Magic Quadrant for Application Security Testing
Note: this is a reprint of March 19, 2018, Gartner article. The original article can be found here.
DevSecOps, modern web application design and high-profile breaches are affecting the growing application security testing market. Security and risk management leaders will need to meet tighter deadlines and test more-complex applications by integrating and automating AST in the software life cycle.
Strategic Planning Assumptions
By 2019, more than 50% of enterprise DevOps initiatives will have incorporated application security testing (AST) for custom code, an increase from fewer than 10% today.
By 2020, 60% of security vendors will claim machine-learning capabilities, an increase from fewer than 10% today.
Gartner defines the AST market as the buyers and sellers of products and services designed to analyze and test applications for security vulnerabilities. Gartner identifies four main styles of AST:
- Static AST (SAST) technology analyzes an application's source, bytecode or binary code for security vulnerabilities typically at the programming and/or testing software life cycle (SLC) phases.
- Dynamic AST (DAST) technology analyzes applications in their dynamic, running state during testing or operational phases. It simulates attacks against an application (typically web-enabled applications and services), analyzes the application's reactions and, thus, determines whether it is vulnerable.
- Interactive AST (IAST) technology combines elements of SAST and DAST simultaneously. It is typically implemented as an agent in the test runtime environment (for example, instrumenting the Java Virtual Machine [JVM] or .NET CLR) that observes the application's operation, or attacks against it, from inside the process and identifies vulnerabilities.
- Mobile AST performs SAST, DAST, IAST and/or behavioral analysis on byte or binary code to identify vulnerabilities in mobile applications.
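To make the distinction between the static and dynamic styles concrete, the following added example (not part of the Gartner article and not any vendor's product) puts a minimal SAST-style check next to a minimal DAST-style check. The static scanner parses source with Python's `ast` module and flags calls to a hypothetical list of dangerous sinks whose argument is not a literal, without executing anything; the dynamic scanner never sees source, it calls a running request handler with a constructed probe string and observes whether the response reflects it unencoded. The sample source, handlers, sink list and probe marker are all constructed for the illustration.

```python
"""Added illustration: a SAST-style check and a DAST-style check side by side.
All sample code, handlers and names below are constructed, not from the page."""
import ast
import html
from typing import Callable, Dict, List

# --- SAST style: inspect source without running it ------------------------
# Hypothetical sink list: calls whose argument must never be input-controlled.
DANGEROUS_CALLS = {"eval", "exec", "os.system", "subprocess.call"}


def _call_name(node: ast.Call) -> str:
    """Dotted name of the called function, e.g. 'os.system'; '' if unknown."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def static_scan(source: str) -> List[Dict[str, object]]:
    """Report sink calls whose first argument is not a string literal.
    A constant argument cannot carry input; anything else is flagged for
    review. The source is parsed, never executed."""
    findings: List[Dict[str, object]] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _call_name(node) in DANGEROUS_CALLS:
            literal = bool(node.args) and isinstance(node.args[0], ast.Constant)
            if not literal:
                findings.append({"line": node.lineno, "sink": _call_name(node)})
    return findings


# --- DAST style: exercise the running application with a probe -----------
PROBE = "<gr-probe-42>"  # constructed marker: harmless, but easy to recognise


def dynamic_scan(handler: Callable[[Dict[str, str]], str],
                 params: List[str]) -> List[str]:
    """Send the probe through each named parameter and report those whose
    response echoes it back unencoded. Only behaviour is observed."""
    reflected = []
    for name in params:
        body = handler({name: PROBE})
        if PROBE in body:  # an HTML-escaped response would contain &lt;gr-probe-42&gt;
            reflected.append(name)
    return reflected


# --- Constructed samples ---------------------------------------------------
SAMPLE_SOURCE = '''
import os, subprocess
def run(user_cmd):
    os.system("ls -l")                 # literal argument: not flagged
    os.system(user_cmd)                # parameter reaches a sink: flagged
    subprocess.call(["echo", user_cmd])  # list built from a parameter: flagged
'''


def leaky_handler(query: Dict[str, str]) -> str:
    """Constructed handler that concatenates input straight into HTML."""
    return "<p>Hello " + query.get("name", "") + "</p>"


def fixed_handler(query: Dict[str, str]) -> str:
    """Same handler with output encoding applied."""
    return "<p>Hello " + html.escape(query.get("name", "")) + "</p>"


if __name__ == "__main__":
    print("static findings:", static_scan(SAMPLE_SOURCE))
    print("reflected params (leaky):", dynamic_scan(leaky_handler, ["name", "id"]))
    print("reflected params (fixed):", dynamic_scan(fixed_handler, ["name", "id"]))
```

The two functions deliberately know nothing about each other: `static_scan` can point at the exact line where a parameter reaches a sink but cannot tell whether that path is reachable at runtime, while `dynamic_scan` proves the reflection is real but cannot say where in the code it originates. An IAST agent, as described above, sits inside the running process and can report both at once.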