Application security tools and vendors
A pseudo-listicle, by popular request.
The world of cybersecurity can sometimes seem bewildering. Especially in terms of the vendor offerings out there, the sheer number of products often is overwhelming.
With that in mind, and in response to some feedback I have received, I decided to put together a list of available offerings in the application security space. I have also heard these described as “DevSecOps tools,” but I would propose (and the founders of the movement would seem to agree) that DevSecOps is less about technologies than it is about processes and culture. Furthermore, DevSecOps covers the gamut from ideation through production deployment, so essentially every security product on the market could theoretically be described as a “DevSecOps tool.”
Thus, my list represents just a sliver of the products on the cybersecurity market today and excludes operations-focused technologies like SIEM, SOAR, XSOAR, EDR, XDR, DLP, and all manner of other acronyms. Additionally, I have focused on commercial ones but would recommend this repository as an excellent resource for those interested in open source options.
Separately, I would note that there are clear market leaders in each category, but not overall, leading organizations to adopt a suite of different offerings rather than just going with a single vendor as a “one-stop-shop.” Furthermore, these companies frequently change their branding and packaging, making the landscape even harder to decipher.
Finally, I view there as being seven categories of tools out there and have attempted to define what each category means below, but can be convinced otherwise and eagerly encourage feedback on this list.
Static Application Security Testing (SAST)
SAST is a category of analytical techniques focused on examining source code prior to compilation. Generally, this can only be done by the vendor of a given application, as most software licenses forbid end-users from decompiling or reverse engineering products. Common tools include:
Veracode Static Code Analysis
HCL AppScan Source
Contrast Security Scan
Micro Focus Fortify Static Code Analyzer
Secure Code Warrior Sensei
Apiiro Code Risk Assessment
Mend (formerly known as Whitesource): SAST
Dynamic Application Security Testing (DAST)
DAST tools operate on running code in a “black box” fashion (e.g. with no knowledge of its inner working), attempting to identify exploitable vulnerabilities. Both application security and information technology teams use products such as the below to identify vulnerabilities in their applications and networks:
Micro Focus WebInspect
HCL AppScan Standard
Probely Enterprise DAST
Web Application Vulnerability Scanners
These tools have quite a bit of overlap with DAST solutions, as they both approach applications from a “black box” perspective. With that said, I would posit that web application vulnerability scanners primarily focus on discrete publicly-known vulnerabilities (primarily common vulnerabilities and exposures [CVE]) whereas DAST tools try to identify flaws that match patterns of common vulnerabilities (common weakness enumerations [CWE]). Additionally, although the boundaries are blurring as more and more organizations transition to a Software-as-a-Service (SaaS) model, DAST tools are more commonly used by development and applications security teams while the below tools are more frequently employed by operations and information technology (IT) organizations. Commonly-used ones include:
Shodan Small Business
Interactive Application Security Testing (IAST)
A newer category of cybersecurity tooling, IAST is a hybrid approach that combines aspects of both SAST and DAST. Essentially, following the deployment of sensors to a running web application, IAST tools then simulate attacks against it while observing the behavior of the source code. Examples include:
Contrast Security Assess
Hdiv Detection IAST
Software Composition Analysis (SCA)
SCA tools analyze the components of software to determine what components its comprises and whether there are any known vulnerabilities in them. These products use public sources such as the National Vulnerability Database as well as proprietary vulnerability lists to make such determinations. The mere presence of a known vulnerability in a given component, however, does not necessarily mean that it is at risk of being exploited, as much such security bugs are only exploitable in a minority of deployment configurations. The major SCA offerings are:
Synopsys Black Duck
Sonatype Nexus Lifecycle
Mend (formerly known as Whitesource)
Contrast Security OSS
Snyk Open Source
Hdiv Detection SCA
It could be argued that containers security tools are really just a subset of SCA products, as they offer similar capabilities - identifying the presence of known issues in third-party components, especially operating systems packaged with containerized software. What makes these tools different is the fact that some of them also identify misconfiguration in containers which are not necessarily associated with an inherently vulnerable piece of software. Such misconfigurations include residual default or excess permissions and other anti-patterns that could allow attackers greater freedom of movement. Offerings include:
Palo Alto Networks Prisma Cloud
Sonatype Nexus Container
Aqua Security Container
Qualys Container Security
NeuVector Container Security
Trend Micro CloudOne
VMware Carbon Black Cloud
Lacework Container Security
Amazon Web Services (AWS) Elastic Container Registry (ECR) Clair
Infrastructure as Code (IaC) Security
An emerging category that is mostly applicable to cloud-hosted environments, IaC security tools help to identify misconfigurations in the deployment infrastructure for software applications, rather than these applications themselves. Some of the industry leaders are listed below.
Apiiro Inventory & Asset Discovery
Palo Alto Networks Prisma Cloud
Lacework Terraform modules and CloudFormation templates for AWS
The competitive landscape of application security tooling is constantly shifting, and vendors are sure to evolve over time. With that said, expect a revised list at some point in time, potentially with one or more new categories. Until then, I hope this is useful.
Thanks for reading Deploying Securely! Subscribe to receive new posts.