Report:

Magic Quadrant for Application Security Testing

How does Gartner define the Application Security Testing market in 2023?

Gartner defines the application security testing (AST) market as the buyers and sellers of products and services designed to analyze and test applications for security vulnerabilities. This market is highly dynamic and continues to experience rapid evolution in response to changing application architectures and enabling technologies. The market comprises tools offering core testing capabilities (static, dynamic and interactive testing; software composition analysis) and various optional, specialized capabilities. AST tools are offered either as software-as-a-service (SaaS)-based subscription offerings, or less often, as on-premises software.

Key Facts for Magic Quadrant for Application Security Testing in 2023

• Publication Date: 17 May 2023
• Document ID: G00770949
• Coverage: Global
• Authors: Mark Horvath, Dale Gardner
• Core Purpose: Modern application design, the shift to the cloud and the accelerating adoption of DevSecOps are expanding the scope of the AST market. Security and risk management leaders can meet tighter deadlines and test more complex applications by integrating and automating AST in the software life cycle.

Strategic Planning Assumptions

No strategic planning assumptions provided.

How was the Application Security Testing market evolved in 2023?

• Worldwide end-user spending on application security tools reached approximately $3.4 billion in 2022, a 27% increase from 2021's $2.6 billion
• North America represents approximately 68% of total spending
• EU and U.K. ranked second at 17%, with Asia/Pacific region totaling 12% of spending
• Middle East and Africa at 2%, and South America at 1% remain nascent but growing markets
• The market comprises tools offering core testing capabilities including SAST, DAST, IAST, and SCA
• Optional capabilities include API testing, ASPM, container security, developer enablement, fuzzing, IaC testing, mobile AST, and software supply chain security
• AST tools are offered as SaaS-based subscription offerings or on-premises software, with many vendors offering both options
• The market is highly dynamic and continues to experience rapid evolution in response to changing application architectures and enabling technologies
• Increased focus on DevSecOps and cloud-native application initiatives is driving market evolution
• Strong demand has enabled vendors to maintain higher pricing despite increased competition

What product features are required to be included in this year's evaluation?

• Static application security testing (SAST): Analyzes an application's source, bytecode or binary code for security vulnerabilities, typically during the programming and/or testing phases of the software development life cycle (SDLC)
• Software composition analysis (SCA): Used to identify open-source and, much less frequently, commercial components in use in an application. From this, known security vulnerabilities, potential licensing concerns and operational risks can be identified
• An offering primarily focused on security testing to identify software security vulnerabilities, with templates to report against OWASP Top Ten and other common vulnerability definitions and standards
• Developer support or guidance in the remediation of vulnerabilities
• For SAST products and/or services: Support for common development languages (e.g., Python, Java, C#, PHP, JavaScript)
• For SCA products and/or services: Ability to scan for commonly known vulnerabilities; Ability to scan for out-of-date vulnerable libraries; Ability to scan for undesirable or inappropriate licenses

What are the common features of top products in the Application Security Testing space?

• API testing: APIs have become an important part of modern applications, but traditional AST toolsets may not fully test them. Typical functions include the ability to discover APIs in both development and production environments and test API source code, as well as the ability to ingest recorded traffic or API definitions to support the testing of a running API
• Application security posture management (ASPM): ASPM continuously manages application risks through the detection, correlation and prioritization of security issues from across the SDLC, from development to deployment
• Container security: Container security scanning examines container images, or a fully instantiated container prior to deployment, for security issues
• Developer enablement: Developer enablement tools and features support developers and members of the engineering team in their efforts to create secure code
• Dynamic AST (DAST): DAST analyzes applications in their running (i.e., dynamic) state during the testing and operational phases
• Fuzzing: Fuzz testing relies on providing random, malformed or unexpected input to a program to identify potential security vulnerabilities
• Infrastructure-as-code (IaC) testing: IaC security testing tools help ensure conformance with common configuration hardening standards, identify security issues associated with specific operational environments, locate embedded secrets
• Interactive AST (IAST): IAST tools initiate and equip a running application and examine its operation to identify vulnerabilities
• Mobile AST (MAST): This addresses the specialized requirements associated with testing mobile applications
• Software supply chain security (SSCS): Functions intended to identify and manage risks associated with software supply chains

Scope Exclusions

• Vendors that primarily offer consulting or managed services rather than AST tools
• Vendors that do not meet the minimum revenue thresholds
• Vendors that do not rank in the Market Momentum index requirements
• Vendors without support for both SAST and SCA as core capabilities
• Vendors without English language support for contracts, documentation and customer support

Inclusion Criteria

Vendors must, among other requirements:

• Provide a dedicated AST solution that is generally available as of 31 December 2022 that supports, at a minimum, both SAST and SCA
• Conform to a repeatable, consistent engagement model using mainly their own testing tools
• Deliver tools as on-premises software or appliance, cloud-based appliance or container, SaaS, or some combination
• Generate at least $100 million in annual (GAAP) revenue for AST products OR generate at least $35 million of AST revenue with at least 20% coming from more than one geographic region
• Rank among the top 20 organizations in the Market Momentum index defined by Gartner OR generate at least $20 million in AST revenue and rank in the top 10 vendors in the Market Momentum index
• Offer phone, email and/or web customer support
• Offer contract, console/portal, technical documentation and customer support in English

Ability to Execute — Relative Weighting

• Product or Service - High
• Overall Viability - High
• Sales Execution/Pricing - High
• Market Responsiveness/Record - High
• Marketing Execution - High
• Customer Experience - High
• Operations - NotRated

Completeness of Vision — Relative Weighting

• Market Understanding - High
• Marketing Strategy - High
• Sales Strategy - Medium
• Offering (Product) Strategy - High
• Business Model - NotRated
• Vertical/Industry Strategy - NotRated
• Innovation - High
• Geographic Strategy - High

Reference

• Gartner, Magic Quadrant for Application Security Testing, 17 May 2023, ID G00770949

View Leaders
View Vendor Movements