The application security market is ever-changing, with new technologies emerging on a continuous basis. One helpful way to stay on top of the AppSec market is Gartner’s most recent Hype Cycle for Application Security, 2018.
When it comes to DevSecOps, Gartner notes that “adoption is slow, but interest is high,” and showcases development’s shift towards DevOps environments in the name of speed and agility. DevOps is great for an organization, but not if the security piece is siloed and acts in a way that disrupts the speed of development. This is why, Gartner points out, “Security must be a part of this shift, but in a way that respects the collaborative nature of DevOps.”
Veracode’s own Tim Jarrett, Director of Product Management, recently attended DevSecOps Days as part of this year’s RSA Conference, and took away some valuable points on trends in DevSecOps. The general overview was that the theory of DevOps is fantastic, but the practice itself isn’t as straightforward, which is why it makes sense that DevSecOps is catching on in theory, but remains aspirational in practice. This might seem like a bump in the road of progression, but DevSecOps can be successful if security teams are able to communicate the definitive business value.
Software composition analysis
According to Gartner, “Software Composition Analysis is expected to reach the ‘Plateau of Productivity’ in two to five years.” This is supported by the fact that SCA has become more of a mainstream technology that vendors offer as a part of their solution suites. The surge of SCA offerings from software security vendors essentially began when attention was called to the widespread impact of software vulnerabilities like Heartbleed and Apache Struts.
The need for a solution that could analyze open source components was only furthered by the widespread use of open source code and the rampant amount of vulnerabilities that came along with such components. Veracode’s own State of Software Security Report Vol. 9 reported that in last year alone, 87.5% of Java applications contained a component with at least one vulnerability.
In addition to recommending that organizations use SCA tools on a regular basis to ensure software security, Gartner also stated that “SCA tools fit well within DevSecOps-style workflows, where scanning can be automated as part of the rapid development processes.”
Get the State of Software Security Volume 9 Software Composition Analysis Infosheet here.
Application security testing suites
Application security testing suites are a consolidation of AST technologies, including – but not limited to – static analysis, dynamic analysis, software composition analysis, and secure code training to more effectively verify the security of a company’s codebase.
To cover all of your bases when it comes to application security, one option is to use multiple vendors so that you have access to the “best-of-breed” technologies in each category. However, Gartner points out the downside to this approach; “the requirement to deal with different systems, separate dashboards,” and a not-really-unified approach. “Rather than engaging multiple vendors, Gartner clients have increasingly been seeking ‘one-stop-shop’ vendors that offer multiple technologies in a single platform with flexible deployment options.”
Veracode is one of those “one-stop-shops,” and can provide visibility into application status across all testing types, including SAST, DAST, SCA, and manual penetration testing in one centralized view. To learn more about Veracode’s comprehensive AppSec platform, check out this Platform Overview eBook, or, schedule a demo to see how we can help your specific organization.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner, Hype Cycle for Application Security, 2018, 27 July 2018, Ayal Tirosh