Contrast Security Adds SCA in Free CodeSec Tool

App security tools provider Contrast Security has added software composition analysis (SCA) capabilities to its free CodeSec "developer-first" scanner, the company announced this week.

The new SCA feature was added to enable developers to identify vulnerable third-party libraries quickly and accurately. Designed to provide fast scanning of open-source software (OSS) and immediate actionable results, the SCA allows developers to begin shipping code confidently while easily creating a standardized software bill of materials (SBOM) to manage supply chain risk, the company says.

According to industry analyst Katie Norton, SBOMs have become a critical component of a secure software supply chain. "As part of US Executive Order 14208, the US National Institute of Standards and Technology (NIST) includes a key directive for organizations to 'Establish and maintain a software inventory or an SBOM,'" Norton noted in a recent report ("Contrast Security Targets Developers with Free DevSecOps Solution"). "Free solutions for developers, like CodeSec SCA, will play an important role in helping ramp up the adoption of SBOMs."

Embedding code analysis and attack prevention directly into software with instrumentation, the Contrast platform automatically detects vulnerabilities while developers write code, eliminates false positives, and provides context-specific how-to-fix guidance for easy and fast vulnerability remediation, the company says. The new SCA feature within CodeSec enables developers to identify the vulnerable libraries in OSS while providing actionable remediation guidance to ship code faster and manage software supply chain risk by allowing developers to create SBOMs easily.

Los Altos, CA-based Contrast bills itself as "the leader in code security that empowers developers to secure as they code," with a customer base of hundreds of thousands of developers at some of the largest brand-name companies in the world. The company made the announcement this week, claiming it's the first to offer free application security testing and SCA in a single, developer-friendly interface.

The company's flagship tool was designed to make developer security more efficient and accurate by delivering three key capabilities to the developer's laptop:

  • Discover dependencies: Finds vulnerable libraries (in Java, JavaScript, Python, Ruby, Go, PHP, .NET) in OSS with fast, accurate scans (SCA), and actionable remediation guidance to ship code faster and create standardized SBOMs.
  • Secure the code: Optimizes code security for Java, JavaScript, and .NET apps with fast, static application security testing (SAST) scans and actionable remediation guidance from a command line interface (CLI). Devs can also secure GitHub pipelines with Contrast GitHub Actions for free.
  • Secure cloud native applications: Takes advantage of a new application security tool for serverless environments in Amazon Web Services (AWS) Lambda Functions (Java + Python) that detects cloud-native vulnerabilities quickly and accurately while providing actionable remediation guidance in a CLI.
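To make concrete what the "discover dependencies" step produces, here is an added Python illustration. It is not Contrast CodeSec's code, data format or advisory feed: the requirements-style manifest, the advisory records (with placeholder ids, not real CVEs) and the version-range logic are all constructed for this example. It parses the manifest, matches each pinned component against the advisory list, and emits a minimal SBOM-style inventory with the affected components flagged. A real SCA tool would also resolve transitive dependencies and query a live vulnerability database, which this example deliberately does not.

```python
"""Minimal software composition analysis (SCA) over a pinned dependency
manifest, producing a simple SBOM-style inventory.

Added illustration only: this is NOT Contrast CodeSec's code or its data
format. The manifest, the advisory list and the version-range logic are all
constructed here so the example runs offline.
"""
from dataclasses import dataclass, field

# Constructed sample manifest in requirements.txt style (not from the article).
SAMPLE_MANIFEST = """\
# web stack
requests==2.25.1
urllib3==1.26.4
jinja2==3.1.2
pyyaml==5.3.1   # trailing comment
"""

# Constructed advisory records: introduced <= version < fixed is affected.
# The ids are placeholders, not real CVE or advisory identifiers.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "urllib3", "introduced": "1.26.0", "fixed": "1.26.5"},
    {"id": "ADV-PLACEHOLDER-2", "package": "pyyaml", "introduced": "0", "fixed": "5.4"},
    {"id": "ADV-PLACEHOLDER-3", "package": "jinja2", "introduced": "0", "fixed": "3.0.0"},
]


@dataclass
class Component:
    name: str
    version: str
    advisories: list = field(default_factory=list)


def parse_version(v: str) -> tuple:
    """Turn '1.26.4' into (1, 26, 4) so ranges compare numerically.
    Non-numeric segments count as 0 (a simplification for the example)."""
    parts = []
    for seg in v.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_manifest(text: str) -> list:
    """Read 'name==version' lines; comments and blank lines are skipped."""
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency not supported here: {line}")
        name, version = (s.strip() for s in line.split("==", 1))
        components.append(Component(name=name.lower(), version=version))
    return components


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when the version lies in the half-open affected range."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def scan(components: list, advisories: list) -> list:
    """Attach every matching advisory id to each component."""
    for comp in components:
        for adv in advisories:
            if adv["package"] == comp.name and is_affected(
                comp.version, adv["introduced"], adv["fixed"]
            ):
                comp.advisories.append(adv["id"])
    return components


def build_sbom(components: list) -> dict:
    """Emit a minimal inventory: one entry per component, plus findings."""
    return {
        "components": [{"name": c.name, "version": c.version} for c in components],
        "findings": [
            {"name": c.name, "version": c.version, "advisories": list(c.advisories)}
            for c in components
            if c.advisories
        ],
    }


def run(manifest: str = SAMPLE_MANIFEST, advisories: list = SAMPLE_ADVISORIES) -> dict:
    """Full pipeline: manifest -> components -> matched advisories -> inventory."""
    return build_sbom(scan(parse_manifest(manifest), advisories))


if __name__ == "__main__":
    import json

    print(json.dumps(run(), indent=2))
```

Running the block on the constructed manifest lists all four components and flags urllib3 and pyyaml as affected, while jinja2 3.1.2 falls outside its advisory's range and requests has none. The half-open range check is the part to get right in practice: a version equal to the fixed version must not be reported.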

"Deploying code quickly is key in this market," said Contrast's co-founder and CTO Jeff Williams, in a statement. "That's why current-day developers heavily rely on open-source code to keep pace with the demands of companies. Those same companies are getting pressure to develop SBOMs and increase visibility into the components that make up the applications they're creating and using each day. CodeSec is… a single free tool that quickly and accurately identifies vulnerabilities in custom code, open-source, and serverless functions. Instead of wasting time configuring, integrating, and running multiple different security tools, CodeSec provides exactly what developers need."

According to the market watchers at Gartner ("Market Guide for Software Composition Analysis"), 70% of modern software solutions contain applications that hold flaws stemming from their use of open source. Every industry, from finance, to healthcare, to government, trusts and relies on applications and APIs built with open source. With the Log4j vulnerability and the SolarWinds attack, organizations around the world are in desperate need of generating SBOMs to understand the components in their software supply chain.

About the Author

John K. Waters is the editor in chief of a number of sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].