Veracode, Synopsys, Checkmarx Lead SAST in Forrester Wave

Micro Focus, whose application security tooling had previously placed it among the top-ranked vendors, has fallen out of the leaders group in Forrester's latest Wave for static application security testing (SAST). The drop follows Micro Focus's acquisition by OpenText, under whose name the offering is now evaluated. Veracode, Synopsys, and Checkmarx, meanwhile, kept their positions as leaders in the SAST market.

According to Forrester Senior Analyst Janet Worthington, SAST vendors have expanded their offerings to include infrastructure-as-code (IaC) scanning: they evaluate not only the application code itself but also the templates that define the infrastructure it runs on, so that misconfigurations can be caught before anything is deployed. Vendors have added support for newer IaC languages such as Azure Bicep and for low-code platforms such as OutSystems alongside conventional programming languages.

Worthington also noted two market trends: software composition analysis (SCA) specialists have bought or built their own SAST tools, and developer-focused tools have entered the market to cut noise in the CI/CD pipeline and in the scanning of binary artifacts. Cloud security vendors have entered the SAST and SCA space as well, pushing pure-play vendors toward consolidated, combined offerings.

In the latest SAST ranking, Veracode received the highest strategy score, followed closely by Synopsys and Snyk, with Checkmarx and HCL Software behind them. This is a shift from 2021, when Checkmarx was ranked ahead of Veracode on strategy.

Veracode also received the highest score for its current offering, with Synopsys, Checkmarx, and HCL Software close behind. In 2021, Synopsys outranked Veracode on current offering, followed by Checkmarx, Micro Focus, and Parasoft.

Looking ahead, Worthington expects generative artificial intelligence (AI) to play a significant role in SAST. She expects it to make developers more productive in writing code, test cases, and documentation, and to enable automated remediation that hands developers the actual code change needed for a fix.

Outside of the leaders, Forrester identified several other players in the SAST market. HCL Software, Snyk, and OpenText were identified as strong performers. GitLab, GitHub, and SonarSource were categorized as contenders, while Perforce Software and Contrast Security were labeled as challengers.

Veracode, one of the leaders, has applied AI to its static scanning engine. The company says it has re-architected the engine to propose fixes for the vulnerabilities it finds and to return results in milliseconds, that its cloud-native architecture lets customers scan millions of applications concurrently, and that it uses AI and machine learning to automate fix generation and recommendations for customers.

Synopsys, another leader, has improved the speed and consistency of its static analysis engines and has integrated SAST with software composition analysis (SCA) and application security posture management (ASPM), giving customers more ways to consume static analysis results. Synopsys aims to deliver a best-in-class software-as-a-service experience while continuing to invest in on-premises deployment options.

Checkmarx, the third leader, has embraced AI in checking code for vulnerabilities. The company says it was the first to release a plug-in for OpenAI's ChatGPT that lets developers scan third-party and AI-generated code for vulnerabilities before accepting it; the plug-in also helps developers learn how to fix what it finds and addresses AI-introduced threat vectors. Checking code at the point it enters the codebase keeps insecure code out and guards against the security issues that come with the higher velocity of AI-generated code.

Overall, the SAST market is evolving quickly: vendors are adding infrastructure-as-code scanning and integrating with adjacent security technologies, and AI and machine learning are increasingly used to automate finding and fixing vulnerabilities. Organizations choosing a SAST vendor should track these developments and pick the vendor that best fits their own security needs.
