Following Joseph Feiman’s post on the Veracode blog, Application Security Predictions for 2017 and Beyond, we are glad to see that a significant number of his predictions align with the trends that we have both seen and continue to act on. When it comes to certain predictions, however, our perspective is notably different.
Joseph’s predictions focus on adapting security testing solutions to the fast-paced development environments that are increasingly dominating the application development landscape. Therefore, security testing solutions should enable organizations to perform analysis at the earliest stage of the SDLC, specifically during development and ideally by developers.
Let’s review Veracode’s predictions while demonstrating how and why Checkmarx’s perspective differs:
Veracode: “By 2018, use of SAST-as-a-cloud-service will outpace use of SAST-as-a-tool”
Checkmarx counter-prediction: “By 2019, most organizations will use a hybrid delivery model combining product and managed services, accelerating developer enablement.”
The Checkmarx angle:
While organizations today certainly “produce more software at a faster pace than ever before,” Joseph believes that the solution for companies lacking in security expertise is delegating their static application security testing (SAST) to third-party, independent, cloud-based security experts.
At Checkmarx, however, we believe that the solution is fundamentally different.
We think that developer-enablement, along with the guidance of application security experts, is the correct approach to addressing the growing skills shortage when it comes to secure development.
Examining a comparable trend, such as Software Quality Assurance, it is clear how over the past decade companies such as Google have favored incorporating this responsibility into the daily tasks of developers rather than handing it over to a third party, i.e. throwing code over the fence.
This transformation has proven that responsibility leads to mindfulness, which leads to better long-term quality. The same effect also occurs in the realm of application security testing: developers who understand security and get fast feedback on their mistakes are proven to write better, and more secure, code in the long run.
Initially, AppSec program onboarding and operations may be somewhat challenging and organizations may need assistance in the setup process. As a result, such organizations will seek out vendors who can offer a hybrid approach that covers the entire spectrum between having a fully cloud based solution to a solution that is entirely on-premise.
Such vendors will need to provide the services necessary to help organizations complete their transition to a secure SDLC (sSDLC), including in-context, on-demand developer support and dedicated assistive services to ensure that the transition goes smoothly.
Veracode: “By 2019, more than 30 percent of enterprises that have adopted DevOps will also adopt SAST specially-designed for DevOps”
The Checkmarx angle:
At Checkmarx, we also see this trend taking shape and fully agree with this prediction. However, we’d like to highlight the requirements for a SAST solution to be a citizen of the CI/CD pipeline. For a solution to fit DevOps requirements, it has to meet a zero-friction, quick-turnaround policy.
For SAST solutions, these requirements translate into Incremental Scanning, Partial-Code Scanning and Compiler-Free capabilities. Rather than being add-on features to the product, each of these functionalities is a fundamental part of the analysis engine design. SAST solutions that were not designed for DevOps from the ground up will have a hard time adjusting to the DevOps scheme.
On a related topic, Joseph claims that dynamic application security testing (DAST) will fall behind SAST in importance as it cannot act as a natural citizen of the CI/CD pipeline.
Checkmarx prediction: “By 2019 IAST will outpace DAST in terms of market size.”
We, however, believe that DAST’s shortcomings can be addressed by integrating interactive application security testing (IAST) into DevOps.
Therefore, the dynamic testing market will evolve into two different technologies:
- IAST will replace “DAST-as-an-Automated-Tool”
IAST, when properly delivered, can overcome a majority of DAST’s downsides by becoming an integral part of the tested application. This allows it to work at runtime, covering a much wider variety of functionalities and vulnerabilities while being part of the SDLC testing stage. SAST and IAST synergy will further leverage the capabilities of both products and will be key for DevSecOps success.
- “DAST-as-a-service” will remain a pen-testing tool
“DAST-as-a-service” will be mainly used for penetration testing purposes provided by in-house, or outsourced, penetration testing experts.
As IAST replaces automated DAST within the SDLC, and DAST shifts right as a pen-testing tool, the following figure illustrates how the different technologies would be used in the different software environments:
Veracode: “By 2019, more than 50 percent of enterprises will test some of their applications for security vulnerabilities”
Checkmarx: “In agreement.”
Veracode: “By 2019, more than a third of enterprises will adopt software supply chain assurance programs.”
Checkmarx: “At Checkmarx, we believe that this is a very conservative estimate and this prediction will actually become a reality much sooner.”
Many organizations are already searching for a solution to analyze open source components, which make up the vast majority of the components in the supply chain and are used by most of their applications. This solution should ideally be available as part of the SAST platform they use.
Based on both Joseph’s post and this one, we believe that the following best illustrates the difference in the suggested AST solution framework:
| Topic | Veracode Prediction | Checkmarx Prediction |
|---|---|---|
| Delivery Model | Cloud-based delivery will outpace On-Premise | Flexible delivery model composed of Cloud, On-Premise & Managed services |
| AppSec expertise (SAST) | Delegate SAST to third-party, independent, cloud-based security experts | Developer-enablement along with guidance from application security experts |
| SAST in DevOps | SAST version specially-designed for DevOps | Agreed, yet SAST products which were not designed for DevOps from the ground up will find it hard to adjust to the stringent DevOps requirements |
| Dynamic testing in DevOps | DAST, which is used mostly at the test phase, lags behind SAST in meeting individual developers’ needs | IAST will outshine DAST in DevOps. DAST will become a staging and pen-testing service |