# What you'll learn

After watching this video, you will be able to: 
* Describe software component analysis (or SCA).
* List key features of software component analysis.
* Describe the goals of software component analysis.

# What is SCA?

* The use of open source software is expanding across most sectors, so you need to track the components you depend on more carefully than ever.
* Securing your business against vulnerabilities in the open source you consume is becoming increasingly important.
* **Software component analysis** (or **SCA**, more commonly expanded as software composition analysis) is the process of determining which open source components and dependencies, direct and transitive, are used in your application.
* You can run SCA tools throughout your software development workflow to check that imported libraries and dependencies do not bring known vulnerabilities or unwanted license obligations into your code.
* Properly incorporating SCA tools into your software development workflow is a big step toward increasing the security and integrity of your code.


# Features of SCA

![image.png](attachment:5621b432-e086-48a3-953a-021742985c8b.png)

SCA looks for all the dependencies linked to your code, including transitive ones that you might not be aware of.
* For example, if you import Flask, pip also installs the packages Flask itself requires, such as Werkzeug and Jinja2, even though you never asked for them.
* Even if the Flask version you pinned is not vulnerable, one of those transitive dependencies might be.

If you are working for an enterprise, you must also know which licenses your libraries carry; the one that most often causes trouble is the GNU General Public License (or simply the GPL).
* The GPL is a copyleft license: if you link a GPL library into your product and distribute that product, you must make your product's source code available under the GPL as well. (The obligation attaches when you distribute, and the LGPL variant permits dynamic linking without it.)
* That won't be a problem if you are in an open source environment.
* But if you do not want to give away the source code of your product, you will be in trouble, and you may be forced to publish code you considered proprietary.

Overall, SCA gives developers visibility into and control of potential security flaws in the open source components that they use.


# Goals of SCA

![image.png](attachment:cd2a076b-c865-4fba-a1a2-c71bb94f4384.png)

Here are four goals.
1. All open source components should be discovered and tracked.
2. Open source license compliance should be tracked to reduce risk.
3. Open source vulnerabilities should be identified.
4. A variety of scans should be run, depending on the situation and requirements.
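The three features described above (discovering transitive dependencies, checking licenses, matching versions against advisories) and goals 1 to 3 of the list above, carried out in one pass over a pip-style lockfile. This is an added example written for this page, not code from any SCA tool; the requirement lists, licenses, pinned versions, the `pdfkit-gpl` package and the `CONSTRUCTED-ADV-*` advisories are constructed sample data, and the numeric-only version comparison is a simplification of real version ordering.

```python
import re

# Constructed sample data for this example; a real SCA tool reads package
# metadata (for Python, importlib.metadata) and a live advisory feed instead.
DIRECT_DEPENDENCIES = {"flask", "pdfkit-gpl"}  # what the developer asked for

# What each package declares it requires (constructed, modelled on Flask's
# real requirement list; "pdfkit-gpl" is a hypothetical package).
REQUIRES = {
    "flask": ["werkzeug", "jinja2", "itsdangerous", "click"],
    "jinja2": ["markupsafe"],
    "werkzeug": [],
    "itsdangerous": [],
    "click": [],
    "markupsafe": [],
    "pdfkit-gpl": [],
}

# SPDX license identifier per package (constructed).
LICENSES = dict.fromkeys(REQUIRES, "BSD-3-Clause")
LICENSES["pdfkit-gpl"] = "GPL-3.0-only"

# A pip-freeze style lockfile (constructed versions).
LOCK_TEXT = """\
click==8.1.3
Flask==2.2.5
itsdangerous==2.1.2
Jinja2==3.1.2
MarkupSafe==2.1.2
pdfkit-gpl==1.0.0
Werkzeug==2.2.2
"""

# Constructed advisory feed: (package, first fixed version, advisory id).
# Illustrative entries only, not real CVEs.
ADVISORIES = [
    ("werkzeug", "2.2.3", "CONSTRUCTED-ADV-1"),
    ("flask", "2.2.0", "CONSTRUCTED-ADV-2"),  # already fixed in the pinned 2.2.5
]

# License families that oblige you to release your own source when you
# distribute a product that links them.
COPYLEFT_PREFIXES = ("GPL-", "AGPL-")


def normalize(name):
    """Normalize a package name the way pip does (case-insensitive, '_' == '-')."""
    return name.lower().replace("_", "-")


def parse_lock(text):
    """Parse `name==version` lines into {normalized name: version}."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.\-]+)==(\S+)", line)
        if not match:
            raise ValueError(f"unsupported lock line: {line!r}")
        pins[normalize(match.group(1))] = match.group(2)
    return pins


def version_key(version):
    """Comparison key for the purely numeric dotted versions used here."""
    return tuple(int(part) for part in version.split("."))


def walk_dependencies(direct, requires):
    """Discover every package reachable from the direct dependencies.

    Returns {package: chain}, where chain is the path of packages that led to
    it, starting at a direct dependency (goal 1: discover and track).
    """
    chains = {}
    stack = [(pkg, [pkg]) for pkg in sorted(direct)]
    while stack:
        pkg, chain = stack.pop()
        if pkg in chains:
            continue
        chains[pkg] = chain
        for child in requires.get(pkg, []):
            stack.append((child, chain + [child]))
    return chains


def analyze(lock_text, direct, requires, licenses, advisories):
    """Run the transitive, license (goal 2) and vulnerability (goal 3) checks."""
    pins = parse_lock(lock_text)
    chains = walk_dependencies(direct, requires)
    findings = {"transitive": {}, "license": [], "vulnerable": []}

    for pkg, chain in chains.items():
        path = " -> ".join(chain)
        if len(chain) > 1:  # pulled in by something else, never requested directly
            findings["transitive"][pkg] = path
        license_id = licenses.get(pkg, "UNKNOWN")
        if license_id == "UNKNOWN" or license_id.startswith(COPYLEFT_PREFIXES):
            findings["license"].append((pkg, license_id, path))

    # Report the chain with each vulnerable pin so the developer can see which
    # direct dependency dragged the vulnerable package in.
    for pkg, fixed_in, advisory_id in advisories:
        installed = pins.get(pkg)
        if installed is not None and version_key(installed) < version_key(fixed_in):
            path = " -> ".join(chains.get(pkg, [pkg]))
            findings["vulnerable"].append((pkg, installed, fixed_in, advisory_id, path))
    return findings


if __name__ == "__main__":
    report = analyze(LOCK_TEXT, DIRECT_DEPENDENCIES, REQUIRES, LICENSES, ADVISORIES)
    for pkg, path in sorted(report["transitive"].items()):
        print(f"transitive: {pkg} via {path}")
    for pkg, license_id, path in report["license"]:
        print(f"license:    {pkg} is {license_id} (via {path})")
    for pkg, installed, fixed_in, advisory_id, path in report["vulnerable"]:
        print(f"vulnerable: {pkg}=={installed} < {fixed_in} [{advisory_id}] via {path}")
```

Run as a script, it reports five transitive packages you never asked for, the copyleft `pdfkit-gpl`, and the Werkzeug pin that sits below the constructed fix version even though the Flask pin itself is clean, which is exactly the "Flask is fine but one of its dependencies is not" case from the text.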

# Identifying software components

Three industry efforts to identify software components are: 
* **The National Institute of Standards and Technology (or `NIST`) CPE Dictionary**, the official list of Common Platform Enumeration (or CPE) names, a structured naming scheme for IT products and platforms that vulnerability databases such as the NVD use to state which products an advisory affects.
* **Software Identification Tags (or `SWID` Tags)**, an ISO/IEC 19770-2 standard for describing installed software products, including commercial software.
* **The Package URL (or `purl`) specification**, which names a package from any ecosystem with a single string.

A package URL is a string of the form `pkg:type/namespace/name@version?qualifiers#subpath`: the fixed scheme `pkg`, then the package type (the ecosystem, such as `pypi`, `npm`, or `maven`), an optional namespace, the name, and the optional version, qualifiers, and subpath. For example, `pkg:pypi/flask@2.2.5` names one specific Flask release on PyPI.

![image.png](attachment:776f3619-4b1a-4c17-85af-c776cabacde8.png)
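A parser and canonical builder for that format, as an added example (not code from the purl project), that applies the spec's right-to-left parsing order so an `@` or `/` inside an earlier component, such as the npm scope `@angular`, cannot be mistaken for the version separator. It assumes the spec's general rules (percent-encode each component, lower-case the type and qualifier keys, sort qualifiers by key, drop empty qualifiers and `.`/`..` subpath segments) and not the extra per-type rules some ecosystems add.

```python
from urllib.parse import quote, unquote


def parse_purl(purl):
    """Split a Package URL into its parts.

    The spec says to parse from the right: subpath (#), qualifiers (?),
    version (@), and only then scheme, type, namespace and name, so that
    separators appearing inside an earlier component are not misread.
    """
    if not purl.lower().startswith("pkg:"):
        raise ValueError("a purl must start with the 'pkg:' scheme")
    rest = purl[len("pkg:"):].lstrip("/")

    subpath = None
    if "#" in rest:
        rest, raw = rest.rsplit("#", 1)
        # Empty, '.' and '..' segments are discarded per the spec.
        segments = [unquote(s) for s in raw.strip("/").split("/") if s not in ("", ".", "..")]
        subpath = "/".join(segments) or None

    qualifiers = {}
    if "?" in rest:
        rest, raw = rest.rsplit("?", 1)
        for pair in raw.split("&"):
            key, _, value = pair.partition("=")
            if value:  # "key=" with an empty value means the qualifier is absent
                qualifiers[key.lower()] = unquote(value)

    version = None
    if "@" in rest:
        rest, raw = rest.rsplit("@", 1)
        version = unquote(raw)

    type_, _, path = rest.partition("/")
    segments = [unquote(s) for s in path.strip("/").split("/") if s]
    if not type_ or not segments:
        raise ValueError("a purl needs at least a type and a name")
    return {
        "type": type_.lower(),
        "namespace": "/".join(segments[:-1]) or None,  # everything before the last segment
        "name": segments[-1],
        "version": version,
        "qualifiers": qualifiers,
        "subpath": subpath,
    }


def build_purl(parts):
    """Serialize a dict of the shape parse_purl returns into canonical form:
    lower-case type, percent-encoded components, qualifiers sorted by key."""
    out = "pkg:" + parts["type"].lower() + "/"
    if parts.get("namespace"):
        out += "/".join(quote(s, safe="") for s in parts["namespace"].split("/")) + "/"
    out += quote(parts["name"], safe="")
    if parts.get("version"):
        out += "@" + quote(parts["version"], safe="")
    qualifiers = {k.lower(): v for k, v in (parts.get("qualifiers") or {}).items() if v}
    if qualifiers:
        # '/' is left unencoded in qualifier values (e.g. repository_url=host/path).
        out += "?" + "&".join(f"{k}={quote(v, safe='/')}" for k, v in sorted(qualifiers.items()))
    if parts.get("subpath"):
        out += "#" + "/".join(quote(s, safe="") for s in parts["subpath"].split("/"))
    return out


if __name__ == "__main__":
    for sample in (
        "pkg:npm/%40angular/animation@12.3.1",
        "pkg:deb/debian/curl@7.50.3-1?distro=jessie&arch=i386",
        "pkg:golang/google.golang.org/genproto#googleapis/api/annotations",
    ):
        parts = parse_purl(sample)
        print(parts)
        print("canonical:", build_purl(parts))
```

The round trip `build_purl(parse_purl(s))` is what an SCA tool needs before it can compare a component it discovered against an advisory that names the same package: without normalizing to the canonical string, `pkg:NPM/@angular/animation@12.3.1` and `pkg:npm/%40angular/animation@12.3.1` would look like two different packages.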

# Verifying software components

To verify software components, follow industry standards.

![image.png](attachment:d05f90ea-c649-485a-862f-25462c4d9c26.png)

Two standards that you can use are: 
* **OWASP Software Component Verification Standard (or `SCVS`)**, which is a community-supported effort to build a sustainable framework for reducing risk within a software supply chain.
* **Supply-chain Levels for Software Artifacts (or `SLSA`)**, which provides a security framework, organized in graded levels, for improving the integrity of build artifacts and preventing tampering by implementing standards and controls.

# SCA Tools

![image.png](attachment:ff288ed3-dea4-46ef-bf21-a0a651f36362.png)

Consider using these four popular SCA tools: 
* **GitHub SCA**, GitHub's built-in dependency graph and Dependabot alerts, is for viewing dependency packages and their known vulnerabilities while using GitHub.com.
* Two SCA tools that OWASP offers are **Dependency-Check** and **Dependency-Track**.
* **Dependency-Check** scans project dependencies and reports publicly disclosed vulnerabilities, matching each dependency to a CPE and looking it up in vulnerability databases such as the NVD.
* **Dependency-Track** ingests software bills of materials (SBOMs) and continuously identifies risks within the software supply chain.
* Finally, **Snyk** is for analyzing codebases to evaluate security, code quality, and licensing.

# Summary

In this video, you learned that: 
* The goal of software component analysis (or SCA) is to discover open source components in a codebase so that you can better manage security and license compliance risks.
* SCA looks for all dependencies linked to your code, including transitive ones, and flags licenses such as the GPL that could oblige you to disclose your source code.
* Identifying and verifying software components are both important for reducing risks.
* You can use SCA tools like GitHub SCA, OWASP Dependency-Check and Dependency-Track, and Snyk to evaluate your software components.