Key Criteria for Evaluating Application Security Testing Solutions v1.0

An Evaluation Guide for Technology Decision-Makers

Table of Contents

  1. Summary
  2. Application Security Testing Primer
  3. Report Methodology
  4. Decision Criteria Analysis
  5. Evaluation Metrics
  6. Key Criteria: Impact Analysis
  7. Analyst’s Take
  8. About Don MacVittie

1. Summary

Testing has always been seen as a cost center. While everyone agrees that, in general, testing improves product quality and security testing improves the overall security posture of the organization, the overhead involved causes many to treat testing more as an optional insurance policy than as an important part of the production process.

However, increasing security threats have made application security testing more critical, while expansive automation has put all testing more within reach. The result is a collection of compelling tools that can increase security posture without the heavy and ongoing investment that application security testing has historically required.

Modern application security testing solutions ease every aspect of testing finished applications, with automated or AI-assisted test development, automated test runners, the creation of test suites that can be run automatically from within the build process, and results that can be filtered in many different ways. This massive automation means IT spends less time developing tests, nearly no time running tests, and far less time looking through results to find whatever needs an urgent fix.

Automation has placed broad application testing within reach of nearly every organization. At the same time, however, testing needs have been growing, so any change to application testing practice must now cover a larger swath of architectures and environments.

False positives and false negatives both play a critical role in application security testing, because each erodes trust in the testing tool and its processes. False negatives also leave a security flaw in place for attackers to exploit. Vendors have taken steps to reduce the number of false positives that are generated, and they use prioritization to further reduce the negative impact of the false positives that remain. False negatives are harder to detect, but vendors have added double-checking in many situations. Adding new tests is essentially an attempt to stop more false results, and vendors do so regularly.

The GigaOm Key Criteria and Radar reports provide an overview of the application security testing market, identify capabilities (table stakes, key criteria, and emerging technologies) and non-functional requirements (evaluation metrics) for selecting an application security testing solution, and detail vendors and products that excel. These reports give prospective buyers an overview of the top vendors in this sector and help decision-makers evaluate solutions and decide where to invest.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.
