In the 2020 Gartner Magic Quadrant for Application Security Testing, Synopsys leads the field for the second consecutive year for our ability to execute and our completeness of vision.
I’m proud to report that Gartner has positioned Synopsys as a Leader in the 2020 Magic Quadrant for Application Security Testing for the fourth consecutive year. This year, Synopsys again moved further up and to the right for our ability to execute and for our completeness of vision. This places Synopsys in the top right position for the second consecutive year.
Development is evolving, and AST must keep pace
Application security testing (AST) is evolving at a rapid pace as the focus shifts from out-of-band testing in the later stages of the secure development life cycle (SDLC) to event-driven testing throughout the build/test/deploy cycle. Testing must be readily integrated into development processes and support the ever-changing toolset used to create CI/CD pipelines.
Gartner highlights this evolution in the 2020 Magic Quadrant:
“Gartner has observed the major driver in the evolution of the AST market is the need to support enterprise DevOps initiatives. Customers require offerings that provide high-assurance, high-value findings while not unnecessarily slowing down development efforts. Clients expect offerings to fit earlier in the development process, with testing often driven by developers rather than security specialists. As a result, this market evaluation focuses more heavily on the buyer’s needs when it comes to supporting rapid and accurate testing capable of being integrated in an increasingly automated fashion throughout the software development life cycle.”1
I am proud to say that Synopsys has answered this challenge, which we believe is evidenced by the 2020 Magic Quadrant for Application Security Testing and the associated Critical Capabilities for Application Security Testing. In the latter document, Synopsys tied for the highest score among vendors in the “Use Case for DevOps/DevSecOps.”2 Support for CI/CD tools is also called out as a strength in the narrative for Synopsys.
Further, our Code Sight plugin, which brings real-time testing to the developer’s IDE, has become the embodiment of the shift-left paradigm. Gartner calls out Code Sight in the “Strengths” section of the Synopsys narrative as providing the ability to spot security issues while the developer is coding. This functionality, which acts as a security spell-checker, helps developers prevent security flaws from entering the code so there are fewer defects to address later in development—ultimately reducing remediation costs and helping teams maintain velocity.
But we are not resting on our laurels. In February (after the deadline to be considered in the 2020 Magic Quadrant for Application Security Testing), Synopsys announced that Code Sight would become the first IDE plugin to offer both SAST and SCA capabilities in one tool. We are also adding remediation guidance capabilities that will advise developers on how to fix the issues that Code Sight finds. This will further fuel productivity and turn security from a roadblock to a critical enabler of DevOps.
In January 2020, just after the submission deadline for the 2020 Magic Quadrant for Application Security Testing, Synopsys addressed one of the “Cautions” expressed by Gartner in the Synopsys narrative: We added Tinfoil Security to our portfolio. Tinfoil adds a next-generation DAST tool to complement the DAST managed service we already provide to over 500 customers worldwide. Further, Tinfoil built their DAST offering for use by developers in the SDLC, adding even more strength to the Synopsys AST value proposition for DevOps. We closed a gap in the portfolio, and we did so with a tool that advances how DAST will be used by development organizations.
Synopsys is continuously innovating to provide organizations the AST solutions they need as they adopt DevOps. In fact, Gartner calls out our increased support for CI/CD tools in the “Strengths” section of the document. We see the results of the 2020 Magic Quadrant for Application Security Testing as validation that Synopsys is keeping pace as application development continues to evolve.
Comprehensive, market-leading portfolio
Synopsys is committed to being the industry leader in software security and quality, and our position in the Gartner Magic Quadrant provides validation of that commitment. As Gartner notes in the Synopsys narrative, our portfolio is perfect for those organizations getting started with AST and is equally a strong fit for advanced organizations.
The strength of our portfolio comes from two dimensions. First, the portfolio is the most comprehensive in the market, supplementing the foundational elements of SAST (Coverity®), DAST (Tinfoil Application Scanner), IAST (Seeker®), and SCA (Black Duck®) with unique offerings such as Defensics® protocol fuzzing and the Tinfoil Security API Scanner. Second, each tool stands on its own as a market leader in its functional area. For example, Coverity and Black Duck are leaders in The Forrester Wave™ reports for static analysis and software composition analysis, respectively.
A summary of our portfolio is as follows:
- Coverity provides world-class static analysis testing for security and for quality. For organizations in the IoT space or selling products with embedded software, the combination of quality and security is critical. Coverity continues to expand language and framework support and is now available in the cloud.
- Black Duck provides comprehensive software composition analysis capabilities, including our unique ability to perform binary code analysis through Black Duck Binary Analysis. No other product has the depth of analysis and fidelity of Black Duck, which is critical as open source use continues to grow.
- Seeker interactive application security testing allows users to test running applications and provides active verification to determine whether a security vulnerability (e.g., XSS or SQL injection) can be exploited. Seeker is readily integrated into CI/CD workflows, enabling testing at DevOps speed.
- Defensics protocol fuzzing enables organizations to discover and remediate software security weaknesses not discovered by traditional AST tools. Synopsys is the only vendor to offer fuzzing as part of our portfolio, and we believe that it provides organizations an interesting option for additional coverage.
- Synopsys offers a full range of managed services to perform SAST and DAST testing, as well as mobile testing. In short, our managed services capabilities mean that we do not have to say no to customers whose requirements involve specialized languages or other special needs.
- The Tinfoil Security Web Scanner (not included in the Gartner Magic Quadrant) provides DAST capabilities that focus on the needs of developers. The tool integrates deeply into the DevOps environment, allowing customers to integrate security effectively into their development processes.
- The Tinfoil API Scanner provides testing for those applications that lack a web interface. It’s the perfect tool for IoT applications and mobile devices. As applications are increasingly built on top of complicated microservice architectures using RESTful APIs, the API Scanner will be a critical tool for identifying vulnerabilities.
We believe that the 2020 Magic Quadrant for Application Security Testing validates our commitment and demonstrated progress toward creating the most comprehensive software security portfolio on the market.
The Synopsys team is incredibly proud of our position in the 2020 Magic Quadrant for Application Security Testing. We believe that it signifies the success of our efforts to build and evolve our offerings to meet the changing requirements of today’s development processes. Every day, organizations look for new and compelling ways to build secure, high-quality software faster. We at Synopsys have created a portfolio to help them conquer that challenge. Security should be viewed not as an inhibitor of productivity but as an enabler. That happens only when security tools integrate into DevOps processes seamlessly and efficiently, in a way that enhances productivity by making the developer a key component in the security process.
So we believe the Synopsys dot at the top right of the 2020 Magic Quadrant for Application Security Testing diagram is more than simply a dot. We believe it is an affirmation that we are truly enabling organizations to build secure, high-quality software faster.
1. Gartner, Inc. “Magic Quadrant for Application Security Testing” by Mark Horvath, Dionisio Zumerle, and Dale Gardner, April 29, 2020.
2. Gartner, Inc. “Critical Capabilities for Application Security Testing” by Dale Gardner, Dionisio Zumerle, and Mark Horvath, April 27, 2020.
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Synopsys.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.
This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Jim Ivers. Read the original post at: https://www.synopsys.com/blogs/software-security/gartner-mq-ast-2020/