There are few aspects of modern IT security that are as critical as application security. Simply put, if an application isn't secure, then everyone that uses the application could potentially be at risk, and the critical data processed by the application is at risk too.
The market for application security vendors is vast and varied, as there are multiple facets to application security that should be considered. There are also various ways in which application code can be tested to identify different types of vulnerabilities that could be potential security risks. These tools can boost DevOps and DevSecOps efforts by integrating security into the development process.
Key elements of application security
A key concept to understand in application security is that of the Software Development Lifecycle (SDLC). In that process, there are stages for code development, deployment and ongoing maintenance. As part of that lifecycle there are a number of critical application security approaches.
- Static Analysis: At the foundational level is the security of the application code as it is being developed, which is often an area where static code analysis tools (SCAT) can play a role. This area is called static application security testing, or SAST.
- Dynamic Analysis: For code that is running, dynamic application security testing (DAST) enables the detection of different types of security risks.
- Interactive Application Security Testing: Combining both DAST and SAST approaches is the domain of Interactive Application Security Testing (IAS).
- Software Composition Analysis (SCA): There can also be configuration issues with applications that can potentially be exploited. There are also software dependency and libraries that have known vulnerabilities, which is where vulnerability management capabilities fit in.
Top application security products
Here are our picks for the top vendors offering different classes of application security products and services.
Value proposition for potential buyers: Acunetix provides a web application security scanner platform that can help organizations of any size identify potential issues in deployed applications.
- The acunetix platform is composed of several distinct capabilities, including: AcuSensor, which is an Interactive Application Security Testing (IAST) tool for PHP, ASP.NET and Java web applications; and DeepScan Crawler for HTML5.
- A key differentiator is the AcuMonitor feature, which enables out-of-band security testing that takes a different approach than IAST to detect potential issues that don't always occur in the direct application path.
- The ability to detect SQL Injection vulnerabilities is a core element of the platform, including providing context to help reduce the likelihood of false positives.
- Going beyond just scanning application code, Acunetix also has a network security scanner that uses the open source OpenVAS project to detect network vulnerabilities in applications.
Value proposition for potential buyers: CheckMarx positions itself as a platform for managing and understanding software exposure risk. It is well suited for mid-to-large organizations looking for the ability to do static code analysis and interactive application testing in a scalable approach.
- The Checkmarx Software Exposure Platform is the company's flagship offering and includes static application security testing (CxSAST), Open Source Analysis (CxOSA), Interactive Application Security Testing (CxIAST) as well as training to help developers improve code quality.
- A key differentiator for Checkmarx is that rather than just having all the different types of application security testing operating in separate silos, there is a management console that provides an overview and visibility into how all the different testing elements fit together for an application.
- Another key feature in the Checkmarx platform is delta-based scanning, where developers don't have to re-scan an entire codebase when changes are made, but rather only need to scan the incremental (delta) difference.
- The ability to identify potential false positives from the scanning tools is another valuable attribute.
Value proposition for potential buyers: Fortify is a good option for organizations looking for an easy to use solution for application security testing and monitoring.
- Fortify's Source Code Analysis is one of the pioneering tools in the space and is now part of the broader Fortify on Demand service, which also includes the WebInspect dynamic analysis tool.
- Machine learning capabilities to pre-audit test results and limit false positives is a useful capability that is built into the platform.
- A key differentiator for Fortify is the extensive list of API-level integrations with developer build and deployment tools, enabling scanning and monitoring to occur throughout the DevOps lifecycle.
- The Application Defender component of Fortify's portfolio provides monitoring as well as runtime application self-protection (RASP) for operation-side security.
Value proposition for potential buyers: NowSecure is focused on mobile security and enabling developers to integrate secure practices and code as part of the mobile DevOps lifecycle.
- Now Secure has multiple application security capabilities in its offering, including automated mobile security testing that integrates static, dynamic and behavioral code analysis to identify areas of potential risk.
- A key differentiator for NowSecure is its penetration testing service that takes an attack approach to identify areas of weakness and potential exploitability in a mobile application.
- Another differentiator for Now Secure is the integration with third-party mobile app risk intelligence capabilities that can provide developers and security staff with insights into a broad set of threat intelligence from mobile applications in the Apple AppStore and Google Play apps.
- The management interface is a strong element across Now Secure, enabling developers and management to help enable regulatory compliance.
Value proposition for potential buyers: Rapid7's insightAppSec is well suited for organizations of any size that are looking for dynamic application security testing that provides developers with the ability to also test if a fix actually works.
- The insightAppSec service is part of Rapid7's cloud SaaS platform, which also includes insightIDR for SIEM and UBA, and insightOps for log management.
- A key differentiator for insightAppSec is attack replay functionality that enables developers to replay a potential attack vector to understand if remediations are effective.
- Workflows is another strong element in the platform, providing users with templates to test different scenarios.
- The core scanning engine comes preset with intelligent defaults that can be customized by users if needed.
- Beyond just providing an inventory of application vulnerabilities, Rapid7's system provides context, severity and recommendations for remediation.
Value proposition for potential buyers: Snyk's technology enables organizations to monitor applications for potential risks stemming from underlying application dependencies that can change over time.
- Among the core features of the Snyk platform is the ability to fully map and track an application's dependency tree.
- A key differentiator for Snyk is that it's not a point in time vulnerability scanner, but a platform that continuously scans and notifies users when there is a new vulnerability discovered in a library or dependency that a given application relies on.
- Integration with DevOps workflows is another important capability that can help users implement fixes for known issues.
- Snyk can integrate with developer environments to help identify coding vulnerabilities during the development stage of an application.
Value proposition for potential buyers: Synopsys has a broad portfolio of application security tools that can meet different needs, as well as a new overarching platform that can take a more holistic approach than point products.
- In February 2019, Synopsys launched its new Polaris Software Integrity Platform, bringing together multiple tools, including Coverity static analysis, Seeker IAST and Black Duck software composition analysis into a single unified offering.
- The integration of multiple tools provides a comprehensive overview for developers and security professionals into multiple aspects of application security that are often treated as separate silos.
- A key differentiator for Synopsis is the Polaris Platform's Code Sight IDE plugin, which can help developers identify and remediate bad coding practices that can lead to application vulnerabilities in production.
- Reporting is another strength of the Polaris platform, with a dashboard view for visibility into open issues, trends and charting over time.
Value proposition for potential buyers: Veracode's Application Security Platform is well suited for both developers and security professionals at organizations of any size looking for multiple application security scanning capabilities.
- As a company, Veracode has changed ownership several times in recent years. It was acquired by CA Technologies in March 2017 for $614 million. CA itself was acquired by Broadcom in November 2018, which then sold Veracode to private equity firm Thoma Bravo for $950 million.
- The overall platform integrates multiple capabilities, including static, dynamic, interactive and software composition analysis.
- With Greenlight, Veracode enables developers to scan code from directly within an Integrated Developer Environment (IDE).
- A key differentiator for Veracode is the platform's integration with GRC (Governance, Risk and Compliance) tools to help organizations track regulatory and policy compliance.
- Analytics is another area where Veracode shines, with a dashboard than can track issues as well as provide metrics on how long it takes to fix flaws.
Value proposition for potential buyers: Whitehat's platform provides a solid basis for organizations with separate developer and security teams to stay on top of potential risks and identify both known and unknown application vulnerabilities.
- WhiteHat's Application security platform includes source code analysis, Sentinel Source (SAST) and Sentinel Dynamic (DAST).
- Via a partnership with Now Secure (listed above), the company has Sentinel Mobile for mobile application security.
- A key differentiator for WhiteHat is the company's attack vector database, which is used to help the various tools find and identify potential paths to exploitation.
- For developers, the WhiteHat Scout integrates with DevOps tools to provide inline scanning and remediation options.