The world keeps changing at a fast pace. Some years back, an entrepreneur recognised the rising need for a dedicated web application security testing (AST) tool, distinct from the generic network vulnerability scanners of the time, and created a product category that had not existed before. That first product opened a new market. The big vulnerability assessment (VA) players were still focused on infrastructure devices, networks and hosts, and on the services running on them; none had revamped their engines, or built a new one, to mimic how web hacking actually takes place. That is what came to define what we now call dynamic application security testing (DAST) technology.
In the beginning we saw a number of such tool vendors succeed in the market, because the big players did not focus on application security testing (AST); they concentrated on the high-volume use cases of their existing products and on competing with their me-too rivals. One branch of the market built tools for security officers, which became the DAST tools. Another branch focused on helping developers write secure code and analyse the whole project's source, which became static application security testing (SAST). These two lines of development became the two main pillars of the AST market.
The market then evolved further. Enterprise customers needed both DAST and SAST, and so interactive application security testing (IAST) appeared. Customers who needed dedicated mobile application security testing got Mobile AST. For IT operations and production environments, the need for runtime application self-protection (RASP) evolved into application defender products.
Deployment and licensing models have changed over the years too: from purely on-premise deployment and perpetual licences toward cloud delivery and subscription licences, and from a single install with unlimited scans to licensing per FQDN (fully qualified domain name) or per fixed website.
If you zoom out to see how the market operates, you notice a few key trends developing fast. The world is moving to DevSecOps, so products that used to address either the developer or the security officer now have to address automation and integration, or Gartner will not even consider them against the minimum inclusion criteria of its application security testing (AST) market report.
In the early days, even with the black-box nature of a DAST tool, you could discover plenty of vulnerabilities; the security officer needed no specialised knowledge beyond configuring the scan profile correctly with credentials and generating the report. Over the years, however, web applications have evolved to the point where only an experienced web application security analyst, pentester or consultant can discover the valid vulnerabilities, through manual web application security testing. An automated scanner gives quick coverage, but it does not necessarily find the valuable vulnerabilities that proxy-assisted browsing and a human eye uncover behind the scenes.
The same holds true for pure SAST, which will miss many production use-case scenarios. This is why the more knowledgeable approach is to perform both SAST and DAST, to perform Mobile AST (where mobile apps are involved) and manual pentesting with the right tools and expertise, and to have RASP handle continuous self-protection in production.
Application Security Testing (AST) Market in Transition
The market has shifted. With more me-too vendors, customers demanding more features and the need to cope with DevSecOps (for instance), the competency and capability a vendor needed in the past are no longer enough to meet market requirements. So we have started to see the big players either develop application security testing (AST) in-house or buy existing companies that provide the missing piece, rename the product and round out a new comprehensive offering. At a high level the trend is toward unified platforms, whether framed as endpoint protection platform (EPP), IT/OT coverage, DevSecOps or whatever new term is introduced in a given period. Vendors who decide they cannot stay viable or competitive for the long run will sell off the product, milk it as a cash cow or revise it for maximum short-term gain. We will keep seeing this behaviour until the market consolidates into fewer platform vendors' hands. We also see a lot of open integration, with vendors aggressively opening up so that third-party products can be integrated and operation becomes as seamless as possible for the customer.
Next Generation Web Application Security Testing
The next generation of web application security testing needs a new product engine architecture and design to deal with modern and future challenges, and at the same time must incorporate the latest technology breakthroughs, such as artificial intelligence (AI), big data, machine learning (ML) and automation, to break clearly away from existing offerings. Whether it is called an integrated platform or an all-in-one solution, it needs to illuminate an organisation's external attack surface and dark web exposure, to provide a threat-aware, risk-based security testing scorecard for asset security and compliance, and to shed light on data leaks. It should provide actionable security ratings of how hackable and how attractive each asset is. Because it is integrated by nature, it reduces application security complexity and operational cost by eliminating grey areas, illuminating shadow and abandoned assets, and delivering actionable security metrics to better prioritise risks and threats.
Best Advice and Recommendations for Users
During this massive transition period, end users are advised to take a bigger-picture view of which platform to commit to for the future, because the wrong decision will end in a very costly platform shift later on. This is not a point solution or product you can easily swap: it affects the entire digital workflow and the back-end integration and automation, and the downtime, re-training and reconfigured workflow will cost you more than you imagine.
Small, practical point solutions with reasonable licensing costs will remain in the market, even though they are not favoured in market analyst reports, since analysts also need to write about something that carries commercial value in return.
(Concept map summarising the post.)
E-SPIN has been in the application security testing (AST) market since 2005 and has gone through various product, market and technology changes. It is still actively looking to solve application security testing (AST) problems with the right solution, one users can get at the right price together with other value-added services: training, consulting, project implementation and maintenance support covering preventive and incident response by local phone, remote access and on site, as well as complementary third-party software and hardware for turnkey project supply. Feel free to talk with E-SPIN about your application security testing (AST) challenges and requirements.