Snyk Rises to Leader, HCL Software Falls to Challenger as Supply Chain Takes Focus
Synopsys stands head and shoulders above the competition in Gartner’s latest application security testing rankings, with Snyk rising and HCL Software falling from the leaders category.
“Synopsys has articulated a really good vision of where they want to go, and they’ve made some purchases,” Mark Horvath, Gartner, vice president and analyst, told Information Security Media Group. “The product does keep getting better. And when presented with a technical challenge, Synopsys is actually pretty good about changing course to solve the problem.”
Providers have over the past year increased their focus on software supply chain security, turning to tools like software composition analysis, static analysis and secrets management to better understand where software dependencies come from. U.S. government requirements around knowing what’s in software has a downstream effect, meaning pure commercial providers are still being asked for SBOMs.
The rise of software supply chain security has renewed interest in software composition analysis, which he said tracks software dependencies and the use of code libraries but now with an eye toward business risk rather than vulnerability severity. Horvath said the large application security vendors have all the basic tools needed to address software supply chain issues, but pure-play firms drive innovation as well.
The Leaders and Best
Longtime application security players Veracode, Checkmarx and OpenText joined Synopsys and Snyk atop the Gartner Magic Quadrant. Unlike Snyk – which broke into the leaders quadrant for the first time – the other four firms are veterans of the space. This is the 10th time Veracode and OpenText have been named leaders, while Synopsys and Checkmarx have been leaders seven and six times, respectively.
“The things that Snyk executes on, they do really, really well,” Horvath said. “They have had a really good vision for where the market is going in terms of moving to the cloud and containers and microservices. They’re moving to the right because they’ve anticipated where the market is going with their vision and they’re actually executing on that. And that was enough to push them over the line.”
Gartner again sees Synopsys as offering the most complete vision and strongest execution ability around application security testing among the 12 vendors evaluated, with the gap between Synopsys and the rest of the pack only widening. Synopsys generated $465.8 million of revenue from its software integrity business in the fiscal year ended Oct. 31, 2022, up 18.3% from $393.8 million a year earlier.
“When presented with a technical challenge, Synopsys is actually pretty good about changing course to solve the problem.”
– Mark Horvath, vice president and analyst, Gartner
But how the vendors other than Synospys stack up has changed quite a bit between last year and this year, according to Gartner.
In a major shake up from last year, OpenText, Contrast Security, Checkmarx and Veracode took second, third, fourth and fifth in completeness of vision, respectively. In 2022, Checkmarx, HCL Software, Rapid7 and Data Theorem occupied those positions. In execution ability, Veracode, GitLab and Checkmarx took second, third and fourth this year. In 2022, Checkmarx, Veracode and OpenText had those positions (see: Synopsys, Checkmarx Top Gartner MQ for App Security Testing).
“The leaders quadrant has a pure offering that’s generally a platform play and firing on all cylinders in terms of our critical capabilities use cases,” Horvath said. “Even though each individual tool may not be the best, there’s enough tools there that it represents a comprehensive picture of what you need to do.”
Over the next year, Horvath expects application security providers will explore whether or not large language models can assist developers with writing good code. If so, he anticipates that will be an important feature in the 2024 Magic Quadrant.
Outside of the leaders, here’s how Gartner sees the application security testing market:
- Visionaries: Contrast Security, Mend.io
- Challengers: GitLab, HCL Software, GitHub
- Niche Players: Sonatype, Onapsis
This is the first time Mend.io and Sonatype are listed in the Gartner Magic Quadrant for Application Security Testing, while Invicti, Rapid7 and Data Theorem no longer appear in the rankings. Horvath said Gartner now requires firms listed in the Magic Quadrant to offer native software compensation analysis and static application security testing since dynamic and interactive testing aren’t enough on their own.
Synopsys Adding SCA, Static Analysis, DAST to SaaS Platform
Synopsys in late 2022 introduced a SaaS platform for application security testing, and earlier this month added software compensation analysis to the platform, said Jason Schmitt, general manager, software integrity group. Adding API-fronted instances of Synopsys’ core technology on the SaaS platform will make it faster and easier for organizations to get on boarded and up and running with a scan, he said.
The company later this year will build out a new self-service dynamic application security testing capability that’s faster and more targeted than what a desktop scanner or penetration tester can do, Schmitt said. The tool builds off Synopsys’ June 2022 acquisition of WhiteHat Security and applies core dynamic scanning technology with modern web components to make it more future-proof, Schmitt said (see: Synopsys to Buy WhiteHat Security for $330M to Protect Apps).
“Everyone has built out a portfolio, but not in a way that has strength in every single category,” Schmitt told ISMG. “So it’s our breadth plus the strength in each of the individual analysis techniques that sets us apart today.”
Gartner criticized Synopsys for complicated pricing, a complex user interface and a lack of SaaS and hybrid delivery for SBOM generation, static testing and application security posture management. Schmitt said Synopsys is rapidly adding capabilities to its SaaS platform, has worked to bring a cohesive user experience to all on-premises products and is rolling out simplified, flexible pricing for its portfolio.
“Pricing is an attribute of the breadth of our portfolio,” Schmitt said. “We can present with too many options. What we’ve been doing actually is evolving much more flexible pricing models so that you can consume with an enterprise license agreement or a single price metric any of our tools. As a result, you don’t have to understand the pricing model for every individual part of the portfolio that you’re buying.”
Veracode Shifts from Finding to Fixing Flaws Via Automation
Veracode has automated the remediation of security vulnerabilities so that fixes can be implemented with a click of a button and without having to run a single line of code, said Chief Product Officer Brian Roche. Unlike a LLM trained on open web content, Roche said Veracode Fix uses a data set curated by security researchers over the past six months to produce results that merit developer attention.
The company also rolled out a next-generation policy engine so that customers can identity and remediate risk more quickly by modeling business processes to take action on flaws and vulnerabilities found, according to Roche. Veracode has additionally beefed up its cloud-native support to deliver broader coverage for containers being built and deployed in customer environments, Roche said (see: Veracode CEO Sam King on Joining AppSec, Container Security).
“We build delightful developer experiences that enable them to go faster and focus more on innovation than in burning down security tech debt,” Roche told ISMG. “Vendors need to bring all of these security tools together and enable developers to take action quickly and answer a simple question – “Are we good or not?'”
Gartner chided Veracode for offering a SaaS-only product, providing limited support for infrastructure as code security and being unable to ingest and attest to a software bill of materials. Veracode will boost support for forms of IaC beyond container and cloud-native and will add support in 2023 to help manage supply chain assets, though he said on-premises implementations lead to additional operational burden.
“It’s not always important that you’re there first,” Roche said. “It’s important that you build what matters to the market. Now that we’ve tested the market and gotten feedback from customers, we know what they want in the area of SBOM and supply chain visibility. And that is what we are building as part of our roadmap.”
Checkmarx Eyes Correlation to Cut Duplication, Boost Context
Checkmarx debuted a correlation engine to reduce duplicative alerts and obtain better context when multiple engines generate the same alerts to help companies decide whether or not the alert is relevant, said CEO Sandeep Johri. An infrastructure-as-code engine, for instance, might see data in an Amazon S3 bucket, but static analysis would indicate what data is being used and where in the app it’s coming from.
The company’s application security toolbox focused historically on inadvertently inserted vulnerabilities, but Johri said Checkmarx’s new supply chain security offering analyses a million packets each month to spot malicious code. Checkmarx also rolled out a dynamic application security testing offering that relies on an open-source engine to make the company’s native technology platform more comprehensive (see: Why App Security Should Shift Everywhere, Not Just Left).
“It’s the depth and completeness of app sec coverage and the most leading-edge knowledge of emerging vulnerabilities that sets us apart,” Johri told ISMG. “I don’t think any of the other vendors have a research team that compares to us.”
Gartner criticized Checkmarx for complex pricing, complicated set-up and configuration and a lack of available customer support on weekends. Johri said the lack of weekend customer support is unacceptable and will be fixed, adding that complex pricing schemes provide more flexibility to accommodate the needs of large customers and that tools with simple implementation provide only a superficial analysis.
“If you want a very rich product, sometimes you have to deal with the complexity,” Johri said. “We have a customer success model that ensures that customers benefit from the thoroughness without making it too difficult to configure. When it’s simple, you lose thoroughness and fidelity.”
OpenText Takes on DevSecOps, Cloud, Software Supply Chain
OpenText has focused its application security investments on DevSecOps, cloud transformation and software supply chain, said Dylan Thomas, head of Fortify product management. The acquisition of Debricked has brought next-generation software compensation analysis and supply chain security, leaning into data science and machine learning to rapidly scale without needing a huge team of researchers to respond.
The firm has expanded its cloud coverage from static analysis around Amazon Web Services, Microsoft Azure and Google Cloud Platform to address serverless functions, IaC, cloud secrets, Docker files and Kubernetes definitions, Thomas said. And from a static analysis perspective, Thomas said OpenText has incorporated machine learning to help identify the vulnerabilities that matter most to an organization (see: OpenText: Road to Smarter Information Management, Security).
“Great code demands great security,” Thomas told ISMG. “As a developer, you want to write the best application that’s going to solve your business problem. You’re proud of what you write. You should also want the best security tooling. And that’s what Fortify (acquired with Micro Focus) has been known for for many years.”
Gartner criticized OpenText for a complex pricing model, a lack of consistent user experience theme and uncertainty from OpenText’s buy of Micro Focus. Thomas said OpenText’s flexible pricing model allows clients to procure however they want, the complex user interface comes from addressing a wide portfolio of apps and broad range of use cases, and that due diligence questions following M&A are very typical.
“We’re in a great home,” Thomas said. “It’s a company that is committed to both organic growth and investment as well as growing through acquisition, which puts us on very strong footing moving forward. I’m excited for the future.”
Snyk Strengthens Code, Cloud Security for Developers
Snyk excels at analyzing software supply chain security use cases, with the company capitalizing on its 2020 buy of DeepCode to get a team of artificial intelligence and machine learning scientists focused on program analysis, said Chief Product Officer Manoj Nair. The company can generate security-validated fixes in real-time for both human-generated and AI-generated code as generative AI changes the game.
The company’s acquisition of Fugue in February 2022 has allowed Snyk to bring additional cloud context across the application development lifecycle from building to IaC to remediation, Nair said. Snyk also has pursued integrations with ServiceNow, Atlassian and Dynatrace to tackle challenges around supply chain and risk management, give more context around operations, and produce a dashboard with engineers in mind (see: Snyk Lays Off Another 128 Staffers as Economic Woes Persist).
“We think of ourselves as really a developer security company,” Nair told ISMG. “It’s empowering the developer to be able to do the fixing as they’re doing the work. And it’s a fix orientation, not a find orientation. We’re the first vendor right now that’s dev-first in our thinking and approach and our tooling in the leaders quadrant.”
Gartner chided Snyk for generating a large number of alerts, allowing limited reporting customization and relying on partnerships for dynamic testing, interactive testing and fuzzing. Nair said Snyk plans to address alert frequency with a June update and debuted a powerful analytics engine in May based on its buy of TopCoat. However, he said dynamic testing, interactive testing and fuzzing aren’t relevant for many users.
“We partner with the best-of-breed folks out there that think like us,” Nair said. “We want to focus on the things that we believe add the maximum value to a broad set of the market and bring in partners where required.”