The Forrester Wave Application Security Q4 2014


  • 8/18/2019 The Forrester Wave Application Security Q4 2014

    1/14

    Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA Tel: +1 617.613.6000 |  Fax: +1 617.613.5000 |  www.forrester.com

The Forrester Wave™: Application Security, Q4 2014
by Tyler Shields, December 23, 2014

For: Security & Risk Professionals

KEY TAKEAWAYS

HP, IBM, Veracode, WhiteHat, Contrast Security, Quotium, And Checkmarx Lead

Forrester analyzed the application security testing market (static analysis, dynamic analysis, and instrumented/interactive technologies). The results of the analysis find that HP Fortify, IBM, Veracode, WhiteHat Security, Contrast Security, Quotium, and Checkmarx lead the field. Beyond Security, Coverity, Qualys, and Virtual Forge offer competitive options, while Trend Micro lags behind.

S&R Pros Look For Solutions That Emphasize Accuracy, Integration, And Scalability

The application security testing market is steadily growing because S&R pros increasingly trust application security testing providers to act as strategic partners, advising them on top app security decisions. Solutions with the highest accuracy of results, best integration points, and the capability to grow and scale will continue to find success.

Combining Assessment Methods Provides Differentiation In The Market

By combining static, dynamic, and instrumented assessment technologies, vendors are creating a platform-based application security assessment model. Each individual assessment technology contains delivery weaknesses when compared with the others.

Access The Forrester Wave Model For Deeper Insight

Use the detailed Forrester Wave model to view every piece of data used to score participating vendors and create a custom vendor shortlist. Access the report online and download the Excel tool using the link in the right-hand column under “Tools & Templates.” Alter Forrester’s weightings to tailor the Forrester Wave model to your specifications.



© 2014, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email [email protected]. For additional information, go to www.forrester.com.

FOR SECURITY & RISK PROFESSIONALS

The Forrester Wave™: Application Security, Q4 2014
Tools And Technology: The Security Architecture And Operations Playbook

by Tyler Shields
with Stephanie Balaouras and Jennie Duong

DECEMBER 23, 2014

WHY READ THIS REPORT

In Forrester’s 82-criteria evaluation of application security vendors, we identified the 12 most significant service providers in the category — Beyond Security, Checkmarx, Contrast Security, Coverity, HP Fortify, IBM, Qualys, Quotium, Trend Micro, Veracode, Virtual Forge, and WhiteHat Security — and researched, analyzed, and scored them. This report details our findings about how well each vendor fulfills our criteria and where they stand in relation to each other to help security and risk professionals select the right partner for their application security requirements.

Table Of Contents

 2  S&R Pros Must Build Security Into The Application Layer
      Selection Criteria Target Functional Security Capabilities And Strategy
 2  Vendors Offer Application Assessment Using Multiple Technologies
 5  The Application Security Market Uncovered
      Vendor Profiles
        Leaders
        Strong Performers
        Contenders
11  Supplemental Material

Notes & Resources

Forrester conducted product evaluations in April 2014 and interviewed 12 vendor and user companies: Beyond Security, Checkmarx, Contrast Security, Coverity, HP Fortify, IBM, Qualys, Quotium, Trend Micro, Veracode, Virtual Forge, and WhiteHat Security.

Related Research Documents

TechRadar™: Enterprise Mobile Security, Q4 2014 (November 3, 2014)
It’s Time To Level Up Your Mobile Application Security Program (August 26, 2014)
Address The Top 10 Nontechnical Security Issues In Mobile App Development (April 30, 2014)



S&R PROS MUST BUILD SECURITY INTO THE APPLICATION LAYER

Application security remains a crucial component in keeping enterprise servers and data secure. Many firms have rushed to bring applications online, building out consumer-facing websites, buying commercial off-the-shelf (COTS) products, and developing mobile applications to enable and engage with their customers and partners without thinking about the security of the application itself. As a consequence, businesses are exposing their most sensitive corporate and customer data to possible external threats and breaches.

Selection Criteria Target Functional Security Capabilities And Strategy

S&R pros are looking to work with vendors to detect vulnerabilities more efficiently and effectively, to avoid exposing business-critical security issues, as well as to improve overall business and development efficiency. The vendors assessed meet the growing demand across all businesses without compromising the security needs of their clients’ operations. After examining the current trends in the market, user needs assessments, and vendor and expert interviews, we developed a comprehensive set of evaluation criteria for application security. We evaluated vendors against 82 criteria, grouped into three high-level categories:

■ Current offering. The vertical axis of the Forrester Wave graphic reflects the strength of each vendor’s product offering, including its capabilities in general features (e.g., deployment model, scalability, targeted scanning), static application security testing features, dynamic application security testing features, instrumented analysis features, reporting features and workflows (e.g., flaw descriptions, centralized policies, and workflow and remediation tracking), developer education and training, integrations (e.g., IDE integration, API access, patches, WAFs, and MDMs), remediation instructions, and customer references.

■ Strategy. The horizontal axis measures the viability and execution of each vendor’s strategy, which includes planned enhancements, key technology partners, product focus, target market, cost, average sales prices, maintenance costs, and pricing structure.

■ Market presence. The size of each vendor’s bubble on the Forrester Wave graphic represents each vendor’s presence in the application security market, based on its installed customer and product base, revenue, systems integrators, services, number of employees, and key technology partners.

VENDORS OFFER APPLICATION ASSESSMENT USING MULTIPLE TECHNOLOGIES

Forrester included 12 vendors in the assessment: Beyond Security, Checkmarx, Contrast Security, Coverity, HP Fortify, IBM, Qualys, Quotium, Trend Micro, Veracode, Virtual Forge, and WhiteHat Security. Each of these vendors has (see Figure 1):

■ Mindshare with Forrester’s clients. Vendors included are frequently mentioned in Forrester client inquiries and other forms of client engagement relating to application security.

■ Ability to offer SAST, DAST, and/or IAST capabilities. The vendors evaluated offer comprehensive approaches in static analysis (SAST), dynamic analysis (DAST), and instrumented/interactive technologies (IAST) techniques in order to detect weaknesses and vulnerabilities in general code, web applications, mobile applications, and COTS product offerings.

■ Ability to provide easy deployment and integration for its customers. All vendors evaluated could deploy either a scalable on-premises or cloud-based service to their customers. Vendors were focused on improving the security development life cycle for the enterprise buyer by creating a solution that integrated into existing models of analysis and third-party development tools.

■ Relevance to the application security market. Inclusion in this Forrester Wave means that the vendor actively competes in the application security market, showing up in competitive use cases and discussions among experts and Forrester clients.


Figure 1 Evaluated Vendors: Product Information And Selection Criteria

Source: Forrester Research, Inc. Unauthorized reproduction or distribution prohibited.

Evaluated vendor     Product evaluated                                             Product version
Beyond Security      AVDS                                                          4.00 build 307
Checkmarx            CxSuite                                                       7.1.4
Contrast Security    Contrast Enterprise*                                          3.1
Coverity             Code Advisor                                                  7.5
HP Fortify           HP Applications Security Portfolio (includes: HP Fortify      N/A
                     Software Security Center, HP Fortify Static Code Analyzer,
                     HP WebInspect, HP Fortify on Demand, and HP Application
                     Defender)*
IBM                  IBM Security AppScan Standard, Enterprise, and Source         9.0.0
Qualys               Qualys Web Application Scanning                               3.2
Quotium              Seeker                                                        3.0
Trend Micro          Deep Security for Web Apps*                                   N/A
Veracode             Veracode Platform*                                            N/A
Virtual Forge        CodeProfiler                                                  3.5
WhiteHat Security    WhiteHat Sentinel, WhiteHat Sentinel Source*                  N/A

Vendor selection criteria

Mindshare with Forrester’s clients. Vendors included are frequently mentioned in Forrester client inquiries and other forms of client engagement relating to application security.

Ability to offer SAST, DAST, and/or IAST capabilities. The vendors evaluated offer comprehensive approaches in SAST, DAST, or IAST techniques in order to detect weaknesses and vulnerabilities in general code, web applications, mobile applications, and COTS product offerings.

Ability to provide easy deployment and integration for its customers. All vendors evaluated could deploy either a scalable on-premises or cloud-based service to their customers. Vendors were focused on improving the security development life cycle for the enterprise buyer by creating a solution that integrated into existing models of analysis and third-party development tools.

Relevance to the application security market. Inclusion in this Forrester Wave™ means that the vendor actively competes in the application security market, showing up in competitive use cases and discussions among experts and Forrester clients.


THE APPLICATION SECURITY MARKET UNCOVERED

The evaluation uncovered a market in which a platform approach compensates for the limitations of each individual assessment model, raising the importance of a multitechnology approach. Vendors that built a platform leveraging DAST, SAST, and even IAST saw higher marks than those vendors that focus on one or two technology sets (see Figure 2):

■ HP, IBM, Veracode, WhiteHat, Contrast Security, Quotium, and Checkmarx lead. While each vendor designed and built its original solution from a different technology starting point, the end result for each of these vendors is a cross-technology solution. When sorted by technology cut, each vendor in this section excels at more than one solution, giving it the ability to increase the accuracy of its results.

■ Beyond Security, Coverity, Qualys, and Virtual Forge offer competitive options. Competitive offerings from these vendors tended to focus on one specific area (DAST, SAST, or IAST) of the cross-platform solution. These vendors are working toward building an integrated platform but have yet to improve their nondominant offerings to the strength level that puts them in the upper echelon. These vendors should be chosen specifically if their dominant technology area is of a stronger concern to the buyer than the nondominant technologies.

■ Trend Micro is building up momentum from a late market entry. As a late market entry, Trend Micro is lagging behind the other vendors in the space. Focused predominantly on DAST assessments from the cloud, Trend Micro must expand beyond a single technology-based solution in order to remain relevant to the enterprise buyer. The level of resources available for continued innovation keeps Trend Micro in the picture if it can maintain its current pace of advancement.

This evaluation of the application security market is intended to be a starting point only. We encourage clients to view detailed product evaluations and adapt criteria weightings to fit their individual needs through the Forrester Wave Excel-based vendor comparison tool.


Figure 2 Forrester Wave™: Application Security, Q4 2014

Source: Forrester Research, Inc. Unauthorized reproduction or distribution prohibited.

[Forrester Wave graphic. Horizontal axis: Strategy (Weak to Strong). Vertical axis: Current offering (Weak to Strong). Bubble size: Market presence. Segments, left to right: Risky bets, Contenders, Strong performers, Leaders. Vendors plotted: HP Fortify, IBM, Veracode, WhiteHat Security, Contrast Security, Quotium, Checkmarx, Beyond Security, Coverity, Qualys, Virtual Forge, Trend Micro.]

Go to Forrester.com to download the Forrester Wave tool for more detailed product evaluations, feature comparisons, and customizable rankings.


Figure 2 Forrester Wave™: Application Security, Q4 2014 (Cont.)

Source: Forrester Research, Inc. Unauthorized reproduction or distribution prohibited.

Wt = Forrester’s weighting. Vendor columns: WHS = WhiteHat Security; VF = Virtual Forge; TM = Trend Micro; QLS = Qualys; VC = Veracode; QTM = Quotium; HPF = HP Fortify; CS = Contrast Security; IBM; CVT = Coverity; CHX = Checkmarx; BS = Beyond Security.

Criterion                               Wt   WHS    VF    TM   QLS    VC   QTM   HPF    CS   IBM   CVT   CHX    BS
CURRENT OFFERING                       50%  3.60  2.93  1.82  2.49  3.92  3.21  4.42  3.97  4.62  2.36  3.12  2.46
  General features                     21%  4.25  4.00  3.70  3.65  3.80  4.40  4.68  4.25  4.55  3.95  4.25  4.55
  Static analysis features             22%  3.25  2.40  0.00  0.00  4.00  2.80  4.80  4.50  4.60  3.20  3.55  0.00
  Dynamic analysis features            22%  4.70  2.19  2.38  3.98  4.38  2.59  4.48  3.82  4.56  0.00  0.89  3.68
  Instrumented analysis features        5%  0.00  3.00  0.00  0.00  3.50  5.00  5.00  5.00  3.50  0.00  3.00  0.00
  Reporting features and workflow      10%  4.20  4.40  3.10  4.20  4.80  4.60  5.00  4.00  4.80  4.50  4.80  3.60
  Developer education and training      5%  5.00  1.00  0.50  0.00  5.00  0.00  5.00  5.00  5.00  1.00  5.00  1.25
  Integrations                          5%  2.85  2.90  0.75  2.55  4.50  4.90  4.90  3.85  4.85  3.55  4.45  2.35
  Remediation instructions             10%  1.50  3.00  1.50  3.00  1.50  1.50  1.50  1.50  5.00  1.50  1.50  1.50
  Customer references                   0%  3.00  5.00  5.00  5.00  5.00  5.00  5.00  5.00  5.00  4.00  5.00  3.00
STRATEGY                               50%  4.65  3.35  3.30  3.95  4.65  4.65  4.65  4.00  4.35  4.30  4.30  4.30
  Product strategy                     50%  4.30  2.90  3.60  4.30  4.30  4.30  4.30  3.00  3.70  3.60  3.60  3.60
  Corporate strategy                   50%  5.00  3.80  3.00  3.60  5.00  5.00  5.00  5.00  5.00  5.00  5.00  5.00
  Cost                                  0%  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00
MARKET PRESENCE                         0%  3.70  2.57  3.12  4.31  4.26  1.96  4.15  1.37  4.60  2.57  3.34  4.50
  Installed base                       40%  4.12  3.24  3.68  4.78  3.90  2.58  4.56  2.36  4.76  3.24  3.24  5.00
  Revenue growth quarter over quarter   0%  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00
  Revenue growth year over year         0%  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00
  Systems integrators                  15%  1.00  1.00  1.00  5.00  5.00  0.00  1.00  0.00  3.00  0.00  3.00  5.00
  Services                             15%  5.00  1.66  3.35  2.34  4.34  1.00  5.00  1.00  5.00  3.66  2.32  3.68
  Employees                            15%  3.67  2.33  3.65  3.65  3.67  2.66  5.00  1.34  5.00  3.33  3.32  2.99
  Technology partners                  15%  4.00  3.50  3.00  5.00  5.00  2.50  4.50  0.50  5.00  1.50  5.00  5.00

All scores are based on a scale of 0 (weak) to 5 (strong).

VENDOR PROFILES

Leaders

■ HP Fortify offers an extensive application security solution. HP Fortify displayed strong capabilities across the majority of our criteria in both static and dynamic analysis. Its product combines comprehensive static and dynamic testing and management across a multitude of languages and frameworks that allow customers to deploy and scale quickly. Customer references were satisfied with the vendor’s ease of installation, ease of use, configurable scans, and administration; one customer reference was “very happy with the SDLC-based dynamic application security program built around HP WebInspect and would recommend it to any other organization, even those with rapid development/agile life cycles.” Although HP Fortify has more than 4,000 customers of its application security products (on-premises and cloud-based), we noted that fewer than 500 customers were added in the past year.

■ IBM’s focus on developer integration leads to exceptional results. The IBM product offering provides extensive general features on both on-premises and on-demand application security solutions, depending on customer needs. The solution offers limited static analysis features for data identification and runtime data tracking. The DAST offering is well-positioned for web application discovery, Internet-sourced scanning, internal network scanning, and large-scale assessment. IBM has a long lineage in development and has one of the strongest integrations with other product lines and third-party development tools and services. IBM approaches the security market with a developer-centric message and product strategy focus.

■ Veracode unifies the SAST and DAST platform with accurate and timely results. Veracode offers a unified cloud-based security SAST and DAST platform that includes capabilities for developer workflow integration, central policy management, security analytics and benchmarking, compliance reporting, and workflow management; differentiators include mobile behavioral analysis and third-party assessments. Veracode has the capability to simultaneously scan thousands of websites through its web perimeter monitoring scanning service while providing high scalability for static binary assessments. With strong results in both SAST and DAST segments, Veracode delivers a high level of accuracy in its technical findings while embracing a customer-centric approach to integration into the greater development workflow.

■ WhiteHat Security, although smaller than its competitors, innovates well. Although this vendor’s dedicated research team is somewhat smaller than those of the other Leaders, the vendor’s overall SAST and DAST capabilities, coupled with its unified SaaS platform, have gained a large customer base ranging from startups to large enterprise companies. WhiteHat Security provides efficient deployment and scalability, frequent scanning updates, and configurable rules and scanning capabilities. While WhiteHat Security offers both SAST and DAST services, its DAST capabilities are more comprehensive and can conduct continuous concurrent scanning of tens of thousands of web applications.

■ Contrast Security is a small vendor making big advancements in application security. Although this vendor doesn’t neatly fall into either the static or dynamic categories, as outlined in our application security evaluation, Contrast Security provides an up-and-coming offering that makes it a new and innovative contender (since 2012) to the application security space. The Contrast Security solution is instrumented via HTTP requests and responses like a dynamic tool; contains source code and binary code analysis like a static tool; and has an on-server agent like an interactive tool. The vendor uses a combination of techniques to provide an effective and detailed analysis for its customers. Contrast Security can autodiscover applications located on a specific server and continually assess the security of these applications in real time. Since the technology is young, there are a few minor configuration options that are lacking; however, the assessment technique is unique enough to warrant interest from forward-thinking enterprise buyers.

■ Quotium’s innovation in instrumented assessment results in a unique approach. Another vendor innovating in the space of application security, Quotium has created a solution that doesn’t cleanly fit into the SAST and DAST models of assessment, instead targeting a runtime continuous assessment model by using instrumented analysis. The product’s runtime analysis technology hooks into the application processes and monitors all code execution, while simulating user and hacker traffic to the application. Quotium is an ideal product for enterprises looking for simultaneous testing across a multitude of users and servers, with a centralized repository in various test environments (e.g., AWS, Microsoft Azure, and Rackspace). Customers looking into this solution should note that while Quotium’s Seeker is not a DAST or SAST solution, it does have several unique capabilities that accomplish reasonable dynamic and static results using a unique methodology.

■ Checkmarx delivers SAST directly while offering DAST through partners. Checkmarx’s solution has strong functional capabilities in deployment, concurrent use, scanning automation, configurable rules and scans, targeted scanning, and multiple user support. General features that the vendor must continue to improve upon include scalability, false positive elimination, and flexible scanning functionality. The Checkmarx offering has strong static analysis features around source code scanning, varied language and framework support, analysis levels, and custom static analysis rules. However, the solution is limited due to an inability to deliver dynamic assessment directly. Instead, Checkmarx looks to partners to deliver the DAST section of its product suite.

Strong Performers

■ Beyond Security offers a competitive hybrid option/deployment for its customers. Customers that require easy deployment across multiple environments should consider looking into Beyond Security as a viable dynamic assessment option. Not only is Beyond Security’s solution available as a self-contained appliance and hosted (cloud) solution, but it also has a hybrid offering (on-site scanner managed by a cloud-based management system) for its customers. Beyond Security’s solution offers competitive dynamic analysis features that support application discovery, Internet-sourced scanning, and internal scanning with either an appliance or VM. However, the solution does not support custom dynamic analysis rules or private data identification. Beyond Security does not offer SAST capabilities in its product suite.


■ Coverity has a general platform for SAST code analysis but lacks dynamic capabilities. Coverity’s strength lies in its general features including scanning automation, targeted scanning, multiclass administration, and false positive elimination. Coverity static analysis can analyze byte code for data analysis in Java applications but has little to no functionality in binary scanning and static interactive testing (e.g., code behavior testing and runtime data tracking). Coverity does not support any features to run dynamic analysis.

■ Qualys gets aggressive in product strategy and expands into the application security market. Qualys has traditionally been considered a strong vulnerability assessment vendor, providing continuous security assessment for network-based attacks. Qualys has augmented its technology by moving up the stack into the application assessment realm. The solution offers dynamic analysis features such as application discovery, Internet-sourced scanning, high scalability, and appliance/virtual machine support. Although Qualys’ solution does not support static code analysis, its solution is ideal for customers looking to automate continuous dynamic assessments of target environments. Qualys is gaining in market share and was one of the few vendors to show a significant amount of new enterprise customer growth in the past year. Forrester expects that with new enhancements in its security portfolio, Qualys may become a more direct force in the DAST space in 2015.¹

■ Virtual Forge extensively secures SAP-specific content but is limited in other features. Virtual Forge’s application security solution contains both a cloud-based and on-premises deployment model that has capabilities including concurrent use and configurable rules for source code scanning. Virtual Forge’s solution has limited features available for static analysis testing. The solution analyzes the source code of SAP applications only, limiting the product’s marketability. The offering is unable to fully support static binary scanning, business logic flaws, and interactive testing. Virtual Forge’s product uses open penetration testing frameworks (Metasploit) to do dynamic analysis and scanning, and SAP-specific content is layered on top of these open source tools. Virtual Forge has the most comprehensive product in the space for securing SAP source code; however, you will have to look elsewhere for other languages and features.

Contenders

■ Trend Micro is a new entrant to the market and has some catching up to do. Trend Micro is a new vendor to the application security market. In Forrester’s evaluation, Trend Micro was one of a few vendors that did not support any SAST capabilities whatsoever, instead focusing only on DAST support from a cloud-only offering. Trend Micro is still developing its product capabilities and strategies and has a robust team with over 1,000 dedicated researchers (including global application security experts) focused on emerging threats and vulnerabilities. The Trend Micro offering is a cloud-based service that can dynamically scale to meet enterprise-level demands but requires some more time in the market before it gains significant traction.


    SUPPLEMENTAL MATERIAL

    Online Resource

    Te online version o Figure 2 is an Excel-based vendor comparison tool that provides detailed

    product evaluations and customizable rankings.

    Data Sources Used In This Forrester Wave

    Forrester used a combination o three data sources to assess the strengths and weaknesses o each

    solution:

    ■ Vendor surveys. Forrester surveyed vendors on their capabilities as they relate to the evaluation criteria. Once we analyzed the completed vendor surveys, we conducted vendor calls where necessary to gather details of vendor qualifications.

    ■ Product demos. We asked vendors to conduct demonstrations of their product’s functionality. We used findings from these product demos to validate details of each vendor’s product capabilities.

    ■ Customer reference calls. To validate product and vendor qualifications, Forrester also conducted reference calls with three of each vendor’s current customers.

    The Forrester Wave Methodology 

    We conduct primary research to develop a list of vendors that meet our criteria to be evaluated in this market. From that initial pool of vendors, we then narrow our final list. We choose these vendors based on: 1) product fit; 2) customer success; and 3) Forrester client demand. We eliminate vendors that have limited customer references and products that don’t fit the scope of our evaluation.

    After examining past research, user need assessments, and vendor and expert interviews, we develop the initial evaluation criteria. To evaluate the vendors and their products against our set of criteria, we gather details of product qualifications through a combination of lab evaluations, questionnaires, demos, and/or discussions with client references. We send evaluations to the vendors for their review, and we adjust the evaluations to provide the most accurate view of vendor offerings and strategies.

    We set default weightings to reflect our analysis of the needs of large user companies — and/or other scenarios as outlined in the Forrester Wave document — and then score the vendors based on a clearly defined scale. These default weightings are intended only as a starting point, and we encourage readers to adapt the weightings to fit their individual needs through the Excel-based tool. The final scores generate the graphical depiction of the market based on current offering, strategy, and market presence. Forrester intends to update vendor evaluations regularly as product capabilities and vendor strategies evolve. For more information on the methodology that every Forrester Wave follows, go to http://www.forrester.com/marketing/policies/forrester-wave-methodology.html.

    Integrity Policy 

    All of Forrester’s research, including Waves, is conducted according to our Integrity Policy. For more information, go to http://www.forrester.com/marketing/policies/integrity-policy.html.



    Forrester Research (Nasdaq: FORR) is a global research and advisory firm serving professionals in 13 key roles across three distinct client segments. Our clients face progressively complex business and technology decisions every day. To help them understand, strategize, and act upon opportunities brought by change, Forrester provides proprietary research, consumer and business data, custom consulting, events and


    Forrester Focuses On Security & Risk Professionals

    To help your firm capitalize on new business opportunities safely, you must ensure proper governance oversight to manage risk while optimizing security processes and technologies for future flexibility. Forrester’s subject-matter expertise and deep understanding of your role will help you create forward-thinking strategies; weigh opportunity against risk; justify decisions; and optimize your individual, team, and corporate performance.

    SEAN RHODES, client persona representing Security & Risk Professionals

     About Forrester

    A global research and advisory firm, Forrester inspires leaders, informs better decisions, and helps the world’s top companies turn the complexity of change into business advantage. Our research-based insight and objective advice enable IT professionals to lead more successfully within IT and extend their impact beyond the traditional IT organization. Tailored to your individual role, our resources allow you to focus on important business issues — margin, speed, growth — first, technology second.

    FOR MORE INFORMATION

    To find out how Forrester Research can help you be successful every day, please contact the office nearest you, or visit us at www.forrester.com. For a complete list of worldwide locations, visit www.forrester.com/about.

    CLIENT SUPPORT

    For information on hard-copy or electronic reprints, please contact Client Support at +1 866.367.7378, +1 617.613.5730, or [email protected]. We offer quantity discounts and special pricing for academic and nonprofit institutions.
