The 2023 edition of the Gartner Magic Quadrant (MQ) for Application Security Testing is out! But is anyone paying attention anymore? Many vendors now have a portfolio of SAST, SCA, and DAST tools, and they all check for vulnerabilities. That's important, but would all of those tests prevented the SolarWinds or the 3CX supply chain attacks where thousands of organizations were affected in each incident?
The answer is no.
Russian, North Korean, and other advanced threat actors are surgically targeting software suppliers and they aren't necessarily exploiting known vulnerabilities (CVEs) or vulns in custom code that AST tools are designed to find.
AST tools are on the verge of becoming a commodity anyway. Testing for vulnerabilities still must be done of course. What's missing is the ability to detect advanced attacks on software supply chains.
I recently joined ReversingLabs. We have technology to detect malicious software and prevent it from being released like happened at SolarWinds and 3CX. Not many people have heard of ReversingLabs, but it's not a startup. They've been around for almost 15 years, but just recently started applying their core technology of malware detection to the software supply chain.
Software publishers and software consumers alike can benefit from ReversingLabs' tools. Our binary analysis will decompose ("unpack") hundreds of different types of files. No source code is required. It will find known malware and secrets embedded in the software, but even more importantly can detect novel attacks by analyzing subtle changes in behaviors or altered digital signatures.
Don't stop testing for vulnerabilities, but also realize you probably have gaps similar to SolarWinds and 3CX. I outlined some of the reasons these gaps exist in my post Software Supply Chains and Security Challenges.
Let's also see if Gartner considers expanding the Application Security Testing MQ to be the Software Supply Chain Security MQ. The current report focuses on vulnerabilities only, and it's proving to be insufficient.