As the fallout from the Apache Log4j vulnerabilities earlier this year shows, the biggest risks in enterprise software today are not necessarily in insecure code written directly by in-house software development teams. The flaws in the components, libraries and other open-source code that make up the bulk of today's software code bases are the underwater part of the insecurity iceberg.

The truth is that much of the enterprise software and custom applications produced by DevOps teams and software engineering groups is not actually coded by their developers. Modern software is modular. Developers use what is called a microservices architecture to build new applications much like a Lego house, using blocks made of premade code. Rather than reinventing the wheel every time their application needs to perform a common function, developers root around in their proverbial box of blocks to find the one that does what they need without a lot of fuss.

That box is today's ever-expanding software supply chain, a sometimes very informal source of code that flows from the millions of GitHub repositories and open-source projects online today. It consists of the components and libraries used in myriad applications, and in the underlying application and development infrastructure used to construct modern development pipelines.

Of course, the programs provided by this supply chain aren't really bricks and they don't always interlock perfectly, so developers write custom code to glue the pieces together. Many then turn those creations into yet more open-source projects so that others can solve similar problems, which is one reason why the software supply chain keeps growing.

Applications built with third-party code

A modern application is mostly made up of third-party code. According to Forrester, the percentage of open-source code in an average application's code base rose from 36% in 2015 to 75% in 2020.

It's a faster, more scalable way to develop, but like all technology innovation it comes with added cyber risk unless proper care is taken. It's the dirty little secret of the development world that components taken from today's software supply chain can very easily be out of date and riddled with vulnerabilities. Making things even more complicated, flaws are often nested: projects in the supply chain depend on other projects, so a vulnerable component can arrive indirectly through a dependency of a dependency. Sometimes flaws are even added deliberately by attackers who seed open-source software with vulnerabilities.

The vulnerabilities introduced by the software supply chain can be hidden cybersecurity landmines in enterprise software, particularly when organizations do nothing to formally govern how their developers use the software supply chain. Many organizations barely even track (let alone vet or manage) the components, libraries and developer tools that go into, or produce, the code their developers commit. According to a study released by the Linux Foundation, fewer than half of organizations use a software bill of materials (SBOM) that tracks exactly what goes into their applications from the software supply chain.

Creating an SBOM is foundational for supply chain security, alongside open-source governance and securing the infrastructure-as-code elements that touch applications throughout the SDLC.
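To make the "nested flaws" and SBOM points concrete, here is an added example (not code from the article or from any vendor it lists): a small Python resolver that reads a constructed CycloneDX-shaped SBOM, walks the dependency graph from the application root, and reports the path by which each component matching an advisory is pulled in. The SBOM contents, the component names and versions, and the advisory (with a placeholder id, not a real CVE) are all constructed for illustration.

```python
import json
from collections import deque

# Constructed SBOM in the CycloneDX JSON shape (bom-ref / dependencies).
# Not a real application's bill of materials; versions are illustrative.
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "name": "billing-service", "version": "1.0"}},
  "components": [
    {"bom-ref": "web", "name": "web-framework", "version": "5.3.0"},
    {"bom-ref": "logfacade", "name": "logging-facade", "version": "1.7.0"},
    {"bom-ref": "log4j", "name": "log4j-core", "version": "2.14.1"},
    {"bom-ref": "json", "name": "json-parser", "version": "2.12.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["web", "json"]},
    {"ref": "web", "dependsOn": ["logfacade"]},
    {"ref": "logfacade", "dependsOn": ["log4j"]},
    {"ref": "json", "dependsOn": []}
  ]
}'''

# Constructed advisory feed: component name -> placeholder id and affected versions.
# The id and version set are made up for the example, not an authoritative range.
ADVISORIES = {"log4j-core": {"id": "ADVISORY-PLACEHOLDER-1", "affected": {"2.14.0", "2.14.1"}}}

def load_graph(sbom_text):
    """Return (root bom-ref, components by bom-ref, dependency edges by bom-ref)."""
    bom = json.loads(sbom_text)
    comps = {c["bom-ref"]: c for c in bom["components"]}
    root = bom["metadata"]["component"]
    comps[root["bom-ref"]] = root
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom["dependencies"]}
    return root["bom-ref"], comps, edges

def find_vulnerable_paths(sbom_text, advisories):
    """Breadth-first walk from the application root. For every component whose
    name/version matches an advisory, return one root -> ... -> component path,
    so a transitive flaw is traced back to the direct dependency that pulls it in."""
    root, comps, edges = load_graph(sbom_text)
    findings, seen, queue = [], {root}, deque([(root, [root])])
    while queue:
        ref, path = queue.popleft()
        comp = comps[ref]
        adv = advisories.get(comp["name"])
        if adv and comp["version"] in adv["affected"]:
            findings.append({"id": adv["id"], "component": f'{comp["name"]}@{comp["version"]}',
                             "path": [comps[p]["name"] for p in path]})
        for child in edges.get(ref, []):   # components with no entry have no children
            if child not in seen:
                seen.add(child)
                queue.append((child, path + [child]))
    return findings
```

Running `find_vulnerable_paths(SBOM_JSON, ADVISORIES)` shows that `log4j-core` never appears in the application's direct dependencies; it is inherited through `web-framework` and `logging-facade`, which is exactly the kind of hidden component an SBOM is meant to surface.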
The following is a list of tools that help accomplish this, with a heavy emphasis on software composition analysis (SCA) tools that focus specifically on developing SBOMs, raising visibility into what goes into software, and remediating flaws in the components that are the building blocks of software today.

Top supply chain security tools

Contrast Security

Known best for its interactive application security testing (IAST) technology, which detects vulnerabilities in applications via an agent running on the application server, Contrast Security provides SCA capabilities as part of a full slate of testing in its open platform, which also does dynamic application security testing (DAST), static application security testing (SAST), runtime application self-protection (RASP), and serverless security checks on AWS Lambda infrastructure.

The tooling can not only generate an SBOM but also contextualize flaws across the various ingredients that make up an application by visualizing application architecture, code trees and message-flow information to aid threat modeling and remediation. Open-source governance is embedded within modern development workflows and tooling, and Contrast's bread and butter is bridging the divide between developers and security teams, making it a major player in the DevSecOps market.

ShiftLeft

A relative newcomer in this field, ShiftLeft is designed to fit into the development workflow of forward-thinking DevOps teams. Its core value is in bringing together SCA and SAST into a single scan that runs when a developer makes a pull request. The technology uses a technique the company calls the Code Property Graph (CPG) to map dependencies and data flows across custom code, open-source libraries, SDKs and APIs, seeking out not only flaws across the entire application, including its open-source components, but also logical application weaknesses. Supply chain flaws are prioritized by susceptibility to attack using a "reachability" index inserted into the SBOM, which puts each flaw in the context of how attackable the component is based on how it is used in the application.

Snyk

Snyk is a cloud-native, developer-centric set of tooling purpose-built for DevSecOps and cloud-native development shops. Best known for its SCA and container security scanning capabilities, it also offers SAST and API vulnerability testing. In February 2022 the company purchased Fugue, a cloud security posture management company. As Gartner explained, its blend of offerings across infrastructure-as-code security, container security and application security reflects the fact that "application and infrastructure layers increasingly blur together." It's usually bought on the developer side but is worth a look for CSOs and security staff seeking to move toward a democratized model of developer-run security testing and remediation.

Sonatype Nexus

One of the longest-running offerings in the SCA market, Sonatype was billing itself as a "software supply chain security" company long before the term started sneaking into the titles of security conference and webinar sessions. The heart of the Sonatype Nexus platform is its capabilities for creating detailed SBOMs and for policy management. Forrester analysts say, "Policy is an area of strength for Sonatype, with out-of-the-box policies that align to a range of standards and a policy engine that allows users to create and assign policies to certain types of applications." Policies can be applied not only to what goes into the code but also to managing the security and configuration of the surrounding infrastructure as code and containers used to develop and deploy applications.

Sonatype also offers repository management to provide a single source of truth for all components, binaries and build artifacts. Nexus's visualization of component history and Sonatype's customer service are also called out by the analysts as big strengths. Last year Sonatype also acquired MuseDev, which helped it build out its Sonatype Lift capabilities, which provide developer-friendly code quality analysis during code review.

Synopsys Black Duck

Synopsys' Black Duck SCA tool does four types of analysis (dependency, codeprint, binary and snippet) to track and manage the components used within an organization's software. Synopsys recently improved Black Duck's SBOM creation capabilities to include BLANK. In addition to creating bills of materials, the tool also performs automated policy management. Black Duck is part of the broader portfolio of AppSec tools offered by Synopsys, which Gartner named a leader in its Application Security Testing Magic Quadrant. The open platform model it uses to deliver SCA alongside DAST, SAST, penetration testing, fuzzing and a range of other testing capabilities is a key value proposition. It "makes Synopsys a good fit for organizations with complex, multiteam development, using a mix of development styles and programming technologies," says Gartner.

Veracode

A longtime powerhouse in the traditional appsec testing market, with a mature SaaS product that has long dominated the SAST and DAST arenas, Veracode has in the last few years been investing heavily in SCA. Following its acquisition of SourceClear in 2018 there was some bifurcation between its homegrown SCA capabilities and what it offered through SourceClear, but Veracode Software Composition Analysis is now a single product available through the platform. "Veracode's roadmap focuses on unifying the SAST and SCA capabilities in the developer environment and enhancing container and IaC [infrastructure as code] security capabilities," explain Forrester analysts. They say the high points for Veracode are its remediation reports and dependency graphing. The biggest point of friction, they noted, was the difficulty of integrating it into developer workflows.

WhiteSource Software

A big highlight of WhiteSource Software's SCA tooling is its developer-friendly remediation of component security issues, including alerting on and fixing out-of-date and malicious components. "WhiteSource's thought leadership is focused on remediation and prioritization," wrote Forrester analysts, who deem this vendor a leader in the SCA space. "WhiteSource offers differentiating features, including a browser plugin to help avoid problematic components and removing unreachable vulnerabilities from the developer's queue to improve developer experience." One point on which they say it lags is its lack of out-of-the-box policies. WhiteSource launched a SAST solution earlier this year.