• Home
  • Blog
  • The Forrester Wave™ Software Composition Analysis, Q3 2021: Key Takeaways

The Forrester Wave™ Software Composition Analysis, Q3 2021: Key Takeaways

The Forrester Wave Software Composition Analysis 2021 Key Takeaways
The Forrester Wave Software Composition Analysis 2021 Key Takeaways

The Forrester Wave™ Software Composition Analysis, Q3 2021 report states that open source components made up 75% of all code bases in 2020. This is more than double the 36% in 2015. As organizations increasingly rely on external components to quickly add functionality to their own proprietary solutions, they take on greater risk, especially considering these open source components may contain unmitigated vulnerabilities or violate organizations’ compliance policies.

Software Composition Analysis (SCA) solutions, which scan open source components for security vulnerabilities and license compliance, have become a requirement for any organization developing their own software. In this report, Forrester also states that SCA solutions are a critical component to developing secure products and bringing greater transparency to the software supply chain.

So how do you choose the right solution to evaluate your open source security and license compliance needs? 

Evaluating a Software Composition Analysis Solution

Forrester outlines three considerations when evaluating an SCA solution.

Addressing Risk in a Wide Range of Nonproprietary Components

Though the main focus of Software Composition Analysis solutions is managing security vulnerabilities and license compliance issues in open source software, it’s not the sole focus. Some SCA solutions on the market address both open source components and a wide range of other frameworks. This includes containers, serverless, and infrastructure as code (IaC). Also look for solutions that offer complete coverage of all programming languages.

Remediation Advice for Vulnerabilities, License Risks, and Stale Code

Given the number of alerts organizations face on a daily basis, it is no longer tenable to manually review every vulnerability or license compliance issue. Forrester recommends that SCA customers look for solutions that provide developers with advice on how to remediate vulnerabilities and license risks and how to automatically update stale code. Some SCA solutions keep your open source components up to date as out of date components significantly increase your overall risk.

Protecting the Software Supply Chain

Given recent high profile software supply chain attacks such as the SolarWinds breach, it is not surprising that Forrester is shining a spotlight on SCA solutions that offer software supply chain protection. President Biden’s recent Executive Order on Improving the Nation’s Cybersecurity also mandates that any vendors selling to the federal government provide a software bill of materials (SBOM) in SPDX or CycloneDx format.

Learn More About Leaders in Software Composition Analysis

Mend is proud to be ranked a leader in the Forrester Wave™ Software Composition Analysis, 2021. We received the top scores in the remediation and breadth of coverage criteria, and among the highest scores in the vulnerability detection criterion.

Want to learn more about SCA?

Meet The Author

Adam Murray

Adam Murray is a content writer at Mend. He began his career in corporate communications and PR, in London and New York, before moving to Tel Aviv. He’s spent the last ten years working with tech companies like Amdocs, Gilat Satellite Systems, Allot Communications, and Sisense. He holds a Ph.D. in English Literature. When he’s not spending time with his wife and son, he’s preoccupied with his beloved football team, Tottenham Hotspur.

Subscribe to Our Blog