Static Application Security Testing (SAST) has gained renewed popularity as pre-release security testing takes advantage of continuous integration automation early in the software delivery life cycle (SDLC). Because SAST does not require running code; it can be integrated into development tools such as IDEs to give developers information about how to remediate a security weakness, cutting down development time and effort for remediation. This requirement to tightly integrate into developer tools and processes leaves many vendors struggling.

Another big change in the market is that more buyers now say they prefer to buy best-of-breed tools rather than working with just one application security portfolio vendor. These and other market changes yielded dramatically different results from Forrester’s 2014 Application Security Wave, in which we evaluated the testing market as a whole.

Here are the most notable findings in The Forrester Wave™: Static Application Security Testing, Q4 2017, published earlier today:

  • Product documentation levels the playing field. Documentation shows what a vendor is willing to support, removes any miscommunication that may happen in a demo, and avoids any misleading custom work. Documentation may take the traditional form of product manuals as well as quick videos and whitepapers, but in any case, as SAST shifts to the developer as a consumer, it’s more important than ever that vendors document their product to enable quick and effective adoption.
  • Total cost of ownership matters. Another reason for strong documentation is that without it, it’s too easy to find supported and unsupported workarounds or have the customer pay for additional training or services. Like the old adage, “If a tree falls in a forest and no one is around to hear it, does it make a sound?” If a feature is not documented, does it really exist and if so, how much investment does it take to make it useful?
  • Strategy is forward looking. What it takes to be a leader today is very different than just a few years ago. For example, new advances in machine learning have, in some cases, changed the ability for SAST solutions to eliminate false positives, which has plagued them in the past. But it could do more. Machine learning in SAST could be applied to automatically support new languages and frameworks, create new ways to prioritize remediation efforts, or even create the remediation (especially important for those organizations with large backlogs of weaknesses), or generate adaptive integrations into developer tools. As the application security testing market changes, vendors must adapt their vision, road map, and people to create new value.
  • The developer as a consumer is a stumbling block for some. Many of the requirements in this new wave focus on the ability of products to seamlessly integrate into popular developer tools such as the IDE, Jira, Microsoft Team Foundation Server (TFS)/Visual Studio Team Services (VSTS), and Git. Without integration with these tools, security pros must complete the work as a do-it-yourself project along with any support of the integration as the SAST tools and developer tools evolve.

If you’d like to learn more about the SAST market, check out the Vendor Landscape: Application Security Testing and the newly released The Forrester Wave™: Static Application Security Testing, Q4 2017.