On July 27, 2018, Gartner published an updated Hype Cycle for Application Security, 2018. In this report, Gartner provides an update to application security testing orchestration (ASTO) and application vulnerability correlation (AVC) product segments. Gartner positions both product segments “On the Rise” phase of Inflated Expectations.
Orchestration
Dale Gardner and Michael Isbitski, the Gartner analysts describing ASTO product segment, provided the same as in the previous year definition: “Application security testing orchestration (ASTO) automates security testing tooling, typically as part of DevSecOps initiatives. These products act as a management layer between:
- Development systems such as integrated developer environments (IDE), continuous integration/continuous delivery (CI/CD) systems and bug tracking
- OSs such as container orchestration engines and continuous configuration automation
- Security testing, such as AST, vulnerability assessment/management”
Gartner identified the following benefits of orchestration functionality: “Application security, development and operations teams are challenged with issues around coordinating and executing application security testing activities and programmatically examining the results. ASTO tools are well-positioned to resolve these challenges, and offer significant benefits. “
Gartner estimated market penetration of ASOC tools at 1% to 5% of target audience.
Correlation
Dale Gardner, the Gartner analyst describing AVC product segment, provided the following definition: “Application vulnerability correlation (AVC) tools are workflow and process management tools that streamline software vulnerability testing and remediation. They incorporate findings from multiple data sources (static, dynamic and interactive security testing [SAST/DAST/IAST], software composition analysis [SCA] and other sources) into a centralized database. AVC tools then correlate and analyze findings to centralize and prioritize remediation efforts. Some tools also orchestrate and automate testing activities.”
Gartner identified the following benefits of correlation functionality: “Gartner clients struggle with prioritizing and managing vulnerability remediation efforts, given the volume of vulnerability information provided by application security testing tools and other sources of vulnerability data. Developers and operations team also encounter difficulty in reporting the risk posture of applications to management, absent meaningful metrics. These factors continue to drive interest in AVC tools, which can assist in automating application security testing and prioritization activities, as well as delivering more risk-based reporting suitable for managers and application owners.”
Gartner estimated market penetration of AVC tools at 1% to 5% of target audience.