Glossary

SCA (Software Composition Analysis)

SCA (Software Composition Analysis) automatically examines all third-party libraries and open-source components of an application for known vulnerabilities and licence conflicts. Tools such as Snyk, Dependabot, or OWASP Dependency-Check match deployed versions against CVE databases. Ideally you integrate SCA into your CI/CD pipeline so that vulnerable dependencies are caught before deployment. In an ISMS, SCA is a control for secure software development and supply-chain security. Together with SAST and DAST, SCA forms the third pillar of application security.
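To make the matching step concrete, here is an added, self-contained illustration (not code from Snyk, Dependabot or OWASP Dependency-Check) of what an SCA scanner does: it parses a pinned dependency manifest, compares each installed version against an advisory feed with a "fixed in" version, checks licences against a deny list, and exposes a CI gate that blocks the pipeline when a finding reaches a severity threshold. The manifest, advisory identifiers, licence data and policy are all constructed for the example.

```python
"""Minimal SCA-style matcher (illustrative only; not a real tool's code)."""
from dataclasses import dataclass

# Constructed manifest in pip-freeze style: one pinned "name==version" per line.
MANIFEST = """\
requests==2.19.0
urllib3==1.26.18
leftpad-clone==0.9.1
"""

# Constructed advisory feed. Identifiers are placeholders, not real CVE numbers.
# A package is affected when its installed version is below "fixed_in".
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "requests", "fixed_in": "2.20.0", "severity": "medium"},
    {"id": "ADV-EXAMPLE-002", "package": "urllib3", "fixed_in": "1.26.18", "severity": "high"},
]
LICENCES = {"requests": "Apache-2.0", "urllib3": "MIT", "leftpad-clone": "GPL-3.0-only"}
DENIED_LICENCES = {"GPL-3.0-only"}  # constructed policy: no strong copyleft in this product
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    kind: str      # "vulnerability" or "licence"
    detail: str
    severity: str


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> comparable tuple, e.g. "2.19.0" -> (2, 19, 0)."""
    return tuple(int(part) for part in v.split("."))


def parse_manifest(text: str) -> dict:
    """Return {package_name: pinned_version}, ignoring blanks and comments."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==", 1)
        deps[name.lower()] = version
    return deps


def scan(manifest: str) -> list:
    """Match every pinned dependency against the advisory feed and licence policy."""
    findings = []
    for name, version in parse_manifest(manifest).items():
        for adv in ADVISORIES:
            if adv["package"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append(Finding(name, version, "vulnerability",
                                        f'{adv["id"]} (fixed in {adv["fixed_in"]})', adv["severity"]))
        licence = LICENCES.get(name)
        if licence in DENIED_LICENCES:
            findings.append(Finding(name, version, "licence", f"{licence} is on the deny list", "high"))
    return findings


def ci_gate(findings: list, fail_at: str = "high") -> bool:
    """True when the build may proceed: no finding at or above the threshold severity."""
    return all(SEVERITY_RANK[f.severity] < SEVERITY_RANK[fail_at] for f in findings)
```

Note that `urllib3` produces no finding because the installed version equals the fixed version; the boundary matters when you write the comparison.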