
Forrester recognizes Sonatype as a leader in software composition analysis (SCA)

This week, independent analyst firm Forrester released its The Forrester Wave™: Software Composition Analysis (SCA), Q3 2021 report, following an in-depth evaluation of 10 SCA solutions. We're extremely happy to announce that the Sonatype Platform was recognized as a leader with the highest score in the market presence category amongst all companies evaluated.

This is an achievement we're quite proud of. We believe it highlights the incredible work our team has done in building a solution that automates all parts of software supply chain security with an emphasis on open source security. More importantly, to us, it showcases how vital it is for organizations to have total control of their cloud-native development lifecycles, including third-party open source code, first-party source code, infrastructure as code (IaC), and containerized code.

You can get the full report or continue reading for some of our key takeaways and what we’ve been working on at Sonatype.

Stellar policy management, underpinned by precision data

The Forrester report notes:

"Policy is an area of strength for Sonatype, with out-of-the-box policies that align to a range of standards (particularly in the IaC pack) and a policy engine that allows users to create and assign policies to certain types of applications."

Core to who we are is giving organizations control of their code and the code that makes it into production applications. Across the Sonatype Platform, customers can create custom security, license, and architectural policies based on application type or organization and contextually enforce those policies across every stage of the software development life cycle (SDLC).

But our policy management is only as good as our data. Precision matters. We pride ourselves on having the most expansive, most in-depth and most actionable database of open source components and vulnerabilities. We examine fingerprints – not just file names and package manifests – to precisely identify risk with Advanced Binary Fingerprints (ABF). It's this precision that lets us promise low false positives and negatives, so when our customers set a policy, they know they can trust it.

Helping our customers is in our DNA 

Also noted in the Forrester report:

"Sonatype’s customer success team is a major part of its strategy, and customer references appreciate the 'very attentive' customer service, with one calling it out as 'something that deserves recognition.'"

If we have a secret weapon to our success, it is absolutely our incredible customer success team. Over the years, we've made a conscious effort to build up this program and have created a support model that provides resources for customers of all sizes and meets them where they are.

Our customers rely on us for product-led information as well as formal training and guidance on the development process. Further, we've created a customer portal that acts as a central hub for learners. In addition to documentation, best practice guides, and a user community, it provides access to e-learning and training resources, including videos. It's available to anyone interested in learning Sonatype products as well as those who are focused on eliminating vulnerable components from their applications and reducing license risk.

If you haven't already, head over to and take a look around at all the valuable resources. We think you'll like what you see.

Expanded portfolio and full-spectrum software supply chain automation 

Last, but certainly not least, in March, we announced our “new” Sonatype platform that helps make the lives of developers and security teams easier. The Forrester report touches on these expansions as an area that makes Sonatype strong.  

As security concerns around supply chains were ushered to center stage this year, our customers turned to us as trusted advisors asking for broader, deeper, and more intelligent solutions. We answered the call swiftly, and rolled out solutions offering customers full-spectrum control of the cloud-native software development lifecycle, including:

  • Third-party open source code

  • First-party source code

  • IaC

  • Containerized code

  • InnerSource

We believe Forrester recognizes, just as we do, that while a big part of SCA continues to be open source security, it has become so much more than that.

What's next for Sonatype? 

The industry continues to evolve, and so does Sonatype. We'll continue to drive key automation and precise data, as well as help customers handle their development cycles, all while focusing on our core: helping organizations build better software faster and take control of their software supply and next-gen dependency management.

Download Forrester's full report here.

Written by Brent Kostak

Brent is the Director of Product Marketing connecting developers and DevOps communities to Sonatype Nexus tools and technologies.