Anchore Continues Expansion into Software Supply Chain Security Market
New customer adoption and open source community involvement fuel expansion
Anchore announced strong results in the software supply chain security market over the last year. With concerns about the security of the software supply chain driving demand for automated tooling and a rise in SBOM adoption across the industry, Anchore has delivered new product capabilities, seen exploding adoption of its open source tools, and continued to proactively prepare its customers and organizations for inevitable future breaches and hacks.
Software Supply Chain Security Focus
2021 started with the fallout of the SolarWinds SUNBURST attack and ended with multiple exploits against the Log4j zero-day vulnerability, highlighting the critical importance of securing the software supply chain. According to the Anchore 2022 Software Supply Chain Security Report, 62 percent of organizations were affected by a software supply chain security attack last year. Software suppliers face increased risk with 73 percent impacted by an attack.
The report also highlights that organizations are responding to these risks, with 54 percent placing a heavy focus on securing the software they build and use. With the U.S. Executive Order on Improving the Nation’s Cybersecurity highlighting the software bill of materials (SBOM) as a critical foundation for supply chain security, 76 percent of organizations plan to increase their use of SBOMs next year. The importance of SBOMs, combined with the need for automated tooling and continuous security checks in the development process, is driving significant growth in Anchore’s software supply chain management solutions.
“Recent security breaches have catapulted the topic of software security to the forefront of business conversations everywhere. Software supply chain security does not just impact the software industry, today every organization needs to bolster their security practices to reduce risk in their cloud-native applications,” said Said Ziouani, CEO of Anchore. “Last month’s Log4j zero-day vulnerability underscores the need for organizations to use SBOMs and automated tooling to reduce the risk of successful attacks and speed remediation of the next zero-day vulnerability.”
In 2021 Anchore saw 2.5 times growth in ARR from the prior year, as organizations looked to proactively secure their software supply chains against growing exploits. Anchore customers include the largest global enterprises as well as government agencies. In 2021 Anchore welcomed leading Fortune 100 organizations to the customer roster, joining dozens of Global 500 organizations and major software companies that use Anchore technology to secure their software supply chains. New customer NVIDIA uses Anchore to secure containers for AI, machine learning and high-performance computing on the NVIDIA NGC.
Anchore more than tripled its government customers in 2021, adding the U.S. Space Force’s Kobayashi Maru program along with numerous programs across the U.S. Air Force, U.S. Department of Defense, U.S. General Services Administration, U.S. Navy, U.S. Marine Corps and the Defense Information Systems Agency (DISA). Anchore also expanded its relationship with the U.S. Air Force Platform One program with a $4.6M contract to harden its software supply chain with a focus on container scanning technology and services.
Over the past twelve months the company advanced its software supply chain management capabilities, with multiple releases to the Anchore Enterprise platform. New capabilities include:
- Broadened coverage of the software supply chain by making the security status of running images visible to developers and security teams, reducing the risk of insecure code being included in production applications.
- Expanded remediation capabilities with remediation recommendations and automated workflows.
- A new FedRAMP policy pack that enables software vendors and cloud service providers to identify and resolve compliance issues for containerized applications and shorten the timeline to achieve a FedRAMP authority to operate (ATO) certification.
- Ability to automate STIG checks for cloud-native applications and provide a unified view of both vulnerabilities and STIG compliance findings, which are required for U.S. Department of Defense applications.
- A new policy pack that alerts on vulnerabilities found in the CISA catalog of Known Exploited Vulnerabilities.
Rapid Adoption of Open Source Tools
Anchore saw accelerating adoption of its two open source software supply chain security tools that easily integrate into development processes and toolchains. Syft, a tool that performs deep inspection of container images and filesystems to generate an SBOM, now has over 400,000 downloads, representing a 150% increase in the last 5 months. Grype, a vulnerability scanner, now has over 500,000 downloads, an 80% increase in the same time period. Together, Syft and Grype have garnered over 4,500 stars on GitHub, a tenfold increase since the beginning of 2021.
Updates to Syft and Grype in 2021 include the ability to generate accurate SBOMs and vulnerability reports via plugins to popular CI/CD systems including GitHub, GitLab, and Jenkins. Syft has also added support for the Software Package Data Exchange (SPDX) standard which makes it easy to share data across systems and organizations. SPDX is an internationally recognized ISO standard for SBOMs that is sponsored by the Linux Foundation.
“The ability to produce accurate SBOM and vulnerability results from a wide variety of software artifacts has led to growing adoption of Syft and Grype by both the open source community and end users, particularly as more and more project maintainers are looking to include security tooling directly into their development environments,” said Daniel Nurmi, CTO and co-founder of Anchore. “During the initial and ongoing response to the Log4j zero-day vulnerability, practitioners were able to quickly and easily identify the presence of Log4j across their software environments using Anchore’s Syft and Grype tools, even when the library was nested several levels deep inside Java archives, which has led to a large jump in downloads and usage.”
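The two steps the quote above describes, cataloguing packages that sit inside nested Java archives and then matching the resulting SBOM against vulnerability data, are illustrated below in a small added example. It is not Syft or Grype code and does not reproduce their internals; it is a minimal, self-contained sketch of the same idea. The sample WAR file, its embedded log4j-core JAR, the package coordinates read from `pom.properties`, and the advisory record (with a placeholder id rather than a real CVE number) are all constructed inline for the example.

```python
import io
import json
import re
import zipfile

# Maven metadata path inside a JAR: META-INF/maven/<groupId>/<artifactId>/pom.properties
POM_RE = re.compile(r"META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")

# Constructed advisory record; the id is a placeholder, not a real CVE number.
ADVISORIES = [
    {
        "id": "CVE-PLACEHOLDER-LOG4J",
        "package": "org.apache.logging.log4j:log4j-core",
        "fixed_in": "2.15.0",  # constructed for the example
    }
]


def build_sample_war() -> bytes:
    """Construct a WAR that embeds a log4j-core JAR one level deep (sample input)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr(
            "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
            "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n",
        )
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
        war.writestr(
            "META-INF/maven/example/app/pom.properties",
            "groupId=example\nartifactId=app\nversion=1.0\n",
        )
    return outer.getvalue()


def parse_pom_properties(text: str) -> dict:
    """Parse key=value lines from a Maven pom.properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def catalog_archive(data: bytes, location: str = "", depth: int = 0, max_depth: int = 5) -> list:
    """Recursively walk a zip-based archive and collect Maven package coordinates.

    max_depth bounds recursion so a malformed or hostile archive cannot make the
    walk unbounded; each package records the archive it was found in.
    """
    packages = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for name in archive.namelist():
            match = POM_RE.search(name)
            if match:
                props = parse_pom_properties(archive.read(name).decode("utf-8", "replace"))
                packages.append({
                    "name": f"{props['groupId']}:{props['artifactId']}",
                    "version": props["version"],
                    "location": location or "<root>",
                })
            elif name.endswith(NESTED_SUFFIXES) and depth < max_depth:
                nested_location = f"{location}/{name}" if location else name
                packages.extend(catalog_archive(archive.read(name), nested_location, depth + 1, max_depth))
    return packages


def to_spdx_like(packages: list) -> dict:
    """Emit a minimal SPDX-style document with a purl per package (illustrative subset of SPDX)."""
    spdx_packages = []
    for pkg in packages:
        group, artifact = pkg["name"].split(":", 1)
        spdx_packages.append({
            "name": pkg["name"],
            "versionInfo": pkg["version"],
            "externalRefs": [{
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": f"pkg:maven/{group}/{artifact}@{pkg['version']}",
            }],
        })
    return {"spdxVersion": "SPDX-2.2", "packages": spdx_packages}


def version_tuple(version: str) -> tuple:
    """Turn a dotted numeric version into a comparable tuple (sufficient for this sample)."""
    return tuple(int(part) for part in version.split("."))


def match_vulnerabilities(packages: list, advisories: list) -> list:
    """Report every package whose version is below an advisory's fixed version."""
    findings = []
    for pkg in packages:
        for adv in advisories:
            if pkg["name"] == adv["package"] and version_tuple(pkg["version"]) < version_tuple(adv["fixed_in"]):
                findings.append({"id": adv["id"], "package": pkg["name"], "version": pkg["version"],
                                 "location": pkg["location"], "fixed_in": adv["fixed_in"]})
    return findings


if __name__ == "__main__":
    found = catalog_archive(build_sample_war())
    print(json.dumps(to_spdx_like(found), indent=2))
    for finding in match_vulnerabilities(found, ADVISORIES):
        print(f"{finding['id']}: {finding['package']}@{finding['version']} in {finding['location']}")
```

The point of recording the `location` field is the one the quote makes: a vulnerable library that never appears as a top-level dependency is still surfaced, together with the archive path that leads to it, which is what a remediation ticket needs.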
“As enterprises look to accelerate their operational velocity, an increasing number of them are focusing on improving their developer experience. The challenge facing these organizations is how to offer a frictionless experience to their developers while simultaneously improving their overall security posture,” said Stephen O’Grady, Principal Analyst with RedMonk. “One approach that’s growing in popularity is to integrate API-driven security resources into their existing development toolchains. This is exactly the opportunity that Syft and Grype were constructed for.”