Readers' top picks for application security tools

The top companies and application security products that organizations consider when they seek to reduce their application vulnerabilities.

This article can also be found in the Premium Editorial Download: Information Security magazine: Swiss Army knife security? How to vet cybersecurity tools suites

Application security products may not yet be on the radar for many of our surveyed readers, as most (55%) had no plans to invest in application security tools for their organizations in any form. But application security is certainly on the minds of attackers, who find great success by taking advantage of application vulnerabilities including cross-site scripting, SQL injection, LDAP injection, cross-site request forgery and insecure cryptographic storage.

Only 17% of readers said they planned to invest in application security tools to uncover vulnerabilities both in their own software development process and in software they have already developed or bought from third parties. The application security field is still developing, which may explain the lack, so far, of clear industry leaders.

Application security tools cover a lot of ground, with many different technologies vying for enterprise dollars, including application hardening, Web application scanning, Web application firewalls (WAFs), software composition analysis (SCA), and dynamic, interactive or static application security testing (DAST, IAST, SAST). Other products that fall under the app security tent include fuzz testing, hybrid analysis, manual application penetration testing and secure design tools. As the field matures, new approaches, like runtime application self-protection (RASP), are also popping up.

As far as innovation in application security goes, according to Tyler Shields, principal analyst for mobile, application and IoT security at Forrester Research, two areas are currently leaping ahead: the software composition analysis market and the runtime application self-protection (RASP) players. "These are two areas where application security is finally going beyond just finding vulnerabilities and helping us to understand management of discovered vulnerabilities and protecting our applications in real time," he says.

The shortlist

Which vendors ranked on top in the hunt for better defenses against application attacks? IBM came in first among the 19 vendors named in the survey, with 28%, followed by HP’s second-place score of 26%.

IBM Security’s AppScan product line includes components that do interactive, dynamic and static testing, code scanning for known application vulnerabilities, application hardening and automating security testing of applications, among other capabilities such as program management and compliance.

Readers’ Top Five: Application Security Tools

Runner-up HP Fortify likewise offers a range of application security tools, including static and dynamic testing, application self-protection as well as services that leverage HP’s resources to do testing, analysis and evaluation.

Qualys, a longtime favorite among readers, ranked third in this survey, with 17%. But the company's state of flux, along with big changes in the application security tools themselves, may be contributing to some uncertainty.

Part of the challenge, according to Shields, is that network security is a commodity: "Qualys recognized the commoditization of the network security market and has attempted to move up stack into application security in the last couple of years. They have done a decent job of it and are leveraging their huge customer base to get inroads into these new markets."

The top five companies chosen by readers—IBM, HP, Qualys, WhiteHat and Veracode—have been around a long time, according to Shields. "Long for the application security world anyhow," he says. "The best of these vendors have diversified their product portfolios into areas beyond their original core. Because of this, the application security market is starting to see a few vendors jump into the lead with strong offerings that cover the entire application security space, instead of just offering static analysis or dynamic analysis. The best vendors have those [tools] and other application security offerings that all work together on a single platform," he continued. "These are the guys that are going to win long term."

Application security strategies

Among the 45% who do plan to implement application security tools this year, only the two most-targeted application vulnerabilities, SQL injection (61%) and cross-site scripting (57%), concerned a majority of those surveyed.

Readers were also strongly interested in detecting information leakage (47%), cross-site request forgery (45%) and buffer overflow (43%). These filled out the top five reader concerns, though even the least-cited vulnerability, detecting improper implementation of cryptographic functions, still garnered a strong 38% share.

What Kinds of Attack Vulnerabilities Do You Want to Detect?

Application security product capabilities were similarly spread across a wide spectrum of functions, each of which many readers considered important, but there were no overwhelming majorities. Most in demand is the ability to do policy enforcement within the development process (55%), closely followed by remediation guidance for developers (53%), detection of potential source code compliance issues (50%), and tools for analyzing the impact of software library and related project dependencies (48%).
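To make concrete what the survey's top asks look like in practice (detecting SQL injection, the most-cited vulnerability, and the two most-wanted capabilities, policy enforcement in the development process and remediation guidance for developers), here is a small static check of the kind a SAST tool runs. It is an added example written for this article, not code from the article or from any vendor named in it. The sample sources it scans and the find_user() function inside them are constructed for illustration, and the rule only inspects the call site; commercial products also track data flow across functions and files.

```python
"""Added example: a toy static check for SQL injection sinks in Python source.

This is not code from the article or from any vendor named in it. It flags
queries built by string formatting or concatenation and passed straight to a
cursor's execute()/executemany(), and attaches remediation advice so the same
check can serve as a fail-the-build policy gate. Real SAST products also track
data flow across functions and files; this rule only inspects the call site.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional

SINKS = {"execute", "executemany"}  # DB-API method names treated as SQL sinks
ADVICE = ("pass the SQL with placeholders and supply the values as the second "
          "argument to execute()")


@dataclass
class Finding:
    line: int
    reason: str
    advice: str


def _all_literal(node: ast.AST) -> bool:
    """True if the expression is a string literal or a literal-only concatenation."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _all_literal(node.left) and _all_literal(node.right)
    return False


def _dynamic_sql_reason(node: ast.AST) -> Optional[str]:
    """Return why the query expression may carry attacker input, or None if it is static."""
    if isinstance(node, ast.JoinedStr):
        return "f-string used to build SQL"
    if isinstance(node, ast.BinOp):
        if isinstance(node.op, ast.Mod):
            return "%-formatting used to build SQL"
        if isinstance(node.op, ast.Add) and not _all_literal(node):
            return "string concatenation used to build SQL"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format() used to build SQL"
    return None


def scan_source(source: str) -> List[Finding]:
    """Walk the module and report every sink whose first argument is dynamic SQL."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in SINKS or not node.args:
            continue
        reason = _dynamic_sql_reason(node.args[0])
        if reason is not None:
            findings.append(Finding(node.lineno, reason, ADVICE))
    return findings


def ci_gate(source: str) -> bool:
    """Policy enforcement: True if the source may merge (no findings), False otherwise."""
    return not scan_source(source)


# Constructed sample inputs; the find_user() function is hypothetical, not real code.
VULNERABLE = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)
'''

SAFE = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
'''

if __name__ == "__main__":
    for f in scan_source(VULNERABLE):
        print(f"line {f.line}: {f.reason}; fix: {f.advice}")
    print("gate passes for SAFE:", ci_gate(SAFE))
```

Run as a pre-merge step, ci_gate() is the "policy enforcement within the development process" readers asked for, and each Finding carries the remediation text a developer needs. A literal-only concatenation such as "SELECT a" + " FROM t" is deliberately not flagged, so the rule does not train developers to ignore it.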

Given that applications often act as the transfer point for different kinds of data, for use by so many end users, it’s no surprise that readers had preferences for so many different capabilities and vulnerabilities to target.

"Vulnerability management and network security assessment are merging," says Shields. "Application security is still the harder problem to solve, leaving a lot more space for vendor differentiation."

About the author:
Peter Loshin is a site editor at TechTarget. He was previously a technical editor for software reviews at BYTE Magazine, as well as a TCP/IP network engineer at a research laboratory in Cambridge, Mass. He has written several books, including TCP/IP Clearly Explained and Simple Steps to Data Encryption: A Practical Guide to Secure Computing. Follow him on Twitter @PeterLoshin.

This was last published in December 2015

Have you deployed any application security products in your development life cycle? What tips would you share with others who are evaluating those technologies?
Qualys is a top AppSec provider? Your list of choices must have been far too limited. Perhaps AppScan and Fortify really are the best, but many other options exist and those would easily outpace Qualys in this space.
It's nice to get real-world feedback from the user side and not the vendor side of things.