Forrester SCA Analysis Essential for Software Supply Chain Protection
Attacks such as SolarWinds and Kaseya have shown the risks that can lie in the software supply chain. According to Forrester, various approaches and policies, as well as the use of Software Composition Analysis (SCA), are suitable for protecting it.
Sandy Carielli, Principal Analyst at Forrester
In a blog post, principal analyst Sandy Carielli points out that SCA has always played a role in protecting the software supply chain. The method helps to identify vulnerabilities and licensing risks in open source libraries, for example. As part of the study “The Forrester Wave: Software Composition Analysis, Q3 2021”, the market researchers have now examined the topic in more detail.
The “protectors” of the supply chain
The study shows that current SCA providers are expanding integrity functions for the supply chain. Many are increasingly focusing on their role as “protectors” in this area, expanding their offerings accordingly.
This is especially necessary in view of the sharp increase in the proportion of open source components in audited code: While 36 percent of the code was created from open source components in 2015, this figure was already 75 percent in 2020. Although the use of such components is practical and time-saving, it also entails risks such as unknown vulnerabilities or lack of conformity with company policies.
Note the range of functions
Forrester therefore advises SCA customers to pay attention to certain features when looking for a partner. For example, SCA solutions should be able to scan for risks across open-source, third-party and closed-source libraries in order to cover everyday development processes as fully as possible. They should also help developers eliminate vulnerabilities, licensing risks and outdated code. The corresponding remediation features should not only be designed to be as simple and safe as possible, but should also provide a risk assessment of the proposed fixes.
Current solutions also flag dependency confusion and even remove malicious code from repositories. In line with the requirements of the US Cybersecurity Executive Order, some SCA solutions already generate SBOMs (software bills of materials) in SPDX or CycloneDX format to provide the required transparency.
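To make the three checks described above concrete (known vulnerabilities, licensing risks and dependency confusion, all driven from a CycloneDX SBOM), here is a small added example in Python. It is not code from Forrester or from any of the vendors named in the study; the SBOM, the internal package group `@acme`, the internal registry URL, the denied-license list and the single advisory are all constructed for the example and stand in for the feeds a real SCA product would maintain.

```python
import json

# Constructed CycloneDX 1.4 JSON SBOM (sample data, not from any real project).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "left-pad", "version": "1.3.0",
     "purl": "pkg:npm/left-pad@1.3.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "billing-core", "group": "@acme", "version": "2.1.0",
     "purl": "pkg:npm/%40acme/billing-core@2.1.0?repository_url=https://registry.npmjs.org",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "reportgen", "version": "0.9.2",
     "purl": "pkg:pypi/reportgen@0.9.2",
     "licenses": [{"license": {"id": "AGPL-3.0-only"}}]}
  ]
}
"""

# Constructed policy inputs (hypothetical; a real SCA tool would pull these from its own feeds).
INTERNAL_GROUPS = {"@acme"}                       # package groups that only exist in-house
INTERNAL_REGISTRY = "https://npm.internal.example"  # the only registry allowed for those groups
DENIED_LICENSES = {"AGPL-3.0-only", "SSPL-1.0"}     # licenses the (constructed) policy rejects
ADVISORIES = [
    # (purl type, package name, first fixed version): every lower version is affected
    ("npm", "left-pad", "1.3.1"),
]


def parse_version(v):
    """Turn a dotted version string into a comparable tuple of ints (simple SemVer subset)."""
    return tuple(int(p) for p in v.split("."))


def purl_parts(purl):
    """Minimal purl split into (type, qualifiers). Only the fields used below are handled."""
    body, _, qual = purl[len("pkg:"):].partition("?")
    ptype = body.split("/", 1)[0]
    qualifiers = dict(q.split("=", 1) for q in qual.split("&") if q)
    return ptype, qualifiers


def analyze_sbom(sbom_text):
    """Return a list of (category, component name, detail) findings for the SBOM."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        name, version, group = comp["name"], comp["version"], comp.get("group", "")
        ptype, qualifiers = purl_parts(comp["purl"])

        # 1. Known vulnerabilities: component version below the advisory's fixed version.
        for adv_type, adv_name, fixed_in in ADVISORIES:
            if (ptype, name) == (adv_type, adv_name) and parse_version(version) < parse_version(fixed_in):
                findings.append(("vulnerability", name, f"upgrade to >= {fixed_in}"))

        # 2. Licensing risk: declared license is on the denied list.
        for lic in comp.get("licenses", []):
            lic_id = lic.get("license", {}).get("id")
            if lic_id in DENIED_LICENSES:
                findings.append(("license", name, f"{lic_id} is denied by policy"))

        # 3. Dependency confusion: an internal-group package that is resolved from
        #    anywhere other than the internal registry (or is not pinned to one at all).
        if group in INTERNAL_GROUPS:
            source = qualifiers.get("repository_url", "<unpinned>")
            if source != INTERNAL_REGISTRY:
                findings.append(("dependency-confusion", name, f"internal package resolved from {source}"))
    return findings


if __name__ == "__main__":
    for category, name, detail in analyze_sbom(SBOM_JSON):
        print(f"[{category}] {name}: {detail}")
```

Running the script prints one finding per component: an upgrade recommendation for `left-pad`, a dependency-confusion warning for `@acme/billing-core` because its purl points at the public registry, and a license finding for `reportgen`. The version comparison is deliberately a plain tuple compare; a production tool needs full SemVer range handling, and the purl parser would have to percent-decode qualifier values.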
Market leader and challenger identified
The Forrester study also analyzed the SCA market environment and divided it into the categories “Leaders”, “Strong Performers”, “Contenders” and “Challengers”. The market leaders are WhiteSource and Synopsys, while Sonatype, Snyk, Checkmarx, Veracode and Revenera are seen as “Strong Performers”. Among the “Contenders” are FOSSA and JFrog, while GitLab is categorized as a “Challenger”.
The detailed study “The Forrester Wave: Software Composition Analysis, Q3 2021” is available for purchase on the Forrester website.