Deploying Securely

Application security tools and vendors

www.blog.deploy-securely.com

A pseudo-listicle, by popular request.

Walter Haydock
Jan 4, 2022

The world of cybersecurity can sometimes seem bewildering. This is especially true of the vendor offerings out there: the sheer number of products is often overwhelming.

With that in mind, and in response to some feedback I have received, I decided to put together a list of available offerings in the application security space. I have also heard these described as “DevSecOps tools,” but I would propose (and the founders of the movement would seem to agree) that DevSecOps is less about technologies than it is about processes and culture. Furthermore, DevSecOps covers the gamut from ideation through production deployment, so essentially every security product on the market could theoretically be described as a “DevSecOps tool.”

Thus, my list represents just a sliver of the products on the cybersecurity market today and excludes operations-focused technologies like SIEM, SOAR, XSOAR, EDR, XDR, DLP, and all manner of other acronyms. Additionally, I have focused on commercial ones but would recommend this repository as an excellent resource for those interested in open source options.

Separately, I would note that there are clear market leaders in each category, but not overall, leading organizations to adopt a suite of different offerings rather than just going with a single vendor as a “one-stop-shop.” Furthermore, these companies frequently change their branding and packaging, making the landscape even harder to decipher.

Finally, I view the market as comprising seven categories of tools and have attempted to define what each category means below, but I can be convinced otherwise and eagerly encourage feedback on this list.

Static Application Security Testing (SAST)

SAST is a category of analytical techniques focused on examining source code prior to compilation. Generally, this can only be done by the vendor of a given application, as most software licenses forbid end-users from decompiling or reverse engineering products. Common tools include:

  • Veracode Static Code Analysis

  • SonarSource SonarQube

  • Oxeye

  • Checkmarx SAST

  • HCL AppScan Source

  • Contrast Security Scan

  • Sonatype Lift

  • Micro Focus Fortify Static Code Analyzer

  • Snyk Code

  • Secure Code Warrior Sensei

  • Apiiro Code Risk Assessment

  • Mend (formerly known as Whitesource): SAST

Dynamic Application Security Testing (DAST)

DAST tools operate on running code in a “black box” fashion (i.e. with no knowledge of its inner workings), attempting to identify exploitable vulnerabilities. Both application security and information technology teams use products such as those below to identify vulnerabilities in their applications and networks:

  • Micro Focus WebInspect

  • Rapid7 InsightAppSec

  • Invicti Acunetix

  • PortSwigger BurpSuite

  • HCL AppScan Standard

  • Oxeye

  • StackHawk DAST

  • Probely Enterprise DAST

Web Application Vulnerability Scanners

These tools have quite a bit of overlap with DAST solutions, as both approach applications from a “black box” perspective. With that said, I would posit that web application vulnerability scanners primarily focus on discrete, publicly known vulnerabilities (primarily Common Vulnerabilities and Exposures [CVE]), whereas DAST tools try to identify flaws that match patterns of common weaknesses (Common Weakness Enumeration [CWE]). Additionally, although the boundaries are blurring as more and more organizations transition to a Software-as-a-Service (SaaS) model, DAST tools are more commonly used by development and application security teams, while the tools below are more frequently employed by operations and information technology (IT) organizations. Commonly used ones include:

  • Tenable Nessus

  • Rapid7 InsightVM

  • Qualys VMDR

  • Intruder.io

  • Detectify

  • Shodan Small Business

Interactive Application Security Testing (IAST)

A newer category of cybersecurity tooling, IAST is a hybrid approach that combines aspects of both SAST and DAST. Essentially, after sensors are deployed into a running web application, IAST tools simulate attacks against it while observing the behavior of the source code. Examples include:

  • Contrast Security Assess

  • Synopsys Seeker

  • Hdiv Detection IAST

  • Checkmarx IAST

  • Invicti Netsparker

  • Oxeye

Software Composition Analysis (SCA)

SCA tools analyze a piece of software to determine which components it comprises and whether there are any known vulnerabilities in them. These products use public sources such as the National Vulnerability Database as well as proprietary vulnerability lists to make such determinations. The mere presence of a known vulnerability in a given component, however, does not necessarily mean that it is at risk of being exploited, as many such security bugs are only exploitable in a minority of deployment configurations. The major SCA offerings are:

  • Synopsys Black Duck

  • Sonatype Nexus Lifecycle

  • Mend (formerly known as Whitesource)

  • Contrast Security OSS

  • Snyk Open Source

  • Ion Channel

  • Phylum

  • Hdiv Detection SCA

Container Security

It could be argued that container security tools are really just a subset of SCA products, as they offer similar capabilities - identifying the presence of known issues in third-party components, especially the operating system packages shipped with containerized software. What makes these tools different is that some of them also identify misconfigurations in containers that are not necessarily associated with an inherently vulnerable piece of software. Such misconfigurations include residual default or excess permissions and other anti-patterns that could allow attackers greater freedom of movement. Offerings include:

  • Palo Alto Networks Prisma Cloud

  • Sonatype Nexus Container

  • Snyk Container

  • Cisco Portshift

  • Aqua Security Container

  • Qualys Container Security

  • Anchore Enterprise

  • NeuVector Container Security

  • Red Hat Advanced Cluster Security for Kubernetes

  • Sysdig Secure

  • Trend Micro CloudOne

  • VMware Carbon Black Cloud

  • Oxeye

  • Lacework Container Security

  • Amazon Web Services (AWS) Elastic Container Registry (ECR) Clair

Infrastructure as Code (IaC) Security

An emerging category that is mostly applicable to cloud-hosted environments, IaC security tools help to identify misconfigurations in the deployment infrastructure for software applications, rather than in the applications themselves. Some of the industry leaders are listed below.

  • Apiiro Inventory & Asset Discovery

  • Palo Alto Networks Prisma Cloud

  • Oxeye

  • Snyk IaC

  • Rapid7 InsightCloudSec

  • Lacework Terraform modules and CloudFormation templates for AWS

Conclusion

The competitive landscape of application security tooling is constantly shifting, and vendors are sure to evolve over time. With that said, expect a revised list at some point in time, potentially with one or more new categories. Until then, I hope this is useful.
