Friday September 27, 2024 11:00am - 11:30am PDT
OWASP dep-scan v6: The S in SCA is not an SBOM

The principle behind Software Composition Analysis (SCA) has remained the same for over a decade. It involves a single Software Bill-of-Materials (SBOM) document and a vulnerability database to identify potential vulnerabilities and advisories that might affect the given application or service. Such a technique of scanning an application with limited context creates both false positives and false negatives, a problem that is well-understood. Solving these inherent weaknesses requires some bold ideas. For OWASP dep-scan v6, we are revisiting every single word in the SCA acronym, to rethink SCA as we know it. In this mini session, we discuss the thinking behind the v6 release and offer insights into our technology and development efforts.
Speakers
Prabhu Subramanian

Prabhu Subramanian is the creator of the AppThreat platform, which includes open-source tools such as atom, blint, cdxgen, and dep-scan. Many of these projects are now incubated under the OWASP Foundation, where he co-leads them along with Caroline and Tim.
Room: Bayview A (Bay Level)
