GigaOm Radar for Development Securityv2.01

1. Summary

Development security is not a new topic, but the need for it is the strongest it has ever been. Security was already lagging when development operations (DevOps) and agile processes increased the rate at which software and features were being created, and all that new development needs protection from an increasingly aggressive adversary base. As such, security scanning should be built into the software development process to help safeguard your code.

Static scanners have been around for decades, offering feedback on code quality. From security functionality added to lint code analysis tools to full-on static application security testing (SAST), the source code analysis field has grown as the need for increased security scanning has grown.

However, the need for different types of analysis has become apparent. Development security tools added dynamic application security testing (DAST) to their product offerings to address perceived gaps in SAST solutions. DAST looks at the completed code and runs it in a sandbox environment to simulate attacks and determine whether there are vulnerabilities that were not obvious from static analysis. Some tools also offer interactive application security testing (IAST), which tests the completed application as it runs or will run in production. IAST testing considers the entire application and its environment when performing tests, and sometimes discovers vulnerabilities that were not found with the other testing methods.

Nearly all static analysis is based on the tool having an awareness of what is included in the build. By knowing that a given open-source library was included, tools can look for documented vulnerabilities in that library. To do this, however, a software inventory needed to be created within the tool, a type of analysis known as software composition analysis (SCA). Compliance requirements and security teams wanting to better understand their exposure have driven many of these tools to offer that inventory externally instead as a software bill of materials (SBoM).

Finally, organizations wanting their development security solution to also offer runtime protections from zero-day attacks while the code is changed have impelled vendors to offer runtime monitoring and/or protection. While not the only kind of runtime protection, runtime application security protection (RASP) is the predominant implementation. Some solutions offer runtime functionality directly while others do so through integrations. As this market continues to evolve, we expect all vendors to offer either monitoring or protection and most to do so natively, rather than through integrations.

While our companion Key Criteria report offers comprehensive guidance on what is important, evaluators will first and foremost want to determine fit for their organization, finding answers to the questions, “Does the tool support the languages, integrated development environments (IDEs), build tools, and operating environments my organization uses?” Next, they should consider the breadth of the offering. “Does the tool cover the range of features and capabilities my organization needs?” The best, most insightful source security analysis tool is worthless if it can’t be used in a given environment.

his GigaOm Radar report highlights key development security vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report “Key Criteria for Evaluating Development Security Solutions,” we describe in more detail the key features and metrics that are used to evaluate vendors in this market.