A few words about Gartner’s “Magic Quadrant for Application Security Testing” 2018

February and March are the hot months for marketing reports. I already wrote about the IDC and Forrester reports on Vulnerability Management-related markets. And this Monday, March 19, Gartner released its new “Magic Quadrant for Application Security Testing”. You can buy it on the official website for $1,995.00 USD or download it for free from vendors’ sites, for example Synopsys or Positive Technologies. Thank you, dear vendors, for this opportunity!

I’m not an expert in Application Security. I am more into Device Vulnerability Assessment (an IDC term) or Vulnerability Management. However, these fields are related. And well-known Vulnerability Management vendors often have products or functionality for Web Application scanning and Source Code analysis as well. Just look at Qualys, Rapid7 and Positive Technologies in the picture!

Gartner AST MQ 2018

I have already mentioned in previous posts that grouping products into marketing niches is a rather mysterious process for me. For example, the Gartner AST niche covers SAST, DAST and IAST products:

  • SAST is source code or binary analysis
  • DAST is basically black-box scanning of deployed applications; it can also be called WAS (Web Application Scanning)
  • IAST is a kind of analysis that requires an agent in the test runtime environment. Imho, this is still pretty exotic.

As you can see, these are very different areas. But the market is the same: AST.

Therefore, it is difficult to understand how many SAST/DAST/IAST features a product needs before it counts as a real AST product. Here are the vendors in this year’s Gartner AST Magic Quadrant:

  1. Checkmarx
  2. CA Technologies (Veracode)
  3. Contrast Security
  4. IBM
  5. Micro Focus
  6. Positive Technologies
  7. Qualys
  8. Rapid7
  9. SiteLock
  10. Synopsys
  11. Trustwave
  12. WhiteHat Security

If you look at the vendors that were excluded from the Gartner MQ since last year (Acunetix, ERPScan, Fasoo, N-Stalker, NSFOCUS, PortSwigger and Virtual Forge), you can see that there are many traditional WAS vendors among them. If someone tells me “you need to scan a web application”, my first thought will be to use Acunetix or Burp (by PortSwigger; see my post “Vulners.com vulnerability detection plugins for Burp Suite and Google Chrome”). Well, they are not in the Gartner AST list any more. I will not say that Gartner wanted to make AST MQ 2018 more focused on SAST. There are actually more than 12 Exclusion Criteria. But to me it definitely looks like this.

Also, I need to mention that Gartner marked all the excluded vendors, plus edgescan, Netsparker and High-Tech Bridge, as “specific additional AST vendors”.

What about Qualys and Rapid7? They are present in the MQ because of their WAS products: Qualys WAS and Rapid7 AppSpider. Why is there no Tenable? Most likely because Tenable.io WAS was not presented as a separate product until recently. I think next year we will see Tenable in the MQ as well.

And I’m certainly very pleased that my former employer, Positive Technologies, got into Gartner’s AST report for the first time because of its PT AI solution.

I will not comment on the vendors’ descriptions, the Market Definition or the Context. I’m not an expert in AST, especially in SAST and IAST. But the text looks solid and informative. If you are involved in Application Security and building an SDLC, I strongly recommend that you read it.
