SourceClear, a developer of software composition analysis (SCA) tools, was acquired by CA Technologies, cementing a growing split in the market for such products. CA, which did not reveal terms of the transaction, announced in a blog post the SourceClear product would be integrated into the Veracode application security testing (AST) product. SourceClear was started in 2012 by Mark Curphey, who also founded the Open Web Application Security Project, better known as OWASP. Veracode itself was acquired just over one year ago by CA, in a move to expand its security and application development product portfolios.
The acquisition marks the continuation of a trend in the SCA market, where standalone SCA vendors are competing more often with traditional application security testing providers.
For years, developers have used open source components within their applications to speed the development process and eliminate the need to duplicate existing functionality. The market for SCA products began with companies like Black Duck Software (itself acquired by Synopsys in November 2017), followed later by Sonatype, Flexera, and many other companies that created tools allowing organizations to better understand and evaluate their use of open source code. Initially, much of the focus was on the licenses associated with specific open source distributions (since they could introduce legal liabilities if used in an organization’s code).
That remains an important use case, but much of the market’s attention has now shifted to the security of open source components and the vulnerabilities they might introduce into code. That risk has been underscored by a variety of high-profile security incidents that were traced back to weaknesses in open source software, such as the Equifax breach.
As application security has become more critical, vendors of software security testing tools (static, dynamic, and interactive) have begun incorporating SCA tools and technologies into their testing suites. This provides users with a consolidated view of both the vulnerabilities introduced through mistakes and missteps in their own coding efforts and those introduced through what’s come to be known as the software supply chain. Indeed, Veracode already supported SCA capabilities in its testing tools prior to the SourceClear acquisition, as Synopsys did before it acquired Black Duck. In both cases, the companies cited the expanded capabilities the newly purchased solutions could provide.
It’s now reached the point where the bulk of well-known application security testing tools incorporate at least basic SCA capabilities. And buyers have an increasing array of options when looking to satisfy their needs for SCA tools.
On the one hand, they can simply elect to satisfy their needs with the tools included with (or packaged alongside) their preferred application security testing product. There’s a wide range of capabilities on offer, ranging from “good enough” to quite sophisticated. For many, especially those looking to acquire a comprehensive set of tools from a single vendor, this will become an increasingly attractive option — especially if their needs are simple and the SCA component is free or low cost.
On the other hand, those with more sophisticated or specialized requirements may elect to buy from one of the remaining specialized vendors in the SCA market. However, given the sophistication of some of the tools that have been acquired by the testing vendors, those vendors face their own challenges. As always, careful attention to buyer needs and compelling differentiation will be required to ensure success.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.