It should be no surprise that the world runs on open source software. According to the latest Forrester Wave Software Composition Analysis Q4 2024 report an “astonishing 77% of codebases are comprised of open-source software.” Since a “considerable amount of an application’s risk is due to third-party sources,” software composition analysis (SCA) tools remain the lifeblood for securing modern applications and bringing greater transparency to the software supply chain. 

However, not every vendor approaches solving this challenge the same way. The Forrester Wave Software Composition Analysis Q4 2024, which evaluates 10 SCA vendors against 25 criteria, helps developers, engineers, and application security professionals better understand the leading solutions on the market so they can identify a tool that best fits their priorities. 

According to the report, SCA customers should look for software that “assists developers in remediating vulnerabilities and keeping libraries current, provides visibility into software supply chain risk, and prevents software supply chain attacks.” 

We’re honored to be recognized as a Strong Performer in the Forrester Software Composition Analysis (SCA) Q4 2024 report. Our top scores in over seven key criteria underscore our mission to help teams move from reactive to proactive application security. 

Our approach to software composition analysis

At Mend.io, we’ve always believed that gaining visibility into your open source components and securing the risk that comes with them shouldn’t be a laborious, expensive hindrance to development. 

We designed Mend SCA to go beyond simple detection and shallow coverage. It provides rich prioritization context and guidance, automated remediation, and elastic scalability empowering our customers to proactively secure their open source components and software supply chain. 

We’re thrilled to see our top-scoring criteria reflect our ethos and approach to empowering security teams to shift from reactive to proactive security. We received the highest scores across the following criteria:

• Prioritization and reachability
• Remediation and automation
• Malicious package detection
• Language support
• AI component analysis
• Pricing flexibility and transparency

Let’s explore how our approach aligns with our top scores.

Go beyond simple detection and coverage

Mend SCA received the top scores in:

• Language support
• Malicious package detection
• AI component analysis

With a profusion of vulnerabilities to manage and a shrinking amount of resources, AppSec teams need their SCA tools to go beyond simply identifying vulnerabilities. Mend SCA makes this possible with extensive coverage across 200+ programming languages (for both security vulnerability and compliance/licensing analysis), 30+ package managers, and coverage for containers (Docker containers, Kubernetes, several registries), and Linux OS. 

When Mend SCA scans your code, it not only inventories and analyzes your direct and transitive dependencies for vulnerabilities but also surfaces essential risk context, including reachability, exploitability, malicious package insights, and license and compliance issues. This gives you the insight you need to understand the risk likelihood and impact and prioritize and remediate risks appropriately.

“Mend.io pioneered reachability”

Prioritize with context and automate remediation

Mend SCA received the top scores in:

• Prioritization and reachability 
• Remediation and automation

Developers, engineers, and AppSec teams must cut through the noise and understand, “What is a critical risk to me? What do I need to address right now? What is the best path to fix?”

Fusing risk-specific context (like application architecture, fix availability, open source health information such as library age, and CVSS 3 and CVSS 4 severity scores) with likelihood factors (like our best-in-class reachability analysis, malicious package detection, public exploit availability and maturity, EPSS scoring, production information such as whether an image is deployed to production), and impact factors (like customer defined labels or policies, compliance standards, SLAs), Mend SCA prioritizes your most critical risks and provides the best path to remediate. 

Unique to Mend SCA, each SCA finding includes the sink-to-source trace in code, package health data (like package age, adoption rate, data gathered on failure rates of builds between versions, and merge confidence ratings), risk reduction impact statistics, and the optimal upgrade path for your vulnerable package – the newest, most stable, least vulnerable library version that provides the most significant risk reduction.   

Automated workflows and auto-remediation options for newly discovered vulnerabilities make it easier than ever for our customers to remediate at scale, all without breaking the build.

“Autoremediation for newly discovered vulnerabilities is a strength.”

Scale without breaking the bank

Mend SCA received the top scores:

• Pricing, flexibility, and transparency
• Support services and offerings

The application security risk landscape is expanding and transforming at an insane rate. Add AI, ML, and LLMs into the mix, and it feels like we’ve unleashed Pandora’s box. While risk may expand exponentially… unfortunately, most budgets do not.

To remain secure and compliant, you need to be able to optimize and scale your AppSec programs with ease, including expanding and deepening security coverage. The Mend AppSec platform offers customers everything needed to build proactive application security through one solution at one price, meeting your evolving needs and budget constraints.

“Mend.io’s new pricing strategy is a strength: It offers one price for all products and services, including SCA, dependency updates, SAST, container security, and AI security, and it reflects the vision that customers need a holistic view of the application stack.”

Great things are on the horizon

The Forrester Wave states, “Mend.io is a great fit for enterprises that need an all-in-one solution for security, license, operational risk, and supporting services.” 

But we’re not done! As noted in the report, we’re in the midst of reshaping and transforming the Mend AppSec Platform so our customers have a unified, holistic view of their AppSec risk. 

A holistic approach allows findings to be correlated across the entire application attack surface. It enhances workflows and policies, integrates insights from additional tools, and ultimately enables our customers to proactively and significantly improve their AppSec posture.

Read the full Forrester Wave: Software Composition Analysis, Q4 2024 report to learn more about what to look for in a software composition analysis vendor and for additional information on Mend.io’s Strong Performer ranking.

*** This is a Security Bloggers Network syndicated blog from Mend authored by Lisa Haas. Read the original post at: https://www.mend.io/blog/mend-io-is-a-strong-performer-in-the-forrester-wave-software-composition-analysis-q4-2024/