Gartner Market Guide for Supply Chain Security: Why You Need a Comprehensive Solution

As Gartner’s first Market Guide for Supply Chain Security makes clear, software developers need automated tools to protect all elements of the software supply chain used in the development of their products against attacks, which includes open source, commercial software, third-party software, libraries, plug-ins, DevOps toolchains and generative AI models. But enterprise buyers, those consuming rather than producing software, can and should protect themselves as well, rather than relying solely on the assurances of software publishers.

As we have often said here at RL, the world may run on open source, but businesses run on commercial software. . In the wake of major software supply chain breaches such as SolarWinds, 3CX, and Codecov, it is clear that Gartner is calling for a consolidated, focused set of tools to help software vendors close critical gaps in their SDLC.

Download the report: 2025 Gartner® Market Guide for SSCSLearn more: See the webinar

SSCS Tooling is Fragmented: Mind the Gaps

Software engineering teams know that they need to make securing open source and commercial software dependencies a priority: 60% have already deployed or are deploying software supply chain security (SSCS) tools, the Gartner report states, and 85% will have some sort of SSCS tool in place by 2028. But the tools they’re choosing may not address all elements of the software development pipeline.

In its first report on the software supply chain security tools market, Gartner identifies three critical use cases for SSCS tools: They should improve visibility into the software development lifecycle (SDLC), protect software integrity, and enhance your organization’s security posture throughout its SDLC. Unfortunately, the tools market is fragmented, with only limited elements of SCSS being offered from application security posture management (ASPM), static and dynamic application security testing (SAST/DAST), software composition analysis (SCA) and DevOps platform vendors. That means there can be gaps in the development pipeline that attackers can exploit.

A SSCS tool should curate dependencies, provide a software bill of materials (SBOM), and perform software composition analysis, Gartner says. Specifically, it must be able to scan open source, proprietary, and third-party elements, including all artifacts to identify vulnerabilities and malware— all without having access to the source code. It must support binary analys.

RL Spectra Assure Stands Out

ReversingLabs Spectra Assure can address all three use cases. Spectra Assure was built from the ground up to address SSCS threats. While other software composition analysis (SCA) and static application security testing (SAST) tools require source code to analyze software components, Spectra Assure does not require source code. It uses complex binary analysis to identify all components as well as risk by scanning the entire application - the software binary itself.AppSec, DevSecOps, or Product Security teams can integrate it into their SDLCs or as a final build exam to identify malware, tampering, vulnerabilities,, secrets leaks, hardening issues, or licensing issues.

Figure1: SAFE Levels make it simple to gauge the risk that a specific software package presents to your business through a series of predefined, increasingly strict security policies.

Spectra Assure also produces the most complete software bill of materials (SBOM). In fact, it supports CycloneDx’s extended bill of materials (xBOM) that captures a broad range of components, that not only includes the SBOM, but including a BOM for SaaS, AI/machine learning components and cryptographic elements.

• Improves visibility by analyzing proprietary, open source, third-party commercial software, and all artifacts.
• Protects integrity by identifying malware, tampering, vulnerabilities, hardening issues, exposed secrets and licensing issues, as well as any suspicious behaviors the code might exhibit when executed.
• Enhances security posture by detecting and prioritizing risks throughout the SDLC, curating components that are safe, and providing a critical build examination prior to release — without holding back developer timelines.

The SolarWinds, 3CX, and Codecov incidents got past regular security checks in part because the attackers didn’t rely on abusing OSS or known vulnerabilities. With SolarWinds, the build and code signing process for its Orion software was compromised after attackers modified the source code to include a backdoor. The 3CX attack came through a code repository, enabling attackers to add malicious code to the build process for the company’s VoIP application, which was then released to its customers. The Codecov incident was caused by a modified package that compromised its Bash Uploader code in such a way that a signature-based malware scan or even most application security testing tools would never have detected it.

Figure 2. The extended bill of materials (xBOM) builds upon the traditional software bill of materials (SBOM) to provide a more comprehensive view by including a broader range of components.

• Improves visibility by analyzing proprietary, open source, third-party commercial software, and all artifacts.
• Protects integrity by identifying malware, tampering, vulnerabilities, hardening issues, exposed secrets and licensing issues, as well as any suspicious behaviors the code might exhibit when executed.
• Enhances security posture by detecting and prioritizing risks throughout the SDLC, curating components that are safe, and providing a critical build examination prior to release — without holding back developer timelines.

The SolarWinds, 3CX, and Codecov incidents got past regular security checks in part because the attackers didn’t rely on abusing OSS or known vulnerabilities. With SolarWinds, the build and code signing process for its Orion software was compromised after attackers modified the source code to include a backdoor. The 3CX attack came through a code repository, enabling attackers to add malicious code to the build process for the company’s VoIP application, which was then released to its customers. The Codecov incident was caused by a modified package that compromised its Bash Uploader code in such a way that a signature-based malware scan or even most application security testing tools would never have detected it.

Figure 3. These three attacks were not due to simple open-source issues or vulnerabilities. Spectra Assure lets software producers trust the components from across their development pipeline.

Spectra Assure could have addressed these issues before they became a problem because it can detect tampering, malicious content, or other unwanted characteristics that go against an organization’s policies. “You need a dedicated set of tools which understand code intent, track that intent and then triage that intent to see what kind of changes were added to the code,” says ReversingLabs co-founder and chief software architect Tomislav Peričin.

Why A Comprehensive Solution is Key

Spectra Assure lets you curate safe components, scan open source and proprietary software without access to the source code, and offers the most comprehensive xBOM in the industry, helping your organization identify critical risks so that you can ensure that your final, released software package is safe. With Spectra Assure, developers can be confident of their management practices with regard to open source and third-party dependencies. They can fully trust all components across their entire software development pipeline. And enterprise buyers can feel confident that the software from their vendors is safe because they can validate it for themselves.

For a more in-depth review of Gartner’s first-ever SCSS market guide, attend the ReversingLabs webinar, Insights from the 2025 Gartner® Market Guide for Software Supply Chain Security. Our experts can help you understand the report, point out where to focus your energies, and discuss what steps you should take now to mitigate SCSS threats.