In the 2019 Gartner Magic Quadrant for Application Security Testing, Synopsys leads the field for our ability to execute and our completeness of vision.
I’m proud to report that Gartner has positioned Synopsys as a leader in the 2019 Magic Quadrant for Application Security Testing for the third consecutive year. This year, Synopsys moved into the highest position for both our ability to execute and our completeness of vision. As a result, Synopsys holds the coveted “top right” position in both the Gartner report and the Forrester report for static analysis.
The Synopsys Software Integrity Group’s vision is to be the industry leader in software security and quality. Over the past several years, we’ve been building this vision through both strong internal growth and acquisition.
Synopsys has aggressively improved the capabilities of Coverity® static analysis to ensure that it represents the industry standard in security and quality testing. Since Gartner’s last MQ evaluation, we’ve added support for additional languages and dozens of frameworks, expanding the fidelity and reach of our testing. We’re committed to ensuring that our static analysis solution meets or exceeds the capabilities of our competitors and delivers accurate and actionable findings.
Our acquisition of the Black Duck® solution represents a critical extension of our software composition analysis capabilities, adding industry-leading source code analysis to our already revolutionary binary analysis tool (now Black Duck Binary Analysis). These capabilities are now fully integrated and provide SCA coverage for testing source code during development and binary code further down the supply chain.
Synopsys released a new version of Seeker® interactive application security testing. Our IAST solution provides unparalleled visibility into web application security and identifies vulnerability trends against compliance standards (e.g., OWASP Top 10, PCI DSS, GDPR, and CWE/SANS Top 25). Unlike other IAST solutions, which only identify security vulnerabilities, Seeker IAST uses patented active verification technology to determine whether a security vulnerability (e.g., XSS or SQL injection) can be exploited, helping prioritize developer response. And Seeker IAST identifies and tracks sensitive data to ensure that it is handled securely.
Finally, Defensics® protocol fuzzing provides differentiated black box testing capabilities that no other AST solution has. Organizations who use protocols extensively in their development find our automated fuzzing solution a formidable tool in their testing capabilities.
We believe that the 2019 AST MQ validates our commitment and demonstrated progress toward creating the most comprehensive software security portfolio on the market.
Having the best tools to test the code you write, the open source code you pull in, and the software in its runtime environment is just the beginning. The real benefits come from integrating these tools to create even more accuracy and depth of analysis. Synopsys is driving this integration at every level so that we can provide our customers the most value from their investments.
At the product level, you can already see the evidence of this integration. As mentioned, we’ve integrated our binary analysis capabilities into the Black Duck solution, providing one tool for testing source and binaries with a consistent bill of materials. The Seeker IAST tool also uses Black Duck Binary Analysis to test the binary open source modules that it encounters for vulnerabilities. These are representative of the many integrations on the near horizon.
At the macro level, Synopsys recently announced the Polaris Software Integrity Platform™, providing a SaaS delivery model and a centralized, web-based user interface for Synopsys products and our managed services offerings. The goal of the Polaris platform is to ensure quick deployment and a unified user experience across Synopsys solutions, and to provide an aggregated dashboard where security managers can manage projects based on an overall assessment of application security risk.
The Polaris platform really demonstrates the value of having a broad portfolio, as it uses Synopsys application security solutions as modular analysis engines to perform testing. With the Polaris platform, developers and security teams can execute the analyses they need and see consolidated results in a single interface.
Last year, Gartner said: “By 2019, more than 50% of enterprise DevOps initiatives will have incorporated application security testing (AST) for custom code, an increase from fewer than 10% today.”1 We certainly see that with our customers, and Synopsys has been working diligently to ensure that the Polaris platform and our products integrate tightly across all phases of the software development life cycle (SDLC), as confirmed by the 2019 Gartner MQ for AST.
This is demonstrated most clearly through the release of the Polaris Code Sight™ IDE plugin for IntelliJ, Eclipse, and Visual Studio. This lightweight plugin continuously scans in the background, providing near real-time identification of vulnerabilities in the developer’s environment. This means that developers can identify and remediate issues on the spot, creating secure, high-quality code faster. Think of it—a security product that actually increases productivity! For consistent findings, the Code Sight plugin uses the same analysis engines as those used by the Polaris Central Server for scanning the central build. You can’t “shift left” any better than that.
The Code Sight plugin is just the start. Synopsys is committed to providing extensive integrations to ensure that our portfolio readily becomes part of your CI/CD toolchain. The Polaris platform also makes extensive use of REST APIs to integrate Polaris data into our customers’ reporting tools and dashboards. In the companion research piece to the Magic Quadrant, Critical Capabilities for Application Security Testing, Synopsys received the highest “product or service score for DevOps.”
We at Synopsys are proud of our standing in the Gartner Magic Quadrant, as it validates our efforts to build a world-class application security portfolio. The application is increasingly the target for attacks, and we believe our portfolio can provide organizations with an integrated set of tools to build a stout defense. Our true success comes from enabling you to build secure, high-quality software faster.
1. Ayal Tirosh, Dionisio Zumerle, and Mark Horvath, Magic Quadrant for Application Security Testing, Gartner, March 19, 2018.
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Synopsys.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.