On August 6, Gartner published the 2015 edition of the "Magic Quadrant for Application Security Testing¹" – and once again, Veracode is positioned in the "Leaders" quadrant. Our position in the quadrant, as well as the subsequent write-up of the company's strengths and cautions, is exciting, as we feel it validates that we are the best pure-play provider of application security.
While our position within the quadrant, and Gartner's analysis of our company, is exciting, I found the market write-up equally interesting. Once the Magic Quadrant is released, the promotion around company positions is so dense that the market analysis is often overlooked. But the market analysis done by Gartner is just as important as the vendor analysis because this information can help enterprises shape their strategies for reducing risk.
The report opens with a paragraph describing why application security is so important:
"Highly publicized breaches in the past 12 months have raised awareness of the need to identify and remediate vulnerabilities at the application layer. Enterprise application security testing solutions for Web, native, cloud and mobile applications are key to this strategy."
As the quote notes, we've seen an uptick in the number of breaches that are attributed to the application layer – which made 2014 the year of the application-layer breach. In a report published by Symantec earlier this year, the company stated that "In 2014, 20 percent (1 in 5) of all vulnerabilities discovered on legitimate websites were considered critical, meaning they could allow attackers to access sensitive data, alter the website's content, or compromise visitors' computers." And as the Verizon report shows, web applications are one of the most common attack vectors. This is because, more than ever, companies are relying on applications as a source of innovation. But the traditional tools-based approach to application security can't scale with the rapid proliferation of applications.
Gartner's 2015 "Magic Quadrant for Application Security Testing¹" also discussed technologies that will be critical to securing the application infrastructure of the future. Gartner postulates that emerging technologies like IAST (Interactive Application Security Testing) and RASP (Runtime Application Self-Protection) will be a critical part of the application security program of the future, and thus placed a stronger emphasis on these technologies in respect to the evaluation criteria of each vendor in the quadrant. Gartner calls this criteria "market understanding" and "innovation," meaning that the companies that have greater market understanding "understand the buyers' needs and translate them into products and services." Veracode's position within the quadrant demonstrates our understanding of market needs as well as our consistent product innovation to meet those needs.
I recommend that anyone interested in how the AppSec market is evolving to help enterprises reduce risk read the entire report. In addition to the vendor analysis, there is some great information about the direction innovation is taking and how early adopters of new AppSec technologies are thinking about security. You can download the report here: https://info.veracode.com/analyst-report-gartner-application-security-testing-magic-quadrant-2015.html
¹ Gartner, Inc. 2015 "Magic Quadrant for Application Security Testing" by Neil MacDonald, Joseph Feiman, 6 August, 2015.