Large-Scale Software Composition Analysis: Uncovering Vulnerable Dependencies in 600 Apps

Offered By: OWASP Foundation via YouTube

Tags

Software Composition Analysis Courses
Application Security Courses
Vulnerability Management Courses
Software Supply Chain Security Courses

Course Description

Overview

Explore a comprehensive conference talk detailing the successful implementation of a large-scale Software Composition Analysis (SCA) exercise on hundreds of third-party vendor-managed applications in just two months. Learn how the Government Technology Agency Singapore utilized OWASP Dependency-Check to address risks from software supply chain attacks and tackle patch debt from emerging libraries. Discover insights on process design, automation, monitoring, and vendor interaction. Delve into topics such as challenges with outsourced app development, considerations for centralized vulnerability management tools, evaluation of SCA tools, operational architecture iterations, and methods for handling false positives. Gain valuable knowledge on suppression techniques, scanning base products, and addressing vendors' challenges of non-exploitability in this informative 51-minute presentation by Frank Liauw, Senior Red Team Engineer and AppSec Team Lead.

Syllabus

Intro
Possible Challenges with Outsourced App Development
Considerations for Centralized Vulnerability Management Tools
People, Process, Technology
Evaluation of SCA Tools
SCA Tool Success Factors
SCA Tool Operational Architecture (3rd iteration)
SCA Tool Operational Architecture (4th iteration, WIP)
SCA Tool Evaluation Comparison (Revised)
False Positive from overly broad NVD CPE
Suppression Method
Scanning base products
Vendor's Challenge of non-exploitability
Taught by

OWASP Foundation

Related Courses

GitHub Supply Chain Security Using GitGat
Linux Foundation via edX
Introduction to Security Principles in Cloud Computing
Google via Google Cloud Skills Boost
DevOps with GitHub and Azure: Implementing Software Supply Chain Security with GitHub
Pluralsight
Hardening Your Soft Software Supply Chain
Pluralsight
Secure Software Supply Chain: Using Cloud Build & Cloud Deploy to Deploy Containerized Applications
Google via Google Cloud Skills Boost