
Forrester recognizes Black Duck as a Leader in software composition analysis

Mike McGuire

Nov 13, 2024 / 3 min read

This week, Black Duck was named a Leader in “The Forrester Wave™: Software Composition Analysis, Q4, 2024,” by Forrester, based on its evaluation of Black Duck® SCA, our software composition analysis (SCA) solution.

Forrester evaluated 10 of the most significant SCA providers against 25 criteria. We are proud to be recognized as a Leader, and to receive the highest-possible scores in the following criteria:

  • Component identification and analysis
  • License detection, analysis, and guidance
  • Risk intelligence
  • SBOM generation, export, and sharing
  • SBOM ingestion and analysis
  • Policy management
  • Language support
  • Innovation
  • Supporting services and offerings

[Figure: Forrester Wave™ Leader badge. Black Duck is a Leader in the 2024 Forrester Wave for Software Composition Analysis.]

We believe this recognition from Forrester reflects our commitment to helping customers secure their software supply chains by managing the security, quality, and license compliance risks that come from the use of open source and third-party code in their applications and containers.

“Black Duck has a history of innovation, with the largest group in this evaluation and one of the largest open-source software knowledge bases. The Black Duck professional edition is the choice for manufacturing and regulated industries, where tracking components and licenses is a must.” – The Forrester Wave: Software Composition Analysis, Q4, 2024

Maintaining an SBOM is the cornerstone of a successful supply chain program

Forrester noted that Black Duck’s “SBOM management, generation, export, ingestion, and analysis capabilities are among the best in this evaluation.”

Our multifactor scanning, coupled with support for over 100 languages, delivers dependency analysis, binary analysis, codeprint analysis, code snippet detection, and custom component detection. By discovering both declared and undeclared dependencies in your applications, we provide the most complete and dynamic inventory of your applications’ contents and the associated vulnerabilities and licenses. All of this contributes to a complete Software Bill of Materials (SBOM), which is crucial for knowing what risks you’re exposed to.

And although completeness is crucial when evaluating risk, so is accuracy. Part of providing users with trust in their applications is assuring them that the issues identified are the ones that pose actual risk.

Identifying vulnerabilities is just one step in securing an application. Once you find vulnerabilities, they then have to be addressed. To this end, Black Duck offers Black Duck Security Advisories (BDSAs), which provide all the information you need to understand, prioritize, and remediate vulnerabilities. BDSAs include severity scoring, reachability, vulnerability descriptions, details on affected versions, and critical guidance on upgrades, patches, and workarounds. These powerful details are provided by the Black Duck Cybersecurity Research Center (CyRC). The CyRC leverages the Black Duck open source KnowledgeBase™, the industry's most comprehensive database of open source project, license, and security information, covering more than 8.7 million open source projects from nearly 60,000 forges and repositories.

Flexible policy management

Forrester wrote in its report about Black Duck: “Policy management is a strength, with more than 40 criteria for operational health, license risk, and security risk.”

Our flexible policy management helps define and capture an organization’s unique risk tolerance, which can then be automatically enforced by Black Duck in conjunction with tools used throughout the SDLC, such as IDEs, Jenkins, Slack, Artifactory, and so on. This capability helps reduce the noise produced by AppSec tools by focusing them on what matters most to the organization.

With Black Duck, you can configure your open source security and use policies based on criteria including license type, vulnerability severity, component version, and more. You can then enforce these policies with automatic workflow triggers, automated notifications, and seamless integrations with applications like Jira to help accelerate your remediation efforts.
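The policy criteria named above (license type, vulnerability severity, component version) can be evaluated mechanically over an ingested SBOM. The following is an added illustration, not Black Duck's code or policy schema: it loads a constructed, simplified CycloneDX-style component list and reports each policy violation together with the workflow action a team might attach to it. The rule names, component names and vulnerability ids are all assumptions.

```python
import json

# Constructed, simplified SBOM fragment (CycloneDX-like field names; not a real export).
SBOM_JSON = """
{"components": [
  {"name": "left-pad", "version": "1.3.0", "licenses": [{"license": {"id": "MIT"}}],
   "vulnerabilities": []},
  {"name": "example-logger", "version": "2.14.1", "licenses": [{"license": {"id": "Apache-2.0"}}],
   "vulnerabilities": [{"id": "EXAMPLE-VULN-0001", "severity": "critical"}]},
  {"name": "readline", "version": "8.1", "licenses": [{"license": {"id": "GPL-3.0-only"}}],
   "vulnerabilities": []}
]}
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Hypothetical policy set: the rule shapes and actions are assumptions for this example.
POLICY = {
    "denied_licenses": {"GPL-3.0-only", "AGPL-3.0-only"},  # license-type rule
    "max_severity": "high",                                 # anything worse fails the build
    "min_versions": {"example-logger": "2.17.0"},           # component-version floor
}

def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def evaluate(sbom_json, policy):
    """Return a list of (component, reason, action) triples for every policy violation."""
    violations = []
    for c in json.loads(sbom_json)["components"]:
        name, ver = c["name"], c["version"]
        # Rule 1: denied license types block the merge.
        for lic in c.get("licenses", []):
            lic_id = lic["license"]["id"]
            if lic_id in policy["denied_licenses"]:
                violations.append((name, f"license {lic_id} denied", "block_merge"))
        # Rule 2: the worst known vulnerability must not exceed the severity threshold.
        worst = max((SEVERITY_RANK[v["severity"]] for v in c.get("vulnerabilities", [])), default=0)
        if worst > SEVERITY_RANK[policy["max_severity"]]:
            violations.append((name, "vulnerability severity above threshold", "fail_build"))
        # Rule 3: components pinned below a minimum version trigger a notification.
        floor = policy["min_versions"].get(name)
        if floor and parse_version(ver) < parse_version(floor):
            violations.append((name, f"version {ver} below minimum {floor}", "notify"))
    return violations
```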

Complete picture of license risk

Black Duck provides a complete picture of license risk and obligations by offering deep license data and copyright identification. Accelerating this capability is our code snippet analysis, which identifies partial bits of open source code that may have been pasted into projects and that still carry license obligations. After identifying the licenses in your applications, Black Duck further categorizes these findings, ranking them as declared, deep, or discovered. This helps you understand your level of risk and which obligations you need to address first. In addition to open source licenses, Black Duck also offers the ability to map and identify closed source and third-party licenses.

The “Sec” in DevSecOps

SCA is one of several steps necessary to securing applications, and it plays an important role in our vision of a holistic AppSec solution. With Code Sight™, Black Duck uncovers issues in dependencies before they are merged into release branches. Scans incorporated into continuous integration and continuous delivery and deployment tools identify issues that dependency analysis cannot, both before and after deployment. Policy-as-code can define when, and at what depth, SCA scans should occur—depending on variables such as code change, risk calculation, and dev phase—to run the right scan at the right time.

Bringing it all together, Software Risk Manager™, our application security posture management platform, aggregates and correlates the results from SCA and other AppSec tools to reduce noise and provide the most accurate picture of risk in a manner that’s consumable to all stakeholders across the organization. This is how Black Duck defines the “Sec” in DevSecOps.
