On July 12, 2021, Gartner published an updated Hype Cycle for Application Security, 2021.
This report shows that the adoption of cloud-native design patterns and the mainstreaming of microservices architectures, containers, and functions have accelerated the adoption of application security controls. Gartner’s Enabling Cloud-Native DevSecOps Survey for 2021 showed that more than two-thirds of the participating organizations are using static application security testing (SAST) in development to secure cloud-native applications.
Gartner analyst Dale Gardner defines application security orchestration and correlation (ASOC) tools as solutions that ease software vulnerability testing and remediation by automating workflows and processing findings. ASOC tools correlate and analyze findings to centralize efforts for easier interpretation, triage, and remediation.
Importantly, ASOC products support broad integration and interoperability with commercial application security testing products, enabling greater control over and visibility into testing. Orchestration capabilities allow solutions to interact with continuous integration/continuous delivery (CI/CD) toolchains to specify testing and control the release of a given build based on results.
Key drivers for this solution class are the following:
- Struggling to prioritize vulnerability remediation and mitigation efforts during and after development, given the growing volume of information provided by application security testing tools. ASOC tools address this challenge by ingesting information from multiple testing sources, correlating results, and increasingly aiding in the automation of prioritization and triage tasks.
- Difficulty in reporting the risk posture of applications, absent meaningful business metrics and threat intelligence between developers and operations teams. ASOC helps to translate raw vulnerability data into a form more relevant to executives and application owners.
Gartner estimated the market penetration of ASOC tools at 5% to 20% of the target audience.
Source: Hype Cycle for Application Security, 2021