Magic Quadrant for Application Security Testing

Note: this is a reprint of the March 19, 2018, Gartner article. The original article can be found here.


DevSecOps, modern web application design and high-profile breaches are affecting the growing application security testing market. Security and risk management leaders will need to meet tighter deadlines and test more-complex applications by integrating and automating AST in the software life cycle.

Strategic Planning Assumptions 

By 2019, more than 50% of enterprise DevOps initiatives will have incorporated application security testing (AST) for custom code, an increase from fewer than 10% today. 

By 2020, 60% of security vendors will claim machine-learning capabilities, an increase from fewer than 10% today.

Market Definition/Description 

Gartner defines the AST market as the buyers and sellers of products and services designed to analyze and test applications for security vulnerabilities. Gartner identifies four main styles of AST: 

  • Static AST (SAST) technology analyzes an application's source, bytecode or binary code for security vulnerabilities, typically at the programming and/or testing software life cycle (SLC) phases.
  • Dynamic AST (DAST) technology analyzes applications in their dynamic, running state during testing or operational phases. It simulates attacks against an application (typically web-enabled applications and services), analyzes the application's reactions and, thus, determines whether it is vulnerable. 
  • Interactive AST (IAST) technology combines elements of SAST and DAST simultaneously. It is typically implemented as an agent in the test runtime environment (for example, instrumenting the Java Virtual Machine [JVM] or .NET CLR) that observes operation or attacks and identifies vulnerabilities. 
  • Mobile AST performs SAST, DAST, IAST and/or behavioral analysis on byte or binary code to identify vulnerabilities in mobile applications.

The above technology approaches can be delivered as a tool or as a subscription service. Many vendors offer both options to reflect enterprise requirements for a product and service. Gartner's 2017 Survey on Security Buying Behavior showed nearly two-thirds of enterprises with more than 1,000 employees use some form of AST. However, the various technologies differ in adoption and maturity.[1] DAST and SAST are the most widely adopted, whereas IAST adoption is still growing.

The 2018 Magic Quadrant will focus on a vendor's SAST, DAST, IAST and mobile AST offerings; maturity; and features as tools or as a service. AST vendors innovating, partnering and offering runtime application self-protection (RASP), which enables applications to protect themselves from vulnerability exploitation at runtime, were weighted heavily. This is also true of software composition analysis (SCA), which identifies open-source and third-party components in applications and their known security vulnerabilities. 
