Research Report

Web Application Security Testing Tools and Services

By Jon Oltsik, Senior Principal Analyst, and Jane Wright, Senior Research Analyst
With Jennifer Gahm

April 2013


Introduction

The number of web applications being developed by or for organizations continues to grow as organizations roll applications out to internal employees and external customers, suppliers, and business partners. In addition, organizations are opening up applications (or portions of applications) that were previously for internal use only to customers and partners in the interest of both transparency and productivity.

Accordingly, application security testing is becoming a growing priority at organizations across all industries.

Software developers and security professionals are working hard to test the security of all these applications before releasing them to production, to stave off attacks, and protect their organizations’ reputations.

The growing number of mobile applications is also adding to the application security testing workload. It’s no longer enough to offer standard web applications for PC browsers; developers often need to develop completely independent mobile versions which must be run through the same, and perhaps more, security tests.

This report looks at web application development and assesses organizations’ security testing skills, processes, and tools. It also examines the growing market for web application security testing products and services.

Voice of the customer: “Clients are requiring that we conduct security testing on our apps if we are going to be an extension of their business. We have to be as or more secure than they are.”

Research Objectives

In order to assess the market for web application security testing tools and services, including static application security testing (SAST) and dynamic application security testing (DAST) tools, processes, policies, and services, ESG surveyed 200 information security professionals working at midmarket (100 to 999 employees) and enterprise-class (1,000 employees or more) organizations in North America. In addition, ESG conducted ten qualitative interviews with IT and security professionals on the topic of web application development and security, and quotes from these qualitative interviews are captured in sidebars throughout this report. All respondents to the quantitative survey or qualitative interviews were directly involved in evaluating, purchasing, and managing web application security testing technology in their organizations. These individuals were all also familiar with their organizations’ web application security requirements and testing procedures. In order to qualify for this survey, respondents’ organizations had to currently be performing DAST on at least some of their web applications.

Respondents were asked to respond to questions in areas such as:

• The volume of their websites and web applications, and the importance of those web applications to their businesses
• Their confidence in the security of their web applications, and their perspective on the web application threat landscape
• The application security testing activities they currently perform, including the use of static application security testing (SAST) and dynamic application security testing (DAST) products and services
• The relationship between developers and security staff in their organizations
• The challenges they’ve encountered with their SAST and DAST activities
• Their most important criteria for evaluating web application security testing tools
• How and when they choose to use open-source tools, commercial products, or services for application security testing

Survey participants and interviewees represented a wide range of industries including manufacturing, financial services, communications and media, retail, government, and business services. For more details, please see the

Sidebar: Static application security testing (SAST) is often referred to as testing from the inside out. SAST tools and processes evaluate the application code for possible vulnerabilities. SAST is typically performed before the application is released to production.

Dynamic application security testing (DAST) is often referred to as testing from the outside in. (It is sometimes called “black box testing”.) DAST tools and processes are applied to applications that are nearly ready for production, or are already in production. DAST tools and services apply different attack scenarios to see how well the

Research Report: Web Application Security Testing Tools and Services
© 2013 by The Enterprise Strategy Group, Inc. All Rights Reserved.
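The SAST/DAST distinction drawn in the sidebar above, worked through on one constructed toy web application. This is an added example written for this page, not code from the ESG report or from any vendor's product; the WSGI app, its two `greet_*` endpoints, the `params`-taint heuristic used by the static pass and the probe payload used by the dynamic pass are all assumptions made for the demonstration.

```python
"""SAST vs. DAST on one toy web app (example written for this page, not ESG code).

SAST ("inside out") reads the source and flags a vulnerable pattern.
DAST ("outside in") sends an attack input to the running app and watches the
response. The app, its endpoints and the probe payload are constructed here.
"""
import ast
import html
import io
from urllib.parse import parse_qs, quote

# Constructed application source. greet_unsafe reflects `name` raw (reflected
# XSS); greet_safe passes it through html.escape() first.
APP_SOURCE = '''
def greet_unsafe(params):
    name = params.get("name", [""])[0]
    return "<h1>Hello " + name + "</h1>"

def greet_safe(params):
    name = params.get("name", [""])[0]
    return "<h1>Hello " + html.escape(name) + "</h1>"
'''


# ---------- SAST: look at the code, never run it ----------
def _tainted_unescaped(expr, tainted):
    """True if a tainted variable reaches `expr` without an html.escape() wrapper.
    Treating any `.escape(...)` call as the sanitizer is a deliberate simplification."""
    if isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute) \
            and expr.func.attr == "escape":
        return False
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(_tainted_unescaped(c, tainted) for c in ast.iter_child_nodes(expr))


def sast_scan(source):
    """Return {function_name: flagged}. A function is flagged when it returns a
    value built from a variable derived from `params` (attacker-controlled) that
    never passed through html.escape(). Heuristic assumed for this demo."""
    findings = {}
    for fn in ast.parse(source).body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        tainted = set()
        for node in ast.walk(fn):
            if isinstance(node, ast.Assign):
                names = {n.id for n in ast.walk(node.value) if isinstance(n, ast.Name)}
                if "params" in names:  # e.g. name = params.get(...)[0]
                    tainted |= {t.id for t in node.targets if isinstance(t, ast.Name)}
        flagged = False
        for node in ast.walk(fn):
            if isinstance(node, ast.Return) and node.value is not None:
                flagged = flagged or _tainted_unescaped(node.value, tainted)
        findings[fn.name] = flagged
    return findings


# ---------- DAST: run the app, attack it through its HTTP interface ----------
def load_handlers(source):
    """Turn the constructed source into live handler functions (demo only)."""
    namespace = {"html": html}
    exec(source, namespace)  # constructed demo source above, never user input
    return {k: v for k, v in namespace.items() if callable(v) and k.startswith("greet")}


def make_app(handlers):
    """Minimal WSGI app: GET /<handler>?name=... -> handler(query_params)."""
    def app(environ, start_response):
        handler = handlers.get(environ.get("PATH_INFO", "").lstrip("/"))
        if handler is None:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        params = parse_qs(environ.get("QUERY_STRING", ""))
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
        return [handler(params).encode("utf-8")]
    return app


def http_get(app, path, query):
    """Drive the WSGI app in-process (no sockets) and return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "QUERY_STRING": query, "wsgi.input": io.BytesIO()}
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], body


XSS_PROBE = '"><script>dast_probe()</script>'  # marker payload, not a real exploit


def dast_scan(app, endpoints):
    """Return {endpoint: flagged}. The tester has no source access: it injects
    the probe into `name` and flags the endpoint if it is reflected verbatim."""
    results = {}
    for endpoint in endpoints:
        _, body = http_get(app, "/" + endpoint, "name=" + quote(XSS_PROBE))
        results[endpoint] = XSS_PROBE in body
    return results


APP = make_app(load_handlers(APP_SOURCE))

if __name__ == "__main__":
    print("SAST:", sast_scan(APP_SOURCE))
    print("DAST:", dast_scan(APP, ["greet_unsafe", "greet_safe"]))
```

Both passes reach the same two verdicts: the static pass flags `greet_unsafe` because the `name` variable drawn from `params` reaches the return value without `html.escape()`, and the dynamic pass flags the same endpoint because the probe string comes back verbatim in the response. The asymmetry the sidebar describes is visible in the code: the static pass needed only the source text and could run before anything is deployed, while the dynamic pass needed a running instance, can only judge the endpoints and payloads it actually tries, and learns nothing about why the reflection happened.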


To gather data for this report, ESG conducted a comprehensive online survey of IT and information security professionals from private- and public-sector organizations in North America over November and December 2012. To qualify for this survey, respondents were required to be familiar with/responsible for their organization’s web application security requirements and testing procedures. Respondents were also required to have some level of involvement with the evaluation, selection, and purchasing of security testing tools for their organizations’ web applications. All respondent organizations were also currently using dynamic application security testing. All respondents were provided an incentive to complete the survey in the form of cash awards and/or cash equivalents.

After filtering out unqualified respondents, removing duplicate responses, and screening the remaining completed responses (on a number of criteria) for data integrity, we were left with a final total sample of 200 IT and information security professionals.

In addition to the quantitative study, ESG also conducted ten in-depth telephone interviews with IT and information security professionals directly involved or familiar with the processes, skills, and tools their organizations use to test the security of their web applications at enterprise-class organizations in North America across a variety of vertical industries.

Please see the Respondent Demographics section of this report for more information on these respondents. Note: Totals in figures and tables throughout this report may not add up to 100% due to rounding.


Respondent Demographics

The data presented in this report is based on a survey of 200 qualified respondents. The figures below detail the demographics of the respondent base, including individual respondents’ current job responsibility, respondent organizations’ total number of employees, primary industry, and annual revenue.

Respondents by Current Responsibility

Respondents’ current responsibility within their organizations is shown in Figure 1.

Figure 1. Survey Respondents by Current Responsibility
Which of the following best describes your current area(s) of responsibility within your organization? (Percent of respondents, N=200)
Senior IT management (e.g., CIO, VP of IT, Director of IT, etc.): 23%
Servers/systems administration: 12%
Information security management: 19%
Information security staff: 6%
General IT staff: 21%
Other: 20%
Source: Enterprise Strategy Group, 2013.

Respondents by Number of Employees

The number of employees in respondents’ organizations is shown in Figure 2.

Figure 2. Survey Respondents by Number of Employees
How many total employees does your organization have worldwide? (Percent of respondents, N=200)
100 to 249: 10%
250 to 499: 17%
500 to 999: 15%
1,000 to 3,000: 18%
3,001 to 4,999: 6%
5,000 to 9,999: 9%
10,000 to 19,999: 6%
20,000 or more: 21%
Source: Enterprise Strategy Group, 2013.


Respondents by Industry

Respondents were asked to identify their organization’s primary industry. In total, ESG received completed, qualified responses from individuals in 19 distinct vertical industries, plus an “Other” category. Respondents were then grouped into the broader categories shown in Figure 3.

Figure 3. Survey Respondents by Industry
What is your organization’s primary industry? (Percent of respondents, N=200)
Manufacturing: 16%
Financial (banking, securities, insurance): 15%
Government (Federal/National, State/Province/Local): 11%
Information Technology: 9%
Communications & Media: 9%
Business Services (accounting, consulting, legal, etc.): 8%
Health Care: 8%
Retail/Wholesale: 7%
Other: 20%
Source: Enterprise Strategy Group, 2013.

Respondents by Annual Revenue

Respondent organizations’ annual revenue is shown in Figure 4.

Figure 4. Survey Respondents by Annual Revenue
(Percent of respondents, N=200)
Less than $50 million: 14%
$50 million to $74.999 million: 9%
$75 million to $99.999 million: 6%
$100 million to $249.999 million: 10%
$250 million to $499.999 million: 9%
$500 million to $999.999 million: 10%
$1 billion to $4.999 billion: 10%
$5 billion to $9.999 billion: 7%
$10 billion to $19.999 billion: 7%
$20 billion or more: 13%
Not applicable: 8%
Source: Enterprise Strategy Group, 2013.


Contents

List of Figures
Executive Summary
Report Conclusions
Introduction
Research Objectives
Research Findings
Web Application Development Environments
Web Applications In Production
The State of Web Application Security
Web Application Software Development Processes
Web Application Security Status
Application Security Testing
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
Purchasing Considerations
Conclusion
Research Implications for Technology Vendors
Research Implications for IT Professionals
Research Methodology
Respondent Demographics
Respondents by Current Responsibility
Respondents by Number of Employees
Respondents by Industry


List of Figures

Figure 1. How Organizations Use Web Application Developers
Figure 2. Web Application Development Processes
Figure 3. Technologies Used for Web Applications
Figure 4. Number of Websites in Production
Figure 5. Number of Web Applications in Production
Figure 6. Web Application Development Processes, by Number of Web Applications in Production
Figure 7. Percent of Websites Classified as Business-Critical
Figure 8. Confidence in Security of Internally Developed Software
Figure 9. Knowledge Level of Software Developers
Figure 10. Security Activities in Software Development Process
Figure 11. Web Application Security Technologies Used
Figure 12. Most Important Reasons for Using a Web Application Firewall
Figure 13. Most Important Reasons for Using Penetration Testing
Figure 14. Web Application Threat Landscape
Figure 15. Web Application Security Attacks Experienced
Figure 16. Frequency of Web Application Security Attacks
Figure 17. Percent of Web Applications in Production Protected by Testing Tool(s)
Figure 18. Percent of Web Applications Protected by Testing, by Number of Web Applications in Production
Figure 19. Top Five Web Application Security Challenges
Figure 20. Use of SAST and DAST
Figure 21. Importance of SAST and DAST
Figure 22. SAST and DAST Organizational Strategy
Figure 23. Use of SAST
Figure 24. Length of Time Organizations Have Been Conducting SAST and DAST
Figure 25. Why Organizations Conduct SAST
Figure 26. Testing Methods Employed for SAST
Figure 27. Most Important Considerations When Selecting SAST Product(s)/Service(s)
Figure 28. Use of DAST
Figure 29. Frequency of Conducting DAST
Figure 30. Why Organizations Conduct DAST
Figure 31. Testing Methods Employed for DAST
Figure 32. Most Important Considerations When Selecting DAST Product(s)/Service(s)
Figure 33. Purchasing Preferences for SAST and DAST Product(s)/Service(s)
Figure 34. Expected Changes in Organizations’ DAST and SAST Investment/Efforts
Figure 35. Likelihood of Considering an Alternative Vendor’s Testing Product/Service
Figure 36. Survey Respondents by Current Responsibility
Figure 37. Survey Respondents by Number of Employees
Figure 38. Survey Respondents by Industry
Figure 39. Survey Respondents by Annual Revenue

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.
