Published by the leading IT consulting firm Gartner, Magic Quadrants are a series of market research reports that offer valuable insights into technology providers. Covering a wide variety of software and technology offerings, Gartner Magic Quadrants are a trusted source of information for enterprises and key decision makers to compare vendors as well as understand their own placing in the ranks.
Like previous years, the 2020 Gartner Magic Quadrant for Application Security Testing dives deep into the top vendors and companies providing transformational technologies that focus on the future needs of end users. This Magic Quadrant provides interesting changes in market leaders as well as new additions hoping to level the playing field.
What is Application Security Testing?
Gartner defines the application security testing (AST) market as “the buyers and sellers of products and services designed to analyze and test applications for security vulnerabilities.”
In order to be included in this Magic Quadrant, all vendors must offer at least one of four main AST technologies:
- Static AST (SAST). Technology that analyzes an application's binary code or source code for security vulnerabilities
- Dynamic AST (DAST). Technology that analyzes applications in their running state, during either the testing or the operational phase
- Interactive AST (IAST). Technology that is combined with DAST within the test runtime environment
- Software composition analysis (SCA). Technology used to identify open-source components in an application, along with their security vulnerabilities and any known license restrictions
Magic Quadrant for Application Security Testing 2020
Here is this year’s Magic Quadrant for Application Security Testing:
Magic Quadrant categories
No matter the technology, Gartner uses the same four categories for every Magic Quadrant:
- Leaders are typically recognized as giants in the industry that are both visionaries in their products and successful executors of that vision.
- Challengers usually dominate a large segment of the market, but do not necessarily demonstrate an established understanding of where the market is going in the future.
- Visionaries have a fairly clear vision of where the market is heading, but they may not be able to outperform other vendors.
- Niche Players hyper-focus on a small segment of the market, but lack in innovation and performance in the big picture.
Results from 2020 and 2019
| 2020 Results | 2019 Results |
|---|---|
| Visionaries | Contrast Security |
| Niche Players | Onapsis |
Strong Leaders in Application Security Testing 2020
Although the four main vendors maintained the Leaders status from 2019 to 2020, their positions within this quadrant slightly shifted—and a new Leader made it to the race.
Synopsys was already ranked high last year thanks to its strong execution strategy of expanding its AST portfolio over the past five years, and 2019 was even more successful, as the company spent the year consolidating its offerings and integrating its products with one another. With its large suite of products, including a recent acquisition that will only strengthen its case next year, Synopsys is without doubt the giant of the AST market.
Synopsys is considered an excellent entry point for organizations that are easing their way into more developer-centric approaches to security, and this will only continue to become more advantageous as companies adopt DevSecOps.
Expanding its scope to include SAST, IAST, SCA, and managed DAST, Checkmarx made quite a jump this year in completeness of vision. Its offerings give organizations a wide variety of deployment options, with identical capabilities for managed services, cloud, and on-premises. Its SAST capabilities support a range of programming languages, and it is well known for reports that guide how best to prioritize vulnerabilities.
Veracode also offers DAST, SAST, SCA, and IAST services, with strong markets in the United States and Europe. Compared to last year's AST Magic Quadrant, Veracode has continued to push further towards completeness of vision, making major changes to its offerings and extensions in 2019.
Its services include customized remediation and vulnerability advice, and its willingness to work with customers is consistently one of its highest ratings. Its SCA offering provides a unique database that contains 50% more vulnerabilities than the National Vulnerability Database, helping to solidify its position in the Leader category.
Tucked under the Fortify brand, Micro Focus is a global AST provider whose offerings include SAST, DAST, and IAST, as well as its own console and monitoring services. Its AST is a hybrid model, offered both as a product and in the cloud, providing a comprehensive set of capabilities.
Although it has slid back slightly this year in completeness of vision, Micro Focus has invested heavily in evolving towards a more developer-centric DevSecOps model, making it a strong fit for large enterprises with multiple coding styles that are looking to scale their strategies further.
Jumping into the Leaders' ring this year after being a Challenger in 2019, WhiteHat Security is rising in both vision and execution and shows no sign of backing down. It continues to stand out in DAST-required use cases, and its new partnership with NowSecure also positions it well for mobile AST. Its Directed Remediation capabilities help it stand out among competitors, and it holds its claim to fame as the first vendor to offer chat-based assistance to developers.
With its continued expansion of machine learning services and its dedication to addressing the requirements of DevOps, it will be interesting to see where WhiteHat sits in the quadrant next year.
Joining the quadrant this year are a few newcomers: HCL Software, Onapsis, and GitLab.
HCL Software is a newcomer to the quadrant, at least in name, having acquired IBM's AppScan products following IBM's exit from the application security business. Its product portfolio includes solutions for both on-premises and cloud deployment. HCL AppScan was one of the first products to apply ML techniques to application security tasks, improving accuracy and providing crucial insights for vulnerability fixes. That progress has continued as HCL applies ML-based analytics to its DAST findings. Over the past year it has also spent significant time reworking the product line to offer more efficiency and functionality across all platforms, which is a big part of why it is placed in the Visionaries category.
After its 2019 acquisition of Virtual Forge, a major leader in the SAP code security space, Onapsis has established strong relationships with strategic system integrators in order to offer services that protect businesses using SAP and Oracle. Onapsis offers standard AST tools and supports only the most common development languages, which makes it a great fit for organizations that are looking to integrate with their existing ERP development tools.
GitLab is the final new addition to the 2020 Application Security Testing Magic Quadrant, providing AST as part of the Ultimate/Gold tier of its CI/CD platform. It also provides open-source scanning capabilities, both for vulnerabilities and for code deployments in Docker containers and Kubernetes.
In the past year, GitLab has introduced a security dashboard, support for Java, and remediation recommendations, alongside integrating SCA technology and adding Secret Detection to its SAST. Although it is only starting its climb on the quadrant, GitLab could quickly become a preferred option for organizations that already use its platform and are looking for a broader CI/CD-enabling solution.
Application Security Testing in 2020
Even though most Leaders have remained consistent over the past few years, the new additions to the 2020 Application Security Testing Magic Quadrant make it apparent that the future of AST looks expansive. With the continued adoption of DevSecOps, vendors must evolve and work to integrate and automate AST seamlessly into the delivery lifecycle, expanding the scope of the AST market as we know it.