Ashlyn Chapman

The best SWEs need SCA

The best developers work smarter, not harder. They are lazy.

They don't build a tool from scratch when it already exists. They don't duplicate coding efforts.

Instead, the best software engineers use third-party packages, libraries, frameworks, and tools.

Yet, they don't blindly trust these third-party tools. Someone else wrote it. Something could be wrong with it. Open-source doesn't mean secure--consider the Log4j vulnerability. The best engineers double-check that the open-source tool is secure and maintained before they develop and deploy their app.

How do they know if the open-source package they want to use is secure? They use an SCA (software composition analysis) tool to check. SCA is an automated way to ensure any code you use that someone else wrote is safe to use.

Let's cook

Imagine you are a chef at a restaurant.

You need to know what ingredients to order, where they come from, and if they are safe to eat. Also, you can't rip off all the recipes from the last restaurant you worked at.


Contaminated ingredients make people sick. Although I don't know anyone who actually got salmonella from eating bad eggs.

Software can also have contamination--weaknesses, vulnerabilities. A misconfigured network. A direct insert into the database from a user form.


Upon writing I discovered you can't copyright a recipe. But if you opened a restaurant and took all the recipes from the last place you worked, your boss could sue you. You infringed on trade secrets. You don't have permission to cook their food.

You must also make sure you have the proper license to use the open-source tool. Sometimes open-source tools are free for individuals but an expense for enterprises. Open-source maintainers deserve to eat too.


Ingredients rot. Bananas go brown. Avocados get squishy.

Software can also become obsolete. The people who developed the tool no longer work on it or maintain it. They have other priorities.

Unmaintained dependencies make it harder for you to maintain your own app. You never know what introduces a breaking change. What seems like a small upgrade breaks the whole app.

Shift Left

So you've heard of DevOps. Developers are taking more responsibility for how their code operates in production.

Developers secure their applications as they write code by using only secure tools. Why wait until production to find out your application has a vulnerability?

Automated security tooling, such as SCA, enables developers to address security concerns sooner. Some tools include Black Duck by Synopsys and Syft.

SCA tools identify known vulnerabilities in the tools you use. They even suggest which version to upgrade an insecure package to.


CVE stands for Common Vulnerabilities and Exposures. It's a huge list of known vulnerabilities that the SCA tool checks your dependencies against.
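To make the three checks above concrete, here is an added example (not code from the post or from any SCA product) of the core logic an SCA tool runs over a dependency list: match each package against a vulnerability feed and name the fixed version, compare its license to an allowlist, and flag packages with no recent release. Every package name, version, advisory id and date in it is constructed for the example.

```python
from datetime import date

# Constructed sample data: none of these packages, versions or advisory ids
# are real; they stand in for a CVE feed, a license allowlist and an SBOM.
VULN_DB = [
    {"package": "parsekit", "introduced": "1.0.0", "fixed": "1.4.2", "id": "ADVISORY-PLACEHOLDER-1"},
    {"package": "parsekit", "introduced": "1.3.0", "fixed": "1.5.0", "id": "ADVISORY-PLACEHOLDER-2"},
    {"package": "netutils", "introduced": "0.0.0", "fixed": "3.0.0", "id": "ADVISORY-PLACEHOLDER-3"},
]
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
MAX_STALE_DAYS = 730  # no release for two years is treated as unmaintained
SCAN_DATE = date(2024, 6, 1)  # constructed "today" so the result is reproducible

SBOM = [
    {"name": "parsekit", "version": "1.4.0", "license": "MIT", "last_release": "2023-11-02"},
    {"name": "netutils", "version": "3.1.0", "license": "Apache-2.0", "last_release": "2024-01-15"},
    {"name": "oldcrypto", "version": "0.9.1", "license": "Proprietary", "last_release": "2019-06-30"},
]

def parse_version(text):
    """Turn a dotted numeric version into a comparable tuple (assumes no pre-release tags)."""
    return tuple(int(part) for part in text.split("."))

def affected(version, vuln):
    """True when version lies in [introduced, fixed), the half-open range a fix closes."""
    return parse_version(vuln["introduced"]) <= version < parse_version(vuln["fixed"])

def check_dependency(dep, today):
    """Return the findings for one dependency; an empty list means it passes."""
    findings = []
    version = parse_version(dep["version"])
    # Contamination: match the package against every known advisory and name the fix.
    for vuln in VULN_DB:
        if vuln["package"] == dep["name"] and affected(version, vuln):
            findings.append(f"{vuln['id']}: upgrade to {vuln['fixed']}")
    # Recipe theft: the license has to be one the organisation agreed to use.
    if dep["license"] not in ALLOWED_LICENSES:
        findings.append(f"license {dep['license']} is not on the allowlist")
    # Rot: a package nobody has released in a long time is a maintenance risk.
    age_days = (today - date.fromisoformat(dep["last_release"])).days
    if age_days > MAX_STALE_DAYS:
        findings.append(f"unmaintained: last release {age_days} days ago")
    return findings

def scan(sbom, today):
    """Map each dependency name to its findings, like a minimal SCA report."""
    return {dep["name"]: check_dependency(dep, today) for dep in sbom}

def run_sample():
    return scan(SBOM, SCAN_DATE)

if __name__ == "__main__":
    for name, findings in run_sample().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Note that the same package can match several advisories with different fixed versions; a real tool would recommend the highest of them.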

That's all, folks

Completing an SCA scan is common in massive enterprises to ensure the third-party code they use is secure, properly licensed, and maintained.

If you are using code someone else wrote, you should scan it.

#security #software #tech