Magic Quadrant for Application Security Testing

Magic Quadrant for Application Security Testing (2017)

Latech, فناوری لاجورد تکوین, لاتک

Published: 28 February 2017

https://www.gartner.com/doc/reprints?id=1-3UH2T9R&ct=170228&st=sb

Summary

Security testing is growing faster than any other security market, as AST solutions adapt to new development methodologies and increased application complexity. Security and risk management leaders must integrate AST into their application security programs.

Strategic Planning Assumptions

By 2019, 80% of application security testing vendors will include software composition analysis in their offerings, up from 40% today.

By 2019, enterprise IAST adoption will have exceeded 30%; however, runtime application self-protection (RASP) adoption will be no more than 10%.

Market Definition/Description

Gartner defines the application security testing (AST) market as the buyers and sellers of products and services designed to analyze and test applications for security vulnerabilities. Gartner identifies three main styles of AST:

  • Static AST (SAST) technology analyzes an application’s source, bytecode or binary code for security vulnerabilities, typically at the programming and/or testing phases of the software development life cycle (SDLC).
  • Dynamic AST (DAST) technology analyzes applications in their dynamic running state during testing or operational phases. It simulates attacks against an application (typically web-enabled applications and services) and analyzes the application’s reactions to determine whether it is vulnerable.
  • Interactive AST (IAST) technology combines inside-out observation of a running application being tested with DAST simultaneously. It is typically implemented as an agent within the test runtime environment (for example, instrumenting the Java Virtual Machine [JVM] or .NET CLR) that observes operation or attacks from within the application and identifies vulnerabilities.

All of the above technology approaches can be delivered as a tool or as a subscription service. Many vendors offer both options to reflect enterprise requirements for both a product and service. The majority of enterprises that develop applications employ some form of AST, but the various technologies differ in adoption and maturity. DAST and SAST are the most widely adopted, while IAST adoption is still growing.
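As an added illustration of the SAST and IAST styles defined above (this is not code from the report or from any vendor it covers), the Python block below applies both styles to one constructed sample application: a static taint scan over the code's syntax tree, which reports a shell sink fed by request input without ever running the code, and an IAST-style observer that instruments the same sink from inside the process while a test request drives each handler. DAST is not shown because it needs a deployed application to send requests to. The sample handlers, the source/sink lists and the spy wrapper are all assumptions made for this illustration.

```python
"""Toy SAST vs. IAST-style check on one constructed sample (not any vendor's tool)."""
import ast
import types

# Constructed sample application: 'handler' builds a shell command from request input
# (an OS command injection pattern); 'safe_handler' passes the value as an argv element.
SAMPLE_SOURCE = '''
import subprocess

def handler(request):
    name = request.args["name"]                         # untrusted input (source)
    greeting = "hello " + name                          # taint propagates
    subprocess.call("echo " + greeting, shell=True)     # shell sink fed by tainted data
    return greeting

def safe_handler(request):
    name = request.args["name"]
    subprocess.call(["echo", name])                     # argv list, no shell parsing
    return name
'''

SOURCE_ATTRS = {"args", "form", "headers"}      # request.<attr>[...] counts as untrusted
SHELL_SINKS = {"call", "run", "Popen"}          # subprocess.<fn>(..., shell=True)


def _names_in(node):
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def _reads_untrusted_source(node):
    """True if the expression subscripts request.args / request.form / request.headers."""
    for n in ast.walk(node):
        if (isinstance(n, ast.Subscript) and isinstance(n.value, ast.Attribute)
                and isinstance(n.value.value, ast.Name)
                and n.value.value.id == "request" and n.value.attr in SOURCE_ATTRS):
            return True
    return False


def _is_shell_sink(call):
    """True for subprocess.call/run/Popen(..., shell=True)."""
    f = call.func
    if not (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
            and f.value.id == "subprocess" and f.attr in SHELL_SINKS):
        return False
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def static_scan(source):
    """SAST style: analyse the code without running it.
    Per function, propagate taint through straight-line assignments and report
    every shell sink whose command expression mentions a tainted variable.
    Returns [(function_name, line_number), ...]."""
    findings = []
    tree = ast.parse(source)
    for fn in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for stmt in fn.body:
            if isinstance(stmt, ast.Assign) and (
                    _reads_untrusted_source(stmt.value) or _names_in(stmt.value) & tainted):
                tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                if _is_shell_sink(call) and call.args and _names_in(call.args[0]) & tainted:
                    findings.append((fn.name, call.lineno))
    return findings


def runtime_observe(source, request_values):
    """IAST style: run the code under test with the sink instrumented from inside.
    A spy replaces subprocess.call in the sample module, a test request drives each
    handler, and every shell=True command that carries the test input is recorded.
    The spy never executes anything. Returns the list of observed commands."""
    observed = []

    def spy_call(cmd, *args, **kwargs):
        if kwargs.get("shell") and isinstance(cmd, str) and any(
                v in cmd for v in request_values.values()):
            observed.append(cmd)
        return 0

    module = types.ModuleType("sample_app")
    exec(compile(source, "<sample_app>", "exec"), module.__dict__)
    module.__dict__["subprocess"] = types.SimpleNamespace(call=spy_call)  # instrument the sink
    request = types.SimpleNamespace(args=dict(request_values))
    for name in ("handler", "safe_handler"):
        getattr(module, name)(request)
    return observed


if __name__ == "__main__":
    print("SAST findings:", static_scan(SAMPLE_SOURCE))
    print("IAST observations:", runtime_observe(SAMPLE_SOURCE, {"name": "alice"}))
```

The static pass needs no test input and pinpoints the line to fix, but it only follows straight-line assignments, so taint through loops, calls or data structures would be missed (a source of false negatives real SAST products spend effort on). The runtime pass sees only the paths the test request actually exercises, but what it reports is confirmed by execution, which is why the report describes IAST as observation "from within the application" during testing.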

This Magic Quadrant focuses on each vendor’s SAST, DAST and IAST offerings, their maturity and their features, delivered as tools or as a service. AST vendors innovating in, partnering for, or offering RASP (a technology that allows applications to protect themselves from vulnerability exploitation at runtime) or software composition analysis (SCA; a technology used to identify the open-source and third-party components in use in an application and their known security vulnerabilities) were weighted more heavily. Mobile application security testing (AST for applications that run on mobile platforms such as iOS and Android) was kept out of scope for this year, but vendors that provide mobile AST were credited for it in terms of AST innovation.

Magic Quadrant

Figure 1. Magic Quadrant for Application Security Testing

Source: Gartner (February 2017)

Vendor Strengths and Cautions

HPE

Hewlett Packard Enterprise (HPE) is a U.S.-based global provider of AST products and services under the Fortify brand. HPE offers Static Code Analyzer (SAST), WebInspect (DAST and IAST), Software Security Center (its console) and Application Defender (monitoring and RASP). HPE provides its AST as a product as well as in the cloud, with Fortify on Demand. DevInspect combines HPE’s SAST with real-time, in-line vulnerability detection that works like a spell-checker (called Security Assistant) in the Eclipse IDE. Security Assistant highlights vulnerable code as the developer programs. It is also available in other versions and license models of the SAST solution.

In September 2016, HPE announced that it would be spinning off its software group to Micro Focus, including the Fortify portfolio, in addition to its IT operations management, security, data analytics, and information management and governance software. The deal is expected to finalize during mid-2017 and the Fortify brand is expected to be maintained.

On the product side, HPE’s efforts have included employing machine learning with crowdsourced and customer historical results data to reduce false positives, as well as integration of Swagger-supported REST APIs to support security testing.

HPE’s AST offerings should be considered by enterprises looking for a comprehensive set of AST capabilities, either as a product or service, or both combined, with enterprise-class reporting and integration capabilities.

STRENGTHS

  • HPE Fortify is a well-known brand worldwide. It very frequently appears on clients’ shortlists, particularly where multiple testing technologies are desired, and was the first AST vendor to provide capabilities in SAST, DAST and IAST.
  • HPE’s SAST has the broadest language support of any of the SAST providers, and its WebInspect IAST agent for Java and .NET is included at no cost for WebInspect DAST tool customers.
  • HPE has one of the strongest SDLC integrations and includes innovative features in this space, such as DevInspect and Security Assistant.
  • HPE has a comprehensive set of enterprise capabilities, such as role-based access control (RBAC), full authentication integration, extensive WAF integration and its own SCA capabilities, as well as integration with Sonatype and Black Duck.

CAUTIONS

  • The spinoff and merger of HPE’s software group with Micro Focus raises concerns for clients about how the newly expanded company will integrate and support the Fortify brand and its customers, and the future commitment of the merged company to the existing roadmap as well as continued innovation and investment in research and development of the AST solutions.
  • Some AST capabilities, such as malware detection, are only available with the Fortify on Demand offering.
  • Clients have frequently mentioned that the on-premises Fortify AST solutions can have a steep learning curve and require extensive configuration to properly integrate and run.
  • IAST support for PHP and Node.js is not yet available.

Veracode

Veracode is a well-established global AST provider with a strong presence in the North American market as well as presence in the European market. Veracode’s offering includes SAST, DAST and SCA cloud services, as well as IAST (and RASP).

In the last 12 months, Veracode launched Greenlight, a SAST service to be used early on in the development process by integrating into the IDE to scan an individual class or file. In addition to Greenlight, Veracode provides the Developer Sandbox, which can statically scan an application or component and measure results without impacting or penalizing developer metrics. Veracode focused some of its recent efforts on extending its language and framework support, as well as SDLC integration, and most recently it announced a single instrumentation agent to provide IAST and RASP capabilities.

Veracode will meet the requirements of organizations looking for a broad set of AST services and that want support for their AST and SCA from a third-party expert with a comprehensive AST solution.

STRENGTHS

  • Gartner clients highly rate the ease of use of the solution, as well as the vendor’s support and willingness to work with customer requirements.
  • Veracode provides a comprehensive AST-as-a-cloud service. The results of all types of testing can be integrated into a single dashboard to simplify vulnerability management and remediation.
  • For integration into SDLC processes, Veracode offers built-in integration with multiple IDEs, bug-tracking systems and build servers, as well as APIs for integration, Greenlight and the Developer Sandbox.

CAUTIONS

  • Veracode does not offer AST tools, only AST as a service, though it provides a virtual scan appliance that can be located on the client’s network to support discovery and testing of internal applications, with scanning configured and controlled via the cloud service.
  • Veracode SAST requires byte/binary code for analysis of compiled languages, such as Java, C/C# and Objective-C. This requires the application to be compiled before being shipped to Veracode for analysis.
  • Veracode’s IAST is still on early availability and needs to establish itself in the market.

IBM

IBM is a global vendor of IT services and products based in the USA. IBM provides a desktop DAST tool (AppScan Standard), a management console and enterprise DAST tool (AppScan Enterprise), and a SAST tool (AppScan Source). IBM also provides IAST in AppScan Standard and Enterprise, via a feature called glass box. IBM Application Security on Cloud (ASoC) is its SaaS offering.

IBM provides Intelligent Code Analytics (ICA) and Intelligent Finding Analytics (IFA), which improve the speed and accuracy of scan results. ICA detects APIs in languages and frameworks, and determines the security implications of those APIs to reduce false negatives. IFA provides automated analysis of scan findings to reduce false positives and provide recommendations to optimize vulnerability remediation.

In the last 12 months, IBM has worked on making features of its on-premises offerings available to its ASoC offering (for example, adding SAST-as-a-service offering for Java and .NET).

IBM will appeal to enterprises seeking a single provider of AST technologies, with IBM offerings in adjacent security areas, looking for an AST solution that can provide risk-based management and a full set of enterprise-class capabilities.

STRENGTHS

  • IBM is a large provider of a complete AST solution (SAST, DAST and IAST) and other security products/services with multiregional presence and delivery capabilities.
  • IBM’s Application Security Management provides risk-centric unified reporting and dashboard functionality and an underlying framework to manage business-impacting security risks in applications.
  • IBM has added innovative SAST functionality to improve accuracy, namely Intelligent Code Analytics (ICA) and Intelligent Finding Analytics (IFA), both of which are delivered via the cloud to on-premises and cloud clients.

CAUTIONS

  • Gartner inquiry feedback indicates IBM solutions are showing up in fewer competitive shortlists than other Leaders, and that a large percentage of AppScan clients leverage it as part of an existing relationship or spend with IBM.
  • The stability and evolution of IBM’s partnership with Cigital to deliver managed, human-augmented DAST services is unclear given the recent acquisition of Cigital by Synopsys.
  • IBM does not have its own SCA, and its integration with partner Black Duck is limited to AppScan Enterprise.
  • IBM’s IAST has not earned brand recognition in this space compared to its direct competitors.

Synopsys

Synopsys is a global company based in Mountain View, California, that has a number of diverse offerings in the software and semiconductor areas. Synopsys has been expanding its application security portfolio in the last few years. In November 2016, during the creation of this research, Synopsys closed the acquisition of Cigital and Codiscope. This acquisition follows a series of application security acquisitions, namely Quotium’s Seeker IAST, Codenomicon, Protecode and Coverity, which provided Synopsys with IAST, SAST and SCA functionalities.

With the acquisition of Cigital, Synopsys integrates DAST as a service and SAST as a service in its offering, while via Codiscope’s SecureAssist, Synopsys integrates a lightweight SAST tool in its offering. Gartner will be closely following the integration of Cigital into Synopsys’s portfolio of security testing technologies.

Synopsys is well-positioned in the Internet of Things (IoT) AST space, where it supports a broad range of protocols, such as XMPP, Message Queuing Telemetry Transport (MQTT), Constrained Application Protocol (CoAP) and Advanced Message Queuing Protocol (AMQP), via Defensics.

Synopsys should be considered by organizations looking for a complete AST offering, and wanting variety in terms of AST depth capabilities, deployment options and licensing.

STRENGTHS

  • Synopsys’s Seeker continues to be one of the most broadly adopted IAST solutions, providing a wide range of language coverage and good SDLC integration.
  • Cigital 3D licensing provides flexible options for organizations to choose among three levels of SAST and DAST testing for any application, for a fixed yearly cost.
  • Codiscope’s SecureAssist provides strong integration with IDEs to provide a SAST spellchecker early on in the development phase.

CAUTIONS

  • Interaction with Gartner clients shows that Synopsys, unlike the AST vendors it has individually acquired, is not yet a well-recognized AST brand, especially outside North America.
  • Even though Synopsys has a positive track record in handling acquisitions, it remains to be seen how it will manage to integrate all the Cigital AST offerings with the ones from its previous acquisitions.
  • Synopsys does not offer a DAST on-premises product or an automated DAST offering.

WhiteHat Security

WhiteHat Security, based in the U.S., is a global provider of DAST and SAST as a service. It was one of the pioneers for DAST as a service. WhiteHat’s AST suite, Sentinel, also provides SAST as a service, using an on-premises appliance to keep scanning local. Its SAST solution can scan both binaries and source code. The results of all of WhiteHat’s DAST and SAST scans are reviewed by an expert in WhiteHat’s Threat Research Center before delivery to the customer.

WhiteHat Security provides risk management capabilities, such as Factor Analysis of Information Risk (FAIR)-based quantification of application risk, the WhiteHat Security Index (WSI) for comparisons with peers and a dedicated customer success manager. In the last 12 months, WhiteHat focused on adding binary analysis and additional languages to its offering, as well as expanding its SDLC integration options.

WhiteHat Security should be considered by organizations looking to outsource their DAST and (to a lesser degree) SAST practices to an expert third-party testing service provider with a scalable solution.

STRENGTHS

  • WhiteHat Security is widely visible and has a very strong reputation as a DAST-as-a-service provider among Gartner clients.
  • WhiteHat Security offers the ability to interact via chat with a security engineer from the Threat Research Center to answer questions and offer remediation guidance on demand through the UI.
  • The WSI provides a visual overview of the robustness of the website and scores the overall application security posture, and also allows for comparison of metrics with peers via the Peer Benchmarking dashboard.

CAUTIONS

  • WhiteHat Security does not sell DAST and SAST tools, only testing services. However, its on-premises virtual appliance can keep scanning locally, including SAST.
  • WhiteHat Security provides SAST for a limited number of programming languages, despite having recently added languages to its offering, and is not frequently included in shortlists where SAST is the primary requirement.
  • WhiteHat does not provide IAST.

Checkmarx

Checkmarx is an AST vendor based in Israel with a strong reputation for its SAST solution. Checkmarx has significant presence in North America and Europe, while it also serves the Asia/Pacific (APAC) region. Checkmarx provides CxSAST, which is a SAST product with broad language coverage that provides a variety of options to customize it for specific applications. Checkmarx also provides SCA under the name of Checkmarx Open Source Analysis, and AppSec Coach, which is a developer education platform for secure coding. Checkmarx Managed Services provide services to help development organizations integrate application security testing within their SDLC.

Over the last 12 months, Checkmarx has introduced AppSec Coach as an in-workflow developer education platform for application security and secure coding training. It has added analysis of open-source components via its Checkmarx Open Source Analysis offering as a result of its partnership with WhiteSource. Checkmarx has also experienced significant growth and has obtained substantial market share in the SAST space.

Checkmarx appeals to application development and security organizations that are seeking a comprehensive SAST tool for a variety of programming languages and frameworks, with advanced customization possibilities, low turnaround times and a full set of options for integration in the SDLC.

STRENGTHS

  • Checkmarx offers one of the strongest SAST technologies, which supports a broad variety of programming languages and frameworks beyond only the most common ones, such as Java and .NET.
  • Checkmarx has one of the most complete integrations in the SDLC, including source code repositories, build systems, bug-tracking systems, integrated development environments (IDEs) and quality assurance (QA) testing tools.
  • The SAST tool can test composite applications, and provide scalability and quick turnaround times via incremental and parallel tests, as well as the ability to write custom queries to discover vulnerabilities or check for code adherence to secure programming best practices.
  • Checkmarx gets very good marks from users for ease of use and low learning curve.

CAUTIONS

  • Even though Checkmarx partners with Rapid7 for DAST, Checkmarx’s focus on SAST makes it less suitable for situations where an all-in-one suite is desired.
  • Checkmarx’s IAST solution is in beta, while its RASP technology has not come out of beta.
  • While Checkmarx offers a cloud-based version of its SAST product, the majority of clients use the on-premises tool.
  • Its SAST integration with WAFs supports only ModSecurity, and not popular commercial WAFs.

Acunetix

Acunetix is a Malta-based provider of DAST and IAST with a strong presence in the North American and European markets. Its primary offering is an on-premises vulnerability scanner (formerly referred to as Web Vulnerability Scanner [WVS] and now called Acunetix). Its Acunetix Online service delivers Acunetix as a service (formerly referred to as Online Vulnerability Scanner [OVS]). Acunetix provides integrated IAST via AcuSensor for PHP and .NET. Acunetix also provides a free suite of manual tools that includes an HTTP Fuzzer and HTTP Sniffer.

Over the last 12 months, Acunetix has centered its efforts on providing a new dashboard, improving reporting and management of vulnerabilities, as well as improving multiuser and multirole capabilities. Acunetix has also added SDLC and web application firewall (WAF) integration options.

Acunetix should be considered by organizations looking for DAST with advanced functionality and integrated IAST, as well as organizations seeking a tool for manual web penetration testing.

STRENGTHS

  • Acunetix has a strong reputation for its extensive DAST capabilities, such as being able to parse complex client-side JavaScript applications to test for vulnerabilities via its DeepScan crawling technology.
  • Acunetix’s AcuMonitor can identify vulnerabilities that do not provide any response to a scanner (for example, blind cross-site scripting [XSS]) by providing the scanner with access to an intermediary service that monitors the application over time for vulnerabilities.
  • Acunetix offers integrated IAST included at no additional cost with both of its offerings.

CAUTIONS

  • Acunetix does not have SAST capabilities, nor does it partner to offer these.
  • Acunetix and Acunetix Online do not share policies and configurations for organizations that may use both.

Trustwave

Trustwave is a worldwide provider of security-related products and services, based in Chicago and owned by Singtel since 2015. Trustwave offers a portfolio of application-layer products and services, including web application firewalling, web application vulnerability assessment, network vulnerability scanning and database activity monitoring. Trustwave is a well-known player in the managed security services and Payment Card Industry Data Security Standard (PCI DSS) assessment markets.

Trustwave is focused on offering DAST products (App Scanner Enterprise) and cloud-based services. In its Managed Security Testing (MST) offering, there are options for application penetration testing, managed application scanning and self-service application scanning.

In the last 12 months, Trustwave has focused on expanding DAST attack capabilities, such as enhancing support for testing of REST services, handling scans that were affected by account lockout and verifying XSS vulnerabilities.

Trustwave should be considered by organizations looking for an enterprise-class DAST solution with product and service options at competitive pricing, or a “one-stop shop” for PCI-compliance-related products and services.

STRENGTHS

  • Trustwave’s comprehensive portfolio of technologies and managed security services remains well-known for its support of PCI DSS.
  • Trustwave provides a number of options for integration in the SDLC, including IDE, bug-tracking, quality testing and a number of WAF tools, including Trustwave’s own WAF and the ModSecurity commercial ruleset.
  • Trustwave’s proprietary Hailstorm Application Risk Metric (HARM) risk scoring provides high-level management, customization and view of risks across the portfolio, helping organizations prioritize remediation and testing by risk.

CAUTIONS

  • Trustwave does not offer a SAST product or service, or application vulnerability correlation, nor does it partner to provide these.
  • Trustwave does not offer IAST capabilities, nor does it partner to provide this.
  • Trustwave rarely appears in Gartner client inquiries where PCI DSS compliance is not a main driver.

Qualys

Qualys, based in Redwood City, California, is a provider of cloud-based security services. It has a strong presence in North America and APAC, as well as a presence in the European market. Qualys offers Web Application Scanning (WAS), which is a DAST service that is completely automated and integrates with the other Qualys security services in the Qualys Cloud Platform. Qualys provides WAS through an affordable yearly subscription, as well as pay-per-scan licensing.

In the last 12 months, Qualys has focused on improving DAST scanning for modern web applications, introducing SmartScan for testing web applications leveraging Ajax and new frameworks, and enhancing testing for DOM-based XSS.

Organizations looking for a lower-cost automated DAST service that provides WAF integration and malware scanning should consider Qualys.

STRENGTHS

  • Qualys WAS is quite visible in the DAST market, and customer feedback indicates that WAS is relatively straightforward to deploy and use.
  • Qualys provides extensive WAF integration, including its own WAF-as-a-service offering.
  • Qualys WAS provides malware scanning at no additional cost.

CAUTIONS

  • Qualys offers no IAST, SAST or SCA capabilities, nor does it partner to offer these.
  • Qualys WAS does not provide certain types of authentication options, such as OAuth.
  • Qualys WAS does not provide any human augmentation options.

Rapid7

Rapid7 is a provider of security, data and analytics software and IT services based in Boston, Massachusetts. It has a strong presence in the North American market, as well as a presence in the European market. In the AST space, Rapid7 provides DAST. Its offering consists of an automated web app scanner called AppSpider Pro, an enterprise portal called AppSpider Enterprise and DAST as a service under the name of AppSpider Enterprise OnDemand. In addition, Rapid7 provides AppSpider Managed Services, which offer the same on-demand DAST in a completely outsourced fashion.

In the past 12 months, Rapid7 has focused on improving DAST scanning for modern web applications, including support for automated testing of Swagger-enabled REST APIs and supporting frameworks used in single-page web applications.

Rapid7 should be considered by organizations looking for DAST as a competitive alternative to the larger providers.

STRENGTHS

  • Rapid7’s “universal translator” technology allows its DAST solution to adapt to, parse and attack new and complex web applications, involving REST, JSON, JavaScript and other technologies.
  • AppSpider has good SDLC and enterprise integration capabilities, including plug-ins with bug-tracking tools, WAF and IPS products.
  • Rapid7 gets mostly good marks from users for ease of use and reporting.

CAUTIONS

  • Rapid7 does not provide SAST capabilities of its own; SAST is available only through its partnership with Checkmarx.
  • Rapid7 does not provide any SCA functionality.
  • Rapid7 does not support distributed scanning with its DAST offering.
  • Rapid7 does not provide IAST, nor does it partner to provide it.

Latech Solution in Application Security Testing

  • HPE Fortify – HPE WebInspect – Micro Focus
  • Checkmarx – Rapid7 AppSpider – Tenable Nessus
  • HPE LoadRunner – HPE UFT – PortSwigger Burp Suite
  • Core Impact Professional – Immunity Canvas