Synopsys, Checkmarx Top Gartner MQ for App Security TestingVeracode, Micro Focus, and HCL Software Were Also Recognized as Leaders by Gartner
Synopsys and Checkmarx sit atop the Gartner Magic Quadrant for application security testing as more functions shift into the hands of development and operations teams.
Gartner Magic Quadrant authors Dale Gardner, Mark Horvath and Dionisio Zumerle say that applications are increasingly moving from their existing environment into the cloud, creating a lack of understanding around both the cloud attack surface and defense options. In addition, Gartner finds that more than half of software engineering leaders are now responsible for application security design and testing tasks.
"Given that both developers and security teams are moving at a fast pace, neither has a lot of spare time to understand the details and consequences of the other team's technology," the authors write. "This can lead to awkward, costly delays and exposure."
Gartner heaped praise on Synopsys for having the most complete vision and strongest execution ability around application security testing among the 14 vendors evaluated, while Checkmarx took the silver in both categories. Veracode was awarded bronze for its execution ability, while HCL Software took the bronze for completeness of vision. Micro Focus was also recognized as a leader by Gartner (see: CrowdStrike, Microsoft, Trend Micro Top EDR Forrester Wave).
"Leaders should be able to support the testing of mobile applications and should exhibit strong execution in the core AST [application security testing] technologies they offer," the authors write. "Although they may excel in specific AST categories, leaders should offer a complete platform with strong market presence, growth and client retention."
Gartner's take on the application security testing market was quite similar to last year, when the technology research firm also named Synopsys, Veracode, Checkmarx, HCL Software and Micro Focus as its overall leaders. But the specific rankings were different, with Veracode narrowly trailing Synopsys for the lead in execution ability and narrowing trailing Checkmarx for the silver in completeness of vision. Synopsys took the gold.
Outside of the leaders, three vendors were named as application security testing visionaries in 2022: Contrast Security, Data Theorem and Rapid7. GitLab, Invicti and Snyk were named application security testing challengers by Gartner, and GitHub, NTT Application Security and Onapsis rounded out the Magic Quadrant as niche players.
"The major driver in the evolution of the AST market is the need to support enterprise DevSecOps and cloud-native application initiatives," the authors write. "Customers require offerings that provide high-assurance, high-value findings, while not unnecessarily slowing down development efforts."
Synopsys Automates Security Testing
Synopsys has focused over the past year on automating security testing activity so that it can run in parallel to the development pipeline rather than interrupting it, according to Jason Schmitt, general manager of the software integrity group. The offering can determine when a test should be run, isn't intrusive to the development pipeline and works with both Synopsys and third-party tools, Schmitt says.
The company sets itself apart from other application security testing firms through strategic consulting capabilities that go beyond the products Synopsys sells and deep partnerships with large services firms, Schmitt tells Information Security Media Group. This allows Synopsys to address the people and process side of application security and apply risk management to complex software development processes.
"Educating people and changing processes is more important than just the tooling and technology," Schmitt says. "This allows us to look at it more holistically than just dropping a tool and hoping for the best."
Gartner criticized Synopsys for complex pricing and limitations from a reporting perspective. Schmitt says Synopsys has made big strides in allowing customers to price across all products in a consistent manner and has focused on providing a more common reporting experience across all products as well as generating insights beyond reporting that provide customers with analysis and insight.
"What we're really thinking about is going beyond testing programs and figuring out how we can look holistically at software from any source and then build trust in the software from the perspective of identifying where the software came from, what makes it up, and can we trust it," Schmitt says.
Checkmarx Correlates Different Test Types
Over the past year, Checkmarx has released an application security testing platform on the public cloud that can simultaneously run code through static testing, interactive testing and dynamic testing and correlate the results from all the engines using an analytical lens, says Chief Revenue Officer Roman Tuma. The correlation process gives organizations a more accurate view of vulnerabilities in their code.
The company has also invested in software composition analysis scanning, which examines not only the code itself but also the reputation of the code and where it is sourced from, Tuma says. Checkmarx can bundle its testing with managed or consulting services to get customers on track as quickly as possible and increase consumption of the company's offerings, he tells ISMG.
"Being a leader for the past five years gives us visibility into what the threat vectors generally are," Tuma says. "We are capable of seeing some of the threat vectors before they actually become vulnerabilities because of the research we put in."
Gartner criticized Checkmarx for high costs and relying on a partnership with Invicti to provide dynamic application security testing, or DAST. Tuma says Checkmarx has retooled and simplified its pricing to offer it all on a per user, per month basis, and determined it was commercially and strategically better to partner around DAST than to acquire or develop the capability on its own.
"Our view is that API security will become prevalent over DAST and IAST [interactive application security testing] in the long run," Tuma says. "So for us, [it's about] being able to take Invicti and put it on our platform and then make sure we deliver something more cutting-edge to our clients in the long run, which should be API security."
Veracode Pursues Market Expansion
Veracode has doubled down on market expansion of its application security testing platform, building out a dedicated instance in the European Union that satisfies data residency requirements, and has launched a FedRAMP certified instance that will be available to U.S. government customers, says CEO Sam King. This allowed Veracode to work with European customers who didn't want their data going to the U.S.
The company has a huge amount of data and intelligence about vulnerabilities in software applications, which King says allows Veracode to benchmark how a customer's security posture compares to their peers as well as industry best practices. The benchmarking and insights have made it easier for CISOs to respond to scrutiny they've received from the board and members of the executive team, he says.
"It's not just about scanning code and finding these vulnerabilities," King tells ISMG. "It's ultimately about fixing these vulnerabilities. We have put a lot of effort into thinking about the process and the expertise that we can provide to our customers to help them ultimately fix these security vulnerabilities, and better yet have their developers not even create these vulnerabilities to begin with."
Gartner criticized Veracode for not providing fuzzing or Infrastructure as Code - IaC - scanning and for having limited support for container security scanning. King says Veracode has been researching container security and IaC scanning and wants to incorporate them into the platform, but over the past year the company had prioritized bringing Veracode's capabilities to the global stage and becoming less North America-centric.
"I like to have our team do their own research and proof of concept to firm up our thinking around, 'What is a good capability in this area?'" King says. "Once we do that, we can make a more educated decision around, 'Are we going to build this on our own or are we going to buy something in this area? And if we're going to buy something in this area, what are the criteria that we're looking to satisfy?'"
Micro Focus Safeguards Cloud Code
Micro Focus has launched a full suite of capabilities around infrastructure as code security to natively assess Amazon Web Services, Microsoft Azure and Ansible templates in the firm's static analysis offering without having to use third-party tools, says Dylan Thomas, head of Fortify product management. This can ensure developers aren't unintentionally opening up access when deploying to the public cloud.
Developers aren't used to thinking about network security and the configuration of cloud environments, and Thomas says extending to more languages, such as Ansible, and covering additional threat vectors in AWS and Azure will keep developers secure. Micro Focus has also rolled out an API discovery capability that's fully integrated with the API testing process that pulls in relevant files and enhances automation.
"When developers are defining how they deploy to AWS or Azure or GCP [Google Cloud Platform], helping them know that they're not inadvertently opening up access that shouldn't be there and that they're using proper security principles is critical," Thomas tells ISMG.
Gartner criticized Micro Focus for a complex on-premises user interface, the lack of stand-alone passive IAST and the cost of the product line. Thomas says customers can get up and running on the Fortify app in a single day, the company now offers a freemium product line that makes it easier for customers to get started at no cost and Micro Focus sees DAST as more ultimately essential for clients than IAST.
"The inherent limitation of IAST is that it's only as good as the quality assurance tests that you have in place, whereas running dynamic testing allows you to test the full scope of the application - both how it was intended to be used and how it was intended not to be used, which is often how an attacker is going to try to exploit," Thomas says.
HCL Software Sees Need for Speed
HCL Software has invested in statistical analysis and machine learning for its dynamic application security testing offering so that customers can scan their code more quickly and more precisely pinpoint where vulnerabilities might be, Head of Marketing Peter Tran tells ISMG. New auto-remediation features can help customers fix code more quickly as they're standing up an application, he says.
The company has made a tremendous investment around the application scanning technology it acquired, Tran says, releasing hundreds or thousands of new features and capabilities. HCL Software works with a significant number of Fortune 1000 or Global 2000 companies, and Tran says the company excels in fixed location analysis as well as providing customers with a broad and deep suite of products.
"As we listen to our customers talk about what their needs are, it's about getting things done faster, identifying where the vulnerabilities are and really pinpointing what the problems are, so they can fix it quickly and fix it accurately," he says.
Gartner criticized HCL Software for complex pricing models, lackluster technical support and user interfaces, and relying on third-party technology for its software composition analysis, or SCA, product. Tran says HCL's technical support scores well in customer surveys, the SCA product works well and is complementary to other capabilities and that the company has worked to simplify its pricing.