A guide to supply chain security tools

The following is a listing of vendors that offer tools to help secure software supply chains, along with a brief description of their offerings.

Featured Provider

HCL Software: HCL AppScan empowers developers, DevOps, and security teams with a suite of technologies to pinpoint application vulnerabilities for quick remediation in every phase of the software development lifecycle. HCL AppScan SCA (Software Composition Analysis) detects open-source packages, versions, licenses, and vulnerabilities, and provides an inventory of all of this data for comprehensive reporting.

See also: Companies still need to work on security fundamentals to win in the supply chain security fight

Other Providers

Anchore offers an enterprise version of its Syft open-source software bill of materials (SBOM) project, used to generate and track SBOMs across the development lifecycle. It also can continuously identify known and new vulnerabilities and security issues.

Aqua Security can help organizations protect all the links in their software supply chains to maintain code integrity and minimize attack surfaces. With Aqua, customers can secure the systems and processes used to build and deliver applications to production, while monitoring the security posture of DevOps tools to ensure that the security controls put in place have not been circumvented.

ArmorCode's Application Security Posture Management (ASPM) Platform helps organizations unify visibility into their CI/CD posture and components from all of their SBOMs, prioritize supply chain vulnerabilities based on their impact in the environment, and find out if vulnerability advisories really affect the system.

Contrast Security: Contrast SCA focuses on real threats from open-source security risks and vulnerabilities in third-party components during runtime. Operating at runtime effectively reduces the occurrence of false positives often found with static SCA tools and prioritizes the remediation of vulnerabilities that present actual risks. The software can flag software supply chain risks by identifying potential instances of dependency confusion.

FOSSA provides an accurate and precise report of all code dependencies to unlimited depth, and can generate an SBOM for any prior version of software, not just the current one. The platform uses multiple techniques, beyond just analyzing manifest files, to produce an audit-grade component inventory.

GitLab helps secure the end-to-end software supply chain (including source, build, dependencies, and released artifacts), create an inventory of software used (software bill of materials), and apply necessary controls. GitLab can help track changes, implement necessary controls to protect what goes into production, and ensure adherence to license compliance and regulatory frameworks.

Mend.io: Mend’s SCA automatically generates an accurate and deeply comprehensive SBOM of all open source dependencies to help ensure software is secure and compliant. Mend SCA generates a call graph to determine if code reaches vulnerable functions, so developers can prioritize remediation based on actual risk.

Revenera provides ongoing risk assessment for license compliance issues and security threats. The solution can continuously assess risk across a portfolio of software applications and the supply chain. SBOM Insights supports the aggregation, ingestion, and reconciliation of SBOM data from various internal and external data sources, providing the needed insights to manage legal and security risk, deliver compliance artifacts, and secure the software supply chain.

Snyk can help developers understand and manage supply chain security, from enabling secure design to tracking dependencies to fixing vulnerabilities. Snyk provides the visibility, context, and control needed to work alongside developers on reducing application risk.

Sonatype can generate both CycloneDX and SPDX SBOM formats, import them from third-party software, and analyze them to pinpoint components, vulnerabilities, malware, and policy violations. Companies can prove their software’s security status easily with SBOM Manager, and share SBOMs and customized reports with customers, regulators, and certification bodies via the vendor portal.

Synopsys creates SBOMs automatically with Synopsys SCA. With the platform, users can import third-party SBOMs and evaluate for component risk, and generate SPDX and CycloneDX SBOMs containing open source, proprietary, and commercial dependencies.

Veracode Software Composition Analysis can continuously monitor software and its ecosystem to automate finding and remediating open-source vulnerabilities and license compliance risk. Veracode Container Security can prevent exploits to containers before runtime and provide actionable results that help developers remediate effectively.

Open Source Solutions

CycloneDX: The OWASP Foundation’s CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. Strategic direction of the specification is managed by the CycloneDX Core Working Group. CycloneDX is also backed by the Ecma International Technical Committee 54 (Software & System Transparency).

SPDX is a Linux Foundation open standard for sharing SBOMs and other important AI, data, and security references. It supports a range of risk management use cases and is a freely available international open standard (ISO/IEC 5692:2021).

Syft is a powerful and easy-to-use CLI tool and library for generating SBOMs for container images and filesystems. It supports CycloneDX, SPDX, and JSON output formats. Syft can be installed and run directly on a developer machine to generate SBOMs for software being developed locally, or it can be pointed at a filesystem.