Fejléc

Understanding your software ingredients matters

Szerző ikon Gergely Lesku

Dátum ikon 2026.06.04

Modern software is built not only from custom code but also from open-source libraries, frameworks, and third-party packages. While this speeds up development, it also introduces security, licensing, and maintenance risks that organizations need to understand and manage.

Applications depend on more than internal code

Most applications rely heavily on external components for functions such as authentication, logging, database access, and user interfaces.

These dependencies include both direct dependencies, which developers intentionally add, and transitive dependencies, which are automatically pulled in by other packages. A single framework can introduce dozens or even hundreds of additional components that become part of the final application.


Looking beyond source code

Reviewing and testing internally developed code remains important, but it provides only part of the picture.

What is ultimately deployed contains not only proprietary code but also third-party components, licenses, metadata, and potential vulnerabilities. Organizations therefore need visibility into everything included in the final software package.

This is the role of Software Composition Analysis (SCA).

What SCA helps you discover

SCA provides insight into the components that make up an application and the risks associated with them.

A typical SCA solution can:

  • identify component versions;
  • detect known vulnerabilities;
  • reveal licensing obligations;
  • highlight outdated or unsupported packages;
  • trace dependency relationships;
  • generate an SBOM (Software Bill of Materials).

Unlike package managers, SCA tools add security, compliance, and risk context to dependency information.


Growing risks in the software supply chain

Attackers increasingly target software supply chains rather than applications directly. Build environments, CI/CD systems, and package repositories have become common attack vectors.

Typical risks include:

  • vulnerable or outdated packages;
  • abandoned dependencies;
  • leaked credentials or secrets;
  • malicious packages;
  • typosquatting attacks;
  • dependency confusion attacks.

In some cases, malicious code can execute during package installation, compromising systems before the application even runs.


AI adds a new challenge

AI-assisted development tools can improve productivity, but they may also recommend non-existent package names.

Attackers can exploit this by publishing malicious packages under those names. If developers or automated tools install them, the software supply chain may be compromised.

As a result, supply chain security now extends beyond vulnerability management to include development practices, build processes, and AI-assisted workflows.

Managing findings effectively

The first SCA scan of a mature application often reveals a large number of issues. This does not necessarily indicate poor development practices; vulnerabilities, outdated dependencies, and licensing risks naturally accumulate over time if external components are not continuously maintained.

The key is prioritization. Teams need to determine which findings represent real risk in the context of the application and which can be addressed later. Some results may also be false positives, but transitive dependencies should not be ignored, as vulnerabilities deep in the dependency chain can still become exploitable.


Assess or update?

A common SCA challenge is deciding whether to analyze a finding in depth or simply upgrade the affected component. In many cases, verifying that a vulnerability is not exploitable requires almost as much effort as applying an update.

Overriding transitive dependencies directly can also create compatibility risks if the parent dependency was not tested with the newer version.

Often, the safer approach is to upgrade the direct dependency to a version that already includes a secure transitive component. SCA tools can help identify the appropriate update needed to eliminate vulnerabilities deeper in the dependency chain.

SCA throughout the development lifecycle

SCA should not be treated as a single CI/CD pipeline check.

It can help developers evaluate new dependencies, verify the contents of release artifacts, generate SBOMs, and continuously monitor deployed applications for newly disclosed vulnerabilities.

This ongoing visibility enables faster response when security issues emerge.

When to introduce SCA

The right time to adopt SCA depends on business risk, customer expectations, and regulatory requirements.

Many organizations start with monitoring and reporting before enforcing stricter policies. This gradual approach improves visibility without disrupting development workflows.


Final thoughts

Open-source and third-party components are essential to modern software development. The challenge is not avoiding them but understanding and managing them effectively.

SCA helps organizations identify what their applications contain, assess associated risks, maintain compliance, and respond quickly when vulnerabilities are discovered. In today’s software ecosystem, knowing your dependencies is just as important as knowing your own code.

Read the full article on our International subsidiary’s website by clicking on the logo: