Software composition analysis (SCA) is essential for organizations that build applications on third-party open-source components, because it surfaces the security risk those dependencies carry. The CVSS score attached to a CVE record is a useful indicator of a vulnerability's potential technical impact, but the severity of an SCA finding also depends on factors that score does not capture, chiefly the likelihood that the flaw is actually exploited and the business importance of the application that uses the component.
To rate an SCA finding, organizations can combine several signals rather than relying on the CVSS score alone: CVSS for technical impact, EPSS for an estimated probability that the vulnerability will be exploited in the wild, and CISA's Known Exploited Vulnerabilities (KEV) catalog for confirmation that it already has been. A Software Bill of Materials (SBOM) is an inventory of the components in an application, including their names and versions and, in formats such as CycloneDX and SPDX, a package identifier. Matching an SBOM against vulnerability data lets a team quickly determine which applications contain an affected component version; the SBOM does not find vulnerabilities itself, it tells you where a published one applies.
Organizations should also weigh their own risk tolerance. The same third-party vulnerability is more severe when the vulnerable component is essential to the organization's mission, or when its compromise could cause material or irreversible harm to public well-being or to the organization's reputation, than when it sits in an internal tool with limited reach.
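Putting the three signals and the criticality weighting together, here is an added example (not code from the original page) that matches a constructed CycloneDX-style SBOM against a constructed vulnerability feed and ranks the hits. The CVE-0000-* identifiers, EPSS values, KEV membership, the introduced/fixed version ranges and the weighting formula are all assumptions chosen to show the behaviour; the thing to notice is that a KEV-listed flaw outranks a CVSS 9.8 with low EPSS, and stays P1 even for a low-criticality application, while a component whose version already carries the fix produces no finding at all.

```python
"""Rate SCA findings by combining CVSS, EPSS, KEV and business criticality.

Added example, not from the original page. The SBOM, vulnerability feed, EPSS
scores and KEV entries are constructed inline so the script runs offline; the
CVE-0000-* identifiers are placeholders (year 0000 is never assigned) and the
weighting is a hypothetical policy, not a standard.
"""
import json
from dataclasses import dataclass

# Constructed minimal CycloneDX-style SBOM with hypothetical components.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libexample", "version": "2.3.1", "purl": "pkg:npm/libexample@2.3.1"},
    {"type": "library", "name": "parserkit", "version": "1.0.4", "purl": "pkg:pypi/parserkit@1.0.4"},
    {"type": "library", "name": "tlswrap", "version": "4.2.0", "purl": "pkg:maven/org.example/tlswrap@4.2.0"}
  ]
}"""


@dataclass(frozen=True)
class Vuln:
    cve: str
    ecosystem: str
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive); "" means no fix yet
    cvss: float      # CVSS base score, 0-10


# Constructed vulnerability feed in an OSV-like introduced/fixed shape.
VULN_FEED = [
    Vuln("CVE-0000-0001", "npm", "libexample", "2.0.0", "2.3.2", 9.8),
    Vuln("CVE-0000-0002", "pypi", "parserkit", "1.0.0", "1.1.0", 5.3),
    Vuln("CVE-0000-0003", "maven", "org.example/tlswrap", "4.0.0", "4.1.0", 7.5),
    Vuln("CVE-0000-0004", "pypi", "parserkit", "0.9.0", "", 7.2),
]
# Constructed EPSS probabilities (0-1) and KEV membership for the placeholders.
EPSS = {"CVE-0000-0001": 0.10, "CVE-0000-0002": 0.45, "CVE-0000-0004": 0.01}
KEV = {"CVE-0000-0004"}
# Hypothetical weights expressing the organisation's risk tolerance per application.
CRITICALITY_WEIGHT = {"mission-critical": 1.0, "important": 0.7, "internal-tool": 0.4}


def split_purl(purl: str) -> tuple[str, str, str]:
    """Return (ecosystem, name, version) from a package URL; qualifiers are ignored."""
    body = purl.removeprefix("pkg:").split("?", 1)[0]
    name_part, _, version = body.rpartition("@")
    ecosystem, _, name = name_part.partition("/")
    return ecosystem, name, version


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric versions only; pre-release tags are out of scope here."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, vuln: Vuln) -> bool:
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(vuln.introduced):
        return False
    return vuln.fixed == "" or v < parse_version(vuln.fixed)


def likelihood(cve: str, epss: dict, kev: set) -> float:
    """KEV listing means exploitation is confirmed, so it overrides the EPSS estimate."""
    return 1.0 if cve in kev else epss.get(cve, 0.0)


def risk_score(vuln: Vuln, epss: dict, kev: set, criticality: str) -> float:
    """Hypothetical formula: CVSS impact scaled by likelihood and criticality.
    The 0.25 floor keeps a never-exploited flaw from scoring zero."""
    factor = 0.25 + 0.75 * likelihood(vuln.cve, epss, kev)
    return vuln.cvss * factor * CRITICALITY_WEIGHT[criticality]


def priority(cve: str, score: float, kev: set) -> str:
    """KEV entries are always P1; everything else is tiered on the combined score."""
    if cve in kev or score >= 6.0:
        return "P1"
    return "P2" if score >= 3.0 else "P3"


def prioritise(sbom_json: str, feed: list, epss: dict, kev: set, criticality: str) -> list:
    """Match SBOM components against the feed; return findings, highest score first."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        ecosystem, name, version = split_purl(comp["purl"])
        for vuln in feed:
            if (vuln.ecosystem, vuln.package) != (ecosystem, name):
                continue
            if not is_affected(version, vuln):
                continue  # e.g. the SBOM version already carries the fix
            score = risk_score(vuln, epss, kev, criticality)
            findings.append({
                "cve": vuln.cve, "component": f"{name}@{version}", "cvss": vuln.cvss,
                "epss": epss.get(vuln.cve, 0.0), "kev": vuln.cve in kev,
                "score": score, "priority": priority(vuln.cve, score, kev),
            })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for label in ("mission-critical", "internal-tool"):
        print(f"--- {label} ---")
        for f in prioritise(SBOM_JSON, VULN_FEED, EPSS, KEV, label):
            print(f'{f["priority"]} {f["cve"]} {f["component"]} cvss={f["cvss"]} '
                  f'epss={f["epss"]:.2f} kev={f["kev"]} score={f["score"]:.2f}')
```

In practice the feed, EPSS values and KEV membership come from sources such as OSV or the NVD, the FIRST EPSS data set and the CISA KEV catalog, and the version matching needs a proper ecosystem-aware comparator rather than the numeric tuple used here. The weights and tier thresholds are the place where an organisation encodes its own risk tolerance, which is why they are kept as plain constants at the top of the file.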
Newly published CVEs should be rated quickly, before the gap between disclosure and exploitation closes. Practical ways to shorten that cycle include automated alerts for new vulnerabilities affecting components listed in the SBOM, keeping the vulnerability, EPSS and KEV data that the SCA tooling consumes current, and using SCA tools that run inside the existing development workflow (for example in CI and the package manager) so that findings reach developers without a separate review process.