Open-source components now play a crucial role in application development, but the number of supply chain attacks targeting them keeps increasing. Effectively identifying the related vulnerabilities requires suitable Software Composition Analysis (SCA) solutions.
Invicti (formerly Netsparker), a DAST leader for web applications, integrates with Mend SCA. Combining the two approaches offers a comprehensive view of vulnerabilities in open-source components.
Supply chain security
Widespread use of open-source components has made Software Composition Analysis an essential tool in AppSec. However, obtaining actionable results goes beyond simply identifying components with known vulnerabilities.
Invicti enables dynamic SCA by using IAST within its DAST solution. This method helps reduce false positives by offering runtime visibility into security gaps that are externally accessible, though it is limited to the components actually loaded during the analysis.
In contrast, traditional static SCA operates during the development phase and can assess components that are never loaded at runtime. While this provides broader coverage, it can generate extra noise, especially when some components are never actually called and are therefore not priorities for fixing. Through the integration between Invicti and Mend SCA, the strengths of static and dynamic component analysis are combined within a single AppSec platform, giving more accurate results with wide coverage.
Invicti’s DAST-based approach to supply chain security combines multiple methods. First, all active components undergo the same security checks as the application itself, identifying weaknesses that could lead to attacks such as SQL injection, cross-site scripting (XSS), server-side request forgery (SSRF), and more. At the same time, application components are checked against known CVEs (Common Vulnerabilities and Exposures). Additionally, tech stack components are identified and flagged if they are outdated or vulnerable.
Prioritization for remediation
The integration combines Mend SCA with dynamic analysis to detect open-source components with known vulnerabilities and prioritize them by severity. By leveraging Invicti’s Proof-Based Scanning technology, this approach provides accurate, confirmed results, enabling teams to focus remediation efforts on the actual risk level each open-source component presents.
Integration into CI/CD pipelines and developer workflows
Open-source components help teams build better software faster, so their analysis needs to fit seamlessly into existing workflows to ensure security without hindering development. Invicti integrates with leading CI/CD tools and issue trackers, providing a central hub for static and dynamic SCA alongside Invicti’s DAST and IAST, as well as SAST by Mend.io.
In this way, companies can secure their use of open-source components and include effective SCA solutions in their AppSec strategy.