On July 30, 2019, Gartner published an updated Hype Cycle for Application Security, 2019. In this report, Gartner has combined application vulnerability correlation (AVC) and application security testing orchestration (ASTO) into one product segment named application security orchestration and correlation (ASOC). Gartner positioned this product segment as approaching the Peak of Inflated Expectations.
Dale Gardner, the Gartner analyst describing this product segment, provided the following definition of the market segment: “Application security orchestration and correlation (ASOC) tools streamline software vulnerability testing and remediation by automating workflows. They automate security testing, ingesting data from multiple sources (static, dynamic and interactive testing [SAST/DAST/IAST], software composition analysis [SCA], vulnerability assessments and others) into a database. ASOC tools correlate and analyze findings to centralize and prioritize remediation efforts. They act as a management layer between application development and security testing tools.”
Orchestration can interact with continuous integration/continuous delivery (CI/CD) toolchains to control the disposition of a given build based on test results. Gartner outlines clear benefits of orchestration: “The automation of security testing within a CI/CD build pipeline requires integration of disparate native capabilities, via APIs or command line scripting, and across multiple toolsets. With high volumes of development and multiple toolsets, this quickly becomes a resource-intensive effort. ASOC tooling alleviating the integration and management burden will be a significant requirement for such organizations.”
Correlation automates the prioritization of discovered vulnerabilities and provides more meaningful results to developers. Gartner identified the following benefits of correlation functionality: “The analysis and correlation of testing results from multiple tools across different development projects — even among organizations relying on traditional development methodologies — is technically challenging and time-consuming. Correlation and analysis capabilities, combined with integration with defect tracking systems, speed the process while ensuring developers are presented with the most significant vulnerabilities for remediation.”
Gartner estimated the market penetration of ASOC tools at 1% to 5% of the target audience.