Application Security Testing

In a report published 2 days ago, Dionisio Zumerle and Ayal Tirosh of Gartner state that within 2 years 80% of application security testing vendors will offer software composition analysis.

By 2019, more than 30% of enterprises will have deployed IAST. What is it?

Gartner's breakdown of the technologies:

  • Static AST (SAST) technology analyzes an application's source, bytecode or binary code for security vulnerabilities, typically at the programming and/or testing phases of the software development life cycle (SDLC).
  • Dynamic AST (DAST) technology analyzes applications in their dynamic running state during testing or operational phases. It simulates attacks against an application (typically web-enabled applications and services) and analyzes the application's reactions to determine whether it is vulnerable.
  • Interactive AST (IAST) technology combines inside-out observation of a running application being tested with DAST simultaneously. It is typically implemented as an agent within the test runtime environment (for example, instrumenting the Java Virtual Machine [JVM] or .NET CLR) that observes operation or attacks from within the application and identifies vulnerabilities.

According to the latest Gartner report, HPE Fortify is a leader in terms of vision and execution.

  • HPE Fortify is a widely recognized brand worldwide.
  • It is the first vendor to offer multiple technologies: SAST, DAST and IAST.

HPE is deploying "machine learning" with customers' historical data and uses "crowdsourcing" to reduce false positives.

A comparison of all vendors can be found in the Magic Quadrant for Application Security Testing by Gartner, published on 28 February 2017.
