Competition is heating up in the AppSec market
And the drivers behind it
Over the past 5 years, the Application Security (aka AppSec) market has become increasingly competitive, with more and more vendors jumping into the category. Unless you’re an incumbent vendor (or an investor) in the category, increased competition is expected and not very interesting. What is more interesting, however, is the types of vendors moving into the AppSec market and the drivers behind this recent trend.
Context
But first, it’s important to understand what the AppSec market is and its composition. According to Gartner, the AppSec market is composed of three subcategories:
Web App Firewalls (WAFs)
Vulnerability Management / Assessment
AppSec Testing (e.g. SAST, DAST, IAST, SCA, etc.)
In terms of size, Gartner has forecasted the overall AppSec market to be $7.5B for 2023 [1].
Established AppSec vendors
When analyzing the AppSec market as a whole, the large majority of vendors have been in the market with AppSec capabilities for at least 7 years. These are established AppSec vendors who largely competed against each other within their respective market subcategory without much outside competition.
Some vendors may have recently changed hands (e.g. Signal Sciences, now Fastly; IBM AppScan, now HCL AppScan) or changed names (e.g. Mend, formerly WhiteSource), but these are essentially the same “legacy” vendors operating and competing in the same market subcategories.
New vendors entering the AppSec market
Starting around 2018, additional vendors gradually started to enter the market with AppSec capabilities. These vendors range from large DevOps platforms such as Microsoft/GitHub/Azure to small AppSec startups founded a couple of years ago. The trend has only accelerated over time, with literally dozens of new vendors, large and small, entering the AppSec market in the past 5 years. This trend has been especially prevalent in the AppSec testing subcategory, illustrated in the slide below.
When you look at the vendors coming into the AppSec market, there are essentially 4 distinct types of vendors:
DevOps Platforms (e.g. Microsoft/GitHub/Azure, GitLab) that have incorporated AppSec testing capabilities
Monitoring / Observability vendors (e.g. Dynatrace, Datadog) that have added WAF/RASP or other AppSec capabilities
Cloud Native Application Protection Platforms (CNAPPs) that have added artifact scanning
“Next Gen” AppSec Startups that are building a better AppSec testing mousetrap with artifact scanning, software supply chain security or other AppSec capabilities
The impact
Not surprisingly, the increased number of AppSec vendors and solutions has resulted in increased competition across most of the AppSec market. Legacy AppSec vendors that were seeing 30%+ growth 5-6 years ago are being negatively impacted, and their growth is being chipped away by this increased competition.
The next question is: why? Why are all these new vendors adding AppSec capabilities to an already crowded market?
Below are 4 drivers for this trend, in no particular order.
Driver 1: Material growth
Expanding on Gartner’s market forecast (referenced above), the overall AppSec market is estimated to be $7.5B in 2023 and growing at 23%. In fact, out of the 11 security markets in Gartner’s forecast, only Cloud Security is estimated to slightly outpace the growth of the Application Security market.
Driver 2: More security vendors are “shifting left”
Unless you’ve been living under a rock in the security world for the past few years, you’ve probably heard industry messaging around “shift left” or, perhaps less prevalent, “shift everywhere”.
Shifting left is the practice of moving testing, quality and performance evaluation earlier in the development process. Shift left testing has become increasingly important as teams face pressure to deliver software faster and more frequently, with higher quality and fewer software defects.
End result: More and more vendors in adjacent categories are adding AppSec “shift left” capabilities such as artifact scanning or application protection, either organically by building them themselves or inorganically via acquisition.
Notable examples: GitLab acquired two fuzz testing vendors, Peach Tech and Fuzzit, in June 2020 [2]. CrowdStrike added container image scanning and SCA capabilities to their CNAPP solution in July 2022 [3].
Driver 3: Reduce developer friction
Historically, a lot of commercial AppSec testing tools have not been the easiest tools to deploy and use, especially for developers. Full disclosure: I spent the last several years working for a large AppSec testing vendor, so I’m aware of the pain these tools can present for developers.
Without naming names, some of these tools require heavy vendor support for installation, customization and training. Support for additional programming languages or new features may take vendors a very long time to add. Also, some of these tools can take many hours to complete a single scan. Not ideal, to say the least.
End result: New startups are coming in and doing what established AppSec testing vendors are not doing. These startups are building a better AppSec testing mousetrap that reduces or eliminates the pain of legacy tools and is specifically catered to developers, development environments and DevOps processes.
Notable examples: New AppSec testing startups have emerged such as StackHawk and Bearer in 2019, Semgrep in 2020 and Oxeye in 2021.
Driver 4: Software supply chain risk
In light of the recent uptick in software supply chain-related security breaches and Executive Order 14208 issued by President Biden in May 2021, a number of new AppSec startups as well as established vendors are addressing software supply chain security.
End result: Vendors are finding opportunities to build new, innovative solutions that specifically address software supply chain security in various ways.
Notable examples: New software supply chain security startups have emerged such as Rezilion in 2018, Apiiro in 2019 and Chainguard in 2021.
Takeaway/Summary
The overall AppSec market is $7.5B in 2023, growing at 23%, per Gartner’s forecast
Competition has increased in the last 5 years, with dozens of new vendors entering the AppSec market, especially the AppSec testing subcategory
Legacy AppSec vendors are seeing a negative impact on growth due to this increased competition
Multiple drivers are behind the trend: a material market opportunity, the recent security trend of “shifting left” in order to deliver higher quality software faster, better AppSec solutions catered to developers, and software supply chain risk
[1] Gartner, Inc., “Gartner Identifies Three Factors Influencing Growth in Security Spending”, 13 October 2022
[2] GitLab, Inc., “GitLab Acquires Peach Tech and Fuzzit to Expand its DevSecOps Offering”, 11 June 2020