On July 28, 2017, Gartner published Hype Cycle for Application Security, 2017. In this report, Gartner updates the application vulnerability correlation (AVC) product segment it introduced in 2016 and introduces application security testing orchestration (ASTO) for the first time. Gartner positions both product segments in the “On the Rise” phase of the Hype Cycle, climbing toward the Peak of Inflated Expectations.
Correlation
Dale Gardner, the Gartner analyst covering the AVC product segment, provided the following definition: “Application vulnerability correlation (AVC) tools are workflow and process management tools that streamline software development application vulnerability testing and remediation. They incorporate findings from various security-testing data sources (static and dynamic application security testing, software composition analysis, penetration testing, and code reviews) into a centralized tool. AVC tools correlate vulnerability findings to centralize data, perform analysis, prioritize remediation and coordinate application security activities.”
Gartner identified the following benefits of correlation functionality: “Because of the competitive nature of the application security testing tools market, very few existing products offer correlated vulnerability information from adjacent scanning tools, creating demand for AVC products providing this capability. Without AVC tools, it’s difficult to prioritize vulnerability information in a coherent manner so remediation efforts may be structured to address the highest risk vulnerabilities across an entire software portfolio. The status quo also creates a barrier to visibility into the risk posed by applications within a portfolio because of the lack of a single consolidated source of software vulnerability data.”
Gartner estimated market penetration of AVC tools at 1% to 5% of the target audience.
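The correlation step Gartner describes above, as an added example that is not part of the report or of any AVC product: three constructed scanner exports (SAST, DAST and SCA, in hypothetical formats that stand in for vendor schemas) are normalised into one finding schema, DAST URL findings are joined to source files through an assumed route table, duplicates are merged on (CWE, asset), and the result is ranked so that a weakness confirmed by two testing techniques outranks a single-tool finding of the same severity. The route table, report formats and scoring weights are all assumptions made for the example.

```python
"""Minimal application vulnerability correlation (AVC) over three tool exports."""
from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import urlparse
import json

# Constructed sample reports. The formats are hypothetical stand-ins for
# SAST/DAST/SCA exports and do not follow any real vendor's schema.
SAST_REPORT = json.dumps({"results": [
    {"rule": "sql-injection", "cwe": 89, "file": "app/orders.py", "line": 42, "severity": "HIGH"},
    {"rule": "hardcoded-secret", "cwe": 798, "file": "app/config.py", "line": 7, "severity": "MEDIUM"},
]})
DAST_REPORT = json.dumps({"alerts": [
    {"name": "SQL Injection", "cweid": "89", "url": "https://shop.example/api/orders?id=1", "risk": "High"},
    {"name": "Missing X-Content-Type-Options", "cweid": "693", "url": "https://shop.example/", "risk": "Low"},
]})
SCA_REPORT = json.dumps({"vulnerabilities": [
    {"package": "pyyaml", "version": "5.3", "cwe": "CWE-502", "severity": "critical", "advisory": "unsafe load"},
]})

# Assumed route table: which source file handles which URL path. Real AVC tools
# derive this from framework metadata or instrumentation; here it is hand-written.
ROUTE_TO_FILE = {"/api/orders": "app/orders.py", "/": "app/views.py"}

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    source: str    # tool class that produced the finding
    cwe: str       # normalised to "CWE-<n>"
    asset: str     # source file, URL path mapped to a file, or package@version
    severity: str  # lower-case, one of SEVERITY_RANK
    title: str


def normalize_cwe(value) -> str:
    text = str(value).upper()
    return text if text.startswith("CWE-") else f"CWE-{text}"


def url_path(url: str) -> str:
    return urlparse(url).path or "/"


def normalize_sast(report: str) -> list[Finding]:
    return [Finding("sast", normalize_cwe(r["cwe"]), r["file"], r["severity"].lower(), r["rule"])
            for r in json.loads(report)["results"]]


def normalize_dast(report: str) -> list[Finding]:
    out = []
    for a in json.loads(report)["alerts"]:
        path = url_path(a["url"])
        asset = ROUTE_TO_FILE.get(path, path)  # keep the raw path when no handler is known
        out.append(Finding("dast", normalize_cwe(a["cweid"]), asset, a["risk"].lower(), a["name"]))
    return out


def normalize_sca(report: str) -> list[Finding]:
    return [Finding("sca", normalize_cwe(v["cwe"]), f'{v["package"]}@{v["version"]}',
                    v["severity"].lower(), v["advisory"])
            for v in json.loads(report)["vulnerabilities"]]


@dataclass
class Correlated:
    cwe: str
    asset: str
    severity: str
    sources: set[str] = field(default_factory=set)
    titles: set[str] = field(default_factory=set)

    @property
    def score(self) -> int:
        # Severity dominates; each independent technique that saw the weakness adds one,
        # so a SAST+DAST hit (statically present and dynamically reachable) beats a
        # single-source finding of the same severity. Unknown severities rank as 0.
        return SEVERITY_RANK.get(self.severity, 0) * 10 + len(self.sources)


def correlate(findings: list[Finding]) -> list[Correlated]:
    merged: dict[tuple[str, str], Correlated] = {}
    for f in findings:
        c = merged.setdefault((f.cwe, f.asset), Correlated(f.cwe, f.asset, f.severity))
        if SEVERITY_RANK.get(f.severity, 0) > SEVERITY_RANK.get(c.severity, 0):
            c.severity = f.severity  # keep the most severe rating any tool assigned
        c.sources.add(f.source)
        c.titles.add(f.title)
    return sorted(merged.values(), key=lambda c: c.score, reverse=True)


def prioritized_report() -> list[Correlated]:
    findings = normalize_sast(SAST_REPORT) + normalize_dast(DAST_REPORT) + normalize_sca(SCA_REPORT)
    return correlate(findings)


if __name__ == "__main__":
    for c in prioritized_report():
        print(f"{c.score:3} {c.severity:8} {c.cwe:8} {c.asset:22} seen by {sorted(c.sources)}")
```

The five raw findings collapse to four: the SAST and DAST SQL injection results meet on (CWE-89, app/orders.py) because the route table maps /api/orders to that file, and they rank second only to the critical SCA advisory. Without a join key of this kind the two SQL injection results would be tracked as separate tickets, which is the duplication the AVC category exists to remove.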
Orchestration
Dale Gardner and Michael Isbitski, the Gartner analysts covering the ASTO product segment, provided the following definition: “Application security testing orchestration (ASTO) integrates security tooling across a software development life cycle (SDLC), typically as part of DevSecOps initiatives. The products act as middleware or a management layer between:
- Development systems such as integrated developer environments (IDEs), continuous integration/continuous delivery (CI/CD) systems and bug tracking;
- Operations systems such as container orchestration engines and continuous configuration automation;
- Security systems such as scanning tools and vulnerability management.”
Gartner identified the following benefits of orchestration functionality: “These tools are particularly beneficial to organizations adopting more rapid application development methodologies, specifically DevOps. The ability to rapidly ‘stitch together’ disparate tools and processes, coordinate their execution, and examine the results offers significant benefits.”
Gartner estimated market penetration of ASTO tools at less than 1% of the target audience.