Veracode, Synopsys, Checkmarx Dominate SAST Forrester Wave
Micro Focus Falls From Leaders Ranking as Static App Testing Vendors Embrace Gen AI
Veracode, Synopsys and Checkmarx held steady atop Forrester's static application security testing rankings, while Micro Focus fell from the leaderboard following its acquisition by OpenText.
Providers have gone beyond evaluating the security of the code itself and now assess the safety of the infrastructure the code runs on. Every SAST firm now offers infrastructure-as-code scanning, said Forrester Senior Analyst Janet Worthington. Vendors now support newer IaC formats such as Azure Bicep, as well as the languages generated by low-code platforms such as OutSystems.
"SAST is going beyond what we traditionally call code as something that security has to be looking at," Worthington told Information Security Media Group. "The SAST vendors are really embracing the idea of, 'You have to look at not just the code that you have, but also the infrastructure that the code is going to be running on.'"
Worthington said there has been an acceleration in software composition analysis specialists buying or building their own SAST tools, and vice versa, while developer-focused tools have also entered the picture in the CI/CD pipeline and binary artifact space to reduce noise. In addition, cloud security vendors have moved into the SAST and SCA space, pushing pure-play vendors toward a consolidated approach, she said.
The static application security testing Forrester Wave replaced the version from winter 2021. This time around, Veracode received the highest strategy ranking by a large margin. Synopsys and Snyk tied for the second-highest scores, and Checkmarx and HCL Software came in behind. That's in contrast to 2021, when Checkmarx edged out Veracode for the top score, and Synopsys and HCL Software trailed (see: Synopsys Extends Lead in Gartner MQ for App Security Testing).
Veracode also received the highest score from Forrester for its current static application security testing tool, and Synopsys, Checkmarx and HCL Software got the second-, third- and fourth-highest rankings, respectively. In 2021, Synopsys edged out Veracode for the highest current offering ranking, and Checkmarx, Micro Focus and Parasoft were bunched close together behind.
Going forward, Worthington anticipates generative AI will let developers be far more productive in writing code, creating test cases and producing documentation. Generative AI will aid the static application security testing space by letting vendors and clients automatically remediate code as it is first written, and by giving developers the actual code needed to make fixes rather than just code samples, she said.
"Generative AI is going to change things in ways that we can't even predict yet," Worthington said. "We're going to have a whole lot of code that's going to be written, a lot of code that has to be tested, and a lot of code that has to be maintained. We're going to see some interesting changes and evolution in how we do things because of that."
Outside of the leaders, here's how Forrester sees the static application security testing market:
- Strong Performers: HCL Software, Snyk, OpenText;
- Contenders: GitLab, GitHub, SonarSource;
- Challengers: Perforce Software, Contrast Security.
How the SAST Leaders Climbed Their Way to the Top
| Company Name | Acquisition | Amount | Date |
|---|---|---|---|
| Checkmarx | Dustico | Not Disclosed | August 2021 |
| Checkmarx | Custodela | Not Disclosed | November 2018 |
| Synopsys | Code Dx | Not Disclosed | June 2021 |
| Synopsys | Black Duck Software | $547 million | December 2017 |
| Synopsys | Coverity | $334 million | March 2014 |
| Veracode | Jaroona | Not Disclosed | April 2022 |
Veracode Applies Artificial Intelligence to Fixing Flaws
Veracode re-architected from the ground up how its static scanning engine works to provide several options for how to fix vulnerabilities as well as produce results within milliseconds, said Chief Product Officer Brian Roche. The company kept its core intelligence engine that identifies app vulnerabilities while adopting a cloud-native approach that allows customers to scan millions of apps simultaneously.
The company also began using artificial intelligence and machine learning to automate the process of fixing issues, and it can now automatically produce fixes for the most common vulnerabilities across the coding languages that matter most, according to Roche. He said customers are turning to artificial intelligence to automatically fix the vulnerabilities Veracode has found while keeping their data on-premises (see: Veracode CEO Sam King on Joining AppSec, Container Security).
"We are taking a more holistic, comprehensive approach to identifying vulnerabilities at every step in the software development life cycle," Roche told ISMG. "Whether you're writing your code in the IDE or you're integrating and delivering or you're deploying code to production, we are the most comprehensive AI solution that enables and will provide the biggest recommendations."
Forrester chided Veracode for subpar secrets detection and incremental scans, for a pipeline scan that ignores already-triaged approvals, and for the lack of integration between Veracode Fix and the rest of the product. Roche said Veracode has completely re-architected its plug-in system to shorten time to value and to put everything behind a single command line. Updates on the integration front are coming next month.
"We wanted to get value to customers quickly," Roche said. "We recognized that AI was being used by developers, and we were seeing those risks and that vulnerable code making its way into production environments."
Synopsys Pursues Tight SAST Alignment With SCA, ASPM
Synopsys has doubled down on its core static analysis engines to improve the speed and consistency of incremental analysis and more effectively spot issues through deep procedural analysis, said Beth Linker, director of product management for the software integrity group. The company has improved the speed and efficiency of deep scans by having them run incrementally without losing consistency.
Synopsys wants to give customers more ways to access static analysis by debuting Software Risk Manager, which combines SAST with software composition analysis and application security posture management, Linker said. Integrations with GitHub, GitLab and Azure let Synopsys look at SAST and software composition analysis together and handle the results consistently, Linker said (see: Appeals Court Upholds Synopsys Victory in Trade Secrets Suit).
"We are committed to both delivering a best-in-class software-as-a-service experience and also continuing to invest in the on-premises deployment options that many of our customers are using today," Linker told ISMG.
Forrester chided Synopsys for subpar scan speeds, a high false positive rate without careful scan configuration, and requiring ASPM to access reporting, prioritization and triage. Linker said Synopsys will build out auto-configuration capabilities to address the large number of customization options and has invested in many projects related to intelligence and scanning speed.
"Some of our longer-standing customers have very well-established workflows where that kind of change management and introduction of new capabilities can be hard," Linker said. "We've rolled out a lot of great capabilities that we are working slowly and steadily with customers to help them take full advantage."
Checkmarx Embraces AI to Check Code for Vulnerabilities
Checkmarx was the first SAST vendor to roll out a plug-in for OpenAI that allows developers to check third-party code for vulnerabilities before accepting it, and CEO Sandeep Johri said the company plans to expand it to Azure AI. Johri said the plug-in helps developers use OpenAI to educate themselves about how to fix vulnerabilities after spotting them and helps them effectively address AI-based threat vectors.
Checking code at the outset ensures organizations aren't bringing in dirty code, and it ensures the higher velocity of code stemming from generative AI doesn't result in larger security workloads or more flaws slipping through, Johri said. Each scanning engine identifies vulnerabilities from its own perspective, and Johri said correlating context across engines eliminates some potential issues and de-duplicates findings (see: Checkmarx Snags Ex-Tricentis CEO Sandeep Johri as New Leader).
"Customers are looking for consolidation across the application security space, so they're tending toward platforms," Johri told ISMG. "We've been a leader in the SAST space for a long time. And so most of the SAST capability is organic."
Forrester criticized Checkmarx for lacking automated remediation and for missing certain features in its on-premises offering, and said its complex pricing for products and services is time-consuming for customers. Johri said that by the end of 2023 Checkmarx will have those features available on-premises to give clients more choice and flexibility from a packaging standpoint, and it will instruct developers on how to remediate with AI.
"We don't do auto-remediation. We have seen our customers be very skeptical about that," Johri said. "They would rather have vendors like us suggest how to remediate but leave it to the developer to actually remediate. They don't want another automated engine to go change code, since that could create other problems."