The Forrester Wave™: Static Application Security Testing, Q4 2017
by Amy DeMartine
with Christopher McClean, Trevor Lyness, and Andrew Reese
December 12, 2017
FORRESTER.COM
For Security & Risk Professionals
›› They empower developers to fix security weaknesses while they develop. Because SAST tools
evaluate nonexecuting code, developers can run them extremely early in the software delivery life
cycle (SDLC), on code that is not yet complete enough to compile. Tools have even emerged that act
like a spell-checker inside an integrated development environment (IDE) while developers are editing
the code. These tools are pushing the use of SAST earlier in the SDLC; in 2017, 33% of global network
security decision makers who are planning to implement SAST in the next 12 months planned to do
so in the development phase, compared with only 20% during production (see Figure 1).
›› They teach developers how to write secure code. Schools don’t usually teach developers how
to write secure code. In fact, only one of the top 36 US computer science programs requires a
security course for graduation.1 Formal security training after university can be eye-opening, but it
takes alerts and remediation advice during the SDLC to reinforce security skills. Using SAST results
in quality gates that stop check-ins or builds emphasizes how important secure coding practices are
for the final product.
© 2017 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 2
Citations@forrester.com or +1 866-367-7378
For Security & Risk Professionals December 12, 2017
The Forrester Wave™: Static Application Security Testing, Q4 2017
The 10 Vendors That Matter Most And How They Stack Up
Figure 1 (chart): SAST adoption by SDLC phase, comparing firms that are implementing or have
implemented SAST with firms planning to implement SAST in the next 12 months.
Base: 703 global network security decision makers at firms with 20+ employees who plan to implement
or are implementing/have implemented SAST
Source: Forrester Data Global Business Technographics® Security Survey, 2017
›› Current offering. To evaluate current offering, we analyzed key functionality in the areas of
scanning accuracy, remediation advice, risk reporting, rule management, binary and byte code
scanning, breadth of source code language support, SDLC integration, and vendor self-analysis.
›› Strategy. Our assessment of strategy included product strategy, market approach, execution road
map, and training.
›› Market presence. To score market presence, we analyzed install base, growth rate, and corporate
profitability.
Forrester included 10 vendors in the assessment: CA Veracode, CAST, Checkmarx, IBM, Micro Focus,
Parasoft, Rogue Wave Software, SiteLock, SonarSource, and Synopsys. (Note: We evaluated IBM
Application Security On Cloud and IBM AppScan Source separately, as IBM sells them separately and
they differ in current offering, strategy, and market presence.) Each of these vendors has (see
Figure 2):
›› A comprehensive, enterprise-class SAST tool. All vendors in this evaluation offer a range of
SAST capabilities suitable for developers and security pros. We required participating vendors to
have most of the following capabilities out of the box: source code scanning with broad language
support, incremental scans, quality gates, and integrations with developer tools such as IDEs and
build tools.
›› Interest from Forrester clients, or relevance to them. Forrester clients often discuss the
participating vendors and products during inquiries and interviews. Alternatively, the participating
vendor may, in Forrester’s judgment, have warranted inclusion because of technical capabilities
and market presence.
Figure 2 (table): vendor, product evaluated, and product version evaluated for each of the 10 vendors.
Vendor Profiles
This evaluation of the SAST market is intended to be a starting point only. We encourage clients to
view detailed product evaluations and adapt criteria weightings to fit their individual needs using the
Forrester Wave™ Excel-based vendor comparison tool (see Figure 3).
Figure 3 (Forrester Wave™ graphic): vendors plotted from Weak to Strong on the vertical axis, across
the segments Challengers, Contenders, Strong Performers, and Leaders. Go to Forrester.com to download
the Forrester Wave tool for more detailed product evaluations, feature comparisons, and customizable
rankings.
Figure 3 scorecard. Columns, left to right: Forrester’s weighting, then one column per vendor in the
order CA Veracode, CAST, Checkmarx, IBM AppScan Source, IBM Application Security on Cloud, Micro
Focus, Parasoft, Rogue Wave Software, SiteLock, SonarSource, Synopsys.

Current offering 50% 3.26 2.59 2.62 2.47 1.70 3.32 1.78 1.42 0.67 2.35 3.45
Accuracy 20% 2.60 3.80 0.70 3.20 3.20 3.60 2.10 1.30 2.10 1.50 3.50
Remediation advice 5% 3.00 1.00 5.00 1.00 1.00 3.00 0.00 1.00 0.00 0.00 1.00
Risk reporting 5% 3.00 2.00 4.00 3.00 0.00 2.00 1.00 2.00 0.00 1.00 2.00
Rule management 15% 3.00 2.60 3.20 3.00 0.00 2.20 2.00 0.60 0.00 1.60 4.60
Binary and byte code scanning 5% 5.00 0.00 3.00 0.00 0.00 5.00 0.00 0.00 1.00 5.00 3.00
Breadth of source code language support 15% 4.00 5.00 5.00 3.00 2.00 4.00 2.00 1.00 1.00 3.00 3.00
SDLC integration 30% 2.95 1.30 2.00 2.25 2.20 3.40 2.20 2.40 0.15 2.70 4.20
Vendor self-analysis 5% 5.00 3.00 1.00 1.00 1.00 3.00 1.00 1.00 0.00 5.00 1.00

Strategy 50% 4.25 3.55 2.85 1.50 2.10 2.55 1.30 1.00 1.05 0.70 4.55
Product strategy 30% 3.00 3.00 3.00 2.00 2.00 1.50 2.50 2.00 1.00 1.00 3.50
Market approach 20% 5.00 5.00 1.00 2.00 5.00 1.00 2.00 2.00 2.00 2.00 5.00
Execution road map 15% 4.00 4.00 0.00 1.00 1.00 1.00 1.00 0.00 0.00 0.00 5.00
Training 35% 5.00 3.00 5.00 1.00 1.00 5.00 0.00 0.00 1.00 0.00 5.00

Market presence 0% 4.22 1.88 3.96 4.10 2.00 3.80 2.16 0.70 2.48 4.44 3.38
Install base 60% 4.20 1.80 4.60 5.00 1.00 5.00 3.60 1.00 0.80 4.40 3.80
Growth rate 10% 2.00 5.00 3.00 2.00 5.00 2.00 0.00 1.00 5.00 3.00 2.00
Corporate profitability 30% 5.00 1.00 3.00 3.00 3.00 2.00 0.00 0.00 5.00 5.00 3.00
Leaders Offer The Most Complete Solutions For Application Security Pros And Developers
›› Synopsys provides SAST scanning capabilities for use early in the SDLC. Synopsys Static
Analysis (formerly Synopsys Coverity) is the company’s traditional SAST scanning tool, and
SecureAssist provides on-the-fly scanning inside the IDE. Synopsys Static Analysis helps users
view the impact of rule changes by displaying a comparison of results before and after the
change without requiring a new scan. Static Analysis and SecureAssist are licensed per developer
based on annual or multiyear contracts. Synopsys Static Analysis stands out for its strong rule
management and SDLC integration.
›› CA Veracode delivers desktop and SaaS SAST for SDLC coverage. CA Veracode engineers
continuously review scans from the company’s SaaS offering and tweak vulnerability discovery
algorithms to reduce false positives. Along with its Application Security Platform, which provides
traditional static analysis SaaS capabilities, CA Veracode offers the Greenlight IDE plug-in for early,
on-the-fly SAST checking. CA Veracode Greenlight is sold as a subscription based on number
of developers, while CA Veracode Static Analysis is sold as a subscription based on number of
applications. CA Veracode shows very strong support for binary and byte code scanning as well as
wide support of source code language.
›› CAST marries security with quality metrics. The CAST Application Intelligence Platform (AIP)
offers a dashboard that security pros, development managers, and CIOs can use to capture
quality characteristics called health factors. These include robustness, efficiency, changeability,
transferability, and overall quality, along with security. CAST licenses AIP based on the functionality
an organization desires and its size (determined by the number of full-time engineers). Customers
can choose between a perpetual license on-premises implementation or a SaaS subscription
model. CAST AIP offers very strong breadth of source code language support but lacks many of
the SDLC integrations it needs to fully support developers.
›› Micro Focus’ SAST portfolio has different products depending on deployment need. In the
second half of 2017, HP Enterprise (HPE) software and Micro Focus merged, and the products
formerly known as HPE Fortify on Demand Static Testing (FoD), HPE Security Fortify SCA, and HPE
Security Fortify SSC (Management) now fall under the Micro Focus name. HPE Security Fortify SCA
is the on-premises product, and FoD is the SaaS offering. The only difference between the two is
that FoD can operate more like a service, letting Micro Focus’ security team evaluate scan results
to remove false positives and give remediation advice. The company licenses SCA per developer,
and it sells FoD on a per-scan subscription basis. Micro Focus’ products provide strong breadth of
source code language support along with sound support for SDLC integration; however, they offer
weak rule management.
›› Checkmarx CxSAST offers contextual training as a part of its remediation advice. Checkmarx
CxSAST is part of a broader portfolio that also includes products for software composition analysis
and interactive security testing. In early 2017, the company acquired the developer training
company Codebashing, and it now provides contextual training as part of its remediation advice,
as well as on-demand training for specific vulnerabilities and coding languages. Checkmarx
CxSAST is sold on a subscription basis in one-, two-, and three-year terms based on number of
users and number of projects or applications. Checkmarx CxSAST offers very strong remediation
advice and wide source code language support, along with sound risk reporting. By comparison,
however, the product offers weak support of SDLC integrations.
›› IBM AppScan Source brings to bear long-standing SAST functionality. As the on-premises
offering in IBM Security’s two-product SAST portfolio, AppScan Source has been on the market
longer, so it has more robust traditional SAST functionality such as rule management. AppScan
Source is sold under a perpetual license model per user, based on desired functionality. AppScan
Source features sound accuracy and very strong numeric scoring, but it lacks many of the SDLC
integrations it needs to fully support developers.
›› IBM’s Application Security on Cloud will gain AppScan Source functionality. Application
Security on Cloud (ASoC) is IBM’s SaaS offering. ASoC and AppScan Source currently share much
of the same code; over time, the two products will merge completely. However, the company
has not given a timeline for integration. Right now, ASoC has more advanced functionality than
AppScan Source — build tool integration, for example. ASoC is sold on a subscription basis either
per scan or unlimited scans per application. ASoC is missing much of the rule management and
risk reporting that AppScan Source provides, but it features increased build tool integration and the
same very strong numeric scoring and sound accuracy.
›› Parasoft licenses SAST modules based on source code requirements. Parasoft sells SAST in
individual modules with perpetual, subscription, and enterprise pricing models. The modules are
based on source code language, with options of Parasoft Jtest, Parasoft C/C++test, and Parasoft
dotTEST. The Parasoft Development Testing Platform product brings results from these different
modules together for reporting. Parasoft focuses its SAST scanning functionality on internet of
things (IoT) and embedded software use cases. The company’s SAST technology offers sound
ticketing tool and IDE integration, but it lacks remediation advice.
enterprise license that includes base source code language scanners and SonarLint. It sells additional
source code language scanners individually. SonarQube is very strong at binary and byte code
scanning, but it lacks remediation advice and offers only limited risk reporting.
›› Rogue Wave Software Klocwork includes security as part of software quality checks. Clients
use Rogue Wave Software’s Klocwork SAST product to find security vulnerabilities as well as
other software quality issues such as reliability and maintainability flaws. Klocwork is sold via
subscription licenses for users and servers. It provides on-the-fly scanning inside the IDE, but
offers only limited rule management and remediation advice.
›› SiteLock TrueCode provides SAST scanning for small development teams. SiteLock targets
small development teams with its TrueCode product, which automates functionality such as severity
scoring to make SAST adoption easier. TrueCode is a SaaS offering sold via subscription on a per-
developer basis. SiteLock has very weak remediation advice and no integration into the SDLC.
Supplemental Material
Online Resource
The online version of Figure 3 is an Excel-based vendor comparison tool that provides detailed
product evaluations and customizable rankings. Click the link at Forrester.com at the beginning of
this report to download.
Forrester used a combination of two data sources to assess the strengths and weaknesses of each
solution. We evaluated the vendors participating in this Forrester Wave, in part, using materials that
they provided to us by August 7, 2017.
›› Vendor surveys. Forrester surveyed vendors on their capabilities as they relate to the evaluation
criteria. Once we analyzed the completed vendor surveys, we conducted vendor calls where
necessary to gather details of vendor qualifications.
›› Product strategy presentations and demos. We asked vendors to conduct product strategy
presentations and demonstrations of their products’ functionality. We used findings from these
presentations and product demos to validate details of each vendor’s product capabilities.
We conduct primary research to develop a list of vendors that meet our criteria for evaluation in this
market. From that initial pool of vendors, we narrow our final list. We choose these vendors based on:
1) product fit; 2) customer success; and 3) Forrester client demand. We eliminate vendors that have
limited customer references and products that don’t fit the scope of our evaluation.
After examining past research, user need assessments, and vendor and expert interviews, we develop
the initial evaluation criteria. To evaluate the vendors and their products against our set of criteria,
we gather details of product qualifications through a combination of lab evaluations, questionnaires,
demos, and/or discussions with client references. We send evaluations to the vendors for their review,
and we adjust the evaluations to provide the most accurate view of vendor offerings and strategies.
We set default weightings to reflect our analysis of the needs of large user companies — and/or
other scenarios as outlined in the Forrester Wave evaluation — and then score the vendors based
on a clearly defined scale. We intend these default weightings to serve only as a starting point and
encourage readers to adapt the weightings to fit their individual needs through the Excel-based tool.
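The weighting described above, worked through on the Figure 3 scores as an added example (not Forrester’s Excel-based tool): each category score is the weight-adjusted sum of its criterion scores, rounded to two places, and substituting your own weights re-ranks the vendors. It assumes the scorecard columns follow the report’s alphabetical vendor list with IBM’s two products separate, and the developer-centric weighting is a constructed illustration; the same function serves both the current offering and strategy categories.

```python
"""Weighted scoring behind the Forrester Wave SAST scorecard (Figure 3).
Added worked example, not Forrester's Excel tool. Scores and default weights
are the published Figure 3 values; the vendor column order is assumed to be
the report's alphabetical vendor list, with IBM's two products separate.
"""
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Optional, Tuple

VENDORS = ["CA Veracode", "CAST", "Checkmarx", "IBM AppScan Source",
           "IBM Application Security on Cloud", "Micro Focus", "Parasoft",
           "Rogue Wave Software", "SiteLock", "SonarSource", "Synopsys"]

# criterion -> (Forrester's default weight within the category, one 0-5 score per vendor)
Criteria = Dict[str, Tuple[float, List[float]]]
CURRENT_OFFERING: Criteria = {
    "Accuracy":                      (0.20, [2.60, 3.80, 0.70, 3.20, 3.20, 3.60, 2.10, 1.30, 2.10, 1.50, 3.50]),
    "Remediation advice":            (0.05, [3.00, 1.00, 5.00, 1.00, 1.00, 3.00, 0.00, 1.00, 0.00, 0.00, 1.00]),
    "Risk reporting":                (0.05, [3.00, 2.00, 4.00, 3.00, 0.00, 2.00, 1.00, 2.00, 0.00, 1.00, 2.00]),
    "Rule management":               (0.15, [3.00, 2.60, 3.20, 3.00, 0.00, 2.20, 2.00, 0.60, 0.00, 1.60, 4.60]),
    "Binary and byte code scanning": (0.05, [5.00, 0.00, 3.00, 0.00, 0.00, 5.00, 0.00, 0.00, 1.00, 5.00, 3.00]),
    "Breadth of language support":   (0.15, [4.00, 5.00, 5.00, 3.00, 2.00, 4.00, 2.00, 1.00, 1.00, 3.00, 3.00]),
    "SDLC integration":              (0.30, [2.95, 1.30, 2.00, 2.25, 2.20, 3.40, 2.20, 2.40, 0.15, 2.70, 4.20]),
    "Vendor self-analysis":          (0.05, [5.00, 3.00, 1.00, 1.00, 1.00, 3.00, 1.00, 1.00, 0.00, 5.00, 1.00]),
}
STRATEGY: Criteria = {
    "Product strategy":   (0.30, [3.00, 3.00, 3.00, 2.00, 2.00, 1.50, 2.50, 2.00, 1.00, 1.00, 3.50]),
    "Market approach":    (0.20, [5.00, 5.00, 1.00, 2.00, 5.00, 1.00, 2.00, 2.00, 2.00, 2.00, 5.00]),
    "Execution road map": (0.15, [4.00, 4.00, 0.00, 1.00, 1.00, 1.00, 1.00, 0.00, 0.00, 0.00, 5.00]),
    "Training":           (0.35, [5.00, 3.00, 5.00, 1.00, 1.00, 5.00, 0.00, 0.00, 1.00, 0.00, 5.00]),
}

def category_scores(criteria: Criteria,
                    weights: Optional[Dict[str, float]] = None) -> Dict[str, float]:
    """Per-vendor category score: the weighted sum of its criterion scores,
    rounded half-up to two places like the published scorecard. `weights`
    replaces Forrester's defaults (the report invites readers to do so) and
    must name every criterion and total 100%."""
    w = weights if weights is not None else {k: v[0] for k, v in criteria.items()}
    if set(w) != set(criteria):
        raise ValueError("weights must cover exactly the scorecard's criteria")
    if sum(Decimal(str(x)) for x in w.values()) != 1:
        raise ValueError("criterion weights must sum to 100%")
    totals = [Decimal(0)] * len(VENDORS)
    for name, (_, scores) in criteria.items():
        for i, s in enumerate(scores):
            # Decimal keeps 2.465 -> 2.47 exact; binary floats would round it to 2.46.
            totals[i] += Decimal(str(w[name])) * Decimal(str(s))
    return {v: float(t.quantize(Decimal("0.01"), ROUND_HALF_UP))
            for v, t in zip(VENDORS, totals)}

# Constructed re-weighting for a team buying SAST for the developer workflow:
# SDLC integration and remediation advice dominate, vendor self-analysis drops out.
DEVELOPER_CENTRIC = {
    "Accuracy": 0.20, "Remediation advice": 0.20, "Risk reporting": 0.00,
    "Rule management": 0.10, "Binary and byte code scanning": 0.00,
    "Breadth of language support": 0.10, "SDLC integration": 0.40,
    "Vendor self-analysis": 0.00,
}

if __name__ == "__main__":
    default = category_scores(CURRENT_OFFERING)  # reproduces the Figure 3 row
    dev = category_scores(CURRENT_OFFERING, DEVELOPER_CENTRIC)
    for v in sorted(VENDORS, key=lambda v: -dev[v]):
        print(f"{v:34s} default {default[v]:.2f}  developer-centric {dev[v]:.2f}")
```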
The final scores generate the graphical depiction of the market based on current offering, strategy, and
market presence. Forrester intends to update vendor evaluations regularly as product capabilities and
vendor strategies evolve. For more information on the methodology that every Forrester Wave follows,
please visit The Forrester Wave™ Methodology Guide on our website.
Integrity Policy
We conduct all our research, including Forrester Wave evaluations, in accordance with the Integrity
Policy posted on our website.
Survey Methodology
The Forrester Data Global Business Technographics® Security Survey, 2017, was fielded between
May and June 2017. This online survey included 3,752 respondents in Australia, Brazil, Canada, China,
France, Germany, India, New Zealand, the UK, and the US from companies with 2 or more employees.
Forrester Data Business Technographics ensures that the final survey population contains only those
with significant involvement in the planning, funding, and purchasing of business and technology
products and services. Research Now fielded this survey on behalf of Forrester. Survey respondent
incentives include points redeemable for gift certificates.
Please note that the brand questions included in this survey should not be used to measure market
share. The purpose of Forrester Data Business Technographics brand questions is to show usage of a
brand by a specific target audience at one point in time.
Endnotes
1 Source: “CloudPassage Study Finds U.S. Universities Failing In Cybersecurity Education,” CloudPassage press
Forrester Research (Nasdaq: FORR) is one of the most influential research and advisory firms in the world. We work with
business and technology leaders to develop customer-obsessed strategies that drive growth. Through proprietary
research, data, custom consulting, exclusive executive peer groups, and events, the Forrester experience is about a
singular and powerful purpose: to challenge the thinking of our clients to help them lead change in their organizations.
For more information, visit forrester.com. 139431