The Forrester Wave™ Software Composition Analysis, Q3 2021: Key Takeaways

The Forrester Wave™ Software Composition Analysis, Q3 2021 report states that open source components made up 75% of all code bases in 2020. This is more than double the 36% in 2015. As organizations increasingly rely on external components to quickly add functionality to their own proprietary solutions, they take on greater risk, especially considering these open source components may contain unmitigated vulnerabilities or violate organizations’ compliance policies.

Software Composition Analysis (SCA) solutions, which scan open source components for security vulnerabilities and license compliance, have become a requirement for any organization developing their own software. In this report, Forrester also states that SCA solutions are a critical component to developing secure products and bringing greater transparency to the software supply chain.

So how do you choose the right solution to evaluate your open source security and license compliance needs? 

Evaluating a Software Composition Analysis Solution

Forrester outlines three considerations when evaluating an SCA solution.

Addressing Risk in a Wide Range of Nonproprietary Components

Though the main focus of Software Composition Analysis solutions is managing security vulnerabilities and license compliance issues in open source software, it is not the sole focus. Some SCA solutions on the market address both open source components and a wide range of other frameworks, including containers, serverless, and infrastructure as code (IaC). Also look for solutions that offer complete coverage of all programming languages.

Remediation Advice for Vulnerabilities, License Risks, and Stale Code

Given the number of alerts organizations face on a daily basis, it is no longer tenable to manually review every vulnerability or license compliance issue. Forrester recommends that SCA customers look for solutions that provide developers with advice on how to remediate vulnerabilities and license risks and how to automatically update stale code. Some SCA solutions keep your open source components up to date, since out-of-date components significantly increase your overall risk.

Protecting the Software Supply Chain

Given recent high-profile software supply chain attacks such as the SolarWinds breach, it is not surprising that Forrester is shining a spotlight on SCA solutions that offer software supply chain protection. President Biden’s recent Executive Order on Improving the Nation’s Cybersecurity also mandates that any vendors selling to the federal government provide a software bill of materials (SBOM) in SPDX or CycloneDX format.

WhiteSource Is a Leader

WhiteSource is proud to be ranked a leader in the Forrester Wave™ Software Composition Analysis, 2021. We received the top scores in the remediation and breadth of coverage criteria, and among the highest scores in the vulnerability detection criterion. Want to learn more about the SCA market and how WhiteSource was ranked as a leader? Download the full report to read all of Forrester’s insights.

Meet The Author

Julie Peterson

Julie Peterson writes about everything application and open source security for WhiteSource Software.