Software Composition Analysis – Gold Standard for Supply Chain Security, Revisited (A13b)
Tracking known vulnerabilities in open-source libraries as Common Vulnerabilities and Exposures (CVE), and distributing them via dedicated databases such as those hosted by MITRE, has been the de facto standard for supply chain security for several decades. However, the shock waves caused by the Log4Shell and XZ Utils vulnerabilities in seemingly inconspicuous and irrelevant libraries were felt well beyond the security community. This led to the demand for standardized and automated scanning for potentially dangerous third-party libraries, making the use of Software Composition Analysis (SCA) tools the new emerging gold standard for supply chain security.
Since SCA tools are designed as developer tooling, not for the evaluation or testing of supply chain security, integrating SCA into certifications requires special care. This talk will present a methodology and workflow for how SCA can be used to assess supply chain security in Common Criteria evaluations.