclosure, and copyleft requirements, so that teams avoid shipping software that may create downstream IP or financial risks.
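The SBOM change-tracking described in the two preceding paragraphs and the license-obligation check above, as an added example that is not Lacework's code: a small Python script that diffs two CycloneDX-style SBOMs, reports which components were added, removed or version-bumped between a previous build and the current one, and flags newly introduced or changed components whose declared license carries a copyleft obligation or whose license is missing. The two SBOMs are constructed sample data, components are keyed on name rather than `purl` for brevity, and the obligation table is an illustrative subset, not legal guidance.

```python
"""SBOM diff plus license-obligation check over CycloneDX-style JSON (added example)."""
import json
from typing import Dict, List, Set, Tuple

# Constructed sample SBOMs in a minimal CycloneDX-like shape; not real project data.
PREVIOUS_SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"name": "requests",    "version": "2.28.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
  {"name": "urllib3",     "version": "1.26.9", "licenses": [{"license": {"id": "MIT"}}]},
  {"name": "left-pad-py", "version": "0.1.0",  "licenses": []}
]}
"""
CURRENT_SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"name": "requests",    "version": "2.28.0",  "licenses": [{"license": {"id": "Apache-2.0"}}]},
  {"name": "urllib3",     "version": "1.26.12", "licenses": [{"license": {"id": "MIT"}}]},
  {"name": "gpl-helper",  "version": "1.0.0",   "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
  {"name": "mystery-lib", "version": "0.2.0",   "licenses": []}
]}
"""

# Obligations per SPDX license id. Illustrative subset only, not a legal reference.
LICENSE_OBLIGATIONS: Dict[str, Set[str]] = {
    "MIT": {"attribution"},
    "BSD-3-Clause": {"attribution"},
    "Apache-2.0": {"attribution", "notice-file"},
    "LGPL-2.1-only": {"attribution", "source-disclosure"},
    "GPL-3.0-only": {"attribution", "source-disclosure", "copyleft"},
    "AGPL-3.0-only": {"attribution", "source-disclosure", "copyleft", "network-copyleft"},
}


def index_components(sbom: dict) -> Dict[str, Tuple[str, str]]:
    """Map component name -> (version, SPDX license id); missing license -> 'UNKNOWN'.
    Keyed on name for brevity; a production tool should key on the component purl."""
    index: Dict[str, Tuple[str, str]] = {}
    for comp in sbom.get("components", []):
        lic_id = "UNKNOWN"
        for entry in comp.get("licenses") or []:
            lic = entry.get("license", {})
            if "id" in lic:
                lic_id = lic["id"]
                break
        index[comp["name"]] = (comp.get("version", ""), lic_id)
    return index


def diff_sboms(previous: dict, current: dict) -> dict:
    """Report components added, removed, or version-changed between two SBOMs."""
    prev, cur = index_components(previous), index_components(current)
    added = sorted(set(cur) - set(prev))
    removed = sorted(set(prev) - set(cur))
    changed = {name: (prev[name][0], cur[name][0])
               for name in set(prev) & set(cur) if prev[name][0] != cur[name][0]}
    return {"added": added, "removed": removed, "changed": changed}


def license_findings(sbom: dict, forbidden=("copyleft",)) -> List[Tuple[str, str, str]]:
    """Flag components with no declared license, an unmapped license, or a forbidden obligation."""
    findings: List[Tuple[str, str, str]] = []
    for name, (_version, lic_id) in index_components(sbom).items():
        if lic_id == "UNKNOWN":
            findings.append((name, lic_id, "no license declared; review before shipping"))
            continue
        obligations = LICENSE_OBLIGATIONS.get(lic_id)
        if obligations is None:
            findings.append((name, lic_id, "license not in obligation table"))
            continue
        hits = sorted(o for o in obligations if o in forbidden)
        if hits:
            findings.append((name, lic_id, "forbidden obligation: " + ", ".join(hits)))
    return sorted(findings)


def review_change(previous_json: str, current_json: str) -> dict:
    """What a per-merge check would emit: the delta, plus license findings limited to
    components this change introduced or bumped (unchanged components were reviewed earlier)."""
    previous, current = json.loads(previous_json), json.loads(current_json)
    delta = diff_sboms(previous, current)
    touched = set(delta["added"]) | set(delta["changed"])
    new_findings = [f for f in license_findings(current) if f[0] in touched]
    return {"diff": delta, "findings": new_findings}


if __name__ == "__main__":
    print(json.dumps(review_change(PREVIOUS_SBOM_JSON, CURRENT_SBOM_JSON), indent=2))
```

Running the script prints the delta (two additions, one removal, one version bump) and two findings, both on components that this change introduced: the GPL-licensed helper trips the copyleft rule, and the component with no declared license is surfaced for review rather than silently passed.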