Back to Feed

Reachability in SCA/SAST (Part 1)

Amit Bismut

-

November 28, 2023

The problem - Most SCA tools report 89% inaccurate results.

SCA tools scan application code statically by analyzing dependency files (e.g., requirement, pom.xml, and others) to find the vulnerabilities associated with these packages.

However, the issue lies in the fact that SCA tools are optimized to “report more” rather than “report accurately”. They report on all the vulnerabilities associated with your packages even if they aren't actively used by your applications. While some SCA tools analyze whether the application utilizes the vulnerable package or code, they often cover only 'direct packages,' which constitute just 11% of the total packages. Leaving 89% of the results being reported inaccurately!

Every package you declare introduces 89 transitive packages, which most SCA assume are being used.

The use of inefficient tools leads to ineffective processes and a lack of trust. Engineers may be tasked with fixing a 'critical vulnerability' in a package, only to discover that it's not actually in use. This erodes their trust in the entire process, tools, and security professionals.

The Backslash approach

At Backslash we sought a solution with a fast time-to-value, minimal friction and based on pure static code scanning that allows shifting-left. Unlike other solutions Backslash does not require changing the code for instrumentation, integrating a tool in the build pipeline or adding an agent at runtime.This makes it ideal for both security and development teams.

We leverage our deep technology rooted in our proprietary SAST engine. This engine enables us to statically analyze both direct and transitive packages code, determining whether the application code calls them in a direct or indirect way.

Backslash shows a reachable vulnerability used by the application that should be triaged.

So that’s THE Silver bullet?

What we’ve covered in this blog is a BIG part in enhancing result accuracy and reducing noise. However, it's not enough to fix the longstanding issues this industry has struggled with  regarding vulnerabilities for the past decades. Backslash incorporates additional unique signals, which are quite exciting, but it is a story for another blog.

Watch next for our next blog about the FULL POWER of reachability in part 2. 😉

Backslash customers get 89% less of the noise a traditional SCA tool creates and save hours of work. Want to know how much time Backslash will save you? See a demo