Developing and maintaining secure code at scale is hard. Having the right Static Application Security Testing (SAST) solution makes it easier, but how are practitioners to choose? In the following interview, you’ll learn about three emerging trends from detailed analysis of the SAST landscape in The Forrester Wave™: Static Application Security Testing, Q3 2023.
Veracode earns the top scores across the Current Offering, Strategy, and Market Presence (tied) categories. To quote the report, “Veracode differentiates with reporting, remediation, and a programmatic approach” with a forward-looking vision that “translates to an exciting roadmap with AI-powered features for flaw prevention, automated remediation, intelligent prioritization, and cross-correlation of application security testing (AST) scans.”
Why a Report on SAST Matters Today
I sat down with Christy Smith, Veracode’s Head of Analyst Relations, to talk about this timely report and what trends can be found in this quickly evolving market – especially since the advent of AI.
Natalie Tischler: Decades ago, SAST kicked us off into the world of securing code. Why now in 2023 would a report on it still matter?
Christy Smith: It’s true that static is one of the first types of application scanning, and it's been around for a long time. That said, there are a lot of pressures in the marketplace due to moving to the cloud, microservices, and changes to working with containers and infrastructure as code (IaC) which are getting scanned using static analysis. Also, there are also so many new programming languages and new development technologies.
The shift to DevOps or DevSecOps has made it even more important to bring static scanning in, too. And even though it's an older technology, many of the changes that have happened have been in where this type of testing happens. For the longest time, scanning was happening after stuff was in production or right before it went to production; it was this process that got bolted on to everything else.
This report tracks the need for static scanning to become usable and friendly to developers early in the lifecycle where it’s a lot cheaper and easier to fix flaws. SAST has a reputation as being something that slows development down, but it doesn't have to.
Key Observations Emerging from the SAST Market
NT: Let’s go deeper into what you see emerging from the SAST market and what’s important to consider in an evaluation.
CS: One of the things I love about the way that Forrester runs a vendor analysis is that they first produce a vendor Landscape report. It looks at what the problems in the market are, what the benefits of a particular type of technology or process are, and what challenges organizations might have in adopting it. This broader look at the overall trends and the use cases sets the stage for a smaller subset of vendors that Forrester takes a closer look at, and they are able to distill the trends that they're seeing in the marketplace.
And in this SAST report, they talk about what SAST customers should look for in a provider. These are:
Increasing developer velocity. This is what I was just talking about with the need to pull these analysis tools earlier in the development lifecycle without taking a hit on the speed and productivity.
Secure new and emerging technologies. Just look at the advent of generative AI. I'll be honest and say that I have taken a lot of research from firms like Forrester back to our own security operations teams to talk about new attack vectors and new threats that can be posed by a lot of these new technologies. AI and ML applications rely heavily on API's. They rely heavily on cloud, container, and infrastructure is code. Static analysis can be used in many cases to help remove vulnerabilities in those areas.
Automating the remediation process. Now, I spend more time than I'm probably willing to admit looking at the last version of a report and the current version of the report to really understand how trends reflect the way vendors are assessed. And this automation of the remediation process is really well represented in the changes that Forrester made in this wave to their categories and criteria for current offering.
Remediation is an expanded category. It now includes automation and prioritization in the underlying criteria that you don't see in the report. It jumped from being worth 10% of the score to 25% of the score. It's worth a full quarter of the Current Offering score, which means to me that they’re acknowledging the shift from the find to the fix.
NT: Why is that?
CS: Let's face it: in many communities, SAST doesn't have a great reputation. It can generate a lot of noise, but the key word there is “can”. When Veracode pioneered static analysis, we had a very interesting way of doing this. It’s binary scanning as opposed to source code scanning like many of our competitors. Veracode’s way of binary scanning is more accurate and raises fewer false positives, so developers spend less time chasing noise around.
That's why we built Veracode Fix, a tool that helps automate remediation in the environment where developers work. It's something we started around four years ago when Veracode leadership asked our customers what the most important thing to solve is, and they came back to us with: remediation.
That’s when we realized it was not about the find; it was about the fix. Some Java teams, we know this from our State of Software Security data, struggle to remediate even just a quarter of their static analysis findings. And in many cases, the rate of introducing new flaws is higher than their rate at being able to close them.
This means that despite all of the time and energy that developers are spending trying to fix flaws, security debt could still be increasing overall.
With Veracode Fix, we are not trying to solve every problem. We don't have automated remediation assistance for every flaw category that's out there. And that's by design: We would rather be able to provide high-quality, high-confidence fixes that developers can trust. There’s no way we’d put the burden on them to guess whether it's accurate.
How Security Practitioners Can Best Utilize these Insights
NT: We talked about why a report on SAST matters – but why would a security practitioner find this report valuable?
CS: Analyst reports are designed to help practitioners make unbiased, informed decisions about the technology and processes that they bring into the people inside their organization. Analysts' reports matter. There’s a lot of research and due diligence that goes into one of these.
To be in an analyst report like this, I first go through the whole landscape process where we provide a briefing to talk about the trends that we were seeing. Next, we review our customers’ key use cases against the trends the analyst has spotted, highlight industries we serve, provide revenue numbers...the whole process takes about four months before the Landscape report is published.
And then we move into a six-month process for the evaluation itself. That involves an in-depth survey, where I get individuals from all over the company to talk about everything from our financial metrics to how we run our services to our own product security. We submit multiple customer references, who must complete an online survey, and then there’s a two-hour briefing, which covers both how we run our business and a very structured, in-depth technical product demo.
An industry analyst firm goes through this rigorous process to provide meaningful results to their readers.
Practitioners can use reports like the Forrester Wave to make decisions about what technology to bring in based on the criteria that are most important to them. The way in which the scores are categorized helps a practitioner determine the right solution for them, not just for today, but for tomorrow.
Current Offering is: How strong is your offering today?
Strategy is: How are you executing on that, and what does your vision and innovation look like in the future?
For us, the profile reads, “Veracode’s forward looking vision is to lower the development burden, while providing security with a 360-degree view of the application risk landscape. This translates to an exciting roadmap with AI-powered features for flaw prevention, automated remediation, intelligent prioritization, and cross correlation of application security testing scans.”
NT: It's like analyst reports make this demilitarized zone where people can safely go for information about a rapidly changing world. At the end of the day, every person working at every company in this report wants a more secure world. I’d like to thank them for their efforts to make this world a safer place, and thanks for your insights on this topic, Christy.