Software Composition Analysis (SCA) matters, and Synopsys gains some accolades

man standing on top of rock formation

What To Know

  • The Forrester Wave™ Software Composition Analysis Q3 2021 identified the 10 most significant vendors in the SCA category against 37 criteria, and Synopsys’ Black Duck SCA received the highest score in the strategy category and second in the market presence category.
  • According to the report, “Synopsys’ vulnerability detection capabilities are among the strongest in this Forrester Wave, and they are one of the few vendors in this Forrester Wave that conducts snippet analysis to identify potential license and copyright violations, a technique that several of their top competitors have dropped.

Editor’s brief: If you are into DevOps and DevSecOps, you know that having software written is only one part of the equation today, having cybersecurity and compliance baked in are equally if not even more important today. The Forrester Wave™ Software Composition Analysis Q3 2021 identified the 10 most significant vendors in the SCA category against 37 criteria, and Synopsys’ Black Duck SCA received the highest score in the strategy category and second in the market presence category. Read more below.

SINGAPORE – Synopsys, Inc. (Nasdaq: SNPS) today announced it has been recognised as a leader in The Forrester Wave™: Software Composition Analysis, Q3 2021. The report identifies the 10 most significant vendors in the software composition analysis (SCA) market and evaluates them against 37 criteria grouped into three high-level categories: current offering, strategy, and market presence. Synopsys’ Black Duck SCA solution received the highest score among all 10 vendors in the strategy category and ranked second in the market presence category.

The report states: “Unfortunately, as firms increasingly rely on external components, they expose themselves and their customers to greater risk when those components include critical vulnerabilities or don’t conform to company policies.” The report goes on to suggest that SCA customers should look for providers that “address risks in a wide range of nonproprietary components… advise developers on how to remediate vulnerabilities, license risks, and stale code…[and] analyse and bolster the software supply chain.”

Within the current offering category, Synopsys received among the top scores in the vulnerability identification criterion and the second highest score in the policy management criterion. According to the report, “Synopsys’ vulnerability detection capabilities are among the strongest in this Forrester Wave, and they are one of the few vendors in this Forrester Wave that conducts snippet analysis to identify potential license and copyright violations, a technique that several of their top competitors have dropped. Customer references appreciated the accuracy: ‘If Black Duck is reporting something as a problem, it’s a problem.’ References also rated Synopsys highly for vulnerability remediation guidance and prioritisation.”

Within the strategy category, Synopsys received the highest scores possible in three of the six criteria: product vision, market approach, and corporate culture. The Forrester report notes that “Synopsys stands out for analysis depth and AST vision. Synopsys envisions embedding the full range of application security testing (AST) tools into developer workflows and tools so that development teams can uniformly prioritise and remediate flaws across proprietary, open source, and third-party components. The company’s SCA roadmap centers on developer enablement and the concept of intelligent progressive analysis: conducting different levels of analysis at different stages of the SDLC, depending on the need.”

“We’re proud to be recognised by Forrester as a leader in this SCA evaluation,” said Jason Schmitt, general manager of the Synopsys Software Integrity Group. “Software composition and supply chain risk are now top of mind issues for development and security teams, and Synopsys continues to lead the way with a powerful combination of accuracy, performance and scale. Our vision of frictionless identification of all types of software risk throughout the SDLC delivers a seamless experience for developers and a proactive, prioritised view of risk for security teams.”

###