113 app sec vendors: A guide to commercial application security products
Read the updated version of this list: 95+ app sec tool vendors: A comprehensive list for developers, Ops, and QA
Any company developing software as a product or service or for internal use should be investing in software security. But there are many security products to choose from, and before you can begin selecting products, you have to first understand the various types of application security that may be required.
This guide is designed to help you make the right choices for your organization’s application security needs. It briefly covers the two basic categories of app sec protection—application security testing and runtime security—then it explains the criteria we used to create the list of products. The guide concludes with the list itself.
Types of application security
Information about application security can be confusing because websites in the commercial space typically present the advantages of products for sale without helping decision-makers understand the class of solution being offered. This makes it difficult to compare one vendor or product to the next.
To help with some of this confusion, we start with two simple categories, which 95 percent of all tools for application security fall into:
- Testing tools, commonly referred to as application security testing (AST) tools. These are designed for software development teams (and their testing and ops colleagues working in a DevOps fashion) who need to ensure that security is built into applications prior to deployment.
- Runtime protection tools, which are designed to protect applications running in their target operational environments. Runtime tools protect against a variety of incoming threats after an application is delivered and deployed.
Within both of these categories, there are several classes of tools to consider, as described below.
Testing tools: SAST, DAST, and IAST
The three most common classes of app sec testing tools are as follows:
- Static application security testing (SAST), sometimes referred to as white-box testing, offers developers a detailed review of their source code and often involves use of a compiler to analyze data flow through an application. The goal is to catch vulnerabilities in applications early in the development cycle. Examples: code scanning tools, vulnerability assessment, and subroutine analysis.
- Dynamic application security testing (DAST) tests web applications while they are running, which means DAST provides an assessment from the perspective of a user. Examples: penetration test tools, fuzz testing, web app security scanners, and proxy scanners.
- Interactive application security testing (IAST) is a hybrid of SAST and DAST that can check for vulnerabilities in the code itself as well as after development is complete. This method of testing uses agents and additional software libraries to collect data from running applications that can then reveal vulnerabilities. Examples: an instrumentation agent used in the production environment, and a custom combination of SAST and DAST tools.
Runtime protection tools: WAF, RASP, and more
Runtime protection tools are designed to guard web applications at runtime in the production environments after development and testing are complete. There are several classes of runtime protection tools:
- Web application firewall (WAF) tools, designed to protect the security perimeter against intrusion. Known intrusion patterns are programmed into the tool and periodically updated as new threats are discovered and analyzed.
- Runtime application self-protection (RASP) tools, designed to detect intrusion from inside the running application, or inside the security perimeter.
At a high level, you can understand the difference between WAF (and other secure perimeter solutions) and RASP in terms of conventional surveillance techniques. Using WAF is like putting up a security fence around your grocery store, along with guards taught to spot likely intruders. Using RASP, on the other hand, is like putting lots of cameras on every aisle inside the store. They don’t keep potential thieves from getting in, but they are good at detecting any theft that occurs.
WAF technologies are widely used, while RASP is a recent concept, offered by relatively few companies as of this writing.
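The fence-versus-cameras distinction above, as an added example that is not from the original article: a WAF-style signature check on the raw request parameter sits beside a RASP-style check at the point where the application hands a query to the database, which compares the structure of the query about to run against the expected structure. All function names, signatures and sample inputs are constructed assumptions, and the example also shows the trade-off each layer makes (a crude perimeter rule blocks a harmless search term and misses a string it has no signature for, while the in-app check judges only what the input did to the query).

```python
import re

# Constructed sample inputs (not from the original page): two benign search
# terms and one injection-shaped string.
SAMPLE_INPUTS = ["alice", "credit union", "' OR 2>1 --"]

# WAF layer: signature matching on the raw request parameter at the perimeter.
# The keyword signature is deliberately crude, as perimeter rules often are.
WAF_SIGNATURES = [
    re.compile(r"(?i)\b(union|select|drop)\b"),
    re.compile(r"(?i)'\s*or\s*'1'\s*=\s*'1"),
]

def waf_blocks(param: str) -> bool:
    """Perimeter decision: block if any signature matches the raw value."""
    return any(sig.search(param) for sig in WAF_SIGNATURES)

# RASP layer: hooks the point where the application hands a query to the
# database and compares the query's structure against the expected one.
_LITERAL = re.compile(r"'(?:[^']|'')*'")   # SQL string literal, '' as escape
_TOKEN = re.compile(r"\w+|[^\w\s]")

def query_shape(sql: str) -> list:
    """Token skeleton of a query with every string literal collapsed to '?'."""
    return _TOKEN.findall(_LITERAL.sub("?", sql))

def build_query(user_input: str) -> str:
    """Hypothetical application code: unsafe concatenation, kept so the
    in-app check has a structural change to observe."""
    return "SELECT id FROM users WHERE name = '" + user_input + "'"

# Shape of the query when the input is an ordinary value.
EXPECTED_SHAPE = query_shape(build_query("placeholder"))

def rasp_blocks(user_input: str) -> bool:
    """In-app decision: block if the input altered the query's token skeleton."""
    return query_shape(build_query(user_input)) != EXPECTED_SHAPE

def compare(user_input: str) -> dict:
    """Both layers' verdicts for one input, for side-by-side comparison."""
    return {"waf": waf_blocks(user_input), "rasp": rasp_blocks(user_input)}

if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        print(f"{value!r:20} -> {compare(value)}")
```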
There are several other forms of runtime protection that can be used along with WAF and RASP technologies, including:
- Endpoint protection tools, designed to guard PCs, mobile devices, workstations, servers, and other endpoints against attack.
- Cloud access security brokers, cloud-based or on-prem software that supports cloud services by offering continuous visibility, compliance, threat protection, and security. Analyst firm Gartner believes that by 2020, 85 percent of large enterprises will be using them.
Criteria for our app sec vendor list
This comprehensive list of application security vendors includes every commercial vendor we could find that makes a product designed to help software development teams design, code, and deliver more secure applications. This includes QA/testing teams working with coding teams in a DevOps or more traditional style, and operations teams that play a critical role in application security.
But with so many security-related products and open-source projects available, the question was where to draw the line. Do we include technology for security research, such as password cracking, brute-force intrusion, wardriving, and exploitation tools? All of these technologies, and many more, are of potential interest to security enthusiasts and practitioners.
We decided to list only those products that directly affect the application and delivery processes commonly owned by developers, testers, and security teams focused on applications. So, for example: penetration test tools? Yes: Developers may not use them, but QA teams in concert with security will. SIEM products? No: Enterprise-wide tools are simply beyond the scope of our application security focus here. DDoS sec tools? Yes. Encryption tools? No. We trust you’ll see the logic of our choices.
This list will guide you to the online sites where much more information is provided for your consumption. Given our criteria for this app sec vendor list, please let us know if you think we’ve left out any tools that can help software development teams improve in their application security efforts. We look forward to helping you on your journey.
List of commercial app sec vendors
Abbreviations used
- CDN - Content delivery (or distribution) network
- DAST - dynamic application security testing
- DDoS - distributed denial of service
- IAST - interactive application security testing
- SAST - static application security testing
- WAF - web application firewall
Acunetix
Web Vulnerability Scanner
DAST
Web: acunetix.com/vulnerability-scanner
Adallom
Cloud Access Security Broker (acquired by Microsoft)
Cloud app security
Web: https://blogs.microsoft.com/cybertrust/2016/04/06/microsoft-cloud-app-security-is-generally-available/
AdNovum
Nevis Security and Compliance Suite by AdNovum
WAF, authentication, identity management
Web: adnovum.ch
Airlock
Airlock Suite by Ergon Informatik
WAF, authentication, identity management
Web: airlock.com
Akamai
Kona Site Defender by Akamai
CDN, DDoS protection, WAF
Web: akamai.com
Alert Logic
Alert Logic
Security-as-a-service intrusion-prevention system, cloud access security broker, WAF
Web: alertlogic.com
Amazon
AWS WAF, Amazon CloudFront
CDN, DDoS protection
Web: aws.amazon.com, aws.amazon.com/cloudfront
AppMobi
AppMobi Security Kit Apache Cordova
App encryption and authentication
Web: appmobi.com
Arbor Networks
Arbor Networks
DDoS protection
Web: arbornetworks.com
Armor
Armor Complete
Cloud security platform
Web: armor.com
Arxan
Arxan Application Protection
Anti-tamper software via white-box cryptography
Web: arxan.com
AuditMyApps
AuditMyApps by Pradeo
Mobile AST
Web: auditmyapps.com
Avecto
Defendpoint by Avecto
Endpoint security via whitelisting and sandboxing
Web: avecto.com
Barracuda
Barracuda firewalls
WAF
Web: barracuda.com
Bay Dynamics
Risk Fabric by Bay Dynamics
Predictive security analytics
Web: baydynamics.com
BeyondSecurity
AVDS
Vulnerability assessment
Web: beyondsecurity.com/avds
BeyondTrust
Retina Web
Security scanning, DAST
Web: beyondtrust.com
Bit9
Acquired by Carbon Black
Endpoint security
Web: carbonblack.com
Black Duck
Black Duck Hub
Open-source scanning
Web: blackducksoftware.com
Blue Coat
Blue Coat Cloud Security Platform
Cloud access security broker, WAF
Web: bluecoat.com
Bluebox
Bluebox Mobile Access Security Broker (now part of Lookout)
Mobile security
Web: bluebox.com
Bricata
ProAccel by Bricata
Intrusion-prevention system
Web: bricata.com
BrightCloud
BrightCloud Threat Intelligence by Webroot
DAST
Web: brightcloud.com
Bromium
Bromium Advanced Endpoint Security
Endpoint security
Web: bromium.com
Buguroo
bugThreats Cyberthreat Intelligence Platform
Threat intelligence
Web: buguroo.com
CD Networks
CD Protection by CD Networks
CDN, WAF, DDoS protection
Web: cdnetworks.com
Carbon Black
Carbon Black security platform
Endpoint security
Web: carbonblack.com
Cenzic
Hailstorm by Cenzic (now Trustwave)
See Trustwave
Checkmarx
Cx SAST
SAST
Web: checkmarx.com/technology/static-code-analysis-sca
Cigital
Cigital Static Application Security Testing
SAST
Web: cigital.com/resources/datasheets/static-application-security-testing
Cigital
Codiscope SecureAssist
SAST
Web: cigital.com/services/secure-development/secureassist
Cigital
Cigital Dynamic Application Security Testing
DAST
Web: cigital.com/services/application-security-testing/dynamic-analysis-dast
Cigital
Mobile Application Security Testing
SAST, DAST
Web: cigital.com/services/application-security-testing/mobile-security
CipherCloud
CipherCloud
Cloud access security broker
Web: ciphercloud.com
Cisco
Cisco ACE (end-of-life product)
WAF
Web: cisco.com
Citrix
NetScaler AppFirewall by Citrix
WAF
Web: citrix.com
CloudFlare
CloudFlare
CDN, DDoS protection, WAF
Web: cloudflare.com
CloudLock
CloudLock Security Fabric
Cloud access security broker
Web: cloudlock.com
CloudPassage
CloudPassage Halo
Cloud access security broker
Web: cloudpassage.com
Codenomicon
Defensics
Fuzz testing
Web: codenomicon.com/products/defensics
Contrast Security
Contrast Enterprise
IAST, runtime protection
Web: contrastsecurity.com/overview
Coverity
Coverity Code Advisor, acquired by Synopsys in 2015
DAST
Web: coverity.com/products/code-advisor
CrowdStrike
Falcon Host by CrowdStrike
Endpoint security
Web: crowdstrike.com
DenyAll
Multiple products for vulnerability and app security management
WAF
Web: denyall.com
eEye Digital Security
Retina Web Security
See BeyondTrust
Elastica
CloudSOC by Elastica Cloud
Security testing/scanning
Web: elastica.net
EMC
RSA ECAT by EMC
DAST
Web: rsa.com/en-us/products-services/security-operations/enterprise-compromise-assessment-ecat
F5
F5 Big IP Platform
WAF, DDoS protection
Web: f5.com
FireEye
FireEye NX
Web server scanner, WAF
Web: fireeye.com
Fortinet
FortiWeb WAF
Runtime protection
Web: fortinet.com/products/fortiweb
GamaSec
GamaScan
Web vulnerability assessment service
Web: gamasec.com/Gamascan.aspx
GFI
GFI LanGuard and other security solutions
Network security, monitoring, and management tools
Web: gfi.com/products-and-solutions/network-security-solutions/gfi-languard
GNUCITIZEN
See Websecurify
Hillstone Networks
Intelligent Next-Gen T-Series Firewall
WAF
Web: hillstonenet.com
IBM
AppScan Source/Standard/Enterprise, Application Security Analyzer
SAST, DAST
Web: www-03.ibm.com/software/products/en/category/application-security, www.ibm.com/marketplace/cloud/application-security-on-cloud/us/en-us
Imperva
SecureSphere, Incapsula
Runtime protection
Web: imperva.com/Products/WebApplicationFirewall, imperva.com/Products/ImpervaIncapsula
IndusFace
IndusWeb; IndusGuard
Web app scanning, mobile penetration test
Web: www.indusface.com
InfoBlox
InfoBlox DNS Firewall
WAF
Web: infoblox.com
ITrust
IKare
Vulnerability management
Web: ikare-monitoring.com
Juniper Networks
SRX Series Firewall by Juniper Networks
WAF
Web: juniper.net
Klocwork
Klocwork by Rogue Wave Software
Code-quality scanning
Web: klocwork.com
Level 3
Level 3 Content Delivery Network
CDN, DDoS protection
Web: level3.com
LogRhythm
Security Intelligence Platform
Predictive security analytics
Web: logrhythm.com
Lookout
Lookout Security Platform
Mobile threat protection, predictive analytics
Web: lookout.com/uk/mobile-security-technology
MetaFlows
MetaFlows
Cloud security scanning
Web: metaflows.com
Micro Focus
Fortify, WebInspect, WebInspect Agent, App Defender
SAST, DAST, IAST, RASP
Web: www8.hp.com/us/en/software-solutions/static-code-analysis-sast/index.html, www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/index.html, www8.hp.com/us/en/software-solutions/appdefender-application-self-protection
N-Stalker
Web Application Security Scanner X
DAST
Web: nstalker.com/products/editions
nCircle
WebApp360
See TripWire
Netsparker
Netsparker
Web app scanning
Web: netsparker.com
Neustar
Neustar
DDoS protection
Web: neustar.biz
NSFocus
Web Applications Firewall
DAST, runtime protection
Web: nsfocusglobal.com/waf-series
Onapsis
Onapsis Security Platform
Near real-time preventive, detective, and corrective controls for SAP
Web: onapsis.com
OPSWAT
Metadefender product family
SAST
Web: opswat.com
Palo Alto Networks
PA-7000 Series Firewall & Enterprise Security Platform
WAF, RASP
Web: paloaltonetworks.com
Parasoft
Parasoft Application Security Testing
Static analysis, unit testing, requirements traceability, coverage, functional/load testing, etc.
Web: parasoft.com
Peach Fuzzer
Peach Fuzzer
Penetration testing
Web: peachfuzzer.com
PortSwigger
BurpSuite
DAST
Web: portswigger.net/burp
Pradeo
Trust Revealing
Mobile threat protection
Web: www.pradeo.com/en-US/trust-revealing-technology
Prevoty
Prevoty
Runtime protection
Web: prevoty.com
ProtectWise
ProtectWise
Cloud Network DVR CDN, App Sec Scanning
Web: protectwise.com
Qualys
Web Application Scanning, Web Application Firewall
DAST, Runtime protection
Web: qualys.com/enterprises/qualysguard/web-application-scannin, qualys.com/enterprises/qualysguard/web-application-firewall
Radware
AppWall by Radware
WAF, DDoS protection
Web: radware.com
Rapid7
AppSpider
DAST
Web: rapid7.com/products/appspider
Rapid7
Nexpose, AppSpider Pro (formerly NTOSpider) by Rapid7
DAST
Web: rapid7.com/products/nexpose
SAINT
SAINT Security Suite; SAINT Cloud solutions
Vulnerability scanner, pen testing
Web: saintcorporation.com
Security Compass
DDoS Strike by Security Compass
DDoS protection
Web: securitycompass.com
SiteLock
TrueCode SAST
SAST
Web: sitelock.com/truecode.php
SiteLock
Website Scanning
DAST
Web: sitelock.com/website-scanning.php
Sophos
Sophos Next-Gen Firewall
WAF
Web: sophos.com/en-us/lp/enduser.aspx#
Spirent
Avalanche NEXT
Application security testing
Web: spirent.com/~/media/Brochures/AvNEXT_Brochure.pdf
Sucuri
Sucuri Website Firewall
WAF, DDoS protection, app security scanning
Web: sucuri.net
Symantec
Symantec Advanced Threat Protection
IAST, RASP
Web: symantec.com
Synopsys
Quotium Seeker, Coverity Code Advisor
SAST
Web: coverity.com
Tanium
Tanium Endpoint Platform
Endpoint security, app security scanning
Web: tanium.com
Tenable
Tenable Security Center & Nessus by Tenable
Network security
Web: tenable.com
Trend Micro
Trend Micro Deep Security Platform
SAST, DAST
Web: trendmicro.com
Tripwire
Tripwire Enterprise, WebApp360
IAST, RASP
Web: tripwire.com
Trustwave
Trustwave Suite of AppSec Solutions (formerly Cenzic)
Application, endpoint, and network security
Web: trustwave.com/Solutions/By-Challenge/Secure-My-Applications
Virtual Forge
CodeProfiler by Virtual Forge
SAST, ABAP code protection for SAP-based systems
Web: virtualforge.com
vThreat
vThreat Platform
Adversary simulation
Web: vthreat.com
Waratek
Application security, RASP
Web: waratek.com
Websecurify
Webreaver, ProxyApp
Web application security
Web: websecurify.com
WhiteHat Security
Sentinel product line
SAST, DAST, mobile testing
Web: whitehatsec.com
Yottaa
ContextIntelligence by Yottaa
CDN, DDoS protection, WAF
Web: yottaa.com
Ziften
Ziften Endpoint Security
Time user, device, and behavior monitoring analytics
Web: ziften.com