113 app sec vendors: A guide to commercial application security products

Read the updated version of this list: 95+ app sec tool vendors: A comprehensive list for developers, Ops, and QA

Any company developing software as a product or service or for internal use should be investing in software security. But there are many security products to choose from, and before you can begin selecting products, you have to first understand the various types of application security that may be required.

This guide is designed to help you make the right choices for your organization’s application security needs. It briefly covers the two basic categories of app sec protection—application security testing and runtime security—then it explains the criteria we used to create the list of products. The guide concludes with the list itself.

Types of application security

Information about application security can be confusing because websites in the commercial space typically present the advantages of products for sale without helping decision-makers understand the class of solution being offered. This makes it difficult to compare one vendor or product to the next.

To help with some of this confusion, we start with two simple categories, which 95 percent of all tools for application security fall into:

1. Testing tools, commonly referred to as application security testing (AST) tools. These are designed for software development teams (and their testing and ops colleagues working in a DevOps fashion) who need to ensure that security is built into applications prior to deployment.
2. Runtime protection tools, which are designed to protect applications running in their target, operational environments. Runtime tools protect against a variety of incoming threats after an application is delivered and deployed.

Within both of these categories, there are several classes of tools to consider, as described below.

Testing tools: SAST, DAST, and IAST

The three most common classes of app sec testing tools are as follows:

• Static application security testing (SAST), sometimes referred to as white-box testing, offers developers a detailed review of their source code and often involves use of a compiler to analyze data flow through an application. The goal is to catch vulnerabilities in applications early in the development cycle. Examples: code scanning tools, vulnerability assessment, and subroutine analysis.
• Dynamic application security testing (DAST) test web applications while they are running, which means DAST provides an assessment from the perspective of a user. Examples: penetration test tools, fuzz testing, web app security scanners, and proxy scanners.
• Interactive application security testing (IAST) is a hybrid of SAST and DAST that can check for vulnerabilities in the code itself as well as after development is complete. This method of testing uses agents and additional software libraries to collect data from running applications that can then reveal vulnerabilities. Examples: instrumentation agent used in the production environment, and customer combination of SAST and DAST tools.

Runtime protection tools: WAF, RASP, and more

Runtime protection tools are designed to guard web applications at runtime in the production environments after development and testing are complete. There are several classes of runtime protection tools:

• Web application firewall (WAF) tools, designed to protect the security perimeter against intrusion. Known intrusion patterns are programmed into the tool and periodically updated as new threats are discovered and analyzed.
• Runtime application security protection (RASP) tools, designed to detect intrusion from inside the running application, or inside the security perimeter.

At a high level, you can understand the difference between WAF (and other secure perimeter solutions) and RASP in terms of conventional surveillance techniques. Using WAF is like putting up a security fence around your grocery store, along with guards taught to spot likely intruders. Using RASP, on the other hand, is like putting lots of cameras on every aisle inside the store. They don’t keep potential thieves from getting in, but they are good at detecting any theft that occurs.

WAF technologies are widely used, while RASP is a recent concept, offered by relatively few companies as of this writing.

There are several other forms of runtime protection that can be used along with WAF and RASP technologies, including:

• Endpoint protection tools, designed to guard PCs, mobile devices, workstations, servers, and other endpoints against attack.
• Cloud access security brokers, cloud-based or on-prem software that supports cloud services by offering continuous visibility, compliance, threat protection, and security. Analyst firm Gartner believes that by 2020, 85 percent of large enterprises will be using them.

Criteria for our app sec vendor list

This comprehensive list of application security vendors includes every commercial vendor we could find that makes a product designed to help software development teams design, code, and deliver more secure applications. This includes QA/testing teams working with coding teams in a DevOps or more traditional style, and operations teams that play a critical role in application security.

But with so many security-related products and open-source projects available, the question was where to draw the line? Do we include technology for security research, such as password cracking, brute-force intrusion, wardriving, and exploitation tools? All of these technologies, and many more, are of potential interest to security enthusiasts and practitioners.

We decided to list only those products that directly affect the application and delivery processes commonly owned by developers, testers, and security teams focused on applications. So, for example: penetration test tools? Yes: Developers may not use them, but QA teams in concert with security will. SIEM products? No: Enterprise-wide tools are simply beyond the scope of our application security focus here. DDoS sec tools? Yes. Encryption tools? No. We trust you’ll see the logic of our choices.

This list will guide you to the online sites where much more information is provided for your consumption. Given our criteria for this app sec vendor list, please let us know if you think we’ve left out any tools that can help software development teams improve in their application security efforts. We look forward to helping you on your journey.

List of commercial app sec vendors 

Abbreviations used

• CDN - Content delivery (or distribution) network
• DAST - dynamic application security testing
• DDoS - distributed denial of service
• IAST - integrated application security testing
• SAST - static application security testing
• WAF - web application firewall

Acunetix

Web Vulnerability Scanner
Type: DAST
Web: acunetix.com/vulnerability-scanner

Adallom

Cloud Access Security Broker (acquired by Microsoft)
Type: Cloud app security
Web: https://blogs.microsoft.com/cybertrust/2016/04/06/microsoft-cloud-app-security-is-generally-available/

AdNovum

Nevis Security and Compliance Suite by AdNovum
Type: WAF, authentication, identity management
Web: adnovum.ch

Airlock

Airlock Suite by Ergon Informatik
Type: WAF, authentication, identity management
Web: airlock.com

Akamai

Kona Site Defender by Akamai
CDN, DDoS protection, WAF
Web: akamai.com

Alert Logic

Alert Logic
Security-as-a-service intrusion-prevention system, cloud access security broker, WAF
Web: alertlogic.com

Amazon

AWS WAF, Amazon CloudFront
CDN, DDoS protection
Web: aws.amazon.com, aws.amazon.com/cloudfront

AppMobi

AppMobi Security Kit Apache Cordova
App encryption and authentication
Web: appmobi.com

Arbor Networks

Arbor Networks
DDoS protection
Web: arbornetworks.com

Armor

Armor Complete
Cloud security platform
Web: armor.com

Arxan

Arxan Application Protection
Anti-tamper software via white-box cryptography
Web: arxan.com

AuditMyApps

AuditMyApps by Pradeo
Mobile AST
Web: auditmyapps.com

Avecto

Defendpoint by Avecto
Endpoint security via whitelisting and sandboxing
Web: avecto.com

Barracuda

Barracuda firewalls
WAF
Web: barracuda.com

Bay Dynamics

Risk Fabric by Bay Dynamics
Predictive security analytics
Web: baydynamics.com

BeyondSecurity

AVDS
Vulnerability assessment
Web: beyondsecurity.com/avds

BeyondTrust

Retina Web
Security scanning, DAST
Web: beyondtrust.com

Bit9

Acquired by Carbon Black
Endpoint security
Web: carbonblack.com

Black Duck

Black Duck Hub
Open-source scanning
Web: blackducksoftware.com

Blue Coat

Blue Coat Cloud Security Platform
Cloud access security broker, WAF
Web: bluecoat.com

Bluebox

Bluebox Mobile Access Security Broker (now part of Lookout)
Mobile security
Web: bluebox.com

Bricata

ProAccel by Bricata
Intrusion-prevention system
Web: bricata.com

BrightCloud

BrightCloud Threat Intelligence by Webroot
DAST
Web: brightcloud.com

Bromium

Bromium Advanced Endpoint Security
Endpoint security
Web: bromium.com

Buguroo

bugThreats Cyberthreat Intelligence Platform
Threat intelligence
Web: buguroo.com

CD Networks

CD Protection by CD Networks
CDN, WAF, DDoS protection
Web: cdnetworks.com

Carbon Black

Carbon Black security platform
Endpoint security
Web: carbonblack.com

Cenzic

Hailstorm by Cenzic (now Trustwave)
See Trustwave

Checkmarx

Cx SAST
SAST
Web: checkmarx.com/technology/static-code-analysis-sca

Cigital

Cigital Static Application Security Testing
SAST
Web: cigital.com/resources/datasheets/static-application-security-testing

Cigital

Codiscope SecureAssist
SAST
Web: cigital.com/services/secure-development/secureassist

Cigital 

Cigital Dynamic Application Security Testing 
DAST
Web: cigital.com/services/application-security-testing/dynamic-analysis-dast

Cigital 

Mobile Application Security Testing
SAST, DAST
Web: cigital.com/services/application-security-testing/mobile-security

CipherCloud

CipherCloud
Cloud access security broker
Web: ciphercloud.com

Cisco

Cisco ACE (end-of-life product)
WAF
Web: cisco.com

Citrix

NetScaler AppFirewall by Citrix
WAF
Web: citrix.com

CloudFlare

CloudFlare
CDN, DDoS protection, WAF
Web: cloudflare.com

CloudLock

CloudLock Security Fabric
Cloud access security broker
Web: cloudlock.com

CloudPassage

CloudPassage Halo
Cloud access security broker
Web: cloudpassage.com

Codenomicon

Defensics
Fuzz testing
Web: codenomicon.com/products/defensics

Contrast Security

Contrast Enterprise
IAST, runtime protection
Web: contrastsecurity.com/overview

Coverity

Coverity Code Advisor, acquired by Synopsis 2015
DAST
Web: coverity.com/products/code-advisor

CrowdStrike

Falcon Host by CrowdStrike
Endpoint security
Web: crowdstrike.com

DenyAll

Mulitple products for vulnerability, app security management
WAF
Web: denyall.com

eEye Digital Security

Retina Web Security
See BeyondTrust

Elastica

CloudSOC by Elastica Cloud
Security testing/scanning
Web: elastica.net

EMC

RSA ECAT by EMC
DAST
Web: rsa.com/en-us/products-services/security-operations/enterprise-compromise-assessment-ecat

F5

F5 Big IP Platform
WAF, DDoS protection
Web: f5.com

FireEye

FireEye NX
Web server scanner, WAF
Web: fireeye.com

Fortinet

FortiWeb WAF
Runtime protection
Web: fortinet.com/products/fortiweb

GamaSec

GamaScan
Web vulnerability assessment service
Web: gamasec.com/Gamascan.aspx

GFI

GFI LanGuard and other security solutions
Network security, monitoring, and management tools
Web: gfi.com/products-and-solutions/network-security-solutions/gfi-languard

GNUCITIZEN

See Websecurify

Hillstone Networks

Intelligent Next-Gen T-Series Firewall
WAF
Web: hillstonenet.com

IBM

AppScan Source/Standard/Enterprise, Application Security Analyzer
SAST, DAST
Web: www-03.ibm.com/software/products/en/category/application-security, www.ibm.com/marketplace/cloud/application-security-on-cloud/us/en-us

Imperva

SecureSphere , Incapsula
Runtime protection
Web: imperva.com/Products/WebApplicationFirewall, imperva.com/Products/ImpervaIncapsula

IndusFace

IndusWeb; IndusGuard
Web app scanning, mobile penetration test
Web: www.indusface.com

InfoBlox

InfoBlox DNS Firewall
WAF
Web: infoblox.com

ITrust

IKare
Vulnerability management
Web: ikare-monitoring.com

Juniper Networks

SRX Series Firewall by Juniper Networks
WAF
Web: juniper.net

Klocwork

Klocwork by Rogue Wave Software
Code-quality scanning
Web: klocwork.com

Level 3

Level 3 Content Delivery Network
CDN, DDoS protection
Web: level3.com

LogRhythm

Security Intelligence Platform
Predictive security analytics
Web: logrhythm.com

Lookout

Lookout Security Platform
Mobile threat protection, predictive analytics
Web: lookout.com/uk/mobile-security-technology

MetaFlows

MetaFlows
Cloud security scanning
Web: metaflows.com

Micro Focus

Fortify, WebInspect, WebInspect Agent, App Defender
SAST, DAST, IAST, RASP
Web: www8.hp.com/us/en/software-solutions/static-code-analysis-sast/index.html, www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/index.html , www8.hp.com/us/en/software-solutions/appdefender-application-self-protection

N-Stalker

Web Application Security Scanner X
DAST
Web: nstalker.com/products/editions

nCircle

WebApp360
See TripWire

Netsparker

Netsparker
Web app scanning
Web: netsparker.com

Neustar

Neustar
DDoS protection
Web: neustar.biz

NSFocus

Web Applications Firewall
DAST, runtime protection
Web: nsfocusglobal.com/waf-series

Onapsis

Onapsis Security Platform
Near real-time preventative, detective, and corrective for SAP
Web: onapsis.com

OPSWAT

Metadefender product family
SAST
Web: opswat.com

Palo Alto Networks

PA-7000 Series Firewall & Enterprise Security Platform
WAF, RASP
Web: paloaltonetworks.com

Parasoft

Parasoft Application Security Testing
Static, unit testing, req. traceability, coverage, func/load testing, etc.
Web: parasoft.com

Peach Fuzzer

Peach Fuzzer
Penetration testing
Web: peachfuzzer.com

PortSwigger

BurpSuite
DAST
Web: portswigger.net/burp

Pradeo

Trust Revealing
Mobile threat protection
Web: www.pradeo.com/en-US/trust-revealing-technology

Prevoty

Prevoty
Runtime protection
Web: prevoty.com

ProtectWise

ProtectWise
Cloud Network DVR CDN, App Sec Scanning
Web: protectwise.com

Qualys

Web Application Scanning, Web Application Firewall
DAST, Runtime protection
Web: qualys.com/enterprises/qualysguard/web-application-scannin, qualys.com/enterprises/qualysguard/web-application-firewall

Radware

AppWall by Radware
WAF, DDoS protection
Web: radware.com

Rapid7

AppSpider
DAST
Web: rapid7.com/products/appspider

Rapid7 

Nexpose, AppSpider Pro (formerly NTOSider) by Rapid7
DAST
Web: rapid7.com/products/nexpose

SAINT

SAINT Security Suite; SAINT Cloud solutions
Vulnerability scanner, pen testing
Web: saintcorporation.com

Security Compass

DDoS Strike by Security Compass
DDoS protection
Web: securitycompass.com

SiteLock

TrueCode SAST
SAST
Web: sitelock.com/truecode.php

SiteLock 

Website Scanning
DAST
Web: sitelock.com/website-scanning.php

Sophos

Sophos Next-Gen Firewall
WAF
Web: sophos.com/en-us/lp/enduser.aspx#

Spirent

Avalanche NEXT
Application security testing
Web: spirent.com/~/media/Brochures/AvNEXT_Brochure.pdf

Sucuri

Sucuri Website Firewall
WAF, DDoS protection, app security scanning
Web: sucuri.net

Symantec

Symantec Advanced Threat Protection
IAST, RASP
Web: symantec.com

Synopsis

Quotium Seeker, Coverity Code Advisor
SAST
Web: coverity.com

Tanium

Tanium Endpoint Platform
Endpoint security, app security scanning
Web: tanium.com

Tenable

Tenable Security Center & Nessus by Tenable
Network security
Web: tenable.com

Trend Micro

Trend Micro Deep Security Platform
SAST, DAST
Web: trendmicro.com

Tripwire

Tripwire Enterprise, WebApp360
IAST, RASP
Web: tripwire.com

Trustwave

Trustwave Suite of AppSec Solutions (formerly Cenzic)
Application, endpoint, and network security
Web: trustwave.com/Solutions/By-Challenge/Secure-My-Applications

Virtual Forge

CodeProfiler by Virtual Forge, Virtual Forge CodeProfiler
SAST, ABAP code protection for SAP-based systems
Web: virtualforge.com

vThreat

vThreat Platform
Adversary simulation
Web: vthreat.com

Waratek

Application security, RASP
Web: waratek.com

Websecurify

Webreaver, ProxyApp Web ap
plication security
Web: websecurify.com

WhiteHat Security

Sentinel product line
SAST, DAST, mobile testing
Web: whitehatsec.com

Yottaa

ContextIntelligence by Yottaa
CDN, DDoS protection, WAF
Web: yottaa.com

Ziften

Ziften Endpoint Security
Type: Time user, device, and behavior monitoring analytics
Web: ziften.com

Keep learning

• Take a deep dive into the state of quality with TechBeacon's Guide. Plus: Download the free World Quality Report 2022-23.

• Put performance engineering into practice with these top 10 performance engineering techniques that work.

• Find to tools you need with TechBeacon's Buyer's Guide for Selecting Software Test Automation Tools.

• Discover best practices for reducing software defects with TechBeacon's Guide. 

• Take your testing career to the next level. TechBeacon's Careers Topic Center provides expert advice to prepare you for your next move.