Software composition analysis (SCA) has lived for many years in the shadow of static application security testing (SAST) and dynamic application security testing (DAST) tools that have commanded bigger budgets, stakeholder attention, and vendor competition. This changed in May of 2021 when President Biden called on the public and private sector to secure the US software supply chain by asking suppliers to demonstrate secure development practices using a software bill of materials (SBOM). An SBOM provides visibility into the software components of products being sold to the government and the potential risks associated.
But what tool could generate an SBOM? SAST tools? Hmm, no. SAST is great at first-party code but lacks awareness into third-party components. DAST? No. While DAST is great at finding vulnerabilities by exercising the application, it does not have access to the internal workings to identify all the components. No, it wasn’t mature tools like DAST or SAST, but the less well-known SCA tool that answered the president’s call. SCA tools expanded their feature sets to add the ability to generate and export an SBOM in one or more of the NTIA-approved formats (i.e., SPDX, CycloneDX, or SWID tags). These enhanced SCA tools allow software suppliers to provide assurance to the government and private sector customers.
This isn’t the only reason SCA has become a must-have in all application security programs. In December 2021, the Log4j vulnerability was disclosed. Organizations that were utilizing SCA were able to identify vulnerable applications, patch systems, and communicate assurance to customers quickly. Organizations that were not using SCA struggled to patch systems in a timely manner and spent valuable time in 2022 trying to eradicate the vulnerability; many applications remain unpatched today.
Demand for SCA tools has increased significantly since we published The Forrester Wave™: Software Composition Analysis, Q3 2021. SCA is now a well-established technology market rivaling that of DAST and SAST. Our newly published report, The Software Composition Analysis Landscape, Q1 2023, identifies other market trends including:
- Open source component scanning is table stakes for any SCA tool. However, third-party and closed source component scanning is not. If you are using an SCA tool that isn’t able to enumerate third-party and closed source libraries, be aware that you may need to do extra due diligence on those libraries. Another outlier in SCA capabilities is license management. Most SCA tools will detect license information for open source components. However, only 57% of the vendors surveyed can provide license remediation guidance. Therefore, make sure your development and security teams have a close working relationship with legal and compliance departments so that any license violations or conflicts can be raised and resolved in a timely manner.
- SCA tools now provide insight on the health and integrity of open source packages. This information may seem less relevant than awareness of the known vulnerabilities lurking in the libraries you download, but it’s just as important. You might want to think twice about using a library that hasn’t been updated in years or doesn’t have a reputable maintainer, as this could mean that the project has been abandoned, or worse — open to abuse by a malicious actor. The good news is that 50% of SCA vendors are providing health and operational risk information today and other vendors plan to add this use case. What’s interesting is how each vendor is taking a slightly different approach to evaluating and scoring the health of an open source package. Among the factors that SCA tools consider when evaluating the health of package are project age and activity, number of contributors, contributor reputation, project popularity, security practices, and community engagement. This is all important information to review. Just remember when looking to utilize, download, assemble, package, or distribute open source software that your organization is ultimately responsible for any risk this brings to you or your customers.
- The SCA vendor landscape has grown in breadth and depth. SCA specialist vendors have either been acquired or have added other security tools to their portfolios to become security testing platforms. The enhanced portfolios create a one-stop shop, making it easier for customers to purchase all tools from the same vender. There is also a synergy with SAST, interactive application security testing (IAST), and SCA tools which helps to determine the reachability of identified vulnerabilities, assisting security and development teams in prioritizing which issues need to be remediated first. Software supply chain startups offering SBOM and dependency management capabilities are putting pressure on SCA tools to go beyond vulnerability and license risk identification. This healthy competition will benefit customers, as vendors will strengthen their offerings over the next year.
Interested in learning more about the SCA market and trends? Check out The Software Composition Analysis Landscape, Q1 2023 or set up an inquiry with me. Be on the lookout for The Forrester Wave™: Software Composition Analysis, coming later this year, which will dive into the capabilities of SCA vendors and what customers look for when purchasing an SCA tool.
Janet Worthington, Senior Analyst
(written with Danielle Chittem, Research Associate)