This year's Gartner Magic Quadrant for Application Security Testing (AST) can be summarized in one theme: either you are DevSecOps ready, or you are dropped from coverage as a leading supplier. DevSecOps is a mega trend because the world is under strong business and market pressure to be "Digital Transformation" ready, regardless of sector or industry. The pressure comes from the top down and from the external market, which demands that the companies it does business with be digitally transformed at internet speed. That market pressure shortens the time from application development to product release, including fix and maintenance releases.
In the past, the issue to deal with was a buffer of one to three months of cycle time for each stage or department involved. That is not acceptable under the modern DevSecOps standard, where most tasks have a cycle time of at most one day.
Security and operations teams that had studied and become capable of performing dynamic application security testing (DAST) suddenly found that it was not enough. As DevSecOps emerged, they were also required to perform interactive application security testing (IAST) and static application security testing (SAST), software composition analysis (SCA) of third-party modules and plug-in libraries, and mobile application security testing (Mobile AST), and at the same time to be capable of vulnerability verification and exploitation testing with the right tools used in the right way.
The same expectation is being pushed, or "shifted left", onto developers, who are expected to get the code right and secure while they are writing it (with secure coding plug-ins enforced in the IDE). Integration and automation of the application security testing (AST) effort and project initiatives have been carried out with the aim of keeping up with the speed and cycle-time requirements.
Surprisingly, although DevOps and now DevSecOps have been openly discussed for a long time, we notice that a lot of suppliers were dropped from the latest Gartner Magic Quadrant because of the shift in the criteria for consideration and ranking. A pure play in a single category, whether DAST, IAST, SAST or Mobile AST, is no longer enough. What is really being looked for is the supplier's continued relevance, now and in the future, in a changing market: the capability to keep supplying the technology the market requires to get things done.
We notice that "shift left" is the trend. Modern applications have become harder for automated DAST to scan and to find the many vulnerabilities they contain, so organizations turn toward static application security testing (SAST), or the unique "binary SAST", for security checks and audits. As the trend moves forward, SAST that was once complex and hard to reach or afford is now available under reasonable licensing, and at the same time it can be licensed only for the portion or instance in use, i.e. as software as a service (SaaS) or per application, which simplifies budgeting.
Tools alone, even a heavily invested, multi-million application security testing (AST) infrastructure for cyber defense or military operations, may not produce the best result if the people and team handling them do not possess manual application security testing (AST) capability and do not understand the right way to optimize and fully utilize the right tool for the organization. We notice that some organizations think that buying the most expensive tool or system is all that is needed, without knowing whether it fits the organization's strategic and operational requirements. They end up continually investing in and expanding the infrastructure and buying even more tools, because the original purchase did not address the need, or because the market technology moved on after the previous purchase. The cycle of buy, replace, and buy again keeps repeating.

The right supplier and solution vendor will always be able to provide technology that stays relevant and a solution architecture for the enterprise customer: which technology is required for which kind of requirement. It will then assist the customer in selecting the right technology for their environment. With a solution-first approach, not driven by hard product selling, the solution keeps running over the long term. If a certain product cannot keep up with the market's technology requirements, just change that portion; the overall solution architecture still works. E-SPIN has provided that kind of solution requirement and architecture service since 2005. It is the solution, not the product, that matters. If the solution does not address the right issue and requirement, every product chosen will miss the requirement, regardless of how much you have invested in it.
We also notice that the perpetual license (PL) scheme is reaching its end for most products; those still offered under the old legacy model are rare, if you can still get one. The trend is toward the cloud, since the whole world economy now runs on cloud computing. To a certain extent it is even more secure than hosting it yourself, because of the infrastructure and security know-how, best practices, policies, and trained professional and expert employees required to maintain it. Cloud and pay-for-what-you-use licensing also help a company adopt new technology faster, since no capital expenditure (capex) is required and it can focus on operating expenditure (opex).
Another mega trend is the rising demand for as-a-service engagements. Companies find it makes business sense to outsource to, or take managed services from, companies that are in that business, so they can focus on their core business areas. Application security testing (AST) as a service is in high demand as well and suits a lot of scenarios, from project-based and ad hoc to strategic and mission critical; all of these can be discussed with the service provider, which tailors the right mix of technology, tools and services required for the operational requirement, at a fraction of the cost in service fees.
Feel free to contact E-SPIN to discuss your application security testing (AST) requirements, whether in the form of a purchase, a license, software as a service, an application security testing (AST) as a service engagement, or managed services. E-SPIN has the right mix of technology to cover your operational and strategic requirements.