The SCA Balancing Act: Understanding Tradeoffs, What to Do and Avoid
Software Composition Analysis (SCA) is among the most foundational approaches to product security. Understanding known vulnerabilities (CVEs) and the leading and lagging indicators of risk is among the most widely used security controls in industry. There are three major types of SCA: runtime SCA, manifest-scanning SCA, and build/install-time SCA with and without program analysis. This session will explore not only the hidden costs and pros/cons of each, but explain why they exist. With any approach to vulnerability management there is a spectrum of trade-offs, and complementary approaches are often seen as competitive because of a lack of understanding.