Gartner report: 2020 Market Guide for Software Composition Analysis

Modern software applications are more often “assembled” than they are written. Enterprise development teams increasingly stitch together open source packages with proprietary logic to create a single application. Indeed, more than 90% of organizations employ open source software. The benefits are clear—mainly reduced cost and time to market. But open source also brings a variety of risks, including security, license compliance, and long-term project viability.

Per our review, this report from Gartner examines the growing use of open source, the various challenges that poses, and how software composition analysis (SCA) tools are responding. It also provides a snapshot of the SCA market, including representative vendors such as Synopsys, and recommendations for future direction and prioritization.



“Multiple risk factors and explosive growth in open source software usage make software composition analysis an essential tool for application security.”

Gartner | Market Guide for Software Composition Analysis, Aug. 18, 2020

Shandra Gemmiti, Product Marketing, Black Duck Software Composition Analysis

Synopsys point of view

The value of SCA in tilting the benefits-to-risk ratio in favor of developers and application security teams has long been established. Because open source software is now used in nearly every organization, SCA becomes even more critical. Likewise, as DevOps becomes increasingly prevalent, it is just as important to position SCA within the existing workflow of developers, integrated and automated through the CI/CD pipeline.

As the report notes, “Scans by SCA tools need to be the default behavior, not the exception.”

We believe the market recommendations posed by Gartner stress that organizations must establish policies based on risk tolerance across three key areas: security, legal, and supply chain viability and integrity. Synopsys, with its Black Duck SCA product, enables teams to view risk through all three lenses and offers advanced capabilities for vulnerability prioritization, deep license and copyright inspection, and data exposing the age and community activity of projects.

Other takeaways of the Gartner report include:

  • SCA will continue to grow in importance
  • Viability checks will expand to include software supply chain issues
  • Tooling is required to keep up with the pace of DevOps
  • A dynamic software bill of materials (BOM) is increasingly important

Gartner, Market Guide for Software Composition Analysis, Dale Gardner, 18 August 2020

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.