The Gartner Magic Quadrant for Application Security Testing 2020 reports a 50% increase in 2019 in the number of end-user client conversations about DevSecOps and AST (Application Security Testing) tools.
According to the report, users continue to adopt DevOps methods like integrating security into the software development lifecycle from the earliest stages of development. Additional trends in AST tools include a 65% increase in attention to container security, as well as increased interest in the detection of known open source vulnerabilities.
We’ve put together an overview of the Gartner Magic Quadrant for AST to provide you with the key takeaways, including new and continuing trends in the market, and what organizations should look for when adopting AST tools.
According to Gartner’s definition, the AST market includes “the buyers and sellers of products and services designed to analyze and test applications for security vulnerabilities.” One notable change in the Magic Quadrant is that it added SCA (Software Composition Analysis) to the AST technologies included in the report. The report now focuses on four AST technologies:
#1 SCA (Software Composition Analysis) detects open source and third-party components in applications and tracks their known security vulnerabilities and licenses.
#2 Static AST (SAST) analyzes an application’s source, bytecode, or binary code for security vulnerabilities, typically during the programming and/or testing phases of the software life cycle (SLC).
#3 Dynamic AST (DAST) analyzes applications in their dynamic, running state during testing or operational phases. It simulates attacks against an application (typically web-enabled applications, services, and APIs), analyzes the application’s reactions, and determines whether it is vulnerable.
#4 Interactive AST (IAST) combines elements of DAST with simultaneous instrumentation of the application under test. It is typically implemented as an agent within the test runtime environment (e.g., instrumenting the Java Virtual Machine [JVM] or .NET CLR) that observes operation or attacks and identifies vulnerabilities.
The addition of SCA tools is not surprising, since this is one of the fastest-growing application security technologies. It’s important to note that as SCA technologies continue to evolve, a substantial gap still exists between the maturity level of SAST and IAST vendors offering SCA and the pure-play vendors focusing exclusively on SCA.
According to the Gartner Magic Quadrant, the need to support enterprise DevOps initiatives moved the evolution of AST tools forward. The days of DevSecOps are upon us, and that means customers are looking for technologies that offer “high-assurance, high-value findings while not unnecessarily slowing down development efforts.”
This generation of AST tools is expected to support a shift left approach, allowing security to be integrated into the earlier stages of development. This approach requires giving developers, rather than security specialists, more responsibility over testing. Gartner also focused on the rising popularity of containerized environments for cloud-native applications in particular.
Gartner makes a distinction between broadening and deepening, two strong trends observed this year in AST tools.
Broadening refers to solutions that offer all-inclusive platforms providing some combination of SAST/DAST/IAST/SCA, with integrated reporting, CI/CD integration, and support for developers in the IDE. Gartner notes that strengths and weaknesses vary from tool to tool in each of these “broad” offerings.
Deepening, on the other hand, is the approach other vendors are taking, focusing on providing specific tools or technologies that specialize in doing a few things very well. According to Gartner, many of these solutions combine aspects of deep security testing with other functions, like code quality analysis, business-critical apps, or specific types of testing that the “broad” offerings don’t fully or successfully address.
The Gartner 2020 Magic Quadrant for AST also reports a number of new DevSecOps trends and the AST toolsets that attempt to support them:
#1 Developers Are Taking over AppSec
Security and compliance testing are being integrated into development, and developers are taking more responsibility over security, performance, reliability, and code quality. In order to enable developers to address application security and other areas without slowing down development, some AST tools are integrating into their IDEs and CI/CD toolchain so that they can own their code from within their native environments.
#2 Open Source Security Vulnerabilities Detection
Organizations are becoming more aware of the importance of open source components and integrating SCA solutions, including specialized offerings and SCA tools that are part of broader offerings.
#3 Vulnerability Prioritization
Security and development teams are beginning to accept that it’s nearly impossible to address all vulnerabilities found in their code. Instead, they are beginning to direct their attention to the most urgent issues, addressing vulnerabilities with the highest impact and risk first.
#4 Container Security
Development teams are adopting more containerized environments and becoming more aware of container security. According to Gartner, while “vendors are starting to deliver options for covering some of the container and microservice attack surfaces,” most container security tools don’t supply a comprehensive solution yet.
As security shifts left, quick remediation is becoming a priority for developers. Vendors have begun enhancing their fix suggestions, making them more context-aware, providing more specific instructions as well as options for manual review, and developing technologies for eliminating false positives.
The Gartner Magic Quadrant reports that while AST vendors are most focused on “better accuracy, faster results, easier integrations and enhanced remediation guidance,” Gartner client inquiry feedback reflects that remediation guidance, testing speed, and accuracy are areas that still require improvement. In addition, many AST solutions are still complex and time-consuming for clients to adopt, integrate, and scale.
Gartner warns that when DevSecOps is a priority, “incompatible security technologies can impede progress, in which case development and security teams risk being driven further apart rather than becoming better collaborators.”
Gartner makes the following recommendations to organizations interested in adopting the AST tools that best support their DevSecOps efforts:
#1 Adopt tools that integrate easily into all phases of the DevSecOps pipeline (including IDE, build, repository, QA, and pre-production), to enable shifting security left, fixing issues early in development, and improving coordination between development and security.
#2 Make sure that your AST tools also cover comprehensive testing of APIs, as well as containers, single-page applications, microservices, serverless, and other aspects of modern development and distributed systems.
#3 Include SCA technologies in your AST strategy. Gartner recommends focusing on SCA solutions that enable proactive open source policy enforcement throughout development, from the moment components are added to the codebase to production, “to alert to new vulnerabilities as they become known.”
#4 Choose a solution that helps developers prioritize vulnerabilities rather than attempting to fix them all. Enable teams to easily manage their vulnerabilities without wasting costly development time.
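As an added illustration of recommendations #3 and #4 (this is not code from Gartner or from any vendor the report covers), the following Python script models the kind of dependency gate a pipeline could run whenever a component is added or updated: it checks a lockfile-style manifest against an advisory list, ranks the findings by severity and CVSS so the highest-risk issues surface first, applies a license allowlist, and returns a build decision. All package names, versions, advisory ids, licenses and scores are constructed sample data; the introduced/fixed range format is an assumption loosely modelled on OSV-style version ranges.

```python
"""
Minimal SCA-style dependency gate for a CI pipeline (added illustration,
not Gartner's or any vendor's code). All data below is constructed.
"""
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed lockfile-style manifest: component -> pinned version and license.
MANIFEST = {
    "examplelib": {"version": "2.2.0", "license": "MIT"},
    "netparse": {"version": "1.4.0", "license": "Apache-2.0"},
    "oldcrypto": {"version": "0.9.1", "license": "GPL-3.0-only"},
    "safeutil": {"version": "3.0.0", "license": "MIT"},
}

# Constructed advisory feed. Each entry carries an OSV-like range (assumption):
# a version is affected if introduced <= version < fixed; fixed=None means no patch yet.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "examplelib", "introduced": "0",
     "fixed": "2.3.1", "severity": "critical", "cvss": 9.8},
    {"id": "ADV-EXAMPLE-002", "package": "netparse", "introduced": "1.4.0",
     "fixed": "1.4.2", "severity": "medium", "cvss": 5.3},
    {"id": "ADV-EXAMPLE-003", "package": "oldcrypto", "introduced": "0",
     "fixed": None, "severity": "high", "cvss": 7.5},
    {"id": "ADV-EXAMPLE-004", "package": "netparse", "introduced": "1.0.0",
     "fixed": "1.2.0", "severity": "high", "cvss": 7.1},   # already fixed in 1.4.0
    {"id": "ADV-EXAMPLE-005", "package": "safeutil", "introduced": "0",
     "fixed": "3.0.0", "severity": "low", "cvss": 3.1},    # 3.0.0 is the fixed version
]

ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def parse_version(text: str) -> tuple:
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


@dataclass
class Finding:
    advisory_id: str
    package: str
    installed: str
    severity: str
    cvss: float
    fixed_in: Optional[str]


def scan(manifest: dict, advisories: list) -> list:
    """Match advisories to installed versions and order them highest risk first."""
    findings = []
    for adv in advisories:
        dep = manifest.get(adv["package"])
        if dep and is_affected(dep["version"], adv["introduced"], adv["fixed"]):
            findings.append(Finding(adv["id"], adv["package"], dep["version"],
                                    adv["severity"], adv["cvss"], adv["fixed"]))
    # Prioritization: severity, then CVSS, then fixable issues before unpatched ones.
    findings.sort(key=lambda f: (-SEVERITY_RANK[f.severity], -f.cvss, f.fixed_in is None))
    return findings


def evaluate_policy(findings: list, manifest: dict, allowed_licenses: set,
                    fail_at: str = "high") -> dict:
    """Return a build decision ('fail', 'warn' or 'pass') with human-readable reasons."""
    status, reasons = "pass", []
    threshold = SEVERITY_RANK[fail_at]
    for f in findings:
        fix = f"upgrade to {f.fixed_in}" if f.fixed_in else "no fixed version published"
        reasons.append(f"{f.advisory_id}: {f.package} {f.installed} "
                       f"({f.severity}, CVSS {f.cvss}); {fix}")
        if SEVERITY_RANK[f.severity] >= threshold:
            status = "fail"
        elif status != "fail":
            status = "warn"
    for name, dep in manifest.items():          # license policy is enforced alongside vulns
        if dep["license"] not in allowed_licenses:
            status = "fail"
            reasons.append(f"{name}: license {dep['license']} is not on the allowlist")
    return {"status": status, "reasons": reasons}


if __name__ == "__main__":
    decision = evaluate_policy(scan(MANIFEST, ADVISORIES), MANIFEST, ALLOWED_LICENSES)
    print(decision["status"].upper())
    for reason in decision["reasons"]:
        print(" -", reason)
```

Wiring `evaluate_policy` into a build step and failing the job on `"fail"` gives the proactive, continuous enforcement the recommendation describes; re-running the same check on a schedule against a refreshed advisory list is what turns it into an alert for vulnerabilities that become known after a component was added.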
The Gartner 2020 Magic Quadrant for AST foresees that software development and security teams will have to continue to speed up development while testing more complex applications. This requires the DevSecOps practice of integrating automated AST tools throughout the development lifecycle, from the earliest phases of development.
Choosing the right AST tools, ones that enable quick and accurate testing and can be integrated seamlessly into development environments, is key. It’s important that organizations keep in mind the increasing complexity of modern development environments as well as the evolving security landscape. This will allow security and development teams to test easily, without sacrificing speed or agility.