If you haven’t seen it yet, Gartner just published its “Hype Cycle for Application Security, 2016” written by Gartner Analyst Ayal Tirosh with support from colleague Lawrence Pingree (Gartner clients can view it at https://www.gartner.com/doc/3376617/hype-cycle-application-security-). This is potentially a deeply important step for the application security market because it provides clarity around a set of emerging ideas involving application vulnerabilities that buyers, vendors and analysts had previously struggled to define. I’ll first lay out what Gartner did, and then I’ll explain why it’s so important. (In the interest of full disclosure, Denim Group’s ThreadFix vulnerability resolution platform is one of the technologies mentioned in the report.)
The process for adopting new technology areas is anything but straightforward, so let me put it into proper perspective. Sometimes technology sector names are developed by savvy product marketing managers looking to separate their product from previous technologies and enjoy what’s called “first mover” status. Think of “next generation firewalls” versus “firewalls” (you don’t want to be caught with your pants down with just a plain old firewall when attackers come). Other times industry analysts such as Gartner will come up with a term after listening to a stream of vendor pitches and struggling to characterize an emerging technology that they think is different from what they’ve seen in the past. That appears to be the case in this instance.
In a section in Gartner’s 2016 Hype Cycle Report, Ayal and Lawrence characterize Application Vulnerability Correlation, or AVC, as a technology “on the rise.” They define AVC as “application security workflow and process management tools that aim to streamline SDLC application vulnerability remediation by incorporating findings from a variety of security-testing data sources into a centralized tool.” Put another way, AVC tools accelerate the remediation of vulnerable apps by fully automating the flow of app vulnerabilities between testing tools, centralized application security functions, and the many development teams that actually fix security defects. By automating what now remains an all too manual process, AVC tools enable application security teams to have higher level risk discussions with their development colleagues, which in turn will allow the dev teams to focus on the few most critical vulnerabilities at the expense of the many less critical ones. This workflow automation is even more important with increasing adoption of approaches such as DevOps, Continuous Integration (CI), and Continuous Deployment (CD). Without it, development teams are slowed by security best practices and vulnerabilities persist.
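An added example (not from the Gartner report or from ThreadFix) of the core correlation step that definition describes: output from two hypothetical scanners, with constructed field names, is normalized into one schema, duplicate findings for the same weakness at the same location are collapsed, and the merged list is ranked so the few most critical items surface first.

```python
import json
from urllib.parse import urlparse

# Constructed sample output from two hypothetical DAST tools (not real tool formats).
SCANNER_A = json.dumps({"tool": "scanner-a", "alerts": [
    {"cweid": "79", "risk": "High", "url": "https://app.example/search?q=1", "param": "q"},
    {"cweid": "89", "risk": "High", "url": "https://app.example/login", "param": "user"},
    {"cweid": "16", "risk": "Low", "url": "https://app.example/", "param": ""},
]})
SCANNER_B = json.dumps({"scanner": "scanner-b", "issues": [
    {"cwe": "CWE-79", "severity": 3, "path": "/search", "parameter": "q"},
    {"cwe": "CWE-22", "severity": 2, "path": "/download", "parameter": "file"},
]})

RISK_LEVELS = {"Low": 1, "Medium": 2, "High": 3}


def normalize_a(raw):
    """Map scanner-a's alert schema onto the common (tool, cwe, severity, path, param) shape."""
    doc = json.loads(raw)
    return [{"tool": doc["tool"], "cwe": int(a["cweid"]), "severity": RISK_LEVELS[a["risk"]],
             "path": urlparse(a["url"]).path or "/", "param": a["param"]} for a in doc["alerts"]]


def normalize_b(raw):
    """Map scanner-b's issue schema onto the same common shape."""
    doc = json.loads(raw)
    return [{"tool": doc["scanner"], "cwe": int(i["cwe"].split("-")[1]),
             "severity": int(i["severity"]), "path": i["path"], "param": i["parameter"]}
            for i in doc["issues"]]


def correlate(findings):
    """Merge findings that describe the same weakness at the same location.

    Correlation key: (CWE, request path, parameter). Duplicates collapse into one record
    that keeps the highest reported severity and the set of tools that reported it."""
    merged = {}
    for f in findings:
        key = (f["cwe"], f["path"], f["param"])
        rec = merged.setdefault(key, {"cwe": f["cwe"], "path": f["path"], "param": f["param"],
                                      "severity": 0, "tools": set()})
        rec["severity"] = max(rec["severity"], f["severity"])
        rec["tools"].add(f["tool"])
    # Highest severity first; among equals, findings confirmed by more tools rank higher.
    return sorted(merged.values(), key=lambda r: (-r["severity"], -len(r["tools"]), r["cwe"]))


if __name__ == "__main__":
    for r in correlate(normalize_a(SCANNER_A) + normalize_b(SCANNER_B)):
        print(r["severity"], f"CWE-{r['cwe']}", r["path"], r["param"] or "-", sorted(r["tools"]))
```

Five raw alerts become four tracked findings, and the cross-site scripting issue reported by both tools ranks above the one seen by a single tool.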
Gartner also listed AVC for the first time on the actual Hype Cycle at the “Innovation Trigger” stage. The Hype Cycle helps bring Gartner clients up to speed on various new technologies, and Gartner describes the Innovation Trigger stage as “A potential technology breakthrough kicks things off. Early proof-of-concept stories and media interest trigger significant publicity. Often no usable products exist and commercial viability is unproven.” That’s a pretty conservative definition, and I would beg to differ on the last sentence. (For a good background explanation of the Gartner Hype Cycle and its definitions, visit http://www.gartner.com/technology/research/methodologies/hype-cycle.jsp.) Put simply, products in the Innovation Trigger have caught the eye of the analyst and are worthy of mention to Gartner clients.
There are several reasons why this is important, even if it’s not readily apparent to most. These reasons include:
Settling on a common term (Application Vulnerability Correlation) provides a common language between buyers and sellers that drives more efficient adoption of new technologies. Market confusion, on the other hand, adds friction as buyers and sellers struggle to agree on terms (even today, debate still exists around “application security” versus “software security”). Typically developed to address a particular “pain point” in our fast-moving industry, new security products share a common problem: how do you characterize the technology, and what do you call it? What do you call the collection of products that protect desktops from attack (endpoint security), or firewalls that have a certain additional set of capabilities (next generation firewalls)? The best names use the fewest syllables (NAC, for network access control, is my favorite) and are widely adopted and understood.
Finding new products becomes more efficient. As has been widely documented and discussed in the vendor community, buyers are spending more and more time learning about products online prior to engaging vendors. A lack of common terminology hurts an evolving industry most acutely in the Internet search arena. Is the fixing of a vulnerable application post-scan “application vulnerability management” or “application vulnerability resolution”? Regardless of what we want to call it, buyers are using every term under the sun to describe the area, yet are not purchasing from vendors that have products in this area. As a vendor, we look very closely at what Google searches are actually occurring in and around the application security market. We confirmed that no consistent set of search terms has been used over the last several years. Buyers aren’t typing in “application vulnerability management” to find ThreadFix; they are typing in “ThreadFix”, which tells us they didn’t actually find the product via search but knew of it before conducting a search. With Gartner naming this space, it will help buyers find qualified sellers more efficiently.
New terminology defines what a technology area is not. In the case of AVC, it states unequivocally that it involves applications: not network vulnerability management, not patch management, nor anything else outside the application arena. It’s all about the vulnerable applications and how organizations can use multiple technologies (a Gartner recommendation) to get better application testing coverage and to fix vulnerable applications faster. This is particularly important for CISOs or CSOs without a strong application development or security background who are trying to distinguish AVC from technologies that, although they might share the common term (vulnerability management), could not be more different.
The common denominator of all the reasons listed above is efficiency and helping define the emerging and fast-moving market that is application security. Perhaps fundamentally more important, though, by naming AVC and putting it for the first time on its Hype Cycle, Gartner will make it harder for its clients to ignore post-scan remediation or to scan only a subset of their application portfolio. It’s been our observation that organizations have become far better at identifying application vulnerabilities than fixing them, and we sense this is beginning to change. This small step from Gartner will help swing the focus away from vulnerability capture alone, and focus more resources and brainpower on protecting and fixing what most agree is our weakest spot: applications.
Update From Dan Cornell – 6/30/20:
It has been four years since Gartner first coined the term “Application Vulnerability Correlation” (AVC) to describe the class of products that ThreadFix created, and a lot has happened since then:
- There are a lot more players in the space now – each with their own perspective on the problem. But we were first 😊
- We’ve expanded ThreadFix to not just correlate application vulnerabilities, but also to allow you to import network and infrastructure scanners like Nessus, Nexpose, and Qualys and link applications to the infrastructure that runs them.
- The problem has become a lot more pronounced as organizations have broken monolithic applications into microservices – increasing the number of things that need to be scanned – and “shifted security left” into CI/CD pipelines – increasing the frequency with which those things get scanned. This makes the need for AVC solutions even more pronounced.
Back then it was good to see Gartner recognizing a problem space that we had been tracking for years. For better or worse, Gartner shapes the way many organizations look at security and drives buying behavior. Having Gartner give a name to the problem has helped us better articulate to some organizations where ThreadFix brings value.