ASP.NET Security Consultant

I'm an author, speaker, and generally a the-way-we've-always-done-it-sucks security guy who specializes in web technologies and ASP.NET.

I'm a bit of a health nut too, having lost 50 pounds in 2019 and 2020. Check out my blog for weight loss tips!

What is SCA/Component Scanning?

Published on: 2019-10-15

Image by rafamiga from Pixabay

If you're new to security scans, or you've heard mostly about DAST/Active and SAST/Code scans, you may not know what SCA/Component scanning is, or why you need it. If this is you, read on!

How SCA scanners work

At this point, the vast majority of new software written contains several, if not a couple dozen, references to other software libraries, whether open source or otherwise. These libraries have vulnerabilities just like any other software package, and with constant updates it is difficult to know when upgrades are needed vs. merely available.

SCA tools are designed to help with this. There are several organizations that have compiled a list of vulnerable software, such as the National Vulnerability Database and the OSS Index from Sonatype. SCA tools check your list of components against databases such as these looking for matches. Depending on the scanner, you may either get a pass/fail for an individual vulnerability or a score and severity ranking.

It is important to point out that typical SCA scanners do NOT try to evaluate the code of your components. This is important because if you are using a little-known library, vulnerabilities might not get into the database, and therefore might not appear in scan results. But SCA tools can be quite helpful in tracking which versions of your commonly-used software libraries need upgrades because of security concerns.
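To make the matching step concrete, here is a small added example (my own illustration, not code from the post or from any real SCA product) of what an SCA scanner does with your component list: it parses the manifest, compares each component's version against the affected ranges in a vulnerability database, and reports pass/fail plus the worst severity. The package names, versions, advisory IDs and database entries are all constructed placeholders, not real packages or CVEs. It also goes one step past the post: a component the database has never heard of is reported as "no data" rather than "pass", which is exactly the little-known-library caveat above.

```python
"""Toy SCA matcher: checks a component manifest against a vulnerability
database.  Every package name, version and advisory ID here is constructed
for illustration; none refers to a real package or CVE."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None = no fix yet
    severity: str
    advisory_id: str       # constructed placeholder, not a real identifier


# Constructed stand-in for a database such as NVD or OSS Index.
VULN_DB = [
    Advisory("ExampleJsonLib", "1.0.0", "2.3.1", "High", "EXAMPLE-0001"),
    Advisory("ExampleJsonLib", "3.0.0", "3.0.2", "Medium", "EXAMPLE-0002"),
    Advisory("ExampleImageLib", "0.9.0", None, "Critical", "EXAMPLE-0003"),
    Advisory("ExampleLoggingLib", "4.0.0", "4.1.0", "High", "EXAMPLE-0004"),
]

# Constructed component manifest: one "name version" per line, a simplified
# form of what a package lock file or packages.config would give you.
MANIFEST = """\
ExampleJsonLib 2.1.0
ExampleImageLib 1.4.2
ExampleLoggingLib 5.0.0
ObscureInternalLib 0.1.0
"""

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1).  Non-numeric suffixes such as '-beta'
    are stripped so comparison stays numeric, and short versions are padded
    so that '2.3' compares equal to '2.3.0'."""
    parts = []
    for seg in text.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_manifest(text):
    """Return {package_name: version} from the manifest text, ignoring
    blank lines and '#' comments."""
    components = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split()
        components[name] = version
    return components


def is_affected(version, adv):
    """True when version lies in [introduced, fixed) for this advisory."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def scan(components, db):
    """Return {name: {"status", "severity", "findings"}} for each component.
    status is 'fail' (at least one matching advisory), 'pass' (the package is
    in the database but this version is outside every affected range), or
    'no data' (the database has no entry for the package at all).  'no data'
    is deliberately not folded into 'pass': absence from the database is not
    evidence that the component is safe."""
    known = {a.package for a in db}
    report = {}
    for name, version in components.items():
        hits = [a for a in db if a.package == name and is_affected(version, a)]
        if hits:
            worst = max(hits, key=lambda a: SEVERITY_RANK[a.severity])
            status, severity = "fail", worst.severity
        elif name in known:
            status, severity = "pass", None
        else:
            status, severity = "no data", None
        report[name] = {
            "status": status,
            "severity": severity,
            "findings": [(a.advisory_id, a.severity, a.fixed) for a in hits],
        }
    return report


if __name__ == "__main__":
    for name, r in scan(parse_manifest(MANIFEST), VULN_DB).items():
        print(f"{name:20} {r['status']:8} {r['severity'] or '-':9} {r['findings']}")
```

Real scanners differ mainly in the quality of their version-range data and how they identify packages (hashes, purl identifiers, transitive resolution); the matching itself is this simple, which is why a component missing from the database silently produces no finding unless you track "no data" separately.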

What SCA scanners don't do

One question I get frequently is: "if the vulnerability is in functionality I don't use, do I still need to upgrade?" My answer is "yes", for two reasons:

  • You never know when an attacker might be able to use a vulnerability in an unrelated part of a component against you.
  • If a vulnerability shows up in that component in a feature you do use, it is unlikely that you will notice.

In both cases, you really should update the component, just to be on the safe side.

Further reading

Why you should use multiple scanners

Why running automated scans isn't enough