
FOR SECURITY & RISK PROFESSIONALS

The Forrester Wave™: Static Application Security Testing, Q4 2017
The 10 Vendors That Matter Most And How They Stack Up

by Amy DeMartine
December 12, 2017

Why Read This Report

In our 29-criteria evaluation of the static application security testing (SAST) market, we
identified the 10 most significant vendors — CAST, CA Veracode, Checkmarx, IBM, Micro
Focus, Parasoft, Rogue Wave Software, SiteLock, SonarSource, and Synopsys — and researched,
analyzed, and scored them. This report shows how each measures up and helps security
professionals make the right choice.

Key Takeaways

Synopsys And CA Veracode Lead The Pack
Forrester’s research uncovered a market in which Synopsys and CA Veracode lead the pack. CAST,
Micro Focus, and Checkmarx offer competitive options. IBM, Parasoft, SonarSource, Rogue
Wave Software and SiteLock lag behind.

Security Pros Need SAST Tools To Enable Developers
Companies have traditionally used SAST tools late in the software development life cycle (SDLC)
to scan products for vulnerabilities in proprietary code. Now, SAST vendors are trying to serve new
users as security pros demand that their products give developers early remediation advice
throughout the SDLC.

Language Support And Depth Of Results Are Key Differentiators
As developers use more source code languages, and as more outside agencies start to develop
applications, breadth of languages and binary support are becoming increasingly important.
In addition, vendors that offer developers detailed security information inside their existing
tools and processes help ensure adoption and improvement of secure coding practices.

by Amy DeMartine
with Christopher McClean, Trevor Lyness, and Andrew Reese
December 12, 2017

Table Of Contents

SAST Remains Critical To Eliminate Proprietary Software Vulnerabilities
Static Application Security Testing Evaluation Overview
    Evaluated Vendors And Inclusion Criteria
Vendor Profiles
    Leaders Offer The Most Complete Solutions For Application Security Pros And Developers
    Strong Performers Have Competitive Offerings In Specific Areas
    Contenders Are Consolidating To Create A Combined SaaS And On-Premises Product
    Challengers Build On Software Quality Products Or Runtime Protection
Supplemental Material

Related Research Documents

Assess The Maturity Of Your Application Security Program
TechRadar™: Application Security, Q3 2017
Vendor Landscape: Application Security Testing

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA


+1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com
© 2017 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester®,
Technographics®, Forrester Wave, TechRadar, and Total Economic Impact are trademarks of Forrester Research,
Inc. All other trademarks are the property of their respective companies. Unauthorized copying or distributing
is a violation of copyright law. Citations@forrester.com or +1 866-367-7378

SAST Remains Critical To Eliminate Proprietary Software Vulnerabilities


Much as a preflight checklist helps ensure a safe airplane flight, using static application security testing
(SAST) as part of prerelease application testing can remove vulnerabilities so attackers can’t exploit
them in production. SAST remains the best prerelease testing tool for catching tricky data flow issues
and issues such as cross-site request forgery (CSRF) that tools such as dynamic application security
testing (DAST) have trouble finding. Security pros should use SAST tools because:

›› They empower developers to fix security weaknesses while they develop. Because SAST tools
evaluate nonexecuting code, developers can run them extremely early in the software delivery life
cycle (SDLC) on code that is not complete enough to compile. Tools have even emerged that can act
like a spell-checker inside an integrated development environment (IDE) while developers are editing
the code. These are pushing the use of SAST earlier in the SDLC; in 2017, 33% of global network
security decision makers who are planning to implement SAST in the next 12 months planned to do
so in the development phase, compared with only 20% during production (see Figure 1).

›› They teach developers how to write secure code. Schools don’t usually teach developers how
to write secure code. In fact, only one of the top 36 US computer science programs requires a
security course for graduation.¹ Formal security training after university can be eye-opening, but it
takes alerts and remediation advice during the SDLC to reinforce security skills. Using SAST results
in quality gates that stop check-in or build processes emphasizes how important secure
coding practices are for the final product.


FIGURE 1 SAST Is Moving To The Development Stage Of The SDLC

[Bar chart: phase of the SDLC in which SAST is implemented (Design, Development, Testing, Production), comparing "Implementing/implemented SAST" with "Planning to implement SAST in the next 12 months".]

Base: 703 global network security decision makers at firms with 20+ employees who plan to implement
or are implementing/have implemented SAST
Source: Forrester Data Global Business Technographics® Security Survey, 2017

Static Application Security Testing Evaluation Overview


To assess the state of the SAST market, Forrester evaluated the strengths and weaknesses of top
SAST vendors. After examining past research, user need assessments, and vendor and expert
interviews, we developed a comprehensive set of 29 evaluation criteria in three categories:

›› Current offering. To evaluate current offering, we analyzed key functionality in the areas of
scanning accuracy, remediation advice, risk reporting, rule management, binary and byte code
scanning, breadth of source code language support, SDLC integration, and vendor self-analysis.

›› Strategy. Our assessment of strategy included product strategy, market approach, execution road
map, and training.


›› Market presence. To score market presence, we analyzed install base, growth rate, and corporate
profitability.

Evaluated Vendors And Inclusion Criteria

Forrester included 10 vendors in the assessment: CA Veracode, CAST, Checkmarx, IBM, Micro Focus,
Parasoft, Rogue Wave Software, SiteLock, SonarSource, and Synopsys. (Note: We evaluated IBM
Application Security On Cloud and IBM AppScan Source separately, as IBM sells them separately and
they have different current offering, strategy and market presence.) Each of these vendors has (see
Figure 2):

›› A comprehensive, enterprise-class SAST tool. All vendors in this evaluation offer a range of
SAST capabilities suitable for developers and security pros. We required participating vendors to
have most of the following capabilities out of the box: source code scanning with broad language
support, incremental scans, quality gates, and integrations with developer tools such as IDEs and
build tools.

›› Interest from Forrester clients, or relevance to them. Forrester clients often discuss the
participating vendors and products during inquiries and interviews. Alternatively, the participating
vendor may, in Forrester’s judgment, have warranted inclusion because of technical capabilities
and market presence.


FIGURE 2 Evaluated Vendors: Product Information And Selection Criteria

| Vendor | Product evaluated | Product version evaluated |
|---|---|---|
| CA Veracode | CA Veracode Application Security Platform | 2017.7 |
| CAST | Application Intelligence Platform (AIP) | 8.2 |
| Checkmarx | CxSAST | 8.4.2 |
| IBM AppScan Source | IBM Security AppScan Source | 9.0.3.6 |
| IBM ASoC | IBM Security Application Security on Cloud (ASoC) | N/A |
| Micro Focus | HPE Security Fortify SCA | 17.10 |
| | HPE Security Fortify SSC (Management) | 17.10 |
| | HPE Fortify on Demand Static Testing (FoD) | 17.20 |
| Parasoft | Parasoft Jtest | 10.3 |
| | Parasoft C/C++test | 10.3 |
| | Parasoft dotTEST | 10.3 |
| | Parasoft Development Testing Platform | 10.3 |
| Rogue Wave Software | Klocwork | 2017.2 |
| SiteLock | SiteLock SMART | N/A |
| SonarSource | SonarQube | 6.5 |
| Synopsys | Coverity | 2017.07 |

Vendor inclusion criteria

A comprehensive, enterprise-class SAST tool. All vendors in this evaluation offer a range of SAST
capabilities suitable for developers and security pros. We required participating vendors to have most of
the following capabilities out of the box: source code scanning with broad language support, incremental
scans, quality gates, and integrations with developer tools such as IDEs and build tools.

Interest from Forrester clients, or relevance to them. Forrester clients often discuss the participating
vendors and products during inquiries and interviews. Alternatively, the participating vendor may, in
Forrester’s judgment, have warranted inclusion because of technical capabilities and market presence.


Vendor Profiles
This evaluation of the SAST market is intended to be a starting point only. We encourage clients to
view detailed product evaluations and adapt criteria weightings to fit their individual needs using the
Forrester Wave™ Excel-based vendor comparison tool (see Figure 3).

FIGURE 3 Forrester Wave™: Static Application Security Testing, Q4 2017

[Wave graphic: vendors plotted by current offering (vertical axis, weak to strong) against strategy (horizontal axis, weak to strong), with a market presence legend, across four bands: Challengers, Contenders, Strong Performers, and Leaders. Vendors plotted: Synopsys, CA Veracode, Micro Focus, CAST, Checkmarx, IBM AppScan Source, IBM ASoC, SonarSource, Parasoft, Rogue Wave Software, and SiteLock.]

Go to Forrester.com to download the Forrester Wave tool for more detailed product evaluations, feature comparisons, and customizable rankings.


FIGURE 3 Forrester Wave™: Static Application Security Testing, Q4 2017 (Cont.)

| Criterion | Forrester’s weighting | CA Veracode | CAST | Checkmarx | IBM AppScan Source | IBM ASoC | Micro Focus | Parasoft | Rogue Wave Software | SiteLock | SonarSource | Synopsys |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Current offering | 50% | 3.26 | 2.59 | 2.62 | 2.47 | 1.70 | 3.32 | 1.78 | 1.42 | 0.67 | 2.35 | 3.45 |
| - Accuracy | 20% | 2.60 | 3.80 | 0.70 | 3.20 | 3.20 | 3.60 | 2.10 | 1.30 | 2.10 | 1.50 | 3.50 |
| - Remediation advice | 5% | 3.00 | 1.00 | 5.00 | 1.00 | 1.00 | 3.00 | 0.00 | 1.00 | 0.00 | 0.00 | 1.00 |
| - Risk reporting | 5% | 3.00 | 2.00 | 4.00 | 3.00 | 0.00 | 2.00 | 1.00 | 2.00 | 0.00 | 1.00 | 2.00 |
| - Rule management | 15% | 3.00 | 2.60 | 3.20 | 3.00 | 0.00 | 2.20 | 2.00 | 0.60 | 0.00 | 1.60 | 4.60 |
| - Binary and byte code scanning | 5% | 5.00 | 0.00 | 3.00 | 0.00 | 0.00 | 5.00 | 0.00 | 0.00 | 1.00 | 5.00 | 3.00 |
| - Breadth of source code language support | 15% | 4.00 | 5.00 | 5.00 | 3.00 | 2.00 | 4.00 | 2.00 | 1.00 | 1.00 | 3.00 | 3.00 |
| - SDLC integration | 30% | 2.95 | 1.30 | 2.00 | 2.25 | 2.20 | 3.40 | 2.20 | 2.40 | 0.15 | 2.70 | 4.20 |
| - Vendor self-analysis | 5% | 5.00 | 3.00 | 1.00 | 1.00 | 1.00 | 3.00 | 1.00 | 1.00 | 0.00 | 5.00 | 1.00 |
| Strategy | 50% | 4.25 | 3.55 | 2.85 | 1.50 | 2.10 | 2.55 | 1.30 | 1.00 | 1.05 | 0.70 | 4.55 |
| - Product strategy | 30% | 3.00 | 3.00 | 3.00 | 2.00 | 2.00 | 1.50 | 2.50 | 2.00 | 1.00 | 1.00 | 3.50 |
| - Market approach | 20% | 5.00 | 5.00 | 1.00 | 2.00 | 5.00 | 1.00 | 2.00 | 2.00 | 2.00 | 2.00 | 5.00 |
| - Execution road map | 15% | 4.00 | 4.00 | 0.00 | 1.00 | 1.00 | 1.00 | 1.00 | 0.00 | 0.00 | 0.00 | 5.00 |
| - Training | 35% | 5.00 | 3.00 | 5.00 | 1.00 | 1.00 | 5.00 | 0.00 | 0.00 | 1.00 | 0.00 | 5.00 |
| Market presence | 0% | 4.22 | 1.88 | 3.96 | 4.10 | 2.00 | 3.80 | 2.16 | 0.70 | 2.48 | 4.44 | 3.38 |
| - Install base | 60% | 4.20 | 1.80 | 4.60 | 5.00 | 1.00 | 5.00 | 3.60 | 1.00 | 0.80 | 4.40 | 3.80 |
| - Growth rate | 10% | 2.00 | 5.00 | 3.00 | 2.00 | 5.00 | 2.00 | 0.00 | 1.00 | 5.00 | 3.00 | 2.00 |
| - Corporate profitability | 30% | 5.00 | 1.00 | 3.00 | 3.00 | 3.00 | 2.00 | 0.00 | 0.00 | 5.00 | 5.00 | 3.00 |

All scores are based on a scale of 0 (weak) to 5 (strong).


Leaders Offer The Most Complete Solutions For Application Security Pros And Developers

›› Synopsys provides SAST scanning capabilities for use early in the SDLC. Synopsys Static
Analysis (formerly Synopsys Coverity) is the company’s traditional SAST scanning tool, and
SecureAssist provides on-the-fly scanning inside the IDE. Synopsys Static Analysis helps users
view the impact of rule changes by displaying a comparison of results before and after the
change without requiring a new scan. Static Analysis and SecureAssist are licensed per developer
based on annual or multiyear contracts. Synopsys Static Analysis stands out for its strong rule
management and SDLC integration.

›› CA Veracode delivers desktop and SaaS SAST for SDLC coverage. CA Veracode engineers
continuously review scans from the company’s SaaS offering and tweak vulnerability discovery
algorithms to reduce false positives. Along with its Application Security Platform, which provides
traditional static analysis SaaS capabilities, CA Veracode offers the Greenlight IDE plug-in for early,
on-the-fly SAST checking. CA Veracode Greenlight is sold as a subscription based on number
of developers, while CA Veracode Static Analysis is sold as a subscription based on number of
applications. CA Veracode shows very strong support for binary and byte code scanning as well as
wide support of source code language.

Strong Performers Have Competitive Offerings In Specific Areas

›› CAST marries security with quality metrics. The CAST Application Intelligence Platform (AIP)
offers a dashboard that security pros, development managers, and CIOs can use to capture
quality characteristics called health factors. These include robustness, efficiency, changeability,
transferability, and overall quality, along with security. CAST licenses AIP based on the functionality
an organization desires and its size (determined by the number of full-time engineers). Customers
can choose between a perpetual license on-premises implementation or a SaaS subscription
model. CAST AIP offers very strong breadth of source code language support but lacks many of
the SDLC integrations it needs to fully support developers.

›› Micro Focus’ SAST portfolio has different products depending on deployment need. In the
second half of 2017, HP Enterprise (HPE) software and Micro Focus merged, and the products
formerly known as HPE Fortify on Demand Static Testing (FoD), HPE Security Fortify SCA, and HPE
Security Fortify SSC (Management) now fall under the Micro Focus name. HPE Security Fortify SCA
is the on-premises product, and FoD is the SaaS offering. The only difference between the two is
that FoD can operate more like a service that lets Micro Focus’ security team evaluate scan results
to remove false positives and give remediation advice. The company licenses SCA per developer,
and it sells FoD on a per-scan subscription basis. Micro Focus’ products provide strong breadth of
source code language support along with sound support for SDLC integration; however, they offer
weak rule management.


›› Checkmarx CxSAST offers contextual training as a part of its remediation advice. Checkmarx
CxSAST is part of a broader portfolio that also includes products for software composition analysis
and interactive security testing. In early 2017, the company acquired the developer training
company Codebashing, and it now provides contextual training as part of its remediation advice,
as well as on-demand training for specific vulnerabilities and coding languages. Checkmarx
CxSAST is sold on a subscription basis in one-, two-, and three-year terms based on number of
users and number of projects or applications. Checkmarx CxSAST offers very strong remediation
advice and wide source code language support, along with sound risk reporting. By comparison,
however, the product offers weak support of SDLC integrations.

Contenders Are Consolidating To Create A Combined SaaS And On-Premises Product

›› IBM AppScan Source brings to bear long-standing SAST functionality. As the on-premises
offering in IBM Security’s two-product SAST portfolio, AppScan Source has been on the market
longer, so it has more robust traditional SAST functionality such as rule management. AppScan
Source is sold under a perpetual license model per user, based on desired functionality. AppScan
Source features sound accuracy and very strong numeric scoring, but it lacks many of the SDLC
integrations it needs to fully support developers.

›› IBM’s Application Security on Cloud will gain AppScan Source functionality. Application
Security on Cloud (ASoC) is IBM’s SaaS offering. ASoC and AppScan Source currently share much
of the same code; over time, the two products will merge completely. However, the company
has not given a timeline for integration. Right now, ASoC has more advanced functionality than
AppScan Source — build tool integration, for example. ASoC is sold on a subscription basis either
per scan or unlimited scans per application. ASoC is missing much of the rule management and
risk reporting that AppScan Source provides, but it features increased build tool integration and the
same very strong numeric scoring and sound accuracy.

Challengers Build On Software Quality Products Or Runtime Protection

›› Parasoft licenses SAST modules based on source code requirements. Parasoft sells SAST in
individual modules with perpetual, subscription, and enterprise pricing models. The modules are
based on source code language, with options of Parasoft Jtest, Parasoft C/C++test, and Parasoft
dotTEST. The Parasoft Development Testing Platform product brings results from these different
modules together for reporting. Parasoft focuses its SAST scanning functionality on internet of
things (IoT) and embedded software use cases. The company’s SAST technology offers sound
ticketing tool and IDE integration, but it lacks remediation advice.

›› SonarSource provides SAST capabilities in popular developer tools. SonarSource SonarQube
is best known as an open source developer tool for measuring software quality for maintainability
and reliability. In 2016, the company enhanced SonarQube to include SAST scanning. SonarLint is
the company’s IDE plug-in, which provides on-the-fly SAST assessments. SonarQube sells via an
enterprise license that includes base source code language scanners and SonarLint. It sells additional
source code language scanners individually. SonarQube is very strong at binary and byte code
scanning, but it lacks remediation advice and offers limited risk reporting.

›› Rogue Wave Software Klocwork includes security as part of software quality checks. Clients
use Rogue Wave Software’s Klocwork SAST product to find security vulnerabilities as well as
other software quality issues such as reliability and maintainability flaws. Klocwork is sold via
subscription licenses for users and servers. It provides on-the-fly scanning inside the IDE, but
offers only limited rule management and remediation advice.

›› SiteLock TrueCode provides SAST scanning for small development teams. SiteLock targets
small development teams with its TrueCode product, which automates functionality such as severity
scoring to make SAST adoption easier. TrueCode is a SaaS offering sold via subscription on a per-
developer basis. SiteLock has very weak remediation advice and no integration into the SDLC.


Supplemental Material

Online Resource

The online version of Figure 3 is an Excel-based vendor comparison tool that provides detailed
product evaluations and customizable rankings. Click the link at Forrester.com at the beginning of
this report to download.

Data Sources Used In This Forrester Wave

Forrester used a combination of two data sources to assess the strengths and weaknesses of each
solution. We evaluated the vendors participating in this Forrester Wave, in part, using materials that
they provided to us by August 7, 2017.

›› Vendor surveys. Forrester surveyed vendors on their capabilities as they relate to the evaluation
criteria. Once we analyzed the completed vendor surveys, we conducted vendor calls where
necessary to gather details of vendor qualifications.

›› Product strategy presentations and demos. We asked vendors to conduct product strategy
presentations and demonstrations of their products’ functionality. We used findings from these
presentations and product demos to validate details of each vendor’s product capabilities.

The Forrester Wave Methodology

We conduct primary research to develop a list of vendors that meet our criteria for evaluation in this
market. From that initial pool of vendors, we narrow our final list. We choose these vendors based on:
1) product fit; 2) customer success; and 3) Forrester client demand. We eliminate vendors that have
limited customer references and products that don’t fit the scope of our evaluation.

After examining past research, user need assessments, and vendor and expert interviews, we develop
the initial evaluation criteria. To evaluate the vendors and their products against our set of criteria,
we gather details of product qualifications through a combination of lab evaluations, questionnaires,
demos, and/or discussions with client references. We send evaluations to the vendors for their review,
and we adjust the evaluations to provide the most accurate view of vendor offerings and strategies.

We set default weightings to reflect our analysis of the needs of large user companies — and/or
other scenarios as outlined in the Forrester Wave evaluation — and then score the vendors based
on a clearly defined scale. We intend these default weightings to serve only as a starting point and
encourage readers to adapt the weightings to fit their individual needs through the Excel-based tool.
The final scores generate the graphical depiction of the market based on current offering, strategy, and
market presence. Forrester intends to update vendor evaluations regularly as product capabilities and
vendor strategies evolve. For more information on the methodology that every Forrester Wave follows,
please visit The Forrester Wave™ Methodology Guide on our website.


Integrity Policy

We conduct all our research, including Forrester Wave evaluations, in accordance with the Integrity
Policy posted on our website.

Survey Methodology

The Forrester Data Global Business Technographics® Security Survey, 2017, was fielded between
May and June 2017. This online survey included 3,752 respondents in Australia, Brazil, Canada, China,
France, Germany, India, New Zealand, the UK, and the US from companies with 2 or more employees.

Forrester Data Business Technographics ensures that the final survey population contains only those
with significant involvement in the planning, funding, and purchasing of business and technology
products and services. Research Now fielded this survey on behalf of Forrester. Survey respondent
incentives include points redeemable for gift certificates.

Please note that the brand questions included in this survey should not be used to measure market
share. The purpose of Forrester Data Business Technographics brand questions is to show usage of a
brand by a specific target audience at one point in time.

Endnotes

¹ Source: “CloudPassage Study Finds U.S. Universities Failing In Cybersecurity Education,” CloudPassage press release, April 7, 2016 (https://www.cloudpassage.com/company/press-releases/cloudpassage-study-finds-u-s-universities-failing-cybersecurity-education/).


Forrester Research (Nasdaq: FORR) is one of the most influential research and advisory firms in the world. We work with
business and technology leaders to develop customer-obsessed strategies that drive growth. Through proprietary
research, data, custom consulting, exclusive executive peer groups, and events, the Forrester experience is about a
singular and powerful purpose: to challenge the thinking of our clients to help them lead change in their organizations.
For more information, visit forrester.com. 139431
