If you’re looking to start or optimize an AppSec program in 2021, the Forrester Wave™ report is a good place to begin your research. The report not only details essential elements of AppSec solutions, but also ranks 12 static application security testing (SAST) vendors based on their current offering, strategy, and market presence.
Development speeds and methods are changing and the requirements for a SAST solution are evolving as well. Forrester notes that SAST providers need to build their security solutions into the software development lifecycle (SDLC); integrate them into the CI/CD pipeline; protect new architectures like containers; and provide accurate, actionable results.
To help development teams and security and risk professionals identify the industry’s foremost SAST providers, Forrester conducted a 28-criterion evaluation. The research and analysis identified Veracode as a leader among SAST providers. The Forrester report noted, “For firms looking for an enterprise-grade SAST tool, Veracode remains a top choice.”
The Forrester report specifically mentions, “Veracode has invested in the developer experience.” Veracode’s SAST offering is fully cloud-based and offers three different levels of scans that aid developers:
- IDE Scan provides focused, real-time security feedback while the developer codes. It also helps developers remediate faster and learn on the job through positive reinforcement, remediation guidance, code examples, and links to Veracode application security (AppSec) tutorials.
- Pipeline Scan happens in the build phase. It embeds directly into teams’ CI tooling and provides fast feedback on flaws introduced by new commits. It helps answer the question, “is the code my team is writing secure?”
- Policy Scan reviews code before production to ensure that applications are meeting policy compliance and industry standards. It helps answer the question, “are my organization's applications secure?”
Veracode also offers Security Labs, which trains developers to tackle evolving security threats by exploiting and patching real code. Through hands-on labs that use modern web apps, developers learn the skills and strategies that are directly applicable to their organization's code. Detailed progress reporting, email assignments, and a leaderboard encourage developers to continuously level up their secure coding skills.
We believe prioritization is another important strength for Veracode. As the Forrester report states, “…Veracode’s graphical representation of code flaws according to risk and ease of fix [are] unmatched in the market.” In addition, the report states, “References complimented Veracode's premium support,” and Veracode is highly rated by customers for remediation guidance. As one customer stated, “the relationship [with Veracode] really stands out.”
Download The Forrester Wave™: Static Application Security Testing, Q1 2021 report to learn more about what to look for in a SAST vendor and for more information on Veracode’s position as a Leader.