Software Composition Analysis - Software Bill of Materials
Analyse the software you have created - looking for security vulnerabilities, licensing problems, copyright issues and poor code management. Provides a Bill of Materials highlighting problems. This service supports requirements in the PCI Secure Software Standard.
- Create a Bill of Materials for your software
- Identify known security vulnerabilities
- Identify licensing issues including copyleft
- Understand application dependencies
- Ongoing notification of new vulnerabilities
- Understand components used - their security and licensing issues
- Ensure your software is correctly copyrighted - protecting your IP
- Streamline your software by identifying code management problems
- Meet PCI secure software standard requirements
£4500 to £10000 per unit
- Free trial available
Source Code Control Ltd
+44 118 328 2962
|Software add-on or extension||Yes|
|What software services is the service an extension to||Flexera Code Insight|
|Cloud deployment model||Public cloud|
|Service constraints||The service provides a public cloud based implementation of Flexera Code Insight for Software Composition Analysis. Direct access to the tool will require the purchase and implementation of a specific license.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||During a project, the customer has an assigned licensing technician who will lead the project. All issues raised over email would be addressed by the customer's contact or a named substitute.|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
|Support levels||We have a single support level which is a named contact throughout the life of a project. All project issues would be raised with them and answered within a business day. If they are unavailable, a named substitute would be available.|
|Support available to third parties||Yes|
Onboarding and offboarding
We follow a similar process each time...
1- Kick off call / requirements and expectations setting
2- Online training / workshop
3- Scan and preliminary report
4- Report discussion with developers / project team
5- Final report
6- Ongoing support and alert
|End-of-contract data extraction||
The user can receive the following:
- Report - PDF
- Supporting data - .XLS
- Bill of Materials for the Software - PDF or HTML
- Notices.txt file - TXT
The customer exits the contract with a time-stamped, independent, expert report, plus the data, Bill of Materials and Notices.txt file (if requested).
Additional costed items:
1- 2nd report once issues are fixed
2- Ongoing monitoring of the software for new vulnerabilities
3- Private instance.
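The following is an added example, not Flexera Code Insight's or Source Code Control's own code. It shows in Python what the Bill of Materials, the customer licence policy ("excluded licenses and components") and the Notices.txt deliverable described above amount to in practice: a constructed component inventory is checked against a hypothetical policy that denies strong-copyleft licences, excluded components and components with known advisories, flags weak-copyleft and unidentified licences for review, accepts a dual-licensed ("A OR B") component when one alternative is acceptable, and is then rendered as a minimal CycloneDX-style BOM and a notices file. Component names, versions, the advisory identifier and the policy are all made up for illustration.

```python
import json
import re

# Constructed sample inventory: the kind of list an SCA scan of the uploaded
# source ZIP yields. Names and versions are made up; "ADV-EXAMPLE-1" is a
# placeholder, not a real advisory or CVE identifier.
SAMPLE_COMPONENTS = [
    {"name": "left-pad", "version": "1.3.0", "license": "MIT", "advisories": []},
    {"name": "libfoo", "version": "2.1.0", "license": "GPL-3.0-only", "advisories": []},
    {"name": "netlib", "version": "0.9.1", "license": "Apache-2.0", "advisories": ["ADV-EXAMPLE-1"]},
    {"name": "dualpkg", "version": "4.0.0", "license": "MIT OR GPL-2.0-only", "advisories": []},
    {"name": "mystery", "version": "0.1", "license": "", "advisories": []},
]

# Hypothetical customer policy: which licence families are denied or need
# review, and which components are excluded outright.
SAMPLE_POLICY = {
    "denied_families": {"strong-copyleft"},
    "review_families": {"weak-copyleft", "unknown"},
    "excluded_components": {"netlib"},
}

# Coarse SPDX-identifier families (prefix match; good enough for a policy gate).
STRONG = re.compile(r"^(A?GPL|SSPL)", re.I)
WEAK = re.compile(r"^(LGPL|MPL|EPL|CDDL|CPL)", re.I)
PERMISSIVE = re.compile(r"^(MIT|BSD|Apache|ISC|Zlib|Unlicense|0BSD)", re.I)

RANK = {"ok": 0, "review": 1, "denied": 2}


def classify_license(spdx_id: str) -> str:
    """Map a single SPDX licence id to a policy family."""
    if WEAK.match(spdx_id):
        return "weak-copyleft"
    if STRONG.match(spdx_id):
        return "strong-copyleft"
    if PERMISSIVE.match(spdx_id):
        return "permissive"
    return "unknown"


def _status_for(family: str, policy: dict) -> str:
    if family in policy["denied_families"]:
        return "denied"
    if family in policy["review_families"]:
        return "review"
    return "ok"


def license_status(expr: str, policy: dict) -> str:
    """Return 'ok', 'review' or 'denied' for a flat SPDX expression.
    'A OR B' passes if any alternative passes (dual licensing); 'A AND B'
    takes the worst part. Nested parentheses are deliberately not handled."""
    expr = expr.strip()
    if not expr:
        return _status_for("unknown", policy)
    if " AND " in expr:
        parts = [_status_for(classify_license(p.strip()), policy) for p in expr.split(" AND ")]
        return max(parts, key=RANK.get)
    if " OR " in expr:
        parts = [_status_for(classify_license(p.strip()), policy) for p in expr.split(" OR ")]
        return min(parts, key=RANK.get)
    return _status_for(classify_license(expr), policy)


def evaluate(components: list, policy: dict) -> list:
    """Apply the policy; returns (component, severity, reason) findings."""
    findings = []
    for c in components:
        if c["name"] in policy["excluded_components"]:
            findings.append((c["name"], "denied", "component excluded by policy"))
        status = license_status(c["license"], policy)
        if status != "ok":
            findings.append((c["name"], status, f"license '{c['license'] or 'unknown'}' is {status}"))
        for adv in c["advisories"]:
            findings.append((c["name"], "denied", f"known vulnerability {adv}"))
    return findings


def build_bom(components: list) -> dict:
    """Minimal CycloneDX-style JSON BOM (machine-readable counterpart of the
    PDF/HTML deliverable). Components with no identified licence get an
    empty licences list rather than a guessed one."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "components": [
            {"type": "library", "name": c["name"], "version": c["version"],
             "licenses": [{"expression": c["license"]}] if c["license"] else []}
            for c in components
        ],
    }


def render_notices(components: list) -> str:
    """Plain-text third-party notices, one line per component, sorted by name."""
    lines = ["THIRD-PARTY NOTICES", ""]
    for c in sorted(components, key=lambda c: c["name"]):
        lines.append(f"{c['name']} {c['version']} - {c['license'] or 'license not identified'}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, severity, reason in evaluate(SAMPLE_COMPONENTS, SAMPLE_POLICY):
        print(f"[{severity.upper():6}] {name}: {reason}")
    print(json.dumps(build_bom(SAMPLE_COMPONENTS), indent=2))
    print(render_notices(SAMPLE_COMPONENTS))
```

Run as a script it prints the findings, the BOM and the notices. The point a practitioner should take from it is that "copyleft" is not one category: a policy gate has to distinguish strong from weak copyleft, evaluate dual-licence expressions rather than denying on the first GPL it sees, and treat an unidentified licence as a review item rather than silently passing it.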
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||No|
|What users can and can't do using the API||The API allows the connection of Software Development Lifecycle tools e.g. Jenkins, WSTS, Maven to the composition analysis part.|
|API documentation formats||Other|
|API sandbox or test environment||Yes|
|Description of customisation||Customers can apply their own policies (excluded licenses and components) and add their own workflows.|
|Independence of resources||
The cloud-based service is well used, but not normally by several customers concurrently.
We have 2 different service levels:
1- Reports based on a shared cloud service. This could be affected by heavy concurrent use, but the scans are run by our own staff on the customer's behalf.
2- Private instance: a dedicated platform hosted in the public cloud, which is not subject to demand-based performance variation.
|Service usage metrics||No|
|Supplier type||Reseller providing extra features and support|
|Organisation whose services are being resold||Flexera|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||Never|
|Protecting data at rest||
|Other data at rest protection approach||The data is held on Microsoft Azure|
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||All of the data is provided to the customer via a pre-arranged secure process e.g. email; secure folder; SFTP|
|Data export formats||Other|
|Other data export formats||PDF, XLSX, HTML and TXT combination|
|Data import formats||Other|
|Other data import formats||.ZIP for the source code|
|Data protection between buyer and supplier networks||Other|
|Other protection between networks||These are separate systems with dedicated security, roles and permissions.|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
The service is available during business hours UK time.
For notifications of new vulnerabilities, users are alerted within 24 hours of the alert being received.
|Approach to resilience||The system is completely stored on Microsoft Azure public cloud.|
|Outage reporting||We would provide an email alert to active users with an estimated resolution time and regular updates.|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||
Access to each level of the system stack is on an "as needed" basis.
Where necessary, system account passwords are known by just two members of staff with the appropriate level of clearance.
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
|Description of management access authentication||The site is secured with TLS (HTTPS)|
Audit information for users
|Access to user activity audit information||No audit information available|
|Access to supplier activity audit information||No audit information available|
|How long system logs are stored for||Between 6 months and 12 months|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||OpenChain|
|Named board-level person responsible for service security||Yes|
|Security governance certified||No|
|Security governance approach||
Our security infrastructure is all based on Microsoft Azure physical and logical security.
We apply the strongest available OS-level and application-level security settings, e.g. the highest level of password enforcement and unique, complex passwords at each level of the stack.
|Information security policies and processes||
We are registered with the ICO as a data processor.
We have an Information Assurance Policy which all new hires are required to read, understand and sign. We also include data handling in our Standards of Business Conduct.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
We manage a service for a customer at SC level and apply the same standards to all of our configurations.
Our implementation staff are trained in ITIL and follow the ITIL approach to change management.
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
Our business is based on helping people understand vulnerabilities, so we are by definition very attentive to vulnerability management.
OS patches are applied immediately for high-priority items; lower-priority patches are assessed and applied weekly.
The Flexera Code Insight (FNCI) system is updated quarterly.
The system has a clear, well understood stack, so patch management is easy to undertake.
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||The server is continually monitored for failure and intrusion.|
|Incident management type||Supplier-defined controls|
|Incident management approach||
Users can report incidents to their named project manager or through Salesforce.
Outage alerts are sent to all users, and an alternative platform is available for urgent projects.
Incident reports are available on request.
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||No|
|Price||£4500 to £10000 per unit|
|Discount for educational organisations||No|
|Free trial available||Yes|
|Description of free trial||We provide a "smoke test" whereby the customer provides a copy of their source code and we create a 1 page report for them using the Flexera Code Insight system.|