Open Source Security Provider Black Duck is the “Leader” in Independent Research Firm’s Assessment of Software Composition Analysis Providers

Research Report: “developers use open source components as their foundation, creating applications using only 10% to 20% new code”

BURLINGTON, MA – Feb. 23, 2017 – Black Duck, the global leader in securing and managing open source software, was named the leader in The Forrester Wave™: Software Composition Analysis, Q1 2017, which was released today.

In Forrester’s comprehensive, 38-criteria evaluation of “the six (SCA) providers that matter most and how they stack up,” Black Duck was the only company placed in the Wave’s “leader” classification.

To assess the state of the SCA market, Forrester examined past research, user need assessments, and vendor and expert interviews, and developed the evaluation criteria, which it grouped into three categories: current offering, strategy and market presence.

To address the market demand for more and better applications and to accelerate application development, developers “use open source components as their foundation, creating applications using only 10% to 20% new code,”¹ the Forrester report stated.

“Unfortunately, many of these (open source) components come with liabilities in their license agreements, and one out of every 16 open source download requests is for a component with a known vulnerability. To reduce these risks, security pros are turning to SCA tools,”² the Forrester report stated.

Black Duck CEO Lou Shipley said “being named the leader in Forrester’s software composition analysis evaluation is encouraging and is certainly how we think of ourselves. However, for those of us in the rapidly expanding open source ecosystem, probably the most significant element of this SCA Wave is Forrester’s point that ‘developers use open source components as their foundation, creating applications using only 10% to 20% new code.’”

Shipley added, “the increasing global reliance on open source and its preeminence in application development increase the need for enterprises to deploy effective open source security vulnerability management tools. It is clear to us that the Forrester Wave report acknowledges the opportunity to reduce application security risk by securing and managing open source more effectively using SCA tools such as Black Duck’s.”

To reduce application risk, according to the Forrester SCA Wave analysis, organizations are turning to SCA tools for the benefits of:

  • Gathering more information that helps identify and remediate vulnerabilities quickly
  • Automating scans to highlight license risk exposure
  • Flexible policy enforcement that increases alignment with business needs
  • Integrating products to support existing development processes

In its vendor profile, Forrester noted that Black Duck’s market-leading product “boasts over 80 supported source code language formats, and it uses this strength to scan a broad range of developer preferences for both license risk management and vulnerability identification. Additionally, Black Duck provides an application bill of materials (BOM) for as long as users choose, and it monitors for any new open source vulnerabilities using vulnerability data that gets updated hourly. Users are notified of newly identified vulnerabilities in their BOM.

“Black Duck Software has very strong risk reporting and strong proactive vulnerability management capabilities, but its biggest differentiation comes from sound support for the fundamentals of license risk management, vulnerability identification, and policy management.”

About Black Duck Software

Organizations worldwide use Black Duck’s industry-leading products to automate the process of securing and managing open source software, eliminating the pain related to security vulnerabilities, compliance and operational risk. Black Duck is headquartered in Burlington, MA, and has offices in San Jose, CA, Vancouver, London, Belfast, Northern Ireland, Frankfurt, Hong Kong, Tokyo, Seoul and Beijing. For more information, visit

Media Contacts:

Black Duck
Brian Carter, Director of Strategic Communications

PAN Communications
Michael O’Connell


¹ “2015 State of the Software Supply Chain Report: Hidden Speed Bumps on the Road to ‘Continuous’,” Sonatype

² “2016 State of the Software Supply Chain,” Sonatype