1/11/2021 Gartner Reprint

Market Guide for Software Composition Analysis
Published 18 August 2020 - ID G00721255 - 23 min read
By Analyst Dale Gardner

Multiple risk factors and explosive growth in open-source software usage make software composition analysis an essential tool for application security. Security and risk management leaders should use this Market Guide to understand the evolving competitive landscape, and how the market will develop.

Overview

Key Findings

Open-source software is used in nearly all organizations. This introduces risks from readily exploitable vulnerabilities; an expanded attack surface through which malware and malicious code can gain access, compromising proprietary code and infrastructure; and legal and intellectual property exposures.

Without software composition analysis, the benefits of OSS in application development can easily be overwhelmed by the risks.

The viability and security of open-source packages are cited as top concerns by most of the respondents to a Gartner survey. These concerns have led to a growing market, addressed by various types of vendors, for SCA tools that identify and provide guidance on the remediation or mitigation of risks associated with the use of OSS.

Interest in SCA tools is growing rapidly. Although only about 40% of organizations are estimated to use SCA tools, end-user inquiries on the topic to Gartner analysts increased nearly 40% from 2019 to 2020.

Recommendations

To manage and mitigate the risk of OSS, security and risk management leaders responsible for the security of applications and data must:

Identify and mitigate risks associated with OSS by including SCA tools as an element of an application security testing tool harness, and respond to findings.

Harden the software supply chain to prevent the introduction of vulnerable, malicious or inappropriately licensed software. This can best be accomplished through the creation of an internal repository containing vetted code or artifacts approved for use by developers. In any case, automated examination of externally and internally sourced code (and related artifacts) should be mandatory.

Simplify decision making by working with stakeholders (application development and testing, legal and compliance, and risk management) to establish policies articulating acceptable levels of risk, which can then be automatically enforced throughout the development process.

Position SCA in the existing workflow for developers and test teams so that it happens periodically, and as automatically as possible. Scans by SCA tools need to be the default behavior, not the exception.

Definition

This document was revised on 10 September 2020. The document you are viewing is the corrected version. For more information, see the Corrections page.

Software composition analysis (SCA) products analyze applications, generally during the development process, to detect embedded open-source software (OSS) and, sometimes, other third-party components. SCA tools typically identify known vulnerabilities, such as out-of-date libraries that have available security patches. They also determine the license used to distribute a particular software package (to support the assessment of legal risks).

Market Description

More than 90% of organizations employ OSS, based on Gartner research.1 A rapidly growing use case is incorporating OSS in enterprise applications, to provide standardized functionality common to many applications. Modern applications are more often assembled than they are written, with developers combining multiple OSS packages, along with proprietary logic, in a single application. The approach yields multiple benefits, including reduced costs and decreased time to market, the avoidance of vendor lock-in, and conformance with standards.1 However, OSS brings a variety of risks, including concerns over the long-term viability of projects, security vulnerabilities and license compliance, and the potential loss of control over intellectual property (see Figure 1).1

Figure 1: The Most Significant Challenges With OSS

The primary concern of developers and application security teams is
the presence of vulnerabilities in direct or transitive dependencies that make their way into proprietary code developed by an organization. As with most software, these flaws are widespread and pose significant risk. On their initial scans, more than 70% of applications contain flaws resulting from the inclusion of open source, according to research conducted by testing vendor Veracode.2 Despite these issues, examination of open-source code for vulnerabilities remains low, based on Gartner research. This fact is reinforced in a survey, conducted by vendor Snyk, which revealed that only 28% of respondents indicated they have strong controls and confidence in all dependencies (direct and indirect). Another 33% felt they had control over direct dependencies, but not indirect (or transitive) dependencies. The remainder of respondents indicated they lack controls or don't know.3

Software supply chain risk has gained increased attention. In contrast with vulnerabilities, which are accidental, a growing number of incidents have been observed in which malicious code has been introduced by attackers looking to exploit the trust that exists in the open-source community. Although open source is one of several paths for attacking the supply chain, the ability to detect malicious code, such as back doors or other malware, in dependencies is a nascent requirement for SCA tools.

A variety of approaches that combine automated checks and scans, along with more traditional manual research, are being employed by vendors to detect such attacks. Factors examined include the "health and welfare" of a package. They are related to concerns regarding the viability of a given package, such as the number of committers, the frequency of updates, responses to vulnerabilities, and other coding defects or changes in control. Other approaches examine executables for unexpected changes, alterations to package contents (e.g., the introduction of an executable in a package based on a scripting language), or a change in the behavior of an application (such as opening a network connection), and other anomalies.

The requirement for assessing software supply chain risk will first grow in areas where the risks of malicious software are understood. These include defense and government, diversified financial services, and connected and Internet of Things (IoT) devices in the healthcare, transportation, utilities and process manufacturing verticals. These concerns will spur the adoption of "live" software bills of materials (BOMs), updated automatically as new versions of software are created. These capabilities are expected to rapidly become "table stakes" requirements for SCA tools. This development will favor vendors with advanced code analysis capabilities and the means to perform the requisite research to identify, triage and report on indicators of malicious activity.

Among commercial offerings, features are emerging to assist with prioritization, remediation and mitigation. Integration between an SCA tool and a static application security testing (SAST) or interactive application security testing (IAST) capability (either a direct extension of the SCA product or a stand-alone tool) enables the system to identify OSS contained in an application that is not being executed. This is possible because SAST and IAST tools can reveal control flow through the application. Affected code may be eliminated, or the vulnerabilities discovered in a package (or a method in the OSS code) may be deprioritized for remediation, because the flawed code isn't executed.

Another feature is integration with repositories (such as Git, Sonatype Nexus and JFrog Artifactory). This integration serves multiple purposes. For organizations looking to exert a higher degree of control over acceptable open-source packages, repositories can be used as a store for whitelisted software. Another way this integration is used is to serve as a checkpoint when code, or other artifacts, are added to the repository. On check-in, tests can be performed on the new entry, and reports of any discovered issues can be generated. Another feature is the generation of pull requests that simplify upgrades from problematic packages: the developer need only review the proposed update and then approve it to bring the application up to date. In some cases, these pull requests will also provide an assessment of the likelihood that an OSS upgrade will break or be incompatible with the application in question.

In response to these concerns, security and development teams have turned to SCA tools to identify, then mitigate or remediate issues. The market consists primarily of tools, although some ad hoc services are available. Tools fall into one of four categories:

Open Source: Many open-source tools perform SCA tasks. Most are designed to support a specific programming language or application framework. Thus, they are limited in scope, and may lack the functionality available in commercial solutions, although some, such as Dependency-Check from OWASP, provide support for multiple languages (e.g., .NET assemblies, JAR files and JavaScript) or file formats (such as archives, CMake and Node.js). Most open-source tools focus only on identifying vulnerabilities or outdated packages, and may rely on limited sources of vulnerability data, such as exclusive reliance on the National Vulnerability Database (NVD). Such tools don't check for license type, or for other project attributes (e.g., the number of maintainers, frequency of updates and speed at resolving vulnerabilities). Despite their limitations, especially as organizations revisit budgets in the wake of COVID-19 business disruptions, open-source tools have become a primary choice for more organizations.

Stand-Alone Products: These commercial offerings deliver a broader range of important functionality: license checks, remediation guidance, OSS governance and policy enforcement, etc. Examples include Snyk and WhiteSource (both also offer container scanning products that search out issues in container images), as well as Sonatype and Revenera (formerly Flexera), which offer associated capabilities, such as a repository, or governance capabilities (to control OSS use).

AST Suite Component: As demand for SCA tools has grown, an increasing number of application security testing (AST) platform or suite vendors have added SCA capabilities to their portfolios. Examples include Checkmarx, Contrast Security, Veracode and Synopsys. In many cases, these are offered as an add-on component, requiring separate licensing to SAST or IAST offerings. SAST and IAST testing tools provide the necessary code-scanning capabilities, while the SCA component identifies and reports on relevant OSS warnings. The trend is for these SCA tools to be offered as stand-alone products in the portfolio.

Application Development Platforms: An emerging source of application security tooling, application development tooling vendors have begun to include security capabilities as features in their offerings. Although there are few vendors (see the Market Direction section below), this trend is expected to continue and to become disruptive to the established AST market.

In addition to open-source or commercial tools, SCA can be acquired as a service in the SaaS sense, or on an ad hoc scan basis. The latter approach is not optimal for development, but can be useful during merger and acquisition (M&A) activities to assess potential legal or security risks.

Market Direction

The SCA market has been marked by periodic changes in focus since it was first established more than 15 years ago. Initially, legal teams conducting merger and acquisition due diligence were the primary purchasers of tools. As might be expected, their focus was on the type of license associated with packages in a firm's portfolio. Restrictive open-source licenses may limit commercial use, or impose other unattractive or unfavorable terms. Over time, application security teams have become concerned with vulnerabilities in open-source code, and vulnerability detection has become a critical capability.

Initial product offerings were stand-alone solutions, offered by vendors focused exclusively on the market. Many of these firms were subsequently acquired by AST suite vendors as they expanded their portfolios. During the past few years, a new round of stand-alone vendors has emerged (e.g., Snyk and WhiteSource), with products optimized for use by developers, in contrast to the application security team (although both remain buyers). Thus, today's market consists of a mix of vendors, with stand-alone, pure-play products competing against components of a broader AST offering.

Partnerships and OEM relationships remain an important path to market, especially for stand-alone vendors that license scanning technology, vulnerability and license information to vendors lacking their own SCA capabilities. For example, Rapid7 formed a partnership with Snyk, as Rapid7 seeks to expand its footprint in the AST space beyond its traditional dynamic AST (DAST) and vulnerability assessment roots. HCL Software has an agreement with WhiteSource to gain access to open-source vulnerability and license data.

Open-source scanning projects can be considered stand-alone tools in the context of the market, although they have traditionally tended not to compete directly with commercial offerings. As previously noted, that is changing, at least to a degree. Open-source tools are increasingly used in cases where an organization has difficulty justifying the cost of acquisition of a commercial tool. They are also used when an organization feels the additional functionality offered by commercial tools isn't required for its needs.

Application security teams are the most common buyers of SCA products, and legal teams involved in due diligence continue to be buyers (primarily of ad hoc services). Although these teams show an increasing preference for combined AST portfolio offerings, stand-alone vendors (e.g., Revenera, Sonatype, Snyk and WhiteSource) have continued to be successful in the market, bucking the general trend toward platforms. At the same time, as is the case with other types of AST tools, development teams are emerging as distinct buying centers, with tool budgets. This trend is at least coincidentally linked to the adoption of DevOps, where development teams increasingly take on a broader scope of responsibility, including security testing.

As part of this broader shift in the market toward developers as buyers of tools, Gartner observes application development tooling vendors increasingly incorporating security testing tools, including SCA, in their own tool chains. For example, GitLab includes a mix of proprietary and open-source AST tools in its product (including the SCA product Gemnasium, acquired by GitLab in 2018). Microsoft acquired GitHub to complement its Azure DevOps offering, and GitHub, in turn, acquired Semmle (a vulnerability scanning tool), NPM (the Node.js package manager and notionally a security tool), and Dependabot (a dependency checking or SCA tool). Other vendors have made agreements to include SCA capabilities in their application development platforms, such as Red Hat, which struck a deal with Snyk to incorporate the latter's vulnerability database in its OpenShift product.

Looking forward, we can predict that:

SCA will continue to grow in importance as an element in organizations' AST toolsets, given the widespread use of OSS, and will expand in scope to include assessments of other types of risk posed by OSS. This will include evaluations of the viability, stability and provenance of packages. (The viability of open-source projects was the No. 1 concern of respondents to the Gartner survey.1) Tools will begin to provide warnings for packages that are maintained by a small group, where updates or responses to reported vulnerabilities lag, or where control of a package changes from one group to another. These assessments will encompass the package itself and any transitive dependencies.

These viability checks will expand to encompass software supply chain issues. As discussed previously, these capabilities will include a combination of automated checks and research into changes occurring with a given package.

Most SCA tools focus exclusively on OSS, but some buyers express concerns regarding commercial off-the-shelf (COTS) packages. This will prompt vendors to add support for commercial libraries.

In the midterm to long term, the emergence of new AST vendors, specifically current application development tool vendors such as GitHub, GitLab and OpenShift, including repository vendors (e.g., Sonatype, Git and JFrog), in combination with the gradual shift of buying centers to development teams, will be disruptive to AST platform vendors. These vendors are likely to hold on to traditional markets and buyers (a market segment that will contract gradually). However, they will increasingly be forced to compete and differentiate directly with application development tooling vendors. These tooling vendors will be likely to expand their offerings by acquiring an AST suite to better address the AST requirements of buyers. Other SCA vendors will also face increasing competition. However, as observed, some will leverage this market shift to their advantage by establishing partnerships and OEM relationships and investing further in research around OSS packages.
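The supply chain indicators described under Market Description above (the "health and welfare" of a package, such as the number of maintainers and the update cadence, and unexpected changes such as a new executable inside a scripting-language package, a new install hook or a newly acquired network or process-spawning capability) can be computed mechanically between two releases. The following Python example is added here and is not from the page or from any vendor's product; the package "acme-logger", its maintainers, file contents and the grouping of Node core modules into capability tags are all constructed for illustration.

```python
"""Release-to-release indicators for a suspect package (added example, constructed data)."""
import re
from dataclasses import dataclass, field
from datetime import date

# Node core modules whose first use in a release deserves a look. The grouping is an
# assumption made for this example, not a list from the page or any vendor.
SENSITIVE_MODULES = {
    "net": "network", "http": "network", "https": "network", "dns": "network",
    "child_process": "process-spawn", "fs": "filesystem", "os": "host-info",
}
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
_REQUIRE = re.compile(r"(?:require\(|from\s+)\s*['\"]([^'\"]+)['\"]")


@dataclass
class Release:
    name: str
    version: str
    published: date
    maintainers: frozenset
    manifest: dict                               # parsed package.json
    files: dict = field(default_factory=dict)    # path -> bytes


def capabilities(rel):
    """Capability tags implied by require()/import of sensitive core modules."""
    caps = set()
    for path, data in rel.files.items():
        if path.endswith((".js", ".mjs", ".cjs")):
            for mod in _REQUIRE.findall(data.decode("utf-8", "replace")):
                mod = mod[5:] if mod.startswith("node:") else mod
                tag = SENSITIVE_MODULES.get(mod.split("/")[0])
                if tag:
                    caps.add(tag)
    return caps


def binaries(rel):
    """Files that look compiled or executable inside a JavaScript package."""
    return sorted(p for p, data in rel.files.items()
                  if p.endswith((".node", ".exe", ".so", ".dll")) or b"\x00" in data[:512])


def assess(prev, curr, small_team=1, gap_days=365):
    """Indicators that the step from prev to curr changed control, contents or behaviour."""
    ind = []
    if not curr.maintainers & prev.maintainers:
        ind.append("control-change: no maintainer carried over from %s" % prev.version)
    if len(curr.maintainers) <= small_team:
        ind.append("small-team: %d maintainer(s)" % len(curr.maintainers))
    gap = (curr.published - prev.published).days
    if gap > gap_days:
        ind.append("long-gap-before-release: %d days since %s" % (gap, prev.version))
    prev_scripts = prev.manifest.get("scripts", {})
    new_hooks = [h for h in INSTALL_HOOKS
                 if h in curr.manifest.get("scripts", {}) and h not in prev_scripts]
    if new_hooks:
        ind.append("new-install-hook: " + ",".join(new_hooks))
    new_bin = sorted(set(binaries(curr)) - set(binaries(prev)))
    if new_bin:
        ind.append("new-binary: " + ",".join(new_bin))
    new_caps = sorted(capabilities(curr) - capabilities(prev))
    if new_caps:
        ind.append("new-capability: " + ",".join(new_caps))
    return ind


# Constructed releases of a hypothetical package; the second one trips every indicator.
PREV = Release(
    "acme-logger", "1.2.0", date(2019, 1, 10), frozenset({"alice", "bob"}),
    {"name": "acme-logger", "version": "1.2.0", "scripts": {"test": "node test.js"}},
    {"index.js": b"const fs = require('fs');\n"
                 b"module.exports = (m) => fs.appendFileSync('app.log', m + '\\n');\n"},
)
CURR = Release(
    "acme-logger", "1.2.1", date(2020, 7, 1), frozenset({"mallory"}),
    {"name": "acme-logger", "version": "1.2.1",
     "scripts": {"test": "node test.js", "postinstall": "node setup.js"}},
    {"index.js": b"const fs = require('fs');\nconst https = require('https');\n"
                 b"module.exports = (m) => fs.appendFileSync('app.log', m + '\\n');\n",
     "setup.js": b"const { execSync } = require('child_process');\n"
                 b"execSync('node helper.node');\n",
     "helper.node": b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00"},   # fake ELF header
)

if __name__ == "__main__":
    for line in assess(PREV, CURR):
        print(line)
```

Each indicator is only a prompt for the manual research the text describes: a maintainer handover or a first install hook is common in legitimate projects, so the value is in the combination and in diffing against the previous release rather than scanning one version in isolation.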
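The SAST/IAST integration described under Market Description above deprioritizes a vulnerable package method that the application never calls. The example below is added here and is not from the page or any vendor: it builds a static call graph over constructed Python sources with the standard-library ast module and reports whether the advisory's function (the hypothetical yamlish.load_unsafe) is reachable from each application's entry point. Static reachability over-approximates (it follows both branches of yamlish.load regardless of the safe flag), which is the gap an IAST closes by observing actual execution.

```python
"""Static reachability of a vulnerable dependency function (added example, constructed sources)."""
import ast

# Constructed sources: a hypothetical library "yamlish" whose load_unsafe() is the subject of
# an advisory, and two applications that depend on it in different ways.
MODULES = {
    "yamlish": (
        "def parse_tags(text):\n"
        "    return [t for t in text.split() if t.startswith('!')]\n"
        "def load_unsafe(text):  # subject of the (hypothetical) advisory\n"
        "    return parse_tags(text)\n"
        "def load_safe(text):\n"
        "    return text.strip()\n"
        "def load(text, safe=True):\n"
        "    return load_safe(text) if safe else load_unsafe(text)\n"
    ),
    "app_a": (
        "from yamlish import load_safe\n"
        "def handler(request):\n"
        "    return load_safe(request)\n"
        "def main():\n"
        "    return handler('key: value')\n"
    ),
    "app_b": (
        "import yamlish\n"
        "def read_config():\n"
        "    return 'key: !custom value'\n"
        "def main():\n"
        "    return yamlish.load(read_config(), safe=False)\n"
    ),
}


def _aliases(tree):
    """Map local names to fully qualified targets from import statements."""
    alias = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                alias[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                alias[a.asname or a.name] = "%s.%s" % (node.module, a.name)
    return alias


def _callee(call, mod, alias, local_funcs):
    """Qualified name of the called function, or None for builtins/methods we cannot resolve."""
    f = call.func
    if isinstance(f, ast.Name):
        if f.id in alias:
            return alias[f.id]                        # from x import y; y()
        if f.id in local_funcs:
            return "%s.%s" % (mod, f.id)              # same-module call
    elif isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name) and f.value.id in alias:
        return "%s.%s" % (alias[f.value.id], f.attr)  # import x; x.y()
    return None


def call_graph(modules):
    """caller qualified name -> set of callee qualified names, over all modules."""
    graph = {}
    for mod, src in modules.items():
        tree = ast.parse(src)
        alias = _aliases(tree)
        local_funcs = {n.name for n in tree.body if isinstance(n, ast.FunctionDef)}
        for fn in tree.body:
            if isinstance(fn, ast.FunctionDef):
                edges = graph.setdefault("%s.%s" % (mod, fn.name), set())
                for node in ast.walk(fn):
                    if isinstance(node, ast.Call):
                        callee = _callee(node, mod, alias, local_funcs)
                        if callee:
                            edges.add(callee)
    return graph


def path_to(graph, entry, target):
    """Depth-first search; returns one call path from entry to target, or None."""
    seen, stack = {entry}, [(entry, [entry])]
    while stack:
        node, path = stack.pop()
        if node == target:
            return path
        for nxt in sorted(graph.get(node, ())):
            if nxt not in seen:
                seen.add(nxt)
                stack.append((nxt, path + [nxt]))
    return None


def triage(graph, entry, vulnerable):
    """'reachable' with the path, or 'unreachable' (a candidate for deprioritisation)."""
    path = path_to(graph, entry, vulnerable)
    return ("reachable", path) if path else ("unreachable", None)


if __name__ == "__main__":
    g = call_graph(MODULES)
    for app in ("app_a", "app_b"):
        print(app, triage(g, app + ".main", "yamlish.load_unsafe"))
```

The resolver only follows plain imports and direct calls; dynamic dispatch, callbacks and reflection would leave edges out of the graph, so "unreachable" should lower priority rather than close the finding, which is the same caveat the text attaches to deprioritizing unexecuted code.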
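The Market Analysis section that follows separates SCA into identifying direct and transitive dependencies, license assessment, vulnerability matching, governance and policy enforcement, and BOM reporting, and Market Recommendations asks that policies state which severities are acceptable as technical debt and how to handle the no-fix case. The example below is added here and is not taken from the page or any vendor: it runs those steps over a constructed npm lockfile v2 fragment, a constructed advisory feed (the EXAMPLE-... identifiers are placeholders), and a policy with expiring exceptions, then emits a CycloneDX 1.2-shaped BOM with a dependency graph. The via chain recorded per component answers the "where is this package used" question the Reporting and Analysis passage raises.

```python
"""Lockfile inventory, advisory/license matching, policy gate and CycloneDX BOM (added example)."""
from collections import deque
from datetime import date

# Constructed npm lockfile v2 fragment ("packages" keyed by install path) for a fictitious app.
LOCKFILE = {
    "name": "acme-web", "version": "2.0.0", "lockfileVersion": 2, "packages": {
        "": {"name": "acme-web", "version": "2.0.0",
             "dependencies": {"express-ish": "^4.0.0", "leftpad-ish": "1.3.0"}},
        "node_modules/express-ish": {"version": "4.17.1", "license": "MIT",
                                     "dependencies": {"qs-ish": "6.7.0"}},
        "node_modules/qs-ish": {"version": "6.7.0", "license": "BSD-3-Clause"},
        "node_modules/leftpad-ish": {"version": "1.3.0", "license": "AGPL-3.0-only"},
    },
}
# Constructed advisory feed; the EXAMPLE-... identifiers are placeholders, not real advisories.
ADVISORIES = [
    {"id": "EXAMPLE-2020-0001", "package": "qs-ish", "affected": "<6.8.0",
     "severity": "high", "fixed_in": "6.8.0"},
    {"id": "EXAMPLE-2020-0002", "package": "leftpad-ish", "affected": "<=1.3.0",
     "severity": "medium", "fixed_in": None},                # no fix published
]
# Policy agreed with security, legal and risk (the license list is an assumption; counsel decides).
POLICY = {
    "block_severities": {"critical", "high"},
    "denied_licenses": {"AGPL-3.0-only", "GPL-3.0-only", "SSPL-1.0"},
    "exceptions": {"EXAMPLE-2020-0002": date(2021, 3, 31)},  # advisory id -> expiry date
}
_OPS = {"<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b, "<": lambda a, b: a < b, ">": lambda a, b: a > b}


def _ver(s):
    return tuple(int(p) for p in s.split("."))


def is_affected(version, spec):
    """True if version satisfies every comma-separated clause (<X, <=X, >X, >=X); fails closed."""
    for clause in (c.strip() for c in spec.split(",")):
        for op, test in _OPS.items():                       # two-character operators first
            if clause.startswith(op):
                if not test(_ver(version), _ver(clause[len(op):].strip())):
                    return False
                break
        else:
            raise ValueError("unsupported clause: " + clause)
    return True


def inventory(lock):
    """name -> component record; 'via' is the chain from a direct dependency to the package."""
    pkgs, comps = lock["packages"], {}
    for path, meta in pkgs.items():
        if path:                                            # "" is the root application itself
            comps[path.rsplit("node_modules/", 1)[-1]] = {  # assumes a fully hoisted tree
                "version": meta["version"], "license": meta.get("license"),
                "depends_on": sorted(meta.get("dependencies", {})), "direct": False, "via": None}
    queue = deque(pkgs[""]["dependencies"])
    for name in queue:
        comps[name].update(direct=True, via=[name])
    while queue:                                            # breadth-first: shortest chain wins
        parent = queue.popleft()
        for dep in comps[parent]["depends_on"]:
            if comps[dep]["via"] is None:
                comps[dep]["via"] = comps[parent]["via"] + [dep]
                queue.append(dep)
    return comps


def findings(comps, advisories, policy, today):
    """Vulnerability and license findings, each with the action the policy prescribes."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    out = []
    for adv in advisories:
        comp = comps.get(adv["package"])
        if not comp or not is_affected(comp["version"], adv["affected"]):
            continue
        expiry = policy["exceptions"].get(adv["id"])
        if expiry is not None and expiry >= today:
            action = "accepted-until-%s" % expiry
        elif adv["fixed_in"] is None:
            action = "no-fix: needs exception or mitigation"
        elif adv["severity"] in policy["block_severities"]:
            action = "block: upgrade to %s" % adv["fixed_in"]
        else:
            action = "debt: upgrade to %s" % adv["fixed_in"]
        out.append({"kind": "vuln", "id": adv["id"], "package": adv["package"], "via": comp["via"], "action": action})
    for name, comp in comps.items():
        if comp["license"] in policy["denied_licenses"]:
            out.append({"kind": "license", "id": comp["license"], "package": name, "via": comp["via"],
                        "action": "block: license review required"})
    return out


def gate(finds):
    """Build verdict: any blocking or unexcepted no-fix finding fails the build."""
    return "fail" if any(f["action"].startswith(("block", "no-fix")) for f in finds) else "pass"


def purl(name, version):
    return "pkg:npm/%s@%s" % (name, version)


def cyclonedx(lock, comps):
    """CycloneDX 1.2-shaped BOM: components plus the dependency graph, both keyed by purl."""
    items = sorted(comps.items())
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.2", "version": 1,
        "metadata": {"component": {"type": "application", "name": lock["name"], "version": lock["version"]}},
        "components": [{"type": "library", "name": n, "version": c["version"], "purl": purl(n, c["version"]),
                        "licenses": [{"license": {"id": c["license"]}}] if c["license"] else []}
                       for n, c in items],
        "dependencies": [{"ref": purl(n, c["version"]),
                          "dependsOn": [purl(d, comps[d]["version"]) for d in c["depends_on"]]} for n, c in items],
    }
```

Running findings(inventory(LOCKFILE), ADVISORIES, POLICY, "2020-09-01") yields a blocking upgrade for the transitive qs-ish (reached via express-ish), an accepted exception for the no-fix leftpad-ish advisory, and a license block on leftpad-ish, so gate() fails the build; once the exception expires the same advisory turns into "no-fix: needs exception or mitigation", which is the case the Recommendations section says a policy must address explicitly. The version-range parser is deliberately minimal and raises on clauses it does not understand rather than silently treating them as not affected.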
Market Analysis

The SCA market is made up of buyers of products and services offering the following functions:

Recognition and Identification of OSS: Techniques vary, but focus on identifying specific packages based on the standard programming techniques used to add open source (and other software) to a program. These would be "include" directives, or other instructions, depending on the specific programming language. Other approaches include scans of the code itself and/or libraries to identify specific package elements. More rarely, tools will examine code in search of "snippets," portions of code which have been extracted from a larger package. In addition to the specific packages discovered (direct dependencies), tools should also identify indirect or transitive dependencies, which result from one package incorporating another package, often recursively.

Software License Identification and Risk Assessment: Like commercial software, open source is almost always distributed according to the terms of a license agreement articulating the ways the software may be used. Dozens of licenses exist, and terms vary considerably. Some are considered permissive; there are few restrictions on how the software may be used and few or no responsibilities imposed on the user. In contrast, more restrictive licenses could pose substantial legal risk and the loss of intellectual property through the operation of the terms of the license. Although tools will attempt to indicate problematic licenses, decisions to use a package under the terms of a specific license should be undertaken with the guidance of legal counsel.

Software Vulnerabilities: Like any software, open source contains vulnerabilities that can be exploited by attackers, wreaking havoc. A critical function of SCA solutions is to identify packages that contain vulnerabilities. This function has emerged as a differentiator for tools, with vendors relying on a broad number of public and private databases, supplemented by internal research teams in some cases, to assert greater accuracy and confidence in findings. As noted earlier, as part of the process, tools will make recommendations as to an appropriate upgrade path to remediate the unsecure package. Some vendors, such as Snyk, will offer patches (for example, where a vulnerability has not been fixed by the maintainer), although this is far from universal.

Governance and Control: Given their (low) risk appetite, organizations may wish to exert a greater degree of control over the use of open source in applications. In these cases, a typical response is to create a repository of "approved" open-source packages. Developers are free to incorporate any software contained in the repository; other packages must go through a review and approval process. This approach presumes the availability of resources to review suggested additions and maintain the currency of the "approved" packages in the repository. A few vendors, such as Sonatype with its Nexus Firewall product, help enforce these policies by attempting to limit the ability of developers to download unapproved packages. Other approaches take a less formal stance, and warn developers via a browser plug-in of problematic software while visiting common web-based repositories (e.g., GitHub and Stack Exchange). Regardless of the existence of such "approved" repositories, organizations should scan software during the build process to ensure unapproved software has not made its way past the barriers.

Reporting and Analysis: As discussed earlier, the creation and sharing of software BOMs are anticipated to become more important in identifying and preventing software supply chain risks. The ability to create a formal software BOM is rare: it is not broadly available, and there is no standardized specification for sharing one. At a minimum, tools should report on both direct and transitive dependencies in the code in use, and where the code is being used. This positions the organization to be able to support a software BOM when standardization arrives. In the interim, such inventories help rapidly identify the potential impact of newly reported vulnerabilities or issues. If a problem is reported, security teams can quickly and easily identify whether, and where, the given package is used, and plan remediation efforts accordingly.

Although AST and SCA vendors have avoided significant price competition, this will change in the short term. To this point, vendors have competed on the basis of a broader feature set and more robust research and OSS intelligence. Additional competition resulting from a crowded AST market, stand-alone SCA vendors, new competition from development tooling vendors, and readily available, low-cost substitutions, such as open-source projects, will bring pricing pressure to the market. (In the short term, this trend will be exacerbated by economic effects resulting from the ongoing COVID-19 pandemic.)

Representative Vendors

Market Introduction

Numerous different types of vendors provide SCA tools and services (see Table 1).

Table 1: SCA Tools and Service Providers

Vendor | Product, Service or Solution Name
Checkmarx | Checkmarx Software Composition Analysis (CxSCA)
Contrast Security | Contrast OSS
FOSSA | FOSSA
GitHub | Dependabot
GitLab | Dependency Scanning
JFrog | JFrog Xray
MoreSec Technology | MoreSec SAST/SCA
Revenera | FlexNet Code Insight
ReversingLabs | Titanium Platform
Snyk | Snyk Open Source Security
Sonatype | Nexus Lifecycle, Nexus Firewall, Nexus Lifecycle Foundation, Nexus Auditor
Synopsys | Black Duck Software Composition Analysis
Tidelift | Tidelift Subscription
Veracode | Veracode Software Composition Analysis
WhiteHat Security | WhiteHat Software Composition Analysis (SCA)
WhiteSource | WhiteSource for Developers

Source: Gartner (August 2020)

The vendors listed in this Market Guide do not constitute an exhaustive list. This section is intended to provide more understanding of the market and its offerings.

Market Recommendations

As with any application security initiative, begin by establishing policies based on risk tolerance across the domains of security, legal liability and intellectual property rights, and supply chain viability and integrity. The relevance of each will vary, at least to some extent, among different applications in an organization's portfolio, but even a general policy for all applications is better than none. This policy can be used to describe the risk-based metrics and conditions that are acceptable or unacceptable to an organization, and help define the necessary product capabilities.

Security policies should indicate the severity and/or the types of vulnerabilities that constitute an acceptable risk. Those can be added to an application's technical debt for eventual resolution. Others will require immediate remediation or mitigation. These policies are sensitive to the risk profile of a given application, as what might be acceptable for one application could represent a significant compliance or security risk for another. Policies should include guidance on addressing vulnerabilities in cases where no fix is available, or where an otherwise essential fix must be delayed. (For example, upgrading a package may resolve a security issue, but due to changes in function may break the application that uses the package, requiring other changes to the application. In some cases, a patch or fix may simply not be available.)

Some type of tooling will generally be required to satisfy the pace and scope of evaluation required to support DevOps or other fast-moving development approaches. Evaluation criteria should encompass such factors as:

- Technology coverage: the languages, frameworks and open-source ecosystems to be evaluated
- The depth and breadth of data provided by the tool: vulnerabilities, and the number and quality of sources for that data, including identification of license types and relative risks
- Increasingly, information about the status and provenance of individual packages, along with the ability to prioritize that data
- The operational "fit" for the primary end users of the product: for example, developers will prefer vastly different interfaces and feature sets than legal teams
- The ability to aid in the identification of potential remediation or mitigation steps
- Integration into the software development life cycle (SDLC) and other relevant systems
- Reporting and administration

The ability to generate and maintain a dynamic software BOM is increasingly important for both internal and external use. Gartner has previously recommended that organizations create such documentation, with special attention being paid to the provenance, or history, and the individual elements that comprise a package and the sources of those transitive dependencies. Organizations will increasingly maintain (and demand) such documentation as a condition of license or purchase of software, as well as for internal tracking purposes. This documentation enables organizations to better understand what software is in place, enabling more-informed evaluation of software for potential risks, and rapid identification of vulnerable code when problems inevitably arise. Various proposed formats facilitate sharing. Organizations should monitor the progress of formal definitions and formats relevant to their industry, while ensuring that tools support at least the basic inventory and tracking capabilities needed to generate the documentation.

At least in the short term to midterm (one to two years), buyers should take an expansive view of overall costs when evaluating options. As appropriate and credible, they should negotiate with commercial vendors on price, making it clear there are acceptable, lower-cost options. Gartner clients routinely express concerns over the costs associated with security tooling, and SCA is no exception. Economic forces associated with the COVID-19 pandemic are likely to increase such pressures, leading many organizations to seek the most cost-effective solution. The ready availability of open-source tools for SCA will prompt many evaluators to include such tools in their assessments. There is, of course, a balancing act to be made. Open source enjoys low-/no-cost acquisition, but can increase costs in unanticipated ways, such as by the need to gather and rationalize results from multiple tools to gain a comprehensive view of a single application or portfolio. Commercial tools typically perform such tasks as part of their base functionality; however, depending on the vendor, they can rapidly break budgets.

Evidence

1 Gartner Research Circle: Examining the Maturity of Open Source Management. Gartner's survey examining the maturity of open-source management was conducted online from 25 June through 18 July 2019 among 75 Gartner Research Circle members, a Gartner-managed panel. To qualify for the survey, the participant's organization had to be using or planning to use OSS in its IT portfolio. Participants were screened for their knowledge of OSS and its plans in the organization's IT portfolio. Participants represented different regions across the world, with the majority from North America (43%); Europe, the Middle East and Africa (37%); and the Asia/Pacific (APAC) region (12%). Participating organizations represented a diverse mix of industries and company sizes. The survey was developed collaboratively by a team of Gartner analysts and was reviewed, tested and administered by Gartner's Research Data and Analytics team. Note: The results of this study represent the respondent base, not the market as a whole.

2 The State of Software Security: Open Source Edition, Veracode, 2020. Findings are based on analysis of the results of scans performed by the company on more than 85,000 applications, containing 351,000 unique external libraries.

3 The State of Open Source Security Report, Snyk, 2020.
104、ommercial tools typically perform such tasks as part of their base functionality;however,depending on the vendor,they can rapidly break budgets.We use cookies to deliver the best possible experience on our website.To learn more,visit our Privacy Policy.Bycontinuing to use this site,or closing this b
105、ox,you consent to our use of cookies.1/11/2021Gartner Reprinthttps:/ are based on a survey of over 500 individuals in the industry,with approximately 66%representing software development,16%in security,13%in infrastructure/operations,and 5%representing other.OtherAdditional sources of data used in t
106、he preparation of this guide include vendor briefings and publiclyavailable material,extensive client inquiry,and consultation with other members of Gartnersapplication security and open-source research communities.Note 1Representative Vendor SelectionRepresentative SCA vendors include a mix of comm
107、ercial vendors offering tools as a component of abroader AST portfolio,stand-alone SCA vendors,and those providing SCA capabilities as part ofapplication development tooling.Vendors offering SCA tools that primarily rely on a technologypartnership or OEM relationship are excluded,as are open-source
108、tools.Note 2Gartners Initial Market CoverageThis Market Guide provides Gartners initial coverage of the market and focuses on the marketdefinition,rationale for the market and market dynamics.2021 Gartner,Inc.and/or its affiliates.All rights reserved.Gartner is a registered trademark of Gartner,Inc.
109、and itsaffiliates.This publication may not be reproduced or distributed in any form without Gartners prior writtenpermission.It consists of the opinions of Gartners research organization,which should not be construed asstatements of fact.While the information contained in this publication has been o
110、btained from sources believed tobe reliable,Gartner disclaims all warranties as to the accuracy,completeness or adequacy of such information.Although Gartner research may address legal and financial issues,Gartner does not provide legal or investmentadvice and its research should not be construed or
111、 used as such.Your access and use of this publication aregoverned by Gartners Usage Policy.Gartner prides itself on its reputation for independence and objectivity.Itsresearch is produced independently by its research organization without input or influence from any third party.Forfurther informatio
112、n,see Guiding Principles on Independence and Objectivity.We use cookies to deliver the best possible experience on our website.To learn more,visit our Privacy Policy.Bycontinuing to use this site,or closing this box,you consent to our use of cookies.1/11/2021Gartner Reprinthttps:/ PoliciesSite Index
113、IT GlossaryGartner Blog NetworkContactSendFeedback 2021 Gartner,Inc.and/or its Affiliates.All Rights Reserved.We use cookies to deliver the best possible experience on our website.To learn more,visit our Privacy Policy.Bycontinuing to use this site,or closing this box,you consent to our use of cookies.