True leadership involves helping others succeed. This is as true in the world of cyber security as it is anywhere else, and it’s a philosophy we take seriously at Synopsys. Which is why I’m proud to report that for the fifth consecutive year, Gartner has positioned Synopsys as a Leader in the Magic Quadrant for Application Security Testing (AST). And for the third consecutive year, Synopsys is placed highest and furthest for our ability to execute and our completeness of vision.
This continued recognition from Gartner reflects our commitment to building trust in software and to helping our customers succeed by bridging the gap between development and security and enabling their developers to move faster.
Speed vs. friction: The new dynamics of AppSec
For our customers, speed is the name of the game. The faster they can go to market with their offerings, the more successful they are. Software developers must move fast to keep up, checking in code changes on a daily or even hourly basis. Anything that gets in their way or slows them down is a potential threat to their business.
Gartner has also observed this new reality, as stated in the Magic Quadrant report:
“Customers require offerings that provide high assurance, high-value findings, while not unnecessarily slowing down development efforts. Clients expect offerings to fit earlier into the development process, with testing often driven by developers rather than security specialists. As a result, this market evaluation focuses more heavily on the buyer’s needs when it comes to supporting rapid and accurate testing capable of being integrated in an increasingly automated fashion throughout the software development life cycle (SDLC).”
Given this emphasis on speed, and the complexity that comes with managing the exponential growth in software, it’s no surprise that application-layer vulnerabilities remain the biggest cyber security risk. At the same time, development and application security (AppSec) teams have learned the hard way that throwing more automation and more testing tools into the mix isn’t the answer when it just produces more noise. In fact, more automation and more testing too often lead to clogged pipelines and overwhelmed developers, causing them to spend more time tracking down dead ends than creating software.
Given our industry-leading, comprehensive portfolio of application security testing products and services, we recognized the need to do more to help our customers overcome friction and complexity within their SDLCs. What was missing was the ability to harmonize the various testing solutions, optimized for speed and efficiency, within their development toolchains and workflows.
Our answer to this need is Intelligent Orchestration—a dedicated AppSec automation pipeline that ensures the right security tests are performed at the right time. It runs only the tests you need, when you need them, and filters the results based on risk, so developers can focus on what matters most. Its concepts and technology were developed and refined through years of experience helping customers navigate the challenges of balancing speed with large volumes of security testing results.
The seamless integration of Intelligent Orchestration with existing pipelines and development toolchains, including open source and third-party tools, is essential in our quest to provide transparent, value-driven solutions to the market.
Industry-leading portfolio of products and services
Synopsys remains committed to providing the most comprehensive suite of AppSec tools, and our position in the Gartner Magic Quadrant provides validation of that commitment.
The strength of our portfolio comes through in two dimensions. First, the portfolio is the most comprehensive in the market, supplementing the foundational elements of SAST (Coverity®), DAST (Tinfoil Web Scanner™), IAST (Seeker®), and SCA (Black Duck®) with unique offerings such as Defensics® protocol fuzzing and Tinfoil API Scanner™. Second, each tool stands on its own as a market leader in its functional area. For example, Coverity and Black Duck are leaders in The Forrester Wave™ reports for static analysis and software composition analysis, respectively.
Here is a quick summary of our portfolio:
- Coverity provides world-class static application security testing (SAST) for security and quality. For organizations in the IoT space or selling products with embedded software, the combination of quality and security is critical. Coverity continues to expand language and framework support and is now available in the cloud.
- Black Duck provides comprehensive software composition analysis (SCA) capabilities, including our unique ability to perform binary code analysis through Black Duck Binary Analysis. No other product has the depth of analysis and fidelity of Black Duck, which is crucial as open source use continues to grow.
- Seeker interactive application security testing (IAST) allows users to test running applications and provides active verification to determine whether a security vulnerability (e.g., XSS or SQL injection) can be exploited. Seeker is readily integrated into CI/CD workflows, enabling testing at DevOps speed.
- Defensics protocol fuzzing enables organizations to discover and remediate software security weaknesses not discovered by traditional AST tools. Synopsys is the only vendor to offer fuzzing as part of our portfolio, and we believe that it provides organizations an interesting option for additional coverage.
- Synopsys offers a full range of managed services to perform SAST and dynamic application security testing (DAST), as well as mobile testing. Our managed services capabilities mean that we don’t have to say no to customers that have requirements involving specialized languages and other requirements.
- Tinfoil Web Scanner provides DAST capabilities that focus on the needs of developers. It integrates deeply into the DevOps environment, allowing customers to incorporate security effectively into their development processes.
- Tinfoil API Scanner provides testing for modern, API-driven applications. It’s the perfect tool for IoT applications and mobile devices. As applications are increasingly built on top of complicated microservice architectures using RESTful APIs, Tinfoil API Scanner will be a vital tool for identifying vulnerabilities.
A look ahead
In addition to continuing to optimize our suite of offerings and Intelligent Orchestration, Synopsys has several exciting initiatives underway to help our customers minimize risks while maximizing speed and productivity. And while I don’t want to give any spoiler alerts, we believe the continued recognition by Gartner for our completeness of vision is evidence of our forward-looking approach to application security.
I would be remiss if I didn’t mention our strong showing in this year’s Gartner Critical Capabilities for Application Security Testing report as well. Out of five use cases, Synopsys earned the highest score among vendors in three of them: Mobile & Client, DevOps/DevSecOps, and Cloud-Native Applications. Again, we pride ourselves in providing security solutions for the areas most relevant to our ever-changing market.
As we look ahead, we’re excited to continue this journey of bringing trust to software in a holistic and open manner.
https://securityboulevard.com/2021/06/synopsys-named-a-leader-in-the-2021-gartner-magic-quadrant-for-application-security-testing-for-the-fifth-year/