Sonatype, Snyk, Black Duck Top Comp Analysis Forrester Wave
Commoditization of Core Features Has Led to Increased Competition, Forrester Says
Sonatype, Snyk and Black Duck remained atop Forrester's software composition analysis rankings as the commoditization of core features has led to increased competition.
Pressure in the market has increased due to both a saturation of core functionality, such as open-source vulnerability detection and license identification, and new entrants from the cloud security space, said Forrester Senior Analyst Janet Worthington. That pressure has pushed incumbents to differentiate through advanced features such as enriched remediation capabilities, broader integrations and a better developer experience.
"Everybody has collectively stepped up their game, because software supply chain security has become top of mind, not just in the U.S., with a lot of the regulations going on here, but also in Europe," Worthington told Information Security Media Group. "Folks are paying a lot more attention to it."
Prioritization of vulnerabilities is becoming more sophisticated, Worthington said, with a shift toward vendors assessing whether a vulnerable function within a library is actually being called in runtime. Tools incorporate production-level signals such as whether a vulnerable component is exposed to the internet or loaded into memory, while automation streamlines fixes for outdated or vulnerable libraries, she said (see: The Uphill Battle for Cybersecurity Accountability).
"We saw more vendors add this reachability and try to add signals, not just from when they're scanning the code base or scanning the binaries, but also pulling in information from production to help enrich that prioritization," Worthington said. "I'm talking about, 'Is the actual code exposed to the internet?' That type of information you can't see if you're just looking at the code base."
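The prioritization Worthington describes combines two inputs: static reachability (is the vulnerable function on any call path from the application's entry point?) and production signals that the code base alone cannot reveal. The following is an added illustration, not code from Forrester or any of the vendors named; the call graph, advisory ids, packages and signal weights are all constructed for the example.

```python
from collections import deque
from dataclasses import dataclass

# Constructed call graph: caller -> set of callees. "app.main" is the entry point.
CALL_GRAPH = {
    "app.main": {"app.handle_request", "app.cleanup"},
    "app.handle_request": {"yamlpkg.load", "httpclient.get"},
    "app.cleanup": {"tmpfiles.remove"},
    "yamlpkg.load": {"yamlpkg.construct"},
    "yamlpkg.construct": set(), "httpclient.get": set(), "tmpfiles.remove": set(),
    # imgpkg is in the dependency tree but nothing in the app ever calls it
    "imgpkg.decode_tiff": {"imgpkg.parse_ifd"}, "imgpkg.parse_ifd": set(),
}

# Constructed production signals per package (what a scanner cannot see in source).
PROD_SIGNALS = {
    "yamlpkg": {"internet_exposed": True, "loaded_in_memory": True},
    "httpclient": {"internet_exposed": False, "loaded_in_memory": True},
    "imgpkg": {"internet_exposed": False, "loaded_in_memory": False},
}

@dataclass
class Finding:
    advisory: str        # placeholder ids, not real CVE numbers
    package: str
    vuln_function: str   # function the advisory says is affected
    cvss: float

FINDINGS = [
    Finding("ADV-0001", "yamlpkg", "yamlpkg.construct", 6.5),
    Finding("ADV-0002", "imgpkg", "imgpkg.decode_tiff", 9.8),
    Finding("ADV-0003", "httpclient", "httpclient.get", 7.5),
]

def reachable_functions(graph, entry):
    """Breadth-first walk: every function transitively called from the entry point."""
    seen, queue = {entry}, deque([entry])
    while queue:
        for callee in graph.get(queue.popleft(), ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def prioritize(findings, graph, entry, prod_signals):
    """Rank findings so reachability and exposure outweigh raw CVSS severity."""
    reach = reachable_functions(graph, entry)
    ranked = []
    for f in findings:
        score = f.cvss + (4.0 if f.vuln_function in reach else -4.0)  # unreachable: deprioritize, not ignore
        sig = prod_signals.get(f.package, {})
        score += 2.0 * sig.get("internet_exposed", False) + 1.0 * sig.get("loaded_in_memory", False)
        ranked.append((round(score, 1), f.advisory))
    return sorted(ranked, reverse=True)  # highest adjusted score first
```

With these inputs the CVSS 9.8 finding in the never-called image library ranks last, while the CVSS 6.5 finding on an internet-facing, reachable code path ranks first.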
Open-source projects are a cornerstone of modern development, but Worthington said poorly maintained packages present risks, including unpatched vulnerabilities and potential hijacking by malicious actors. Vendors evaluate factors such as project activity, number of maintainers, update frequency and package reputation to assess operational risk, which helps teams choose reliable open-source components.
"If you pick a package that is not well-maintained, they will not be fixing it if there is a vulnerability, and it can also lead for that package to be potentially taken over by malicious actors," Worthington said.
Vendors have introduced features to detect and quarantine suspicious packages before they can infiltrate the software life cycle, she said. These systems analyze behavioral anomalies and metadata, flagging packages with hidden malicious code. This capability is critical given the growing complexity of software supply chains and the sophistication of attacks, as highlighted by recent issues like the XZ Utils backdoor.
"The rise in the number of attacks and the type of sophistication that we're seeing with the malicious packages have given companies the idea that, 'Wait a minute, we can't just look for vulnerabilities because there aren't known vulnerabilities for malicious packages,'" she said. "The whole point behind them is the bad code is hidden in there. There are more ways your software supply chain is increasing."
Cloud, Application Security Vendors Push Into SCA Market
With their expertise in production environments, cloud security vendors bring valuable insights to SCA, such as runtime behaviors and exposure risks. This synergy creates an end-to-end security approach from development to production. Application security posture management - ASPM - vendors aim to fill gaps by offering a comprehensive view of application risks, and she said their entry into the market drives incumbents to expand their capabilities.
"It's a natural complement for them to start adding software composition analysis, because they have an advantage over those SCA vendors who don't play in the production or cloud space," Worthington said. "I think it also gives them that DevSecOps messaging, where you're giving developers the chance to fix things before they go into production."
Worthington foresees a future in which SCA becomes a feature rather than a stand-alone product, with the capabilities integrating seamlessly into application security testing platforms, cloud security platforms and development tools. By embedding SCA within everyday development workflows, organizations can ensure better adoption and efficiency while addressing security earlier in the software life cycle.
"I think we're going to see SCA and software supply chain features being more baked into a lot of platforms," Worthington said. "I think we're going to see a lot of these capabilities that will either be added to an application security testing platform, a cloud security platform, even some to the ASPM and more development tools."
Sonatype edged out Snyk for the highest strategy score from Forrester, with Checkmarx, Black Duck, Veracode and Mend.io receiving the third, fourth, fifth and sixth highest scores, respectively. That's a dramatic change from June 2023, when Snyk got the highest score, Checkmarx and Sonatype tied for second, Veracode received the fourth highest score, and Mend.io got the fifth highest score.
Sonatype was also the top score recipient from a current offering standpoint, with Black Duck, Mend.io, Snyk, Checkmarx and Veracode getting the second, third, fourth, fifth and sixth highest scores. Forrester also viewed Sonatype's current offering as the strongest in June 2023, with Black Duck - then known as Synopsys - getting second, Mend.io getting third, Snyk taking fourth and Checkmarx getting the fifth highest score.
Outside of the leaders, here's how Forrester sees the software composition analysis market:
- Strong Performers: Checkmarx, Mend.io, Veracode;
- Contenders: JFrog, GitHub, Aqua Security, GitLab.
Sonatype Uses AI to Spot Malicious Components in Supply Chain
Sonatype uses proprietary AI/ML models to stay ahead of threats that leverage AI for malicious purposes, monitoring more than 60 signals to streamline the detection process, said Chief Product Development Officer Mitchell Johnson. He said software bills of materials are increasingly relevant as a standard in the software supply chain, with Sonatype focused on making SBOM ingestion, analysis and sharing seamless via existing SCA tools.
The company's differentiation in SCA lies in unmatched data accuracy and automation capabilities, with investment in security research and AI/ML tooling driving reliable automation and minimizing false positives and negatives, according to Johnson. He said the accuracy of Sonatype's data enables the automation of dependency management and policy compliance at scale (see: State of Software Security: Has It Moved Past Unacceptable?).
"Self-driving is easy in theory, but if you don't have perfect accuracy of the underlying data that's driving that, self-driving would be very dangerous," Johnson told ISMG. "Automation is where the market wants to go. I want SCA and dependency management to happen automatically. I want the best component that's compliant with policy to be selected. And to do that, you need really accurate data."
Forrester criticized Sonatype for only having reachability available on Java and for functioning as a suite of individual products that each require setup. Johnson said Sonatype has made efforts to improve the integration of its product suite and extend reachability beyond Java, calling out investments in APIs and IDE integrations to meet developer needs.
"Customer feedback is always valid," Johnson said. "It drives everything we do. We are here to make software developers' lives easier and to make it easier and more productive for them to do what they do. So, because they've given us that feedback, we think it's very valid, and we are taking that feedback, and we have invested very heavily in expanding our APIs."
Snyk Takes a Developer-First Approach to Application Security
Snyk focuses on providing tools that integrate seamlessly into developer workflows to help developers address vulnerabilities proactively without being overwhelmed by unnecessary alerts, according to Chief Innovation Officer Manoj Nair. Snyk wants to reduce cognitive load for developers via automation and contextual application insights, and looks at reachability and exploitability to prioritize risks effectively.
Snyk has expanded its language coverage and integrated context-driven tools like Helios to enhance the company's risk prioritization capabilities by combining multiple data sources, according to Nair. He said Snyk's focus on integrating security directly into developer workflows is a key differentiator, helping developers address security concerns within native environments like GitHub without productivity loss (see: Snyk Acquires Probely to Strengthen API Security for AI Apps).
"Our philosophy is that this is not a tool for security teams to go and test applications after the fact," he told ISMG. "It needs to sit in the dev context and give them context, automation, learning, and they will address issues. That's the reason why we end up displacing a lot of these incumbents who've been there for a long time - security teams that are stretched really thin."
Forrester criticized Snyk for lacking robust license approval workflows, having a variable user experience between the backend and UI, private package fixes that are merely on par, and partnering to ingest and monitor SBOM components. While improving these areas remains a priority, Nair said some choices allow Snyk to focus on its core mission while tapping partnerships for broader enterprise workflows.
"We don't think that it should be a core focus of a stand-alone tool to replicate GRC and procurement workflows that belong in enterprise systems of records like ServiceNow that have strong workflows," Nair said. "These are strategic choices."
Black Duck Brings SCA, SBOM Management Together
Black Duck has worked to make SBOMs practical and reliable by improving import/export functions, ensuring compliance with regulatory frameworks, and deeply integrating SCA and SBOM management rather than treating them as separate entities, said Head of Software Supply Chain Risk Strategy Tim Mackey. The company has invested in usability, regulatory compliance and AI-driven capabilities.
AI tools enhance Black Duck's ability to handle increased data volume and improve the accuracy of vulnerability advisories, while extending snippet analysis to AI-driven development ensures policy and licensing compliance for AI-suggested code snippets, Mackey said. Black Duck's extensive regulatory capabilities and enterprise support distinguish it from rivals that focus on Java or developer tools (see: Black Duck's Blueprint for Growth as an Independent Company).
"We've been putting a lot of energy into making SBOMs usable," Mackey told ISMG. "So, being able to import SBOMs, being able to export them in templates, using templates to go say, 'This is satisfactory for an FDA use case or cyber resilience use case or other regulatory or contractual avenues.' So that's been one of the big areas."
Forrester criticized Black Duck for an undifferentiated road map, an out-of-date user interface, a poor user experience around reporting and analytics, and struggling to get customers new features in a timely manner. Mackey said Black Duck's user interface hasn't significantly evolved, defended focusing on API reporting, and said the quarterly release cadence helps ensure comprehensive feature delivery.
"The UI I experienced in 2016 doesn't look a hell lot different than the UI that I see today," Mackey said. "But the reality is, for our users, they generally don't spend a lot of time in our UI. What they're going to do is take the information that we have, get at it through APIs, build reports in Tableau, Power BI or whatever their favorite reporting tool might be, and report up to CISOs and CIOs."