Sonatype, Snyk, Synopsys Top SW Comp Analysis Forrester WaveMend.io Falls From Leaderboard as Open-Source Dependencies Get Their Day in the Sun
A surging Sonatype and Snyk joined stalwart Synopsys atop Forrester's software composition analysis rankings, while Mend.io tumbled from the leaders category.
Software composition analysis historically didn't get as much attention as static or dynamic application security testing, but the Log4j vulnerability and White House executive order requiring a software bill of materials have made organizations aware of the importance of open-source dependencies and their software supply chain, said Forrester Senior Analyst Janet Worthington.
"Software composition analysis itself has stepped out of the shadows from behind the rest of application security tools," Worthington told Information Security Media Group. "SCA tools are now coming into the forefront."
SCA vendors have tapped into generative artificial intelligence to provide remediation advice that gives customers options beyond going to the latest version of the open-source code library, Worthington said. Suppliers have focused on not only helping organizations create a software bill of materials for their own open-source dependencies but also on creating the ability to ingest SBOMs from third-party suppliers.
Forrester sees Snyk's strategy as the strongest by a considerable margin. Checkmarx and Sonatype tie for a distant second, Veracode takes fourth and Mend.io is fifth. That's a dramatic change from August 2021, when Synopsys got gold, Veracode earned silver, Revenera took bronze, WhiteSource - now Mend.io - grabbed fourth, JFrog took fifth and Snyk sat in sixth place, according to Forrester.
Worthington said SCA strategy leaders help clients go beyond securing the application itself and assist with everything from infrastructure files to the software supply chain and secure development practices.
"Software composition analysis itself has stepped out of the shadows from behind the rest of the application security tools."
– Janet Worthington, senior analyst, Forrester
From a current offering standpoint, Sonatype edged out Synopsys for the gold. Mend.io snatched bronze, Snyk captured fourth place and Checkmarx earned fifth place. Forrester also viewed Sonatype's current offering as the strongest in August 2021, but everything behind the top slot was different, with WhiteSource - now Mend.io - capturing silver, Snyk taking bronze and Synopsys getting fourth place.
Worthington said that over the past two years all the pure-play software composition analysis vendors have either built or bought static application security testing capabilities to give customers a more holistic understanding of both their proprietary and open-source code. Also, static testing firms, developer pipeline tools and container security players have built or bought their way into the SCA arena, she said.
"Each time you have a different entrant come in, it makes the rest of the vendors step up their game," Worthington said. "Having folks from production coming in is going to help up the game of all the other SCA vendors to provide more context from production back into early on in the software development life cycle."
Outside of the leaders, here's how Forrester sees the software composition analysis market:
- Strong Performers: Checkmarx, Mend.io, Veracode, Revenera, JFrog
- Contender: Palo Alto Networks
- Challengers: GitHub, Aqua Security, GitLab
How the SCA Leaders Climbed Their Way to the Top
|Snyk||Enso Security||Not Disclosed||June 2023|
|Snyk||TopCoat Data||Not Disclosed||March 2022|
|Snyk||FossID||Not Disclosed||May 2021|
|Sonatype||MuseDev||Not Disclosed||March 2021|
|Sonatype||Vor Security||Not Disclosed||June 2017|
|Synopsys||Black Duck Software||$547 million||December 2017|
|Synopsys||Codenomicon||Not Disclosed||August 2015|
Sonatype Focuses on Data to Understand Open-Source Threats
Sonatype focuses on detecting and intercepting malicious activity in the open-source ecosystem, and it stood up its own research function to advise customers on the security risks associated with different attributes and versions of open source, said CEO Wayne Jackson. The company has tracked malicious actors moving away from taking advantage of public disclosures to actually crafting exploitable code.
The company has discovered 120,000 instances of open-source malware over the past year and stopped 1 million malware attacks as well as 1,000 pieces of open-source software with vulnerability disclosures tied to a specific version, Jackson said. Sonatype also enjoyed success in preventing pieces of malware that had already made their way into a customer's environment from actually inflicting any damage, he said (see: The Vulnerable State of the Software Supply Chain).
"Public data sources weren't really very curated and were missing lots of proprietary disclosures. Especially at enterprise scale, all of the things that they were missing or getting wrong really, really mattered when you multiplied by tens of thousands of developers," Jackson told ISMG. "We've had the best data for a long, long time, and it's been one of our foundational differentiators."
Forrester criticized Sonatype for the complexity of its ecosystem, in which the pure SCA offering, repository firewalls and legacy pack add-ons are all required to unlock complete value. Jackson said the company wants its platform to be easily consumable by different constituencies within the organization as well as compatible with competing technologies customers might have in their infrastructure.
"Different parts of a large organization want to consume what we do," Jackson said. "It's all about making the integrations of all those different parts of our platform as seamless as possible and making the user experience as people move through our platform as consistent as possible."
Snyk Combines Open-Source, Container Security to Spot Problems
Snyk has taken an API-first approach to the software bill of materials to enable the automatic generation of a new SBOM anytime there's a change given the complexity linked to manually inputting changes at scale, said Chief Product Officer Manoj Nair. He said companies such as Amazon Web Services use Snyk's open-source security intelligence in their products thanks to its visibility into what's actually vulnerable.
Bringing open-source and container security together before a new piece of software is deployed enables customers to proactively fix issues, consume the right third-party software and prioritize the most critical vulnerabilities, Nair said. He also wants to get developers more embedded into Snyk's open-source and software composition analysis products to help them maximize their ROI (see: Snyk to Acquire App Security Posture Management Startup Enso).
"We are the only dev-first company in that leadership lane," Nair told ISMG. "It's about our focus on developers. It's about being embedded into the dev workflows compared with all these other tools."
Forrester criticized Snyk for having limited license management functionality and weaker detection capabilities than its peers. Nair said Snyk has boosted its ability to apply data from the company's security intelligence database into actual workflows since Forrester completed its evaluation and has focused its license management capabilities on forward-looking use cases rather than legacy compliance ones.
"If customers are interested in some of the more legacy compliance-oriented use cases and the capabilities integrated into our product aren't enough, then we bring FossID on as a partner," Nair said.
Synopsys Simplifies Interface, Adds Automation for Developers
Open source has in recent years evolved from being a discrete governance group and activity in end-user organizations to overtaking the development team as part of the DevSecOps model, creating the need for simpler interfaces, said Senior Director of Market Strategy Patrick Carey. As more of the SCA load is placed on developers, Carey said, the experience must become more automated and streamlined.
Over the past 12 to 18 months, Synopsys has built a plug-in that gives developers access to SCA as they're writing code by tapping into the company's long-standing Black Duck engine, Carey said. As the development infrastructure increasingly moves to the cloud, Carey said, organizations need both SCA and static code analysis on a cloud-based platform to detect and fix vulnerabilities as early as possible (see: Synopsys Extends Lead in Gartner MQ for App Security Testing).
"We sell to the largest development teams, the largest enterprises in the world, so our customer list is heavily weighted in the Fortune 500 and even the Fortune 100. We always strive to be the solution that teams use when they're doing app development and SCA at massive scale," Carey told ISMG. "When 'good enough' isn't good enough, then the Black Duck solution has stood out."
Forrester criticized Synopsys for needing more differentiation around vulnerability detection and not targeting its professional edition at DevSecOps use cases. Carey said customers haven't had any issues deploying Synopsys' professional edition on agile DevOps pipelines and intends to build out its desktop, cloud and on-premises offerings to align with what customers in the market need most.
"We're quite confident in our trajectory and our road map," Carey said. "We're building out a robust set of supply chain and SBOM management capabilities."