The Forrester Wave™ Software Composition Analysis, Q3 2021: Key Takeaways

Forrester Wave Software Composition Analysis 2021 Takeaways
Table of Contents

The Forrester Wave™ Software Composition Analysis, Q3 2021 report states that open source components made up 75% of all code bases in 2020. This is more than double the 36% in 2015. As organizations increasingly rely on external components to quickly add functionality to their own proprietary solutions, they take on greater risk, especially considering these open source components may contain unmitigated vulnerabilities or violate organizations’ compliance policies.

Software Composition Analysis (SCA) solutions, which scan open source components for security vulnerabilities and license compliance, have become a requirement for any organization developing their own software. In this report, Forrester also states that SCA solutions are a critical component to developing secure products and bringing greater transparency to the software supply chain.

So how do you choose the right solution to evaluate your open source security and license compliance needs? 

Evaluating a Software Composition Analysis Solution

Forrester outlines three considerations when evaluating an SCA solution.

Addressing Risk in a Wide Range of Nonproprietary Components

Though the main focus of Software Composition Analysis solutions is managing security vulnerabilities and license compliance issues in open source software, it’s not the sole focus. Some SCA solutions on the market address both open source components and a wide range of other frameworks. This includes containers, serverless, and infrastructure as code (IaC). Also look for solutions that offer complete coverage of all programming languages.

Remediation Advice for Vulnerabilities, License Risks, and Stale Code

Given the number of alerts organizations face on a daily basis, it is no longer tenable to manually review every vulnerability or license compliance issue. Forrester recommends that SCA customers look for solutions that provide developers with advice on how to remediate vulnerabilities and license risks and how to automatically update stale code. Some SCA solutions keep your open source components up to date as out of date components significantly increase your overall risk.

Protecting the Software Supply Chain

Given recent high profile software supply chain attacks such as the SolarWinds breach, it is not surprising that Forrester is shining a spotlight on SCA solutions that offer software supply chain protection. President Biden’s recent Executive Order on Improving the Nation’s Cybersecurity also mandates that any vendors selling to the federal government provide a software bill of materials (SBOM) in SPDX or CycloneDx format.

Learn More About Leaders in Software Composition Analysis

Mend is proud to be ranked a leader in the Forrester Wave™ Software Composition Analysis, 2021. We received the top scores in the remediation and breadth of coverage criteria, and among the highest scores in the vulnerability detection criterion.

Stay up to date on open source licenses

Recent resources

Mend.io & HeroDevs Partnership: Eliminate Risks in Deprecated Package

Announcing an exclusive partnership between Mend.io and HeroDevs to provide support for deprecated packages.

Read more

All About RAG: What It Is and How to Keep It Secure

Learn about retrieval-augmented generation, one complex AI system that developers are using.

Read more

Cybersecurity Awareness Month: AI Safety for Friends and Family

This blog is for your friends and family working outside of the security and technical industries.

Read more