We at FOSSA are thrilled to share that we’ve been recognized among the most significant software composition analysis (SCA) solutions in The Forrester Wave™: Software Composition Analysis, Q3 2021. The Forrester Wave for SCA evaluates the “top vendors” in the software composition analysis market.

The Wave evaluates these SCA vendors across 37 criteria, grouped into three high-level categories: current offering, strategy, and market presence. Notably, FOSSA tied for the highest score (with a score of 5.0) in the license risk management criterion (within the current offering category), and was one of only two vendors to earn the highest possible score (5.0) in the software bill of materials criterion (within the current offering category).

FOSSA was also among the vendors to earn the highest score possible in the “product vision” and “growth” criteria (within the strategy category).

“FOSSA shines in license and audit scenarios,” the report reads. “Its SBOM support was among the most mature of vendors in this Forrester Wave…”

An Overview of the SCA Market

Open source software has exploded in popularity in recent years — Forrester reports that the average percentage of open source in audited codebases increased from 36% in 2015 to 75% in 2020.

Engineering organizations have embraced OSS for its many benefits:

  • OSS is free to use
  • Many OSS projects are backed by supportive communities of developers
  • OSS can help accelerate product development and go-to-market initiatives

However, the growth of OSS has created new challenges for security and legal teams tasked with ensuring products remain free of open source vulnerabilities — and compliant with OSS licensing requirements.

  • Security vulnerabilities can creep into otherwise clean code, making software susceptible to malicious attacks
  • Non-compliance with OSS licensing requirements can lead to intellectual, reputational, and financial risk
  • An incomplete inventory of dependencies can lead to an inaccurate software bill of materials

“Unfortunately, as firms increasingly rely on external components, they expose themselves and their customers to greater risk when those components include critical vulnerabilities or don’t conform to company policies,” writes Forrester.

For these reasons, Forrester suggests organizations focus on three key capabilities when they evaluate SCA tools:

  1. Address risks in a wide range of nonproprietary components
  2. Advise developers on how to remediate vulnerabilities, license risks, and stale code
  3. Analyze and bolster the software supply chain

More on FOSSA Software Composition Analysis

FOSSA is the most reliable automated policy engine for organizations to maintain license compliance, remediate security vulnerabilities, and improve code quality across the entire software supply chain — key features of a top-tier SCA solution.

As a developer-native open source management platform, FOSSA fully integrates with your existing CI/CD pipeline to provide complete visibility and context earlier in the software development lifecycle. FOSSA delivers a continuous, complete, and accurate picture of your open source risk so your developers can accelerate their pace of innovation.