By Christine Kern, contributing writer
Here’s how the six leading providers stack up.
The security industry is recognizing the importance of open source within enterprise applications, and ultimately to their security, according to Forrester research. The Forrester Wave: Software Composition Analysis, Q1 2017 report focused on Software Composition Analysis (SCA) tools; it found that developers use open source components as their foundation and highlights how security pros are turning to SCA tools to reduce the resulting risks.
The six leading providers, according to Forrester, are Black Duck Software, Flexera Software, Sonatype, Synopsys, Veracode, and WhiteSource Software. The report researched, analyzed, and scored each provider to show how each one measures up and to help security professionals make the right choices for their organizations.
To meet the market demand for more and better applications and to accelerate application development, developers “use open source components as their foundation, creating applications using only 10 percent to 20 percent new code,” according to the Forrester report.
“Unfortunately, many of these (open source) components come with liabilities in their license agreements, and one out of every 16 open source download requests is for a component with a known vulnerability. To reduce these risks, security pros are turning to SCA tools,” the Forrester report stated.
Black Duck has been educating the industry about how software applications are disrupting and transforming the way the world lives, works, and plays, and how open source has become an essential element of today’s innovative applications. Due to the economic and productivity value it delivers, open source often comprises the majority of an application’s code. Meanwhile, applications are the preferred target for cybersecurity attacks, with more than 80 percent directed at the application layer. Thus, organizations must have a comprehensive application security tool kit that includes an open source vulnerability management component.
To reduce application risk, according to the Forrester SCA Wave analysis, organizations are turning to SCA tools for the benefits of:
- gathering more information that helps identify and remediate vulnerabilities quickly
- automating scans to highlight license risk exposure
- enforcing policy flexibly to increase alignment with business needs
- integrating products to support existing development processes
Black Duck CEO Lou Shipley said, “For those of us in the rapidly expanding open source ecosystem, probably the most significant element of this SCA Wave is Forrester’s point that ‘developers use open source components as their foundation, creating applications using only 10 percent to 20 percent new code.’ The increasing global reliance on open source and its preeminence in application development increase the need for enterprises to deploy effective open source security vulnerability management tools. It is clear to us that the Forrester Wave report acknowledges the opportunity to reduce application security risk by securing and managing open source more effectively using SCA tools.”