Daily Archives: April 5, 2019

A Deeper Look at Gartner’s Hype Cycle for Application Security

The application security market is ever-changing, with new technologies emerging on a continuous basis. One helpful way to stay on top of the AppSec market is Gartner’s most recent Hype Cycle for Application Security, 2018.

When it comes to DevSecOps, Gartner notes that “adoption is slow, but interest is high,” and showcases development’s shift towards DevOps environments in the name of speed and agility. DevOps is great for an organization, but not if the security piece is siloed and acts in a way that disrupts the speed of development. This is why, Gartner points out, “Security must be a part of this shift, but in a way that respects the collaborative nature of DevOps.”

Veracode’s own Tim Jarrett, Director of Product Management, recently attended DevSecOps Days as part of this year’s RSA Conference, and took away some valuable points on trends in DevSecOps. The general overview was that the theory of DevOps is fantastic, but the practice itself isn’t as straightforward, which is why it makes sense that DevSecOps is catching on in theory, but remains aspirational in practice. This might seem like a bump in the road of progression, but DevSecOps can be successful if security teams are able to communicate the definitive business value.

Read more about Tim’s DevSecOps Days takeaways here.

Software composition analysis

According to Gartner, “Software Composition Analysis is expected to reach the ‘Plateau of Productivity’ in two to five years.” This is supported by the fact that SCA has become more of a mainstream technology that vendors offer as a part of their solution suites. The surge of SCA offerings from software security vendors essentially began when attention was called to the widespread impact of software vulnerabilities like Heartbleed and Apache Struts.

The need for a solution that could analyze open source components was only furthered by the widespread use of open source code and the rampant amount of vulnerabilities that came along with such components. Veracode’s own State of Software Security Report Vol. 9 reported that in last year alone, 87.5% of Java applications contained a component with at least one vulnerability.

In addition to recommending that organizations use SCA tools on a regular basis to ensure software security, Gartner also stated that “SCA tools fit well within DevSecOps-style workflows, where scanning can be automated as part of the rapid development processes.”

Get the State of Software Security Volume 9 Software Composition Analysis Infosheet here.

Application security testing suites

Application security testing suites are a consolidation of AST technologies, including – but not limited to – static analysis, dynamic analysis, software composition analysis, and secure code training to more effectively verify the security of a company’s codebase.

To cover all of your bases when it comes to application security, one option is to use multiple vendors so that you have access to the “best-of-breed” technologies in each category. However, Gartner points out the downside to this approach; “the requirement to deal with different systems, separate dashboards,” and a not-really-unified approach. “Rather than engaging multiple vendors, Gartner clients have increasingly been seeking ‘one-stop-shop’ vendors that offer multiple technologies in a single platform with flexible deployment options.”

Veracode is one of those “one-stop-shops,” and can provide visibility into application status across all testing types, including SAST, DAST, SCA, and manual penetration testing in one centralized view. To learn more about Veracode’s comprehensive AppSec platform, check out this Platform Overview eBook, or, schedule a demo to see how we can help your specific organization.


Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner, Hype Cycle for Application Security, 2018, 27 July 2018, Ayal Tirosh

Weekly Update 133

Weekly Update 133

Wow, a weekly update back on the normal schedule! I also realised when watching this back how less tired I look compared to the last few weeks. Travel takes its toll so I touched on that a bit in this week's update, along with the usual raft of new data breaches to go into HIBP. Plus there's Facebook's incidents, both the one they're not directly responsible for and the one they are responsible for, but is also both a bit of a non-event and something that's reflective of broader issues in the industry.

Next week should be bang on schedule again and with any luck, I'll look even less tired again 😎

Weekly Update 133
Weekly Update 133
Weekly Update 133


  1. Here's everything that goes into a massive international speaking trip (people always publicly share the good stuff in their lives, this is the warts and all version)
  2. Stop hosting forum software yourself! (that was specifically targeted at vBulletin, I later also wrote about my broader approach to platform outages when I'm not responsible for them)
  3. The Intelimost breach has a really interesting write-up by Zack Whittaker (and it's kinda fun to sleazy spammers come undone!)
  4. It's not Facebook's fault that 3rd party developers exposed a bunch of data from their APIs (but there's still a discussion to be had about how much data Facebook should be exposing in the first place)
  5. It is Facebook's fault that they were asking for people's email account passwords (although in practical terms, it also doesn't particularly matter)
  6. Twilio is this week's blog sponsor (they're talking about how 2FA helps secure online transactions and helps comply with regs like PSD2 )