The Forrester Wave™ Software Composition Analysis, Q3 2021 report states that open source components made up 75% of all code bases in 2020. This is more than double the 36% in 2015. As organizations increasingly rely on external components to quickly add functionality to their own proprietary solutions, they take on greater risk, especially considering these open source components may contain unmitigated vulnerabilities or violate organizations’ compliance policies.
Software Composition Analysis (SCA) solutions, which scan open source components for security vulnerabilities and license compliance, have become a requirement for any organization developing their own software. In this report, Forrester also states that SCA solutions are a critical component to developing secure products and bringing greater transparency to the software supply chain.
So how do you choose the right solution to evaluate your open source security and license compliance needs?
Forrester outlines three considerations when evaluating an SCA solution.
Though the main focus of Software Composition Analysis solutions is managing security vulnerabilities and license compliance issues in open source software, it is not their sole focus. Some SCA solutions on the market cover not only open source components but also a wider range of artifacts, including containers, serverless functions, and infrastructure as code (IaC). Also look for solutions that offer complete coverage of all the programming languages your organization uses.
Given the number of alerts organizations face on a daily basis, it is no longer tenable to manually review every vulnerability or license compliance issue. Forrester recommends that SCA customers look for solutions that give developers advice on how to remediate vulnerabilities and license risks and that can automatically update stale dependencies. Some SCA solutions keep your open source components up to date, which matters because out-of-date components significantly increase your overall risk.
Given recent high-profile software supply chain attacks such as the SolarWinds breach, it is not surprising that Forrester is shining a spotlight on SCA solutions that offer software supply chain protection. President Biden’s recent Executive Order on Improving the Nation’s Cybersecurity also mandates that any vendors selling to the federal government provide a software bill of materials (SBOM) in SPDX or CycloneDX format.
Mend is proud to be ranked a leader in the Forrester Wave™ Software Composition Analysis, 2021. We received the top scores in the remediation and breadth of coverage criteria, and among the highest scores in the vulnerability detection criterion. Want to learn more about the SCA market and how Mend was ranked as a leader? Download the full report to read all of Forrester’s insights.