Veracode Ranked as a Strong Performer in Forrester Wave Software Composition Analysis Report

August 2021 by Marc Jacob

Veracode has been recognized in a report Forrester Research recently released, The Forrester Wave™: Software Composition Analysis, Q3 2021. The report helps security professionals select a software composition analysis (SCA) vendor that best fits their needs. The report, which evaluates 10 SCA vendors against 37 criteria, ranks Veracode as a strong performer.

The Forrester Wave™ states, “Veracode is a strong choice for customers that are most interested in remediating vulnerabilities in open source components.” The report also notes our roadmap, which “...focuses on unifying the SAST and SCA capabilities in the developer environment and enhancing container and IaC security capabilities.” It further highlights, “Veracode has concentrated its SCA solution on finding and remediating open source vulnerabilities, with dependency graphs and guidance on a fix’s likelihood to break the code — one customer’s reference called the dependency graph ‘amazing’.”

Why is SCA such a critical element of software development? As Forrester explains, “Open source use has exploded, with the average percentage of open source in audited code bases increasing from 36% in 2015 to 75% in 2020.” Yet Veracode’s recent State of Software Security (SOSS): Open Source Edition report found that about 79 percent of developers never update third-party libraries after including them in their codebase, leaving known flaws in place and exposing applications to avoidable breaches.

With tools like Veracode Software Composition Analysis in hand, developers can assess and manage the risk of their open source components by scanning open source dependencies for known flaws and relying on data-driven recommendations for version updates. In fact, our SOSS research found that 92 percent of third-party flaws can be remediated with an update, and 69 percent of those updates are minor.