The Forrester Wave™ Software Composition Analysis, Q3 2021: Key Takeaways
The Forrester Wave™ Software Composition Analysis, Q3 2021 report states that open source components made up 75% of all code bases in 2020. This is more than double the 36% in 2015. As organizations increasingly rely on external components to quickly add functionality to their own proprietary solutions, they take on greater risk, especially considering these open source components may contain unmitigated vulnerabilities or violate organizations’ compliance policies.
Software Composition Analysis (SCA) solutions, which scan open source components for security vulnerabilities and license compliance, have become a requirement for any organization developing their own software. In this report, Forrester also states that SCA solutions are a critical component to developing secure products and bringing greater transparency to the software supply chain.
So how do you choose the right solution to evaluate your open source security and license compliance needs?
Evaluating a Software Composition Analysis Solution
Forrester outlines three considerations when evaluating an SCA solution.
Addressing Risk in a Wide Range of Nonproprietary Components
Though the main focus of Software Composition Analysis solutions is managing security vulnerabilities and license compliance issues in open source software, it’s not the sole focus. Some SCA solutions on the market address both open source components and a wide range of other frameworks. This includes containers, serverless, and infrastructure as code (IaC). Also look for solutions that offer complete coverage of all programming languages.
Remediation Advice for Vulnerabilities, License Risks, and Stale Code
Given the number of alerts organizations face on a daily basis, it is no longer tenable to manually review every vulnerability or license compliance issue. Forrester recommends that SCA customers look for solutions that provide developers with advice on how to remediate vulnerabilities and license risks and how to automatically update stale code. Some SCA solutions keep your open source components up to date as out of date components significantly increase your overall risk.
Protecting the Software Supply Chain
Given recent high profile software supply chain attacks such as the SolarWinds breach, it is not surprising that Forrester is shining a spotlight on SCA solutions that offer software supply chain protection. President Biden’s recent Executive Order on Improving the Nation’s Cybersecurity also mandates that any vendors selling to the federal government provide a software bill of materials (SBOM) in SPDX or CycloneDx format.
Learn More About Leaders in Software Composition Analysis
Mend is proud to be ranked a leader in the Forrester Wave™ Software Composition Analysis, 2021. We received the top scores in the remediation and breadth of coverage criteria, and among the highest scores in the vulnerability detection criterion.
