Runtime Software Composition Analysis
Identify and manage vulnerabilities in open source components and libraries used by an application at runtime.
Software Composition Analysis (SCA) is a powerful tool for locating and analyzing open source and third-party packages used by your code. However, as applications become ever more complex, with more and more libraries and packages in use, results of SCA scanning can be unwieldy. Runtime SCA allows organizations to understand not just what libraries and packages are referenced in code, but what libraries and packages are actually used by the application at runtime.
Runtime Software Composition Analysis (SCA) identifies and manages vulnerabilities in the open-source components and libraries that are used within software applications during execution. Unlike traditional SCA, which analyzes dependencies statically (that is, by examining code and libraries during the build process), runtime SCA continuously monitors applications as they run to detect any use of libraries during runtime.
Runtime SCA provides more accurate context for potential vulnerabilities, and thus helps prioritize issue remediation and resolution.
Runtime SCA can be applied to applications in production or in lower testing environments.
- Deploy an IAST agent.
ASoC supports Java and .NET agents for use with runtime SCA.
- Enable the runtime SCA-specific environment variables, IAST_RUNTIME_SCA or IAST_SCA_PROD, in the IAST configuration file.
- Test your application by running functional tests, a dynamic scan, or exploring the application manually.
The IAST agent monitors and reports on every third-party library loaded at runtime.
- Create and run an SCA scan.
Libraries identified by IAST during runtime and by the SCA scan are correlated and shown in a correlation group. For example:
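The correlation step described above, as an added illustration that is not ASoC or IAST agent code: static SCA findings from a build manifest are matched against the libraries an agent observed loading, so that findings confirmed at runtime can be prioritized and version mismatches between the manifest and the running artifact are surfaced. All package names, versions and advisory identifiers below are constructed placeholders, and the agent's real report format is assumed, not reproduced.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One static SCA finding; `advisory` is a constructed placeholder, not a real CVE."""
    package: str
    version: str
    advisory: str


@dataclass(frozen=True)
class LoadedLibrary:
    """One library the runtime agent observed being loaded (constructed record)."""
    package: str
    version: str


# Constructed static SCA results for a build manifest (placeholder names/ids).
STATIC_FINDINGS = [
    Finding("example-json", "2.9.8", "ADVISORY-PLACEHOLDER-1"),
    Finding("example-logging", "2.14.1", "ADVISORY-PLACEHOLDER-2"),
    Finding("example-text", "1.9", "ADVISORY-PLACEHOLDER-3"),
]

# Constructed runtime observations, as an agent might report loaded libraries.
# Note the logging library loads at a different version than the manifest declares.
RUNTIME_LOADED = [
    LoadedLibrary("example-json", "2.9.8"),
    LoadedLibrary("example-logging", "2.17.1"),
]


def correlate(findings, loaded):
    """Split findings into runtime-confirmed, version-mismatched and unobserved.

    Matching is by case-insensitive package name. A finding whose package loaded
    at a different version is reported separately rather than silently dropped,
    because the shipped artifact may not match the manifest that was scanned.
    """
    versions_by_name = {}
    for lib in loaded:
        versions_by_name.setdefault(lib.package.lower(), set()).add(lib.version)
    confirmed, mismatched, unobserved = [], [], []
    for finding in findings:
        seen = versions_by_name.get(finding.package.lower())
        if seen is None:
            unobserved.append(finding)          # never loaded: lower priority
        elif finding.version in seen:
            confirmed.append(finding)           # loaded at the vulnerable version
        else:
            mismatched.append((finding, sorted(seen)))  # loaded, other version
    return confirmed, mismatched, unobserved
```

Unobserved findings are not discarded: a library may only load under a code path the functional tests did not exercise, so the runtime list narrows what to fix first rather than what to fix at all.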