In the latest Forrester evaluation of static application security testing (SAST) vendors, Veracode, Synopsys, and Checkmarx kept their positions as leaders, while Micro Focus dropped out of the leader category following its acquisition by OpenText. Beyond the reshuffling of vendors, the report highlights how the application security market is changing, in particular the growing weight given to infrastructure as code scanning.
According to Forrester Senior Analyst Janet Worthington, SAST vendors have expanded their offerings beyond source code analysis to include assessment of the infrastructure definitions on which that code is deployed. The change responds to customers wanting to evaluate the security of the whole application stack rather than the application alone. Vendors now support newer infrastructure as code (IaC) languages such as Azure Bicep, as well as low-code platforms such as OutSystems.
The inclusion of infrastructure as code scanning is part of a broader consolidation in the industry: software composition analysis (SCA) specialists are buying or building their own SAST tools and SAST vendors are doing the reverse. Developer-focused tools have also entered the picture, working in the continuous integration/continuous delivery (CI/CD) pipeline or on binary artifacts to reduce finding noise and keep development moving. Cloud security vendors have moved into the SAST and SCA space as well, prompting pure-play vendors to respond with consolidated platforms of their own.
Veracode came out on top of Forrester's rankings, with the highest strategy score by a significant margin. Synopsys and Snyk tied for the second-highest score, followed by Checkmarx and HCL Software. This is a change from the previous evaluation in 2021, when Checkmarx edged out Veracode for the top score.
Looking ahead, Worthington expects generative artificial intelligence (AI) to change how development is done, making developers more productive at writing code, producing test cases, and writing documentation. She also expects generative AI to change the SAST space itself by automating the remediation of code vulnerabilities and handing developers the actual code changes needed to fix them, rather than only a finding to act on.
Beyond the three leaders, Forrester placed the remaining evaluated vendors in lower tiers. HCL Software, Snyk, and OpenText were rated strong performers; GitLab, GitHub, and SonarSource were rated contenders; and Perforce Software and Contrast Security were rated challengers.
Among the leaders, Veracode has applied artificial intelligence and machine learning to its static scanning engine. The company has re-architected its platform to offer several candidate fixes for a given vulnerability and to return results within milliseconds. It has also used AI to automate remediation, generating fixes for the most common vulnerability types across the languages it supports. Chief Product Officer Brian Roche pointed to the company's approach of identifying vulnerabilities at every step of the software development lifecycle.
Synopsys, by contrast, has focused on aligning its SAST capabilities with software composition analysis (SCA) and application security posture management (ASPM). The company has improved the speed and consistency of incremental analysis through deeper procedural analysis, and has introduced a Software Risk Manager product that combines SAST with SCA and ASPM so that customers can reach static analysis results through several different entry points. Integrations with GitHub, GitLab, and Azure bring SAST and SCA results into the platforms developers already use.
Checkmarx has taken up AI by building a plug-in for OpenAI that lets developers check third-party code for vulnerabilities before accepting it into their codebase. CEO Sandeep Johri stressed the value of checking code at the point of entry so that insecure code never reaches an organization's systems. Checkmarx aims to consolidate the application security space around a comprehensive SAST offering. Forrester faulted the company for lacking automated remediation and for gaps in certain features of its on-premises offering.
Overall, the SAST market is changing quickly, with vendors expanding from code analysis into infrastructure as code scanning and adjacent categories such as SCA and ASPM. Forrester's rankings reflect that change and underline the case for a consolidated approach to application security. The use of artificial intelligence and machine learning, above all for automated remediation, is expected to reshape the market further by cutting the time between a finding and its fix.