Case Study: World’s Critical Infrastructure and Manufacturing Company achieves reduction of 700+ known ICS vulnerabilities to 40 in two months with Synopsys Software Composition Analysis (Protecode Supply Chain)

A Synopsys Case Study

World’s Critical Infrastructure and Manufacturing Company - Customer Case Study

Synopsys tested an industrial control system (ICS) SCADA software package downloaded from a vendor site and found hundreds of known vulnerabilities in its third-party components: more than 700 in total, over 300 of them flagged as critical (notably a bundled jre 1.6.0 carrying 150+ high-severity CVEs). The analysis showed a sharp rise in vulnerabilities coinciding with vendor releases between 2012 and 2014, and highlighted the common industry assumption that upstream components are already secure.

Using Synopsys Software Composition Analysis (Protecode Supply Chain), the team produced a bill of materials, mapped each component to the NIST/MITRE CVE records that apply to it, and provided prioritized remediation guidance. The vendor acted quickly: within two months the count of known vulnerabilities dropped to 40 after the Java runtime was updated and internal dependencies were addressed, and customers were told of mitigations while the updates were rolled out. The result shows how SCA in the development lifecycle can dramatically reduce supply-chain risk.
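To make the BOM-to-CVE mapping and the prioritization step concrete, here is an added Python example. It is not Synopsys or Protecode code, and every component name, version, CVE id (CVE-EXAMPLE-n) and CVSS score in it is constructed sample data rather than anything from the case study. It goes slightly beyond the paragraph by also re-scanning the proposed upgrade version, because the first fixed version for one advisory can sit inside the affected range of another.

```python
"""Minimal SCA-style matcher: map a software bill of materials (BOM) to
known CVEs by product and version range, then rank remediation by severity.
Added illustration, not Synopsys/Protecode code. All component names,
versions, CVE ids (CVE-EXAMPLE-n) and CVSS scores are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    cve_id: str
    product: str
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first fixed version (exclusive); None if unfixed
    cvss: float


def parse_version(v: str) -> tuple:
    """Split '1.6.0_45' into comparable numeric parts; non-numeric parts sort low."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[._-]", v))


def is_affected(c: Component, a: Advisory) -> bool:
    """True when the component is the advisory's product and its version
    lies in [introduced, fixed)."""
    if c.name != a.product:
        return False
    v = parse_version(c.version)
    if v < parse_version(a.introduced):
        return False
    return a.fixed is None or v < parse_version(a.fixed)


def severity(cvss: float) -> str:
    """CVSS v3 qualitative bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def match_bom(bom: List[Component], advisories: List[Advisory]) -> Dict[Component, List[Advisory]]:
    """Map every affected BOM entry to its advisories, highest CVSS first."""
    findings = {}
    for c in bom:
        hits = [a for a in advisories if is_affected(c, a)]
        if hits:
            findings[c] = sorted(hits, key=lambda a: -a.cvss)
    return findings


def count_by_severity(findings: Dict[Component, List[Advisory]]) -> Dict[str, int]:
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for advs in findings.values():
        for a in advs:
            counts[severity(a.cvss)] += 1
    return counts


def remediation_plan(findings: Dict[Component, List[Advisory]]) -> List[dict]:
    """Rank components by count of critical/high CVEs, then by max CVSS.
    Propose the highest 'fixed' version among the matches as the upgrade
    target, but only when every matched advisory has a fix."""
    plan = []
    for c, advs in findings.items():
        fixed = [a.fixed for a in advs if a.fixed]
        target = max(fixed, key=parse_version) if len(fixed) == len(advs) else None
        plan.append({
            "component": c.name, "version": c.version, "cves": len(advs),
            "critical_or_high": sum(1 for a in advs if severity(a.cvss) in ("critical", "high")),
            "max_cvss": advs[0].cvss, "upgrade_to": target,
        })
    plan.sort(key=lambda r: (-r["critical_or_high"], -r["max_cvss"]))
    return plan


def rescan(c: Component, advisories: List[Advisory]) -> List[str]:
    """Re-check a proposed version against the full advisory list: an upgrade
    target that clears old CVEs may land inside a newer affected range."""
    return [a.cve_id for a in advisories if is_affected(c, a)]


# Constructed sample BOM and advisory feed (not real CVE records).
BOM = [Component("jre", "1.6.0_45"), Component("log-lib", "1.2.3"),
       Component("xml-parser", "2.0.1"), Component("internal-util", "3.1.0")]
ADVISORIES = [
    Advisory("CVE-EXAMPLE-1", "jre", "1.6.0", "1.7.0", 9.8),
    Advisory("CVE-EXAMPLE-2", "jre", "1.5.0", "1.6.0_50", 7.5),
    Advisory("CVE-EXAMPLE-3", "jre", "1.7.0", "1.7.0_10", 9.0),
    Advisory("CVE-EXAMPLE-4", "log-lib", "1.0.0", None, 5.3),
    Advisory("CVE-EXAMPLE-5", "xml-parser", "1.0.0", "2.0.0", 8.1),
    Advisory("CVE-EXAMPLE-6", "xml-parser", "2.0.0", "2.0.2", 6.5),
]

if __name__ == "__main__":
    found = match_bom(BOM, ADVISORIES)
    print(count_by_severity(found))
    for row in remediation_plan(found):
        print(row)
    # The naive jre target 1.7.0 is itself inside CVE-EXAMPLE-3's range.
    print("still affected after upgrade:", rescan(Component("jre", "1.7.0"), ADVISORIES))
```

The ordering rule (critical/high count first, then maximum CVSS) is one reasonable triage policy; a real programme would also weigh exploitability and exposure. The `rescan` step is the check worth keeping: treat any proposed upgrade as a new BOM entry and run it through the same matcher before recommending it.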
