Beyond the Quadrant 2017

This year’s Gartner Magic Quadrant for Application Security Testing₁ has published, and while many people read the report for the vendor assessments, the authors offered some insight into the overall application security market. In the report, first time AST Magic Quadrant authors Dionisio Zumerle and Ayal Tirosh commented that the “security testing is growing faster than any other security market, as AST solutions adapt to new development methodologies and increased application complexity. Security and risk management leaders must integrate AST into their application security programs.”₁

The rapid growth of the AppSec market is not surprising given the rise of CI/CD environments like DevOps and the dependence our economy has on software. Our digital economy is based on the use of software. And as a result the growth and success of our economy is also reliant on keeping those applications secure. This is why DevOps must evolve to become DevSecOps. By seizing the opportunity to integrate into inherently collaborative process, security can become an essential part of the software lifecycle, and move earlier in the development process. 

Zumerle and Tirosh also predicted that by 2019, 80 percent of application security testing vendors will include software composition analysis in their offerings – up from 40 percent today. Veracode is one of the 40 percent that combines Static testing with software composition analysis. Components are one of the four major ways vulnerabilities get into applications. And the latest version of Veracode’s State of Software Security report found that open source components proliferating digital risk at an alarming rate. For example, Veracode’s analysis revealed the growing risk caused by the proliferation of vulnerable open source components. Veracode found that a single popular component with a critical vulnerability spread to more than 80,000 other software components, which were in turn then used in the development of potentially millions of software programs. Approximately 97 percent of Java applications contained at least one component with a known vulnerability.

These predictions are valuable in that they tell us how the market is shifting and where vendors will invest in order to keep up with customers’ demands. As DevSecOps gain traction we will see more demand for technologies like Veracode SCA, and secure development tools like Veracode Greenlight.  With these technologies, our APis and IDE integrations as well as our static and dynamic analysis and RASP technologies we are leading the way in integrating security into DevOps.

₁Gartner, Inc. 2017 “Magic Quadrant for Application Security Testing” by Dionisio Zumerle and Ayal Tirosh. February 28, 2017

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


Leave a Reply