For the last six months, Forrester Research has been gathering and analyzing comparative information on technology vendors — including Black Duck — that provide Software Composition Analysis, an increasingly important job in helping organizations secure their software applications.
Their comprehensive effort culminated in The Forrester Wave™: Software Composition Analysis, Q1 2017, which was released last week. In a "38-criteria evaluation of software composition analysis (SCA) providers, we identified the six most significant ones — Black Duck Software, Flexera Software, Sonatype, Synopsys, Veracode, and WhiteSource Software — and researched, analyzed, and scored them. This report shows how each provider measures up and helps security professionals make the right choice for their organization," Forrester wrote in its Wave report.
We're very encouraged that Forrester singled out Black Duck as the only company in the Wave's "leader" category of SCA vendors, pointing out that Black Duck has "very strong risk reporting and strong proactive vulnerability management capabilities, but its biggest differentiation comes from sound support for the fundamentals of license risk management, vulnerability identification, and policy management."
Black Duck's leadership status aside, the Forrester SCA Wave report is also very significant for its forceful recognition of the preeminence of open source software in application development today and the significant risk that results without effective open source security management.
Forrester wrote: "developers use open source components as their foundation, creating applications using only 10% to 20% new code. Unfortunately, many of these components come with liabilities in their license agreements, and one out of every 16 open source download requests is for a component with a known vulnerability. To reduce these risks, security pros are are turning to SCA tools."
Forrester's description of the application development landscape is consistent with what we see as we engage with customers and prospects worldwide. With open source components comprising 80-90% of application code, organizations are increasingly aware that they must address the application security risk they face from unmanaged open source vulnerabilities and do so without sacrificing the application development speed, agility and integration capabilities that provide a competitive advantage.
Famously, Marc Andreessen schooled Wall Street Journal readers in 2011 with his prescient commentary: "Why Software Is Eating The World."
Today, software applications are disrupting and transforming the way the world lives, works and plays in ways that even Andreessen could not foresee six years ago. And open source software is the driving force in that app-driven transformation and disruption.
Clearly, open source software has become the foundational element of today's innovative applications because of the economic and productivity value it delivers as well as the development innovation that it promotes. Once a technology niche, open source is the engine for highly successful hyper-growth companies like Uber, NetFlix, Amazon, Google and others.
It's also the case that software applications are the preferred target for costly, brand-altering cybersecurity attacks, with more than 80% of attacks directed at the application layer.
The predominance of open source and the targeting of applications by cyber attackers make it essential for organizations to maximize visibility into, and control of their open source by deploying a comprehensive application security tool kit that includes an open source vulnerability management component.
Without an open source vulnerability management strategy organizations are putting themselves at peril from their biggest application security risk.