Software composition analysis (SCA) stepped out from behind the long shadow of static application security testing (SAST)/dynamic application security testing to prove its worth years ago. And thanks to ambitious bad actors, the complex software supply chain, and generative AI (genAI) coding assistants accelerating overall code volume, SCA solutions are essential to clean up the supply chain and bolster application security.
SCA is also an application security (AppSec) darling for its ability to generate a software bill of materials (SBOM). With the EU’s Cyber Resilience Act finalized, the proposed US Department of Defense Software Fast Track Initiative requiring SBOMs, and governments such as Australia releasing guidelines for software development that include SBOMs, more software suppliers around the world will need to provide SBOMs to win and maintain business. Advanced SCA tools go beyond just generating an SBOM; they continuously monitor for newly disclosed vulnerabilities for proactive alerts and will ingest third-party SBOMs to identify the risk of incorporating a third-party component.
Opportunistic attacks that take advantage of newly introduced vulnerabilities and unpatched software require patience and timing. But attackers can be proactive by directly poisoning open-source and third-party components. These types of attacks, such as dependency confusion and typo squatting, were already on the rise. But now, “slopsquatting” happens when AI hallucinates package names that developers must add. Additionally, bad actors willing to play the long game, typically affiliated with nation states, will bully their way into maintaining obscure but widely used open-source software dependencies such as XZ Utils to bury malicious code and target downstream recipients. SCA solutions provide insight into open-source component health during selection and actively block malicious packages from being downloaded. Clearly, SCA is the AppSec hero we need.
Enterprises have been eager to embed and utilize AI in the customer-facing applications that they build. In Forrester’s 2024 survey of business and technology professionals, 33% reported using genAI in production applications. This means a whole new world of application dependencies consisting of AI models, third-party APIs, and open-source dependencies. Python is a popular language for AI applications, as is the PyPI package manager for open-source dependencies. Bad actors did not waste any time in uploading legitimate-looking but malicious packages that were downloaded hundreds of times by developers building AI applications. Poisoned AI models could be pulled down from Hugging Face and other public repositories. At the time of The Forrester Wave™: Software Composition Analysis Software, Q4 2024 evaluation, only a few SCA vendors were scanning AI models or creating AI bills of materials, but this functionality is needed broadly and quickly.
When thinking about purchasing or upgrading your SCA software, consider key insights we gathered from talking with SCA vendor customers to get the tool you not only deserve but also need:
- Evaluate more than one vendor. This may seem obvious, but SCA software differs in functionality and the quality of output. Some software is primarily focused on open-source components, while others go beyond and assess third-party components and even inner-source components (those shared components written by your organization). The quality of the results also differs based on language and ability to detect vulnerabilities in transitive dependencies. Most reference customers evaluated three vendors’ software as part of the purchasing process (see figure below).
- Don’t settle. You’re going to be in it for the long haul. Customer references have been with their vendor on average for over 3.5 years. And they are happy! Twenty-two of 28 references rate their vendor at a nine or 10. If you have an SCA solution and you are not satisfied, it’s worth your time to revisit this at the next renewal period.
- Keep an eye out for the extras. SCA software vendors have expanded their offering to cover more of the software supply chain, such as offering malicious package detection and package firewall protection, infrastructure as code and container image scanning, and secrets detection. Depending on the vendor and its pricing and packaging model, these capabilities could be add-ons to the base price. Static reachability (the ability to determine whether the vulnerable function is called by the first-party code) should be table stakes for SCA solutions, but some vendors require you to also purchase their static SAST solution to get this level of insight.
Be your company’s hero and select an SCA software solution that helps secure your software supply chain by utilizing Forrester’s Buyer’s Guide: Software Composition Analysis Software, 2025, and The Forrester Wave™: Software Composition Analysis Software, Q4 2024. For more insights, schedule a guidance session or inquiry with me. Protecting your brand, your customers’ data, and your revenue is worth the effort.