June 1, 2021
We have more than a few reasons to be thrilled with the results of the 2021 Gartner Magic Quadrant for Application Security Testing. In our debut on the report, Snyk has been recognized as a Visionary. Additionally, we are placed furthest in the Visionaries quadrant for both Completeness of Vision and Ability to Execute, and second-furthest for Completeness of Vision in the overall Magic Quadrant. It is clear the vision of application security is expanding due to the relative momentum of the participants in the market over the past three years. We believe Snyk’s position is a clear indication of our alignment with the future of application security testing.
According to the associated Critical Capabilities report, Snyk also finished with the highest score overall in three critical capabilities: Software Composition Analysis (SCA), Container Security, and Developer Enablement.
But the reason we’re most thrilled is that this placement, for us, reaffirms our mission of empowering developers to be key security stakeholders in this time of digital transformation. Traditional siloed security workflows are becoming antiquated, adding bottlenecks, friction, and knowledge gaps. The future we see — the future that landed us at the front of the Visionary Quadrant — is one where security starts with developers.
Modern application design and the continued adoption of DevSecOps are expanding the scope of the AST market. Security and risk management leaders can meet tighter deadlines and test more complex applications by seamlessly integrating and automating AST in the software delivery life cycle.
When security starts with developers, vulnerabilities get caught earlier in the development lifecycle, creating the least impact (time and money) on the overall SDLC. This is why we offer products like Snyk Open Source and Snyk Code that integrate directly into existing workflows and tools (IDE, CLI, Git, etc.), adding security expertise to the toolbox of any developer. By making it easy for developers to find and remediate bugs in their code and dependencies — in real time within their preferred tools — Snyk decreases the overall security workload in the SDLC.
DevSecOps is integral to Cloud Native Application Security
More companies are becoming software companies, and those companies are moving to the cloud. And the rush to the cloud has created new security challenges. The future we see is also one of increased cloud native applications, deployed in containers and configured with infrastructure as code such as Kubernetes and Terraform. These are now components of the application, living side-by-side in repositories, created or customized by developers, and must be included in the scope of application security. Traditional security outlooks don’t take into account these environment changes we’ve seen with digital transformation.
Gartner has observed the major driver in the evolution of the AST market is the need to support enterprise DevOps initiatives. Customers require offerings that provide high assurance, high-value findings, while not unnecessarily slowing down development efforts. Clients expect offerings to fit earlier into the development process, with testing often driven by developers rather than security specialists. As a result, this market evaluation focuses more heavily on the buyer’s needs when it comes to supporting rapid and accurate testing capable of being integrated in an increasingly automated fashion throughout the software development life cycle (SDLC).
A misconfiguration within infrastructure as code can be just as dangerous as a security vulnerability within application code — a fact that was confirmed in our recent State of Cloud Native Application Security report. In our survey results, we found that misconfiguration and known unpatched vulnerabilities were responsible for the greatest number of security incidents in cloud native environments. Adjusting for non-responses due to sensitivity around the question, nearly 70% of respondents experienced these types of security issues.
While these security challenges can’t be solved by traditional security platforms, we offer Snyk Container and Snyk Infrastructure as Code to equip your team for the cloud native future we’re heading towards. And by using the whole Snyk platform, teams are able to prioritize all of their vulnerabilities — in code, dependencies, base images, and configurations — based on severity, reachability, maturity, and more. This holistic, contextualized approach to vulnerabilities is something that may seem Visionary now, but we know needs to be standard.
Over the last three years, Gartner has seen clients request additional services and tools to round out their AST coverage and include new development methods and artifacts.
DevOps adoption has increased, and organizations are experiencing both faster development and better operations as a result of the shared ownership culture between Dev and Ops. However, security has not always come along for the ride. Traditional application security solutions still try to provide security teams with tools to secure applications at the end of the development process, rather than adding security into the infinite loop of lightning-fast iterations that DevOps creates. Snyk, at its core, is founded on the premise that security, like Ops, must be a shared responsibility, with developers securing what they build while they build, and security and operations empowering and governing the process.
We’re excited to see the future we’re working towards is being embraced by the larger application security testing community. To help us realize this future, in the past year alone we’ve:
Acquired Deepcode, Manifold, and FossID to accelerate our product roadmap.
And on top of that, we also released over 40 features and enhancements so the platform can be more developer-friendly and support more languages. But with all that said, we know we still have a lot more to do to grow our vision and our platform, so we aren’t slowing down.
In 2021 alone, we’ve already added Snyk Code to our Free plan, built integrations into multiple popular IDEs, and added Terraform support to Snyk IaC. And now that we have twice as many employees (we call ourselves Snykers) as we did this time last year, we’re well positioned to build, execute, and lead in the application security testing space.
Gartner, Magic Quadrant for Application Security Testing, Dale Gardner, Mark Horvath, Dionisio Zumerle, 27 May 2021.
Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Snyk.