The 2022 Gartner® Critical Capabilities for Application Security Testing report provides useful guidance for teams wanting to build an AppSec program optimized for their business needs.
There are two cars in my driveway right now. One was built in 1978, and what’s great about it is how easy it is to work on. It’s a simple vehicle, and most repairs can be performed with only a half-dozen tools: two screwdrivers, three wrenches, and a hammer (you always need a hammer).
The other car was built in 2020, and I don’t work on that one. It’s vastly more sophisticated—and complicated—than the ’78, and my mechanic wields a dizzying assortment of specialized tools and diagnostic systems to ensure that everything is working correctly.
And so it is with software. As the software we build has become more sophisticated—and complicated—the array of security testing tools required to test that software is expanding. In fact, most organizations today use dozens of tools and techniques to test their software for vulnerabilities.
But which ones should you be using? The answer depends on the type of software you are developing and how you are delivering it. Gartner® recently published its 2022 Critical Capabilities for Application Security Testing report. It provides insight into which tools and techniques matter most for five specific Use Cases, along with ratings of the vendors' products against those capabilities. Let's look at the five Use Cases in the report and the differences in their respective application security needs.
Gartner defines the first Use Case as being focused on the needs of organizations with a broad mix of applications and development methodologies and thus requiring a comprehensive approach to application security. Put another way, if your team builds software that isn’t your product but is instead the primary enabler of your business (e.g., it is the means by which your customers access your products or services), this Use Case applies to you (even if you aren’t a large organization).
The complex makeup and delivery of enterprise applications require that security be addressed for every application component and at every stage of the application lifecycle. To meet these needs, organizations are increasingly taking a supply chain risk management approach, in which multiple tools are used in concert to provide visibility into and control of security risks across proprietary, open source, and third-party software and services, as well as the DevOps and cloud infrastructure used to deliver applications to end users.
DevSecOps is perhaps the most used yet least understood term in information security. Gartner indicates simply that this Use Case is focused on the requirements of organizations investing heavily in DevOps and the fast-moving, iterative software development and delivery that goes with it.
Not surprisingly, for application security testing (AST), the emphasis is also on tools that support modern, developer-centric, automated security analysis. Building security into DevOps requires that teams prioritize three things:
Here is where the Use Cases start to overlap a bit. Gartner indicates that this third Use Case focuses on the needs of organizations wanting to integrate AST with their CI environment and/or wanting to make sure their testing adapts to the changing attack surface of their applications. Many organizations have heavily automated testing programs but may not consider themselves “DevOps shops,” or at least not yet.
Organizations in this category may be looking to shift from a manual dynamic application security testing (DAST)-centric model to some combination of automated static AST (SAST), software composition analysis (SCA), and DAST. However, many traditional DAST solutions don't fit well in automated CI pipelines: they crawl and attack the application from the outside, which is slow and hard to scope to a single build. Interactive AST (IAST) has emerged as an automation-friendly alternative. An IAST agent instruments the running application and observes data flows while the existing automated functional tests (for example, a Selenium suite) exercise it, so those functional tests double as dynamic security tests without a separate scan. The caveat is that IAST only sees code paths the functional tests actually drive, so its security coverage is bounded by the functional test coverage.
There is also considerable overlap between Gartner’s prescriptions for cloud-native applications and DevSecOps. The main difference is that DevSecOps places a bit more emphasis on developer enablement, while cloud-native applications place a bit more emphasis on Infrastructure-as-Code (IaC) and the containers that are central to most cloud application environments.
Since many cloud-native applications are also “enterprise” applications, the focus on software supply chain security also applies here. However, it’s important to understand the impacts of the cloud architecture on the attack surface of these applications, which typically use a mix of open source components, third-party APIs, serverless functions, containers, and IaC.
This Use Case is focused on software that runs on a client device. For Gartner, this means mobile applications, which often require specialized testing tools and techniques to emulate the target mobile device(s) for the application.
However, many of the challenges for mobile applications also extend to other forms of client-side software, such as network device firmware, embedded software, and IoT devices. In most cases, testing this software is difficult to automate, requires direct access to or emulation of the hardware, and must include the APIs and network protocols the client uses to communicate with other systems and services, since those interfaces are typically the most exposed part of the system. If you are building this type of software, you probably already have specialized tools for unit and integration testing; the challenge is finding complementary tools and services to test for security defects.
There's no doubt that it can be difficult for security and development teams to assemble the right toolkit to deliver software their users can trust. But as Gartner illustrates in the Critical Capabilities for Application Security Testing report, if you take a step back and think about the Use Cases your team is trying to support, a framework for making your tool selections emerges.
As for me, I'm going to stick to tinkering on the '78 on the weekends and leave the diagnostics and service of the '20 to the shop where they have the right tools (and skills) for the job!
Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Patrick is the Senior Director of Product Marketing for Synopsys Software Integrity Group, where he is laser-focused on bringing solutions to market that help development teams build secure, high-quality software, minimizing risk while maximizing speed and productivity.