Magic Quadrant for Dynamic Application Security Testing Published: 27 December 2011
Total Page:16
File Type:pdf, Size:1020Kb
G00225672 Magic Quadrant for Dynamic Application Security Testing Published: 27 December 2011 Analyst(s): Neil MacDonald, Joseph Feiman Dynamic application security testing (DAST) solutions should be considered mandatory to test all Web-enabled enterprise applications, as well as packaged and cloud-based application providers. The market is maturing, with a large number of established providers of products and services. Strategic Planning Assumption(s) By 2016, 40% of enterprises will make proof of independent security testing a precondition for using any type of cloud service. Market Definition/Description Dynamic application security testing (DAST) technologies are designed to detect conditions indicative of a security vulnerability in an application in its running state. Most DAST solutions test only the exposed HTTP and HTML interfaces of Web-enabled applications, and many also test Web services using protocols and formats, such as Simple Object Access Protocol (SOAP), representational state transfer (REST), Extensible Markup Language (XML) and JavaScript Object Notation (JSON). However, some solutions evaluated in this Magic Quadrant are designed specifically to expand well beyond Web protocols to include non-Web protocols (for example, remote procedure calls, Server Message Block, Session Initiation Protocol [SIP] and so on) as well as data input malformation. This is especially critical for the dynamic security testing of applications used within embedded devices, such as storage appliances, telecommunications and networking equipment, directories, automated teller machines, medical devices and so on. DAST technology is the focus of this Magic Quadrant. Static application security testing (SAST) solutions are explored in detail in "Magic Quadrant for Static Application Security Testing." DAST technology has matured and has advanced well into the "Slope of Enlightenment," in contrast to SAST, which is still emerging out of the "Trough of Disillusionment" (see Gartner's "Hype Cycle for Application Security, 2011"). We estimate market penetration of DAST solutions at 60% to 70% of enterprises. However, the percentage of applications tested within a given enterprise varies broadly. Enterprises typically apply DAST first to external-facing, Web-enabled applications and then expand its usage over time. Magic Quadrant Figure 1. Magic Quadrant for Dynamic Application Security Testing Source: Gartner (December 2011) Vendor Strengths and Cautions Acunetix Acunetix is an established vendor with a strong focus on application security that has offered its stand-alone DAST Web vulnerability scanner since 2002. Acunetix is a smaller, privately held startup vendor, and its smaller size and lack of enterprise-class features could be an inhibiting factor for some users. Acunetix should be considered by information security specialists and penetration testing professionals looking for a lower and straightforwardly priced, commercially supported Web application security testing tool. Strengths ■ Acunetix provides interactive application security testing (IAST) capabilities with its AcuSensor implementation for applications written in .NET and PHP. ■ Acunetix products are among the most inexpensive in the market. Page 2 of 32 Gartner, Inc. | G00225672 ■ Acunetix has a straightforward pricing model, an advantage compared to many vendors' convoluted models. ■ Customers indicate that the solution is easy to use and that it can be configured for advanced and deep scanning. Cautions ■ Acunetix does not have DAST as a service offering. ■ Its IAST offering doesn't support Java-based Web application platforms. ■ Acunetix does not offer out-of-the-box capabilities for integration with development/testing platforms typically requested for enterprise-class implementations. ■ 24/7 support is not available. ■ Testing of rich Internet applications (RIAs) based on Flash/Flex is not supported. ■ There is no Web application firewall (WAF) integration. Cenzic Cenzic is an established, dedicated DAST solution provider with a strong focus on application security, offering DAST products (Hailstorm), testing as a service (ClickToSecure Managed) and cloud-based testing (ClickToSecure Cloud). Cenzic has demonstrated vision by providing a DAST product, and was an early provider of DAST testing services. Cenzic also offers enterprise-class features, such as software life cycle (SLC) integration and enterprisewide visibility and reporting across multiple DAST scanners. Cenzic should be considered by information security specialists, penetration testing professionals and development managers looking for enterprise-class DAST testing capabilities across multiple users (including pen testers) and those considering expanding DAST testing from information security into development. Strengths ■ Cenzic offers out-of-the-box integration into the SLC, with integration for HP's Quality Center, IBM Rational ClearQuest and Bugzilla. Other integration can be performed via its XML APIs. ■ Generic XML-based vulnerability protection information is exposed for Barracuda, Citrix, F5, Imperva and Trustwave WAFs. Specific integration with several providers is planned for 2012. ■ The ability to pause a test in process, modify the test and resume it, as well as the ability to step through an assessment and set specific breakpoints (for example, at particular events and URLs) appeals to information security professionals and pen testers. ■ An interactive scanning feature provides the ability to have a user navigate an application and have the Cenzic engine simultaneously attack the application in real time for vulnerabilities, such as cross-site scripting, SQL injection and buffer overflows. Gartner, Inc. | G00225672 Page 3 of 32 ■ There are a large number of out-of-the-box Smart Attack libraries for testing that are updated weekly and directly modifiable, if needed, by customers. ■ Hailstorm provides XML-based protocol fuzzing for generic RESTful API testing, as well as JSON-based application testing. ■ Cenzic partners with cloud service providers for testing services. For example, Cenzic has announced relationships with OpSource, Engine Yard and Microsoft's Azure cloud platforms. ■ Customers cite high levels of satisfaction with Cenzic's user interface and ease of use. Cautions ■ Cenzic is a lesser known DAST provider that infrequently appears on the shortlists of Gartner clients. ■ Cenzic doesn't have the captive development installed base of IBM or HP for which to sell its SLC-integrated capabilities. ■ It has no SAST or IAST capabilities that other DAST market leaders and visionaries offer. ■ Premium support is required for 24/7 support coverage. Codenomicon Codenomicon is a smaller dynamic testing vendor that has focused on comprehensive dynamic fuzz testing of any application and in all ways the application consumes data (network, wireless, file, programming interfaces, interprocess communication and so on), including comprehensive protocol testing. Fuzz testing of applications appeals to operations (to test for performance, health monitoring and bugs) and security professionals (to test for vulnerabilities) as well. Although not designed specifically to test Web-enabled applications, Codenomicon should be considered by information security, operational testing and penetration testing professionals looking for an application fuzz testing solution with broad protocol support and multiple options for deployment, and that complements traditional Web application scanning tools. Strengths ■ Broad protocol test coverage with stated coverage for 190 protocol fuzzing models is available. For protocols not covered by the base test modules, Defensics offers capture-based fuzzing capabilities. ■ Licensing is available for internal information security specialists and consultants to use Defensics as an audit/pen-testing tool. ■ As a software-based model, it can be deployed on enterprise stand-alone, blade or virtualized servers, as well as stand-alone workstation/laptops support. Physical testing appliances are available if requested by the customer. ■ It provides integration with test automation frameworks, such as HP Quality Center, and direct integration to debuggers and analyzers, such as WinDbg, the GNU Project Debugger and Page 4 of 32 Gartner, Inc. | G00225672 Valgrind, to provide more-detailed information as a part of the bug tracking and remediation process. ■ A command-line interface and RESTful HTTP API for integration with third-party test harnesses, test automation and bug-tracking systems are available. ■ Testing as a service capabilities are available, with an automated cloud-based fuzzing service planned for 2012. ■ Customers cite high levels of satisfaction with Codenomicon's customer service and support. Cautions ■ Although not designed for general-purpose DAST of Web-enabled applications, it has capabilities here — Codenomicon was the first to support testing of XML-based Web services applications, and SQL injection attacks are part of the tests Defensics performs. ■ Even without the cost of a hardware appliance, there is potentially higher licensing costs based on the number of fuzz testing modules and the number of concurrent users for organizations with extensive testing requirements. ■ Customers indicate that customization beyond out-of-the-box defaults requires significant technical expertise, a desire for increased automation capabilities and simplified integration into the build process. ■ For extensive XML SOAP testing, WS-Security and WS-Authentication are