Table of Contents
- Summary
- Market Categories and Deployment Types
- Key Criteria Comparison
- GigaOm Radar
- Vendor Insights
- Analyst’s Take
- Methodology
- About Jon Collins
- About GigaOm
- Copyright
1. Summary
As we learned in the associated report, “Key Criteria for Evaluating DevSecOps Tools,” the field of DevSecOps is part principle and part tooling. The principle hinges on bringing security best practices as early as possible into DevOps-based software creation, delivery, and operation—so-called “shift-left.” The tooling should enable this to take place.
We can see DevSecOps tooling as the set of capabilities that directly increases pipeline governance to reduce application and infrastructure risk, without increasing associated costs and overheads. DevSecOps tools offer capabilities that automate best practices, augment the pipeline, and support development activities, addressing security challenges across the software development and operations.
As we consider how to evaluate vendors for DevSecOps, we need to take two points into account:
- All vendors involved in improving application security can contribute to an organization’s overall DevSecOps stance.
- Many vendors are aligning themselves to DevSecOps, even though their solution set is not particularly specific to improving security across the DevOps pipeline.
In this report, we have identified a number of vendors that address the specific needs of DevSecOps, which we articulate in this report as table stakes, key criteria, and evaluation metrics. While we assess 10 vendor solutions here, we ruled out many more, including several offering capabilities such as software composition analysis (SCA) and static application security testing (SAST) with CI/CD APIs. This alone was not deemed sufficient to define a vendor solution as falling into the DevSecOps category. For example, a number of providers that do not appear in this report offer scanning capabilities that merited review in our forthcoming Key Criteria and Radar Report on Vulnerability Management.
With all this in mind, read on.
How to Read this Report
This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding consider reviewing the following reports:
Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.
GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.
Vendor Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.