Inaccurate SCA results created two problems: wasted time and developer inefficiency. Individuals had to choose between upgrading a package (and entering dependency hell) or waiting for DevOps to investigate.
- Idan Fast, co-founder and CTO @ Grip Security

Grip Security is a security vendor that provides businesses with visibility and control over their SaaS ecosystems. This helps security teams understand how company data is being used across SaaS applications, identify potential risks, and enforce the right security policies. Application security is an especially important part of their strategy because, as with other security vendors, the security of their tool is critical for building trust with customers.

The role of software composition analysis (SCA) in their AppSec program is to reduce breach risk, establish trust in their compliance posture, enable them to quickly respond to questions about vulnerability management SLAs and demonstrate how they reduce the possibility of a security incident. To balance security needs with developer productivity, they required an SCA that identifies packages with security or licensing issues and has a very low false positive rate.

Unfortunately, they realized the incumbent SCA tool wasn’t helping them meet those goals because it marked lots of findings as reachable but in fact they were unreachable in the context of their application. They frequently blocked the use of a package based on these results, but after looking into the details our DevOps team would learn there was no exposure.  

Inaccurate SCA results created two problems:

• Wasted time: Manually evaluating findings to confirm reachability took time away from other tasks the DevOps team needed to perform‍
• Developer inefficiency: Individuals had to choose between upgrading a package (and entering dependency hell) or waiting for DevOps to investigate, when in most cases they could have proceeded with the original package

Difficulties with upgrading dependencies is one reason it’s important for our SCA tool to be highly accurate; upgrading dependencies is time-consuming and difficult, so we want to be surgical in what gets upgraded.
- Idan Fast, co-founder and CTO @ Grip Security

Grip Security co-founder and CTO, Idan Fast, sought an SCA tool that would introduce the least amount of effort for developers. This was an important driver because developer time and productivity is at the highest premium. In looking for a new tool, he had two main requirements:

• Accurate prioritization: How well does the tool identify exploitable vulnerabilities, and can we easily validate the findings‍
• User experience: How easy is it for developers to use within their regular workflows