As we gear up to release the 2018 edition of the State of the Software Supply Chain Report, I've been reflecting on the growing market for Software Composition Analysis (SCA) and automated open source governance solutions -- and one thing has become abundantly clear -- the game is changing fast.
It wasn’t long ago that Sonatype, Black Duck, WhiteSource, and others participated in an exercise led by a respected analyst at Forrester to identify leading providers of SCA solutions and help security professionals make vendor selections to serve their organization's needs.
The year was 2016, and given the nascent state of the SCA market, the analyst's criteria and weightings understandably emphasized the interests of traditional application security professionals — but failed to fully consider the interests of frontline software developers responsible for sorting through false positives while trying to innovate in a continuous fashion within a DevSecOps style pipeline.
As a result, capabilities like whitelisting, blacklisting, and breadth of coverage were heavily weighted in the analysis. Conversely, the ability to precisely identify risk, mitigate false positives/negatives, accelerate remediation, and automatically enforce policies was minimized.
Just two years ago, SCA was more about helping traditional security professionals identify suspects across a broad spectrum of open source ecosystems. It didn't matter so much how many false alarms a particular solution might generate because AppSec leaders were mainly operating in a "waterfall-native" mode using "scan and scold" practices in an attempt to prevent developers from releasing vulnerable code into production.
So much has changed since then.
Specifically: the ever-increasing pressure felt by enterprise development teams to increase the pace of innovation; the continued exponential growth in consumption of open source and third-party dependencies; the massive breach at Equifax resulting from a vulnerable version of Struts; and the emergence of DevSecOps as a best practice for automating and scaling application security. Combined, these tectonic shifts in the market have led security professionals to become more aligned than ever with rank-and-file software developers.
Today, as enterprise development teams transition from "waterfall-native" to "DevOps-native" development, they can no longer tolerate developer friction associated with SCA solutions that are prone to excessive false positives/negatives. Instead, modern development organizations are demanding SCA solutions that:
- accurately and precisely identify open source risk with no false positives / negatives
- provide developer-friendly remediation to fix problems in real time
- automatically and contextually enforce security policies at DevOps speed and scale
At Sonatype -- unlike Forrester and our competitors -- we've always believed that precise and accurate intelligence is foundational to truly automating and scaling open source governance. Without it -- you're just spinning wheels -- creating false alarms and friction for developers which slows down innovation.
Today, more than 1,000 organizations have selected the Nexus Platform from Sonatype because they recognize the importance of precise open source intelligence in empowering developers to innovate faster with less risk.
Precise intelligence was our core differentiator two years ago -- and it's still our core differentiator today. Our competitors have finally seen the light -- and if you ask them, they now claim to minimize false positives / negatives. We invite you to put any of them to the test against the Nexus Platform -- and we guarantee you'll see the difference.