8/18/2019 The Forrester Wave Application Security Q4 2014
1/14
Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA Tel: +1 617.613.6000 | Fax: +1 617.613.5000 | www.forrester.com
The Forrester Wave™: Application Security, Q4 2014
by Tyler Shields, December 23, 2014
For: Security & Risk Professionals
KEY TAKEAWAYS
HP, IBM, Veracode, WhiteHat, Contrast Security, Quotium, And Checkmarx Lead
Forrester analyzed the application security testing market (static analysis, dynamic analysis, and instrumented/interactive technologies). The results of the analysis find that HP Fortify, IBM, Veracode, WhiteHat Security, Contrast Security, Quotium, and Checkmarx lead the field. Beyond Security, Coverity, Qualys, and Virtual Forge offer competitive options, while Trend Micro lags behind.
S&R Pros Look For Solutions That Emphasize Accuracy, Integration, And Scalability
The application security testing market is steadily growing because S&R pros increasingly trust application security testing providers to act as strategic partners, advising them on top app security decisions. Solutions with the highest accuracy of results, best integration points, and the capability to grow and scale will continue to find success.
Combining Assessment Methods Provides Differentiation In The Market
By combining static, dynamic, and instrumented assessment technologies, vendors
are creating a platform-based application security assessment model. Each individual
assessment technology contains delivery weaknesses when compared with the others.
Access The Forrester Wave Model For Deeper Insight
Use the detailed Forrester Wave model to view every piece of data used to score participating vendors and create a custom vendor shortlist. Access the report online and download the Excel tool using the link in the right-hand column under “Tools & Templates.” Alter Forrester’s weightings to tailor the Forrester Wave model to your specifications.
© 2014, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available
resources. Opinions reflect judgment at the time and are subject to change. Forrester ®, Technographics®, Forrester Wave, RoleView, TechRadar,
and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To
purchase reprints of this document, please email [email protected]. For additional information, go to www.forrester.com.
FOR SECURITY & RISK PROFESSIONALS
WHY READ THIS REPORT
In Forrester’s 82-criteria evaluation of application security vendors, we identified the 12 most significant service providers in the category — Beyond Security, Checkmarx, Contrast Security, Coverity, HP Fortify, IBM, Qualys, Quotium, Trend Micro, Veracode, Virtual Forge, and WhiteHat Security — and researched, analyzed, and scored them. This report details our findings about how well each vendor fulfills our criteria and where they stand in relation to each other to help security and risk professionals select the right partner for their application security requirements.
Table Of Contents
S&R Pros Must Build Security Into The Application Layer
Selection Criteria Target Functional Security Capabilities And Strategy
Vendors Offer Application Assessment Using Multiple Technologies
The Application Security Market Uncovered
Vendor Profiles
Leaders
Strong Performers
Contenders
Supplemental Material
Notes & Resources
Forrester conducted product evaluations
in April 2014 and interviewed 12 vendor
and user companies: Beyond Security,
Checkmarx, Contrast Security, Coverity, HP
Fortify, IBM, Qualys, Quotium, Trend Micro,
Veracode, Virtual Forge, and WhiteHat
Security.
Related Research Documents
TechRadar™: Enterprise Mobile Security, Q4 2014
November 3, 2014
It’s Time To Level Up Your Mobile Application Security Program
August 26, 2014
Address The Top 10 Nontechnical Security Issues In Mobile App Development
April 30, 2014
The Forrester Wave™: Application Security, Q4 2014
Tools And Technology: The Security Architecture And Operations Playbook
by Tyler Shields
with Stephanie Balaouras and Jennie Duong
DECEMBER 23, 2014
FOR SECURITY & RISK PROFESSIONALS
The Forrester Wave™: Application Security, Q4 2014 2
© 2014, Forrester Research, Inc. Reproduction Prohibited December 23,2014
S&R PROS MUST BUILD SECURITY INTO THE APPLICATION LAYER
Application security remains a crucial component in keeping enterprise servers and data secure.
Many firms have rushed to bring applications online, building out consumer-facing websites, buying commercial off-the-shelf (COTS) products, and developing mobile applications to enable and engage with their customers and partners without thinking about the security of the application itself. As a consequence, businesses are exposing their most sensitive corporate and customer data to possible external threats and breaches.
Selection Criteria Target Functional Security Capabilities And Strategy
S&R pros are looking to work with vendors to detect vulnerabilities more efficiently and effectively,
to avoid exposing business-critical security issues, as well as to improve overall business and
development efficiency. The vendors assessed meet the growing demand across all businesses without compromising the security needs of their clients’ operations. After examining the current trends in the market, user needs assessments, and vendor and expert interviews, we developed a comprehensive set of evaluation criteria for application security. We evaluated vendors against 82
criteria, grouped into three high-level categories:
■ Current offering. The vertical axis of the Forrester Wave graphic reflects the strength of each vendor’s product offering, including its capabilities in general features (e.g., deployment model, scalability, targeted scanning), static application security testing features, dynamic application security testing features, instrumented analysis features, reporting features and workflows (e.g., flaw descriptions, centralized policies, and workflow and remediation tracking), developer education and training, integrations (e.g., IDE integration, API access, patches, WAFs, and MDMs), remediation instructions, and customer references.
■ Strategy. The horizontal axis measures the viability and execution of each vendor’s strategy, which includes planned enhancements, key technology partners, product focus, target market, cost, average sales prices, maintenance costs, and pricing structure.
■ Market presence. The size of each vendor’s bubble on the Forrester Wave graphic represents each vendor’s presence in the application security market, based on its installed customer and product base, revenue, systems integrators, services, number of employees, and key technology partners.
VENDORS OFFER APPLICATION ASSESSMENT USING MULTIPLE TECHNOLOGIES
Forrester included 12 vendors in the assessment: Beyond Security, Checkmarx, Contrast Security,
Coverity, HP Fortify, IBM, Qualys, Quotium, Trend Micro, Veracode, Virtual Forge, and WhiteHat
Security. Each of these vendors has (see Figure 1):
■ Mindshare with Forrester’s clients. Vendors included are frequently mentioned in Forrester client inquiries and other forms of client engagement relating to application security.
■ Ability to offer SAST, DAST, and/or IAST capabilities. The vendors evaluated offer comprehensive approaches in static analysis (SAST), dynamic analysis (DAST), and instrumented/interactive technologies (IAST) techniques in order to detect weaknesses and vulnerabilities in general code, web applications, mobile applications, and COTS product offerings.
■ Ability to provide easy deployment and integration for its customers. All vendors evaluated could deploy either a scalable on-premises or cloud-based service to their customers. Vendors were focused on improving the security development life cycle for the enterprise buyer by creating a solution that integrated into existing models of analysis and third-party development tools.
■ Relevance to the application security market. Inclusion in this Forrester Wave means that the vendor actively competes in the application security market, showing up in competitive use cases and discussions among experts and Forrester clients.
Figure 1 Evaluated Vendors: Product Information And Selection Criteria
Source: Forrester Research, Inc. Unauthorized reproduction or distribution prohibited.
Evaluated vendors    Product evaluated                                                   Product version
Beyond Security      AVDS                                                                4.00 build 307
Checkmarx            CxSuite                                                             7.1.4
Contrast Security    Contrast Enterprise*                                                3.1
Coverity             Code Advisor                                                        7.5
HP Fortify           HP Applications Security Portfolio (includes: HP Fortify Software   N/A
                     Security Center, HP Fortify Static Code Analyzer, HP WebInspect,
                     HP Fortify on Demand, and HP Application Defender)*
IBM                  IBM Security AppScan Standard, Enterprise, and Source               9.0.0
Qualys               Qualys Web Application Scanning                                     3.2
Quotium              Seeker                                                              3.0
Trend Micro          Deep Security for Web Apps*                                         N/A
Veracode             Veracode Platform*                                                  N/A
Virtual Forge        CodeProfiler                                                        3.5
WhiteHat Security    WhiteHat Sentinel, WhiteHat Sentinel Source*                        N/A

Vendor selection criteria
Mindshare with Forrester’s clients. Vendors included are frequently mentioned in Forrester client inquiries and other forms of client engagement relating to application security.
Ability to offer SAST, DAST, and/or IAST capabilities. The vendors evaluated offer comprehensive approaches in SAST, DAST, or IAST techniques in order to detect weaknesses and vulnerabilities in general code, web applications, mobile applications, and COTS product offerings.
Ability to provide easy deployment and integration for its customers. All vendors evaluated could deploy either a scalable on-premises or cloud-based service to their customers. Vendors were focused on improving the security development life cycle for the enterprise buyer by creating a solution that integrated into existing models of analysis and third-party development tools.
Relevance to the application security market. Inclusion in this Forrester Wave™ means that the vendor actively competes in the application security market, showing up in competitive use cases and discussions among experts and Forrester clients.
THE APPLICATION SECURITY MARKET UNCOVERED
The evaluation uncovered a market in which a platform approach offsets the limitations of each individual assessment model, raising the importance of a multitechnology approach. Vendors that built a platform leveraging DAST, SAST, and even IAST saw higher marks than those vendors that focus on one or two technology sets (see Figure 2):
■ HP, IBM, Veracode, WhiteHat, Contrast Security, Quotium, and Checkmarx lead. While each vendor designed and built its original solution from a different technology starting point, the end result for each of these vendors is a cross-technology solution. When sorted by technology cut, each vendor in this section excels at more than one solution, giving it the ability to increase the accuracy of its results.
■ Beyond Security, Coverity, Qualys, and Virtual Forge offer competitive options. Competitive offerings from these vendors tended to focus on one specific area (DAST, SAST, or IAST) of the cross-platform solution. These vendors are working toward building an integrated platform but have yet to improve their nondominant offerings to the strength level that puts them in the upper echelon. These vendors should be chosen specifically if their dominant technology area is of a stronger concern to the buyer than the nondominant technologies.
■ Trend Micro is building up momentum from a late market entry. As a late market entry, Trend Micro is lagging behind the other vendors in the space. Focused predominantly on DAST assessments from the cloud, Trend Micro must expand beyond a single technology-based solution in order to remain relevant to the enterprise buyer. The level of resources available for continued innovation keeps Trend Micro in the picture if it can maintain its current pace of advancement.
This evaluation of the application security market is intended to be a starting point only. We encourage clients to view detailed product evaluations and adapt criteria weightings to fit their individual needs through the Forrester Wave Excel-based vendor comparison tool.
Figure 2 Forrester Wave™: Application Security, Q4 2014
Source: Forrester Research, Inc. Unauthorized reproduction or distribution prohibited.
[Figure 2 graphic: the 12 vendors plotted with Strategy (weak to strong) on the horizontal axis and Current offering (weak to strong) on the vertical axis, across the bands Risky bets, Contenders, Strong performers, and Leaders; bubble size indicates Market presence. Plotted vendors: HP Fortify, IBM, Veracode, WhiteHat Security, Contrast Security, Quotium, Checkmarx, Beyond Security, Coverity, Qualys, Virtual Forge, and Trend Micro. Go to Forrester.com to download the Forrester Wave tool for more detailed product evaluations, feature comparisons, and customizable rankings.]
Figure 2 Forrester Wave™: Application Security, Q4 2014 (Cont.)
Source: Forrester Research, Inc. Unauthorized reproduction or distribution prohibited.
Weights are Forrester’s default weighting, given as a percentage of the parent category (market presence carries 0% at the top level). Column key: BS = Beyond Security, CX = Checkmarx, CS = Contrast Security, COV = Coverity, HP = HP Fortify, IBM = IBM, QLS = Qualys, QTM = Quotium, TM = Trend Micro, VC = Veracode, VF = Virtual Forge, WH = WhiteHat Security.

Criterion                              Weight    BS    CX    CS   COV    HP   IBM   QLS   QTM    TM    VC    VF    WH
CURRENT OFFERING                          50%  2.46  3.12  3.97  2.36  4.42  4.62  2.49  3.21  1.82  3.92  2.93  3.60
  General features                        21%  4.55  4.25  4.25  3.95  4.68  4.55  3.65  4.40  3.70  3.80  4.00  4.25
  Static analysis features                22%  0.00  3.55  4.50  3.20  4.80  4.60  0.00  2.80  0.00  4.00  2.40  3.25
  Dynamic analysis features               22%  3.68  0.89  3.82  0.00  4.48  4.56  3.98  2.59  2.38  4.38  2.19  4.70
  Instrumented analysis features           5%  0.00  3.00  5.00  0.00  5.00  3.50  0.00  5.00  0.00  3.50  3.00  0.00
  Reporting features and workflow         10%  3.60  4.80  4.00  4.50  5.00  4.80  4.20  4.60  3.10  4.80  4.40  4.20
  Developer education and training         5%  1.25  5.00  5.00  1.00  5.00  5.00  0.00  0.00  0.50  5.00  1.00  5.00
  Integrations                             5%  2.35  4.45  3.85  3.55  4.90  4.85  2.55  4.90  0.75  4.50  2.90  2.85
  Remediation instructions                10%  1.50  1.50  1.50  1.50  1.50  5.00  3.00  1.50  1.50  1.50  3.00  1.50
  Customer references                      0%  3.00  5.00  5.00  4.00  5.00  5.00  5.00  5.00  5.00  5.00  5.00  3.00
STRATEGY                                  50%  4.30  4.30  4.00  4.30  4.65  4.35  3.95  4.65  3.30  4.65  3.35  4.65
  Product strategy                        50%  3.60  3.60  3.00  3.60  4.30  3.70  4.30  4.30  3.60  4.30  2.90  4.30
  Corporate strategy                      50%  5.00  5.00  5.00  5.00  5.00  5.00  3.60  5.00  3.00  5.00  3.80  5.00
  Cost                                     0%  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00
MARKET PRESENCE                            0%  4.50  3.34  1.37  2.57  4.15  4.60  4.31  1.96  3.12  4.26  2.57  3.70
  Installed base                          40%  5.00  3.24  2.36  3.24  4.56  4.76  4.78  2.58  3.68  3.90  3.24  4.12
  Revenue growth quarter over quarter      0%  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00
  Revenue growth year over year            0%  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00  0.00
  Systems integrators                     15%  5.00  3.00  0.00  0.00  1.00  3.00  5.00  0.00  1.00  5.00  1.00  1.00
  Services                                15%  3.68  2.32  1.00  3.66  5.00  5.00  2.34  1.00  3.35  4.34  1.66  5.00
  Employees                               15%  2.99  3.32  1.34  3.33  5.00  5.00  3.65  2.66  3.65  3.67  2.33  3.67
  Technology partners                     15%  5.00  5.00  0.50  1.50  4.50  5.00  5.00  2.50  3.00  5.00  3.50  4.00
All scores are based on a scale of 0 (weak) to 5 (strong).
VENDOR PROFILES
Leaders
■ HP Fortify offers an extensive application security solution. HP Fortify displayed strong capabilities across the majority of our criteria in both static and dynamic analysis. Its product combines comprehensive static and dynamic testing and management across a multitude of languages and frameworks that allow customers to deploy and scale quickly. Customer
references were satisfied with the vendor’s ease of installation, ease of use, configurable scans, and administration; one customer reference was “very happy with the SDLC-based dynamic application security program built around HP WebInspect and would recommend it to any other organization, even those with rapid development/agile life cycles.” Although HP Fortify has more than 4,000 customers of its application security products (on-premises and cloud-based), we noted that fewer than 500 customers were added in the past year.
■ IBM’s focus on the developer integration leads to exceptional results. The IBM product offering provides extensive general features on both on-premises and on-demand application security solutions, depending on customer needs. The solution offers limited static analysis features for data identification and runtime data tracking. The DAST offering is well-positioned for web application discovery, Internet-sourced scanning, internal network scanning, and large-scale assessment. IBM has a long lineage in development and has one of the strongest integrations with other product lines and third-party development tools and services. IBM approaches the security market with a developer-centric message and product strategy focus.
■ Veracode unifies the SAST and DAST platform with accurate and timely results. Veracode offers a unified cloud-based security SAST and DAST platform that includes capabilities for developer workflow integration, central policy management, security analytics and benchmarking, compliance reporting, and workflow management; differentiators include mobile behavioral analysis and third-party assessments. Veracode has the capability to simultaneously scan thousands of websites through its web perimeter monitoring scanning service while providing high scalability for static binary assessments. With strong results in both SAST and DAST segments, Veracode delivers a high level of accuracy in its technical findings while embracing a customer-centric approach to integration into the greater development workflow.
■ WhiteHat Security, although smaller than its competitors, innovates well. Although this vendor’s dedicated research team is somewhat smaller than those of the other Leaders, the vendor’s overall SAST and DAST capabilities, coupled with its unified SaaS platform, have gained a large customer base ranging from startups to large enterprise companies. WhiteHat Security provides efficient deployment and scalability, frequent scanning updates, and configurable rules and scanning capabilities. While WhiteHat Security offers both SAST and DAST services, its DAST capabilities are more comprehensive and can conduct continuous concurrent scanning of tens of thousands of web applications.
■ Contrast Security is a small vendor making big advancements in application security. Although this vendor doesn’t neatly fall into either the static or dynamic categories, as outlined in our application security evaluation, Contrast Security provides an up-and-coming offering that makes it a new and innovative contender (since 2012) to the application security space. The Contrast Security solution is instrumented via HTTP requests and responses like a dynamic tool; contains source code and binary code analysis like a static tool; and has an on-server agent like an
interactive tool. The vendor uses a combination of techniques to provide an effective and detailed analysis for its customers. Contrast Security can autodiscover applications located on a specific server and continually assess the security of these applications in real time. Since the technology is young, there are a few minor configuration options that are lacking; however, the assessment technique is unique enough to warrant interest from forward-thinking enterprise buyers.
■ Quotium’s innovation in instrumented assessment results in a unique approach. Another vendor innovating in the space of application security, Quotium has created a solution that doesn’t cleanly fit into the SAST and DAST models of assessment, instead targeting a runtime continuous assessment model by using instrumented analysis. The product’s runtime analysis technology hooks into the application processes and monitors all code execution, while simulating user, and hacker, traffic to the application. Quotium is an ideal product for enterprises looking for simultaneous testing across a multitude of users and servers, with a centralized repository in various test environments (e.g., AWS, Microsoft Azure, and Rackspace). Customers looking into this solution should note that while Quotium’s Seeker is not a DAST or SAST solution, it does have several unique capabilities that accomplish reasonable dynamic and static results using a unique methodology.
■ Checkmarx delivers SAST directly while offering DAST through partners. Checkmarx’s solution has strong functional capabilities in deployment, concurrent use, scanning automation, configurable rules and scans, targeted scanning, and multiple user support. General features that the vendor must continue to improve upon include scalability, false positive elimination, and flexible scanning functionality. The Checkmarx offering has strong static analysis features around source code scanning, varied language and framework support, analysis levels, and custom static analysis rules. However, the solution is limited due to an inability to deliver dynamic assessment directly. Instead, Checkmarx looks to partners to deliver the DAST section of its product suite.
Strong Performers
■ Beyond Security offers a competitive hybrid option/deployment for its customers. Customers that require easy deployment across multiple environments should consider looking into Beyond Security as a viable dynamic assessment option. Not only is Beyond Security’s solution available as a self-contained appliance and hosted (cloud) solution, but it also has a hybrid offering (on-site scanner managed by a cloud-based management system) for its customers. Beyond Security’s solution offers competitive dynamic analysis features that support application discovery, Internet-sourced scanning, and internal scanning with either an appliance or VM. However, the solution does not support custom dynamic analysis rules or private data identification. Beyond Security does not offer SAST capabilities in its product suite.
■ Coverity has a general platform for SAST code analysis but lacks dynamic capabilities. Coverity’s strength lies in its general features including scanning automation, targeted scanning, multiclass administration, and false positive elimination. Coverity static analysis can analyze byte code for data analysis in Java applications but has little to no functionality in binary scanning and static interactive testing (e.g., code behavior testing and runtime data tracking). Coverity does not support any features to run dynamic analysis.
■ Qualys gets aggressive in product strategy and expands into application security market. Qualys has traditionally been considered a strong vulnerability assessment vendor, providing continuous security assessment for network-based attacks. Qualys has augmented its technology by moving up the stack into the application assessment realm. The solution offers dynamic analysis features such as application discovery, Internet-sourced scanning, high scalability, and appliance/virtual machine support. Although Qualys’ solution does not support static code analysis, its solution is ideal for customers looking to automate continuous dynamic assessments of target environments. Qualys is gaining in market share and was one of the few vendors to show a significant amount of new enterprise customer growth in the past year. Forrester expects that with new enhancements in its security portfolio, Qualys may become a more direct force in the DAST space in 2015.[1]
■ Virtual Forge extensively secures SAP-specific content but is limited in other features. Virtual Forge’s application security solution contains both a cloud-based and on-premises deployment model that has capabilities including concurrent use and configurable rules for source code scanning. Virtual Forge’s solution has limited features available for static analysis testing. The solution analyzes the source code of SAP applications only, limiting the product’s marketability. The offering is unable to fully support static binary scanning, business logic flaws, and interactive testing. Virtual Forge’s product uses open penetration testing frameworks (Metasploit) to do dynamic analysis and scanning, and SAP-specific content is layered on top of these open source tools. Virtual Forge has the most comprehensive product in the space for securing SAP source code; however, you will have to look elsewhere for other languages and features.
Contenders
■ Trend Micro is a new entrant to the market and has some catching up to do. Trend Micro is a new vendor to the application security market. In Forrester’s evaluation, Trend Micro was one of a few vendors that did not support any SAST capabilities whatsoever, instead focusing only on DAST support from a cloud-only offering. Trend Micro is still developing its product capabilities and strategies and has a robust team with over 1,000 dedicated researchers (including global application security experts) focused on emerging threats and vulnerabilities. The Trend Micro offering is a cloud-based service that can dynamically scale to meet enterprise-level demands but requires some more time in the market before it gains significant traction.
SUPPLEMENTAL MATERIAL
Online Resource
The online version of Figure 2 is an Excel-based vendor comparison tool that provides detailed
product evaluations and customizable rankings.
Data Sources Used In This Forrester Wave
Forrester used a combination of three data sources to assess the strengths and weaknesses of each
solution:
■ Vendor surveys. Forrester surveyed vendors on their capabilities as they relate to the evaluation criteria. Once we analyzed the completed vendor surveys, we conducted vendor calls where necessary to gather details of vendor qualifications.
■ Product demos. We asked vendors to conduct demonstrations of their product’s functionality. We used findings from these product demos to validate details of each vendor’s product capabilities.
■ Customer reference calls. To validate product and vendor qualifications, Forrester also conducted reference calls with three of each vendor’s current customers.
The Forrester Wave Methodology
We conduct primary research to develop a list of vendors that meet our criteria to be evaluated in this market. From that initial pool of vendors, we then narrow our final list. We choose these vendors based on: 1) product fit; 2) customer success; and 3) Forrester client demand. We eliminate vendors that have limited customer references and products that don’t fit the scope of our evaluation.
After examining past research, user need assessments, and vendor and expert interviews, we develop the initial evaluation criteria. To evaluate the vendors and their products against our set of criteria, we gather details of product qualifications through a combination of lab evaluations, questionnaires, demos, and/or discussions with client references. We send evaluations to the vendors for their review, and we adjust the evaluations to provide the most accurate view of vendor offerings and strategies.
We set default weightings to reflect our analysis of the needs of large user companies — and/or other scenarios as outlined in the Forrester Wave document — and then score the vendors based on a clearly defined scale. These default weightings are intended only as a starting point, and we encourage readers to adapt the weightings to fit their individual needs through the Excel-based tool. The final scores generate the graphical depiction of the market based on current offering, strategy, and market presence. Forrester intends to update vendor evaluations regularly as product
capabilities and vendor strategies evolve. For more information on the methodology that every Forrester Wave follows, go to http://www.forrester.com/marketing/policies/forrester-wave-methodology.html.
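The weighting step described above, worked through on the numbers printed in Figure 2, as an added example that is not Forrester's Excel tool and not part of the report: it recomputes the three category scores from the per-criterion scores and default weights, checks them against the printed totals, and then re-weights the current-offering criteria for a hypothetical buyer who prioritises instrumented (IAST) assessment. The IAST_BUYER weights are an assumption chosen for illustration; everything else is the report's own data.

```python
"""Recompute the Figure 2 category scores of the Forrester Wave from the printed
per-criterion scores and weights, then re-weight them to a buyer's own priorities.
Added example; it is not Forrester's Excel tool and encodes only the printed numbers."""

# Criteria in Figure 2 order: (category, criterion, Forrester's default weight in %).
# Within each category the default weights sum to 100.
CRITERIA = [
    ("Current offering", "General features", 21),
    ("Current offering", "Static analysis features", 22),
    ("Current offering", "Dynamic analysis features", 22),
    ("Current offering", "Instrumented analysis features", 5),
    ("Current offering", "Reporting features and workflow", 10),
    ("Current offering", "Developer education and training", 5),
    ("Current offering", "Integrations", 5),
    ("Current offering", "Remediation instructions", 10),
    ("Current offering", "Customer references", 0),
    ("Strategy", "Product strategy", 50),
    ("Strategy", "Corporate strategy", 50),
    ("Strategy", "Cost", 0),
    ("Market presence", "Installed base", 40),
    ("Market presence", "Revenue growth quarter over quarter", 0),
    ("Market presence", "Revenue growth year over year", 0),
    ("Market presence", "Systems integrators", 15),
    ("Market presence", "Services", 15),
    ("Market presence", "Employees", 15),
    ("Market presence", "Technology partners", 15),
]
CATEGORIES = ("Current offering", "Strategy", "Market presence")

# Per-criterion scores from Figure 2 (0 = weak, 5 = strong), in CRITERIA order.
SCORES = {
    "Beyond Security":   [4.55, 0.00, 3.68, 0.00, 3.60, 1.25, 2.35, 1.50, 3.00, 3.60, 5.00, 0.00, 5.00, 0.00, 0.00, 5.00, 3.68, 2.99, 5.00],
    "Checkmarx":         [4.25, 3.55, 0.89, 3.00, 4.80, 5.00, 4.45, 1.50, 5.00, 3.60, 5.00, 0.00, 3.24, 0.00, 0.00, 3.00, 2.32, 3.32, 5.00],
    "Contrast Security": [4.25, 4.50, 3.82, 5.00, 4.00, 5.00, 3.85, 1.50, 5.00, 3.00, 5.00, 0.00, 2.36, 0.00, 0.00, 0.00, 1.00, 1.34, 0.50],
    "Coverity":          [3.95, 3.20, 0.00, 0.00, 4.50, 1.00, 3.55, 1.50, 4.00, 3.60, 5.00, 0.00, 3.24, 0.00, 0.00, 0.00, 3.66, 3.33, 1.50],
    "HP Fortify":        [4.68, 4.80, 4.48, 5.00, 5.00, 5.00, 4.90, 1.50, 5.00, 4.30, 5.00, 0.00, 4.56, 0.00, 0.00, 1.00, 5.00, 5.00, 4.50],
    "IBM":               [4.55, 4.60, 4.56, 3.50, 4.80, 5.00, 4.85, 5.00, 5.00, 3.70, 5.00, 0.00, 4.76, 0.00, 0.00, 3.00, 5.00, 5.00, 5.00],
    "Qualys":            [3.65, 0.00, 3.98, 0.00, 4.20, 0.00, 2.55, 3.00, 5.00, 4.30, 3.60, 0.00, 4.78, 0.00, 0.00, 5.00, 2.34, 3.65, 5.00],
    "Quotium":           [4.40, 2.80, 2.59, 5.00, 4.60, 0.00, 4.90, 1.50, 5.00, 4.30, 5.00, 0.00, 2.58, 0.00, 0.00, 0.00, 1.00, 2.66, 2.50],
    "Trend Micro":       [3.70, 0.00, 2.38, 0.00, 3.10, 0.50, 0.75, 1.50, 5.00, 3.60, 3.00, 0.00, 3.68, 0.00, 0.00, 1.00, 3.35, 3.65, 3.00],
    "Veracode":          [3.80, 4.00, 4.38, 3.50, 4.80, 5.00, 4.50, 1.50, 5.00, 4.30, 5.00, 0.00, 3.90, 0.00, 0.00, 5.00, 4.34, 3.67, 5.00],
    "Virtual Forge":     [4.00, 2.40, 2.19, 3.00, 4.40, 1.00, 2.90, 3.00, 5.00, 2.90, 3.80, 0.00, 3.24, 0.00, 0.00, 1.00, 1.66, 2.33, 3.50],
    "WhiteHat Security": [4.25, 3.25, 4.70, 0.00, 4.20, 5.00, 2.85, 1.50, 3.00, 4.30, 5.00, 0.00, 4.12, 0.00, 0.00, 1.00, 5.00, 3.67, 4.00],
}

# Category totals as printed in Figure 2 (current offering, strategy, market presence).
PUBLISHED = {
    "Beyond Security": (2.46, 4.30, 4.50), "Checkmarx": (3.12, 4.30, 3.34),
    "Contrast Security": (3.97, 4.00, 1.37), "Coverity": (2.36, 4.30, 2.57),
    "HP Fortify": (4.42, 4.65, 4.15), "IBM": (4.62, 4.35, 4.60),
    "Qualys": (2.49, 3.95, 4.31), "Quotium": (3.21, 4.65, 1.96),
    "Trend Micro": (1.82, 3.30, 3.12), "Veracode": (3.92, 4.65, 4.26),
    "Virtual Forge": (2.93, 3.35, 2.57), "WhiteHat Security": (3.60, 4.65, 3.70),
}


def category_score(vendor, category, overrides=None):
    """Weighted average of one category's criteria for a vendor. overrides maps
    criterion name -> weight and replaces Forrester's default for that criterion;
    weights are normalised, so a custom set need not sum to 100."""
    overrides = overrides or {}
    total = weight_sum = 0.0
    for (cat, name, default_weight), score in zip(CRITERIA, SCORES[vendor]):
        if cat == category:
            weight = overrides.get(name, default_weight)
            total += weight * score
            weight_sum += weight
    return total / weight_sum if weight_sum else 0.0


def reconstruction_errors(tolerance=0.006):
    """(vendor, category, recomputed, printed) wherever the recomputation differs
    from Figure 2 by more than rounding; an empty list means the table is consistent."""
    errors = []
    for vendor, printed in PUBLISHED.items():
        for category, expected in zip(CATEGORIES, printed):
            got = category_score(vendor, category)
            if abs(got - expected) >= tolerance:
                errors.append((vendor, category, round(got, 3), expected))
    return errors


def ranking(category, overrides=None):
    """Vendors ordered best-first for one category under the given weights."""
    return sorted(SCORES, key=lambda v: category_score(v, category, overrides), reverse=True)


# Hypothetical buyer (an assumption for illustration) whose priority is instrumented
# (IAST) assessment: the same Figure 2 scores, re-weighted, change the leader board.
IAST_BUYER = {
    "General features": 10, "Static analysis features": 0, "Dynamic analysis features": 0,
    "Instrumented analysis features": 60, "Reporting features and workflow": 10,
    "Developer education and training": 0, "Integrations": 10,
    "Remediation instructions": 10, "Customer references": 0,
}

if __name__ == "__main__":
    print("Mismatches against Figure 2:", reconstruction_errors())
    print("Current offering, Forrester weights:", ranking("Current offering")[:3])
    print("Current offering, IAST buyer:", ranking("Current offering", IAST_BUYER)[:3])
```

Under Forrester's defaults IBM and HP Fortify top the current-offering column exactly as printed; under the IAST-weighted set HP Fortify, Quotium and Contrast Security come out ahead, which is the kind of shift the report invites readers to explore with its Excel tool.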
Integrity Policy
All of Forrester’s research, including Waves, is conducted according to our Integrity Policy. For more information, go to http://www.forrester.com/marketing/policies/integrity-policy.html.
ENDNOTES
[1] Source: “Qualys Announces Third Quarter 2014 Financial Results,” Qualys press release, November 3, 2014 (http://www.marketwired.com/press-release/qualys-announces-third-quarter-2014-financial-results-nasdaq-qlys-1963889.htm).
Forrester Focuses On Security & Risk Professionals
To help your firm capitalize on new business opportunities safely,
you must ensure proper governance oversight to manage risk while
optimizing security processes and technologies for future flexibility.
Forrester’s subject-matter expertise and deep understanding of your
role will help you create forward-thinking strategies; weigh opportunity
against risk; justify decisions; and optimize your individual, team, and
corporate performance.
SEAN RHODES, client persona representing Security & Risk Professionals
About Forrester
A global research and advisory firm, Forrester inspires leaders, informs better decisions, and helps the world’s top companies turn
the complexity of change into business advantage. Our research-
based insight and objective advice enable IT professionals to
lead more successfully within IT and extend their impact beyond
the traditional IT organization. Tailored to your individual role, our
resources allow you to focus on important business issues —
margin, speed, growth — first, technology second.
FOR MORE INFORMATION
To find out how Forrester Research can help you be successful every day, please contact the office nearest you, or visit us at www.forrester.com. For a complete list of worldwide locations, visit www.forrester.com/about.
CLIENT SUPPORT
For information on hard-copy or electronic reprints, please contact Client Support at +1 866.367.7378, +1 617.613.5730, or [email protected]. We offer quantity discounts and special pricing for academic and nonprofit institutions.