Anchore announced strong results in the software supply chain security market over the last year. With concerns about the security of the software supply chain driving demand for automated tooling and a rise in SBOM adoption across the industry, Anchore has delivered new product capabilities, seen exploding adoption of its open source tools, and continued to proactively prepare its customers and organizations for inevitable future breaches and hacks.
Software Supply Chain Security Focus
2021 started with the fallout of the SolarWinds SUNBURST attack and ended with multiple exploits against the Log4j zero-day vulnerability, highlighting the critical importance of securing the software supply chain. According to the Anchore 2022 Software Supply Chain Security Report, 62 percent of organizations were affected by a software supply chain security attack last year. Software suppliers face increased risk with 73 percent impacted by an attack.
The report also highlights that organizations are responding to these risks with 54 percent placing a heavy focus on securing the software they build and use. While the U.S. Executive Order on Improving the Nation’s Cybersecurity highlights the software bill of material (SBOM) as a critical foundation for supply chain security, 76 percent of organizations plan to increase use of SBOMs next year. The importance of SBOMs, combined with the need for automated tooling and continuous security checks in the development process, is driving significant growth in Anchore’s software supply chain management solutions.
“Recent security breaches have catapulted the topic of software security to the forefront of business conversations everywhere. Software supply chain security does not just impact the software industry, today every organization needs to bolster their security practices to reduce risk in their cloud-native applications,” said Said Ziouani, CEO of Anchore. “Last month’s Log4j zero-day vulnerability underscores the need for organizations to use SBOMs and automated tooling to reduce the risk of successful attacks and speed remediation of the next zero-day vulnerability.”
Customer Growth
In 2021 Anchore saw 2.5 times growth in ARR from the prior year, as organizations looked to proactively secure their software supply chains against growing exploits. Anchore customers include the largest global enterprises as well as government agencies. In 2021 Anchore welcomed leading Fortune 100 organizations to the customer roster, joining dozens of Global 500 organizations and major software companies that use Anchore technology to secure their software supply chains. New customer NVIDIA uses Anchore to secure containers for AI, machine learning and high-performance computing on the NVIDIA NGC.
Anchore more than tripled its government customers in 2021, adding the U.S. Space Force’s Kobayashi Maru program along with numerous programs across the U.S. Air Force, U.S. Department of Defense, U.S. General Services Administration, U.S. Navy, U.S. Marine Corps and the Defense Information Systems Agency (DISA). Anchore also expanded its relationship with the U.S. Air Force Platform One program with a $4.6M contract to harden its software supply chain with a focus on container scanning technology and services.
Product Expansion
Over the past twelve months the company advanced its software supply chain management capabilities, with multiple releases to the Anchore Enterprise platform. New capabilities include:
Broadened coverage of the software supply chain by making the security status of running images visible to developers and security teams reducing the risk of insecure code being included in production applications.
Expanded remediation capabilities with remediation recommendations and automated workflows.
A new FedRAMP policy pack that enables software vendors and cloud service providers to identify and resolve compliance issues for containerized applications and shorten the timeline to achieve a FedRAMP authority to operate (ATO) certification.
Ability to automate STIG checks for cloud-native applications and provide a unified view of both vulnerabilities and STIG compliance vulnerabilities that are required by the U.S. Department of Defence applications.
A new policy pack that alerts on vulnerabilities found in the CISA catalog of Known Exploited Vulnerabilities.
Rapid Adoption of Open Source Tools
Anchore saw accelerating adoption of its two open source software supply chain security tools that easily integrate into development processes and toolchains. Syft, a tool that performs deep inspection of container images and filesystems to generate an SBOM, now has over 400,000 downloads, representing a 150% increase in the last 5 months. Grype, a vulnerability scanner, now has over 500,000 downloads, an 80% increase in the same time period. Together, Syft and Grype have garnered over 4,500 stars on GitHub, a tenfold increase since the beginning of 2021.