
Application Evaluation for Investment Decision

A merchant banking firm was looking to invest in a start-up HR tech company. Before making a decision, it was critical to understand and evaluate the tech company's proposition and to verify the integrity of the code used in its applications and systems.

Background

RRI Pte Ltd, a company controlled by principals from Charcot Capital, a merchant banking firm, was looking to invest in a start-up HR tech company. Before making a decision, it was critical to understand and evaluate the tech company's proposition and, in particular, to verify the integrity of the code used in its applications and systems and to ensure that any vulnerabilities or license issues found could be patched.

Scantist's Software Composition Analysis (SCA) uses proprietary analysis techniques combined with a highly curated vulnerability database to provide best-in-class results when it comes to understanding your organization's open-source risks.

Solution

An SCA solution was identified to evaluate the open source components used in building the application, and Scantist was tasked with demonstrating our capabilities in this regard. Our objectives were simple – to seamlessly identify the security and licensing risks arising from the use of open-source components, for users with any level of security expertise, which in turn would greatly increase the productivity of their development teams.

With the help of a light-weight agent, Scantist collected open source dependency information from manifest files, signature matches, build logs and other sources. The agent was run under the tech company's project directory and collected all dependency information found in the designated project into a single JSON file.

No source code or other sensitive data is collected in this process, and end-users can validate the contents of the JSON file before it is moved out for the audit process. Thereafter, an open source inventory for the application is created and analysed to remove false positives and to add the necessary remediation recommendations.
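To make the inventory step concrete, the following is an added example (not Scantist's agent or code) of what an SCA pipeline does once it has a dependency list: it builds an inventory that holds only package names, versions, licenses and the dependency graph (no source), matches each component against a vulnerability feed, classifies licenses, and derives the kind of statistics shown in the report below, including which direct dependency pulls in each vulnerable transitive one, since that is what has to be upgraded. The lockfile, the vulnerability entries (EXAMPLE-000x ids), the package names and the license sets are all constructed for the example.

```python
"""Build and analyse an open-source inventory from a constructed lockfile.

Added example: a minimal SCA-style pipeline. Nothing here is a real
package, vulnerability or product API; all sample data is constructed.
"""
import json

# Constructed lockfile: the resolved dependency graph of a hypothetical app.
# "direct" marks packages declared in the project's own manifest; the rest
# are transitive. "requires" lists what each package itself depends on.
SAMPLE_LOCKFILE = {
    "name": "sample-hr-app",
    "dependencies": {
        "web-framework": {"version": "2.3.1", "direct": True, "license": "MIT",
                          "requires": ["template-lib", "http-core"]},
        "pdf-export":    {"version": "5.0.0", "direct": True, "license": "Apache-2.0",
                          "requires": ["http-core"]},
        "template-lib":  {"version": "1.0.4", "direct": False, "license": "BSD-3-Clause",
                          "requires": ["escape-util"]},
        "http-core":     {"version": "0.9.2", "direct": False, "license": None,
                          "requires": []},
        "escape-util":   {"version": "3.1.0", "direct": False, "license": "GPL-3.0-only",
                          "requires": []},
    },
}

# Constructed vulnerability feed: a package is affected if its version is
# below "affected_below"; "fixed_in" is the first safe version.
SAMPLE_VULN_DB = [
    {"id": "EXAMPLE-0001", "package": "http-core", "affected_below": "1.0.0", "severity": "high", "fixed_in": "1.0.0"},
    {"id": "EXAMPLE-0002", "package": "escape-util", "affected_below": "3.2.0", "severity": "medium", "fixed_in": "3.2.0"},
    {"id": "EXAMPLE-0003", "package": "pdf-export", "affected_below": "4.0.0", "severity": "high", "fixed_in": "4.0.0"},
    {"id": "EXAMPLE-0004", "package": "web-framework", "affected_below": "2.4.0", "severity": "high", "fixed_in": "2.4.0"},
]

# Constructed license classification (a real policy would be far longer).
PERMISSIVE = {"MIT", "BSD-3-Clause", "Apache-2.0"}
RESTRICTIVE = {"GPL-3.0-only", "AGPL-3.0-only"}


def parse_version(v):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    return tuple(int(x) for x in v.split("."))


def build_inventory(lockfile):
    """Create the component list and record which direct dependency introduces each package."""
    deps = lockfile["dependencies"]
    introduced_by = {name: set() for name in deps}
    for root, data in deps.items():
        if not data["direct"]:
            continue
        # Depth-first walk of the transitive closure of each direct dependency.
        stack, seen = list(data["requires"]), set()
        while stack:
            pkg = stack.pop()
            if pkg in seen or pkg not in deps:
                continue
            seen.add(pkg)
            introduced_by[pkg].add(root)
            stack.extend(deps[pkg]["requires"])
    return [{"name": n, "version": d["version"], "direct": d["direct"], "license": d["license"],
             "introduced_by": sorted(introduced_by[n]), "vulnerabilities": []}
            for n, d in deps.items()]


def match_vulnerabilities(inventory, vuln_db):
    """Attach every feed entry whose affected range contains the installed version."""
    for comp in inventory:
        comp["vulnerabilities"] = [
            v for v in vuln_db
            if v["package"] == comp["name"]
            and parse_version(comp["version"]) < parse_version(v["affected_below"])]
    return inventory


def license_category(lic):
    if lic is None:
        return "none"
    if lic in PERMISSIVE:
        return "permissive"
    return "restrictive" if lic in RESTRICTIVE else "unknown"


def summarise(inventory):
    """Statistics of the kind an SCA report presents."""
    direct = [c for c in inventory if c["direct"]]
    transitive = [c for c in inventory if not c["direct"]]
    vulns = [v for c in inventory for v in c["vulnerabilities"]]
    cats = [license_category(c["license"]) for c in inventory]
    return {
        "direct_dependencies": len(direct),
        "direct_vulnerabilities": sum(len(c["vulnerabilities"]) for c in direct),
        "total_transitive_dependencies": len(transitive),
        "vulnerable_transitive_dependencies": sum(1 for c in transitive if c["vulnerabilities"]),
        "high": sum(1 for v in vulns if v["severity"] == "high"),
        "medium": sum(1 for v in vulns if v["severity"] == "medium"),
        "restrictive_licenses": cats.count("restrictive"),
        "components_without_license": cats.count("none"),
        "permissive_licenses": cats.count("permissive"),
    }


def remediation(inventory):
    """Upgrade the component itself if direct; otherwise name the direct dependencies that pull it in."""
    advice = []
    for c in inventory:
        for v in c["vulnerabilities"]:
            if c["direct"]:
                advice.append(f"{v['id']}: upgrade {c['name']} {c['version']} -> {v['fixed_in']}")
            else:
                via = ", ".join(c["introduced_by"]) or "(not reachable from a direct dependency)"
                advice.append(f"{v['id']}: {c['name']} {c['version']} is pulled in via {via}; "
                              f"upgrade those or pin {c['name']} >= {v['fixed_in']}")
    return advice


def run(lockfile=SAMPLE_LOCKFILE, vuln_db=SAMPLE_VULN_DB):
    inv = match_vulnerabilities(build_inventory(lockfile), vuln_db)
    return {"inventory": inv, "summary": summarise(inv), "remediation": remediation(inv)}


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

The JSON printed by `run()` is the whole artefact that leaves the project directory, which is why it can be reviewed before an audit: it contains names, versions, licenses and edges, nothing else. The remediation step is where most of the time saving comes from, because a transitive finding cannot be fixed by editing the vulnerable package; it has to be addressed through the direct dependency that introduces it or through an explicit version pin.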

Customer Testimonial

"When making a tech investment, verifying the integrity of the code is critical. Scantist provides a thorough solution that's also action orientated. Respect of data is guaranteed, ROI is obvious. We will continue to use Scantist for new investments and to monitor software on a continuing basis."

— Clement Lavallard, Partner of Charcot Capital

The Facts

Scantist's SCA was effectively able to map the application's open-source inventory and presented the following issues:

Vulnerability Statistics

- 778 Vulnerable Transitive Dependencies

- 815 Total Transitive Dependencies

- 54 Direct Open-Source Library Dependencies

- 14 Direct Vulnerabilities

Criticality Breakdown

- 8 High Criticality Issues

- 4 Medium Criticality Issues

License Analysis

- 3 Restrictive Licenses

- 23 Components Without Licenses

- 5 Permissive Licenses

Results

Visibility and Transparency

The audit report provides complete visibility into the open-source components of an application or project by presenting them as a bill of materials.

Reduced Remediation Time

Recommended remediation suggestions were given which resulted in an 85% reduction of time and effort required to fix vulnerabilities.

Reduced Risk of Data Breach

An average data breach costs US $3.886 million globally. By eliminating open-source related vulnerabilities, Scantist helped reduce the application's risk of data breach from 32% to 24% (annualized savings of US $310,000 on average).

Other Benefits

1. Improved Security Posture of Tech Company

2. Reduced Friction Between Security and Development Personnel

3. Helped Approach Application Development with a Security-by-Design Framework

4. Improved License Compliance and Risk Management with Regards to Open Source Use