GigaOm Radar for Application Security Testingv1.0

1. Summary

Application security testing exercises an application at some point in its lifecycle. Traditionally, that testing took place at the end of development, as a last gateway step to deployment, and it required substantial amounts of IT resources. However, modern application security testing solutions are highly automated, making them viable almost anywhere in the development process—without expending all those resources. The application testing market has also merged with the traditional development security tool market. This Radar is our first report taking that merger into account by including both traditional source security tools with active application testing tools.

In the end, organizations care about getting security testing done, and we feel the two markets overlap enough at this point to focus on what organizations need—test tools that cover any point in the broad range of application security.

Testing involves developing test scenarios and running them against the target application. Some modern tools also allow automated generation of test suites that can be run against target applications.

Modern application security testing focuses on different points in the application development and deployment process and utilizes different targets with different requirements. For platforms, application security testing solutions must support web applications with scanning and/or scripting technologies, while most also support APIs and some support mobile applications. A select few support traditional client-server or mainframe applications as well.

Running tests requires some form of test runner, and vendors offer these either through agents or directly from the server or SaaS solution. While it is possible for static application security testing (SAST) to feed into these solutions, nearly all of them are implemented as straight dynamic application security testing (DAST), with a test engine that users can write specific tests against. Some offer bundles of tests to customize, so checking for common issues becomes a simple case of changing a few variables and adding the test to a test suite.

The solutions in this technology space have long been purchased and utilized by information security teams, and that is still somewhat true, but as with most IT technology today, these solutions are increasingly being sought out by DevOps or SRE teams. This is particularly true of products and services that focus on the development security side of application security testing, but newer technologies like software composition analysis (SCA) and container security are also often purchased by DevOps teams.

No matter who implements these tools or why, the results they generate include detailed vulnerability lists, compliance reporting, and information about dead-end code that is no longer needed and should be removed. This means that CISOs, compliance teams, security teams, CIOs, SREs, and DevOps teams all benefit by being able to identify weak places in any given application.

Modern solutions are automated enough to initiate test suites from within the DevOps process, feeding results back into common DevOps tools and generating the vulnerability reports these tools have always created. This is critical in modern environments, where the rate of change is accelerated and testing must keep up.

This GigaOm Radar report highlights key application security testing vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report “Key Criteria for Evaluating Application Security Testing Solutions,” we describe in more detail the key features and metrics that are used to evaluate vendors in this market.

All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

• Web application testing
• Role-based access control (RBAC)
• Test reuse
• Manual testing
• Automation
• OWASP support