Frost & Sullivan Measurement & Instrumentation Team
Developers are rapidly rolling out applications, resulting in more frequent software vulnerabilities. The functional testing of software tools and processes can be performed in the early development phase; however, to conduct security testing during the same phase is a challenge. Traditional security tools are not capable of detecting software vulnerabilities in the development phase and may increase the risk of cyber-attack once the software is deployed.
Although conventional static application security testing (SAST) and dynamic application security testing (DAST) solutions exist, they have proven to be less robust, especially for fast-evolving and automation-driven development environments. The conventional DAST approach, for example, fails to keep pace with customers’ rapidly changing application development environments, which is essential to meet enterprises’ demand for the continuous delivery (CD) of software to keep pace with time-to-market schedules. Scanning all applications with DAST solutions consumes a significantly large amount of time, which poses a serious challenge as DevOps environments demand continuous integration and delivery.
Different customers from various industries are looking to verify the security and the quality of their software by testing it at various depths. They seek a single vendor that can provide a comprehensive portfolio of software testing tools to meet their diverse and changing software/application testing needs. Vendors have realized that they have a greater role to play than just being suppliers of services.
The application security testing market accounted for $2.6 billion in 2017. Frost & Sullivan foresees sustained double-digit growth, at a 25.8% compound annual growth rate (CAGR) from 2017 to 2022. The market is classified into static, dynamic, and interactive application security testing (IAST). SAST accounts for most part of the market and is focused on the application source code analysis and detection of vulnerabilities early in the development lifecycle. DAST is the 2nd-largest segment and concentrates on the analysis of vulnerabilities on a running application, without the need of a source code. IAST is the next generation of application security testing that offers visibility into application code execution. It is expected to record the highest CAGR from 2017 to 2022. According to Frost & Sullivan, IAST adoption will exceed 28.0% over the next 3 years.
The financial market is expected to register the highest adoption with a 26.7% market share, followed by IT telecom, government, and retail.
The market is highly consolidated by the leading participants. The top companies include HP, IBM, Checkmarx, Synopsys, WhiteHat Security, and CA Veracode. These participants together accounted for more than a 50.0% percent share in 2017. Other prominent participants are Micro Focus, Parasoft, Rogue Wave Software, SiteLock, and SonarSource.
- Managing risks across software development cycles: Testing software for any lapse in application security during the nascent stage of development enables developers to immediately close security loopholes as they continue software coding. As a result, organizations are able to reduce development costs while optimizing time-to-market with reliable software the first time it is released. In contrast, identifying security gaps through software/application testing at the end stage of the development lifecycle eats up time and money as developers have to redesign from the start, which delays the development process and increases time to market.
- Identifying vulnerabilities for remediation: Advanced methodologies, such as Agile and DevOps, are relied upon to integrate automation tools in the early stage of the software development life cycle (SDLC) to expedite the development process. However, remediation is the most common failure point for organizations, creating friction between different teams (development and operations, for example) without achieving real improvement to security. Thus, remediation must be made an easier and more efficient process. Effective remediation depends on the ability to prioritize what actions and steps are required to address vulnerabilities.
- The future of dynamic application security testing: Customers are looking for a robust IAST solution that can automatically scan applications for vulnerabilities (while it is running) across the SDLC, in tandem with the fast-moving development environment; it must also be able to offer remediation and troubleshooting suggestions. This will reduce the time taken to separately scan applications for vulnerabilities with the DAST solution; it will also help to instantly detect and prompt remediation suggestions, helping to quickly fix the issues when the application is in the development stage. An accelerated development cycle due to time and resource optimization will allow application developers to meet their time-to-market schedules, thereby ensuring high returns on investment (ROI) with significant cost savings.
- Technically skilled resources: Conventional application security testing solutions require technically skilled resources to perform DAST before application release; they also need to be maintained properly to perform optimally. Conventional secure coding training, imparted annually, often fails to scale up the imparting of secure coding-related knowledge on a continuous basis across an enterprise. Besides, long hours of ineffective training on secure coding disrupts the normal routine of developers that are inclined toward writing codes to constantly build new applications. In addition, the lack of the right kind of training to enhance developers’ know-how and skillset in terms of developing applications in line with security protocol makes it difficult for companies to find application developers with the right skillset to perform application security testing during the SDLC. Overall, this slows down secure application development and integration and, consequently, time-to-market, while increasing operational expenditure. This also makes developers reluctant to perform application security testing.
Enterprises are growing increasingly dependent on software applications and are demanding continuous integration (CI) to streamline their existing business processes as they embrace the concept of automation and strive to record better margins with relatively low investments. However, this has resulted in a rising number of security breaches and cyber-attacks. Consequently, application security testing has become imperative for software application developers to help enterprises run their businesses securely.
As with traditional application development practices, it is prudent to actively identify and correct vulnerabilities throughout the development process and after deployment as well. Businesses still utilize SAST to test applications for weaknesses prior to deployment; DAST is used to identify and fix flaws during and after development. Both remain capable solutions. IAST, in particular, holds the potential to outpace DAST and replace it as an automated tool that helps to maintain complete security automation across the SDLC.