Authors: Josiah Bruner
2023-02-15

“Reachability analysis” in software composition analysis (SCA) is a recent advancement that helps developers and security teams understand which vulnerable dependencies are actually reachable from first-party code, thereby reducing noise. However, most existing approaches require manual intervention (e.g., documenting “target functions”, creating rulesets, etc.). In this talk, we present a scalable approach to reachability analysis demonstrated by a new open-source tool named “Narrow”. Narrow combines patch analysis with static program analysis to automatically indicate whether vulnerabilities in third-party software components are truly relevant to your (Python) codebase. The best part: no need to create rules for every new vulnerability. Later in the talk we’ll discuss our experience implementing and rolling this out at a large enterprise. It wasn’t easy. There were technical, process, and human perception issues to deal with. Still, by the end we were able to remove a substantial amount of uncertainty from our risk management program, and we believe you can too.
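To make the idea concrete, here is a minimal illustration of the two halves of the approach (added example; it is not code from the talk or from the Narrow project). The set of functions touched by a fix commit stands in for the output of patch analysis, and a small AST-based call graph over constructed `thirdlib` and `app` modules stands in for the static program analysis; a vulnerability is reported as relevant only if a patched function is reachable from first-party code. Module sources, function names and the `patched` sets are all constructed for this example.

```python
import ast

# Constructed sample modules (not from the talk or Narrow): a third-party library
# and the first-party application that imports it.
MODULES = {
    "thirdlib": """
def parse(data): return helper(data)
def helper(data): return data.strip()
def unused_feature(x): return x
""",
    "app": """
import thirdlib
def handle_request(body): return thirdlib.parse(body)
def main(): return handle_request("  hi  ")
""",
}

def build_call_graph(modules):
    """Map each top-level function 'module.fn' to the qualified names it calls."""
    graph = {}
    for mod, src in modules.items():
        tree = ast.parse(src)
        aliases = {}  # local name -> imported module (only 'import x [as y]' handled)
        for node in ast.walk(tree):
            if isinstance(node, ast.Import):
                for a in node.names:
                    aliases[a.asname or a.name] = a.name
        for fn in (n for n in tree.body if isinstance(n, ast.FunctionDef)):
            callees = set()
            for call in (c for c in ast.walk(fn) if isinstance(c, ast.Call)):
                f = call.func
                if isinstance(f, ast.Name):          # bare call: same-module function
                    callees.add(f"{mod}.{f.id}")
                elif isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
                    callees.add(f"{aliases.get(f.value.id, f.value.id)}.{f.attr}")
            graph[f"{mod}.{fn.name}"] = callees
    return graph

def reachable_patched(patched, first_party="app"):
    """Return the patched functions reachable from any first-party function."""
    graph = build_call_graph(MODULES)
    seen, stack = set(), [fn for fn in graph if fn.startswith(first_party + ".")]
    while stack:                                   # depth-first walk of the call graph
        fn = stack.pop()
        if fn not in seen:
            seen.add(fn)
            stack.extend(graph.get(fn, ()))
    return seen & set(patched)
```

With these inputs, a fix that touched `thirdlib.helper` is flagged as reachable through `app.handle_request -> thirdlib.parse -> thirdlib.helper`, while a fix confined to `thirdlib.unused_feature` is not; the real tool must additionally handle `from x import y`, methods, dynamic dispatch and transitive dependencies, which this sketch deliberately omits.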