This post builds on my previous blog post, Competition is heating up in the AppSec market. If you haven’t already, I’d encourage you to read it first since it provides a lot of contextual information.
As I previously wrote, there are 4 types of vendors that have entered the AppSec market in the past 5 years. This post elaborates further on that trend and specifically on “Next Gen” AppSec startups.
A situation ripe for innovation
Without naming names, a number of established AppSec vendors have had existing products in the market for many years. These are well-known products in the security industry embraced by large enterprise companies. And frankly, a number of these vendors are languishing. These vendors are guilty of adding new product capabilities for the top 5% of their largest customers and have been overly consumed with trying to compete against competitors in an effort to just stay ahead.
The result:
Vendors that are distracted with a lack of market awareness of the broader developer ecosystem, open source alternatives and real world customer needs
Increasingly complex and bloated security products that are difficult to install, configure, support and use
Increasing costs and decreasing value for both the product itself and customer effort required compared to alternative solutions
Product innovation has slowed or has come to a complete standstill
Loss of vendor growth and marketshare relative to the overall market
One of the first AppSec innovators: Snyk
AppSec testing vendor, Snyk, was fully aware of the above situation and was one of the first significant innovators in the AppSec testing market. Founded in 2015 with a small seed round of funding, Snyk initially addressed open source security with an easier to use Software Composition Analysis (SCA) product specifically tailored for developers.
Three years later, in 2018, Snyk landed a $7M Series A round of funding [1] which kicked off an aggressive string of fund raising over the past few years. As of August 2023, they’ve raised a staggering $1.2B in funding over 13 rounds (per Crunchbase) with the aspiration of going public [2]. Snyk has also been a serial acquirer putting some of that funding to work. To date, Snyk has acquired 8 companies since 2019 including DeepCode in September 2020 giving them Static Application Security Testing (SAST) capabilities and most recently Application Security Posture Management (ASPM) startup Enso Security in June 2023. Snyk has also been busy building out their partner ecosystem with dozens of technical partners and product integrations.
End result: Since 2018 Snyk has grown from a small AppSec startup initially focused on SCA to a sizable 1,100+ employee multi-product AppSec vendor. Snyk is slowly and methodically chipping away at the AppSec testing market by simultaneously winning over developers and going after competitors such as Veracode, Synopsys, Checkmarx and others.
The wave of “Next Gen” AppSec innovators
While Snyk is an early and notable example of innovating and shaking up the market, there are literally dozens of new startups (and a few late stage startups) that have jumped into the AppSec market focused on innovating around the following use cases:
Application Security Posture Management (ASPM) / Application Security Orchestration & Correlation (ASOC) - Tools that ingest, normalize, dedupe and prioritize AppSec testing tool scan results and/or orchestrate AppSec testing tools
AppSec testing / artifact scanning - Tools such as SAST, DAST, IAST, SCA, etc…
Software supply chain security - Tools that ensure the software developed is what is actually released by producing software bill of materials (SBOMs), hardened SDLC pipelines, etc…
Runtime AppSec - Tools such as Web App Firewalls (WAFs), Runtime Application Self Protection (RASP), etc…
Blurred categories; more focused on addressing market gaps
An interesting observation with these new “Next Gen” AppSec startups is that they don’t all precisely fit into one market category like legacy AppSec vendors. Some do, but the large majority of these startups are more focused on addressing specific use cases where there are gaps in the market rather than fitting into a market category “bucket”.
For example, Start Left Security, founded in 2019, has an ASPM platform. However, Start Left Security also has Software Composition Analysis (SCA) capabilities and can produce SBOMs to support software supply chain security - so they are really a hybrid platform across three areas: ASPM + AppSec testing + software supply chain security. And Start Left Security is not the only vendor that has multiple capabilities. Rezilion, Endor Labs, Apiiro, Deepfactor, Oxeye Security, and others provide multiple complementary capabilities as well.
A second observation with these startups is that they cater to developers, fitting into existing development environments and DevOps processes. It’s well known that legacy AppSec tools can be painful to use - developers and security teams are forced to adapt to them, and not the other way around. However, these new startups prioritize ease of use, technical integrations and a strong partner ecosystem in order to integrate with existing development environments and processes, making them much easier to use than legacy AppSec tools. This can be said of all the startups mentioned above.
Why “good enough” might be BETTER than “perfect”
Most of the “Next Gen” AppSec testing startups are taking a markedly different approach with their products compared to legacy AppSec testing vendors by addressing:
Developer ease of use
Easier product integration
Hardcoded secrets in source code
Automating/orchestrating security tooling in the SDLC
Providing greater visibility into application source code risk
Assisting with vulnerability remediation
Materially addressing software supply chain risk
That said, let me elaborate on one example: legacy AppSec testing products are notoriously slow since they commonly scan all application source code or binaries regardless of whether that code is actually used. As a result, these products can generate a tremendous amount (aka overload) of results - which is a double-edged sword for the end user. However, some “Next Gen” AppSec testing startups use a more efficient method of scanning by only scanning the parts of the application codebase or binaries that are actually used. Or they determine whether a discovered vulnerability is reachable rather than just reporting additional vulnerabilities, thus greatly reducing scan result “noise”.
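To make the reachability idea concrete, here is an added illustration (not code from the post or from any vendor mentioned in it): a constructed call graph with three constructed SCA findings, where only findings whose vulnerable function is reachable from the application's entry point are surfaced; the node names and finding ids are hypothetical.

```python
from collections import deque

# Constructed sample call graph: caller -> callees. "app." nodes are first-party
# code, "dep." nodes are functions inside third-party packages the app installs.
CALL_GRAPH = {
    "app.main": ["app.handle_request", "dep.yaml.safe_load"],
    "app.handle_request": ["dep.requests.get", "app.render"],
    "app.render": ["dep.jinja2.render"],
    "dep.requests.get": ["dep.urllib3.request"],
    "dep.urllib3.request": [],
    "dep.jinja2.render": [],
    "dep.yaml.safe_load": [],
    "dep.yaml.load": [],          # shipped in the package but never called
    "dep.pillow.open_image": [],  # transitive dependency, never called
}

# Constructed SCA findings (hypothetical ids), each tied to the vulnerable function.
FINDINGS = [
    {"id": "FINDING-A", "package": "urllib3", "function": "dep.urllib3.request"},
    {"id": "FINDING-B", "package": "pyyaml", "function": "dep.yaml.load"},
    {"id": "FINDING-C", "package": "pillow", "function": "dep.pillow.open_image"},
]


def reachable_from(graph, entry_points):
    """Breadth-first walk of the call graph starting at the app's entry points."""
    seen = set()
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, []))
    return seen


def triage(findings, graph, entry_points):
    """Split findings into those on a reachable call path and those that are noise."""
    reach = reachable_from(graph, entry_points)
    reachable = [f["id"] for f in findings if f["function"] in reach]
    unreachable = [f["id"] for f in findings if f["function"] not in reach]
    return reachable, unreachable


if __name__ == "__main__":
    hits, noise = triage(FINDINGS, CALL_GRAPH, ["app.main"])
    print("reachable:", hits)       # FINDING-A only
    print("suppressed:", noise)     # FINDING-B and FINDING-C
```

A real product derives the graph from the code and links findings to package functions via vulnerability metadata; the walk above is the same reachability filter reduced to its core.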
Unless a customer has a requirement to discover and remediate ALL application vulnerabilities, or a mandate to comply with industry standards such as MISRA, ISO 26262, etc…, one of these more innovative, faster, less complex “Next Gen” AppSec testing startups might be a better and more efficient option than a legacy AppSec testing vendor that is attempting to provide perfect results.
As the well-known AppSec industry expert Tanya Janca pointed out in a July 2023 IANS blog post [3], “In my estimation, 95% of companies do not need to be perfect, they just need to be very expensive for malicious actors to attempt to exploit. In which case, second generation SAST is most likely the right choice for you.”
So, the question to ask regarding legacy AppSec tools: Is the juice worth the squeeze? For a few customers, yes they are absolutely necessary, but for most, legacy AppSec tools are likely overkill, expensive and burdensome.
“Next Gen” AppSec startups are being picked up
A notable trend that has been taking place recently is that larger security and observability vendors are acquiring AppSec startups to bolster existing products or give them net new AppSec capabilities (and perhaps an additional source of revenue).
Below is a list of recent AppSec startup acquisitions since 2021:
Jul 2023 - Rumor: CrowdStrike to acquire Bionic.AI [4]
Jun 2023 - BluBracket acquired by HashiCorp
Jun 2023 - Enso Security acquired by Snyk
May 2023 - Ion Channel acquired by Exiger
Nov 2022 - Cider Security acquired by Palo Alto Networks
May 2022 - Hdiv Security acquired by Datadog
Feb 2022 - Spectral acquired by Check Point Software
Jul 2021 - Sken.ai acquired by Fortinet
Jun 2021 - Code Dx acquired by Synopsys
May 2021 - FossID (assets) acquired by Snyk
Feb 2021 - Sqreen acquired by Datadog
What’s next for “Next Gen” AppSec startups?
As long as AppSec startups continue to innovate in key areas where there’s a gap in the market, there will be a demand for these products and their capabilities. I predict the following vendor categories will continue to acquire AppSec startups for the foreseeable future:
Legacy AppSec testing (e.g.: Veracode, Synopsys, Checkmarx, etc…)
Observability / Monitoring (e.g.: New Relic, Dynatrace, etc…)
DevOps Platforms (e.g.: GitHub, GitLab, etc…)
Cloud Native Application Protection Platforms (CNAPPs) (e.g.: CrowdStrike, Sysdig, etc…)
If you liked this post, please subscribe and share it with others.
If you think my insight would add value to your organization, please email or DM me on LinkedIn to engage. Thank you!
[1] Newswire, Snyk Secures $7M in Series A Round, 06 March 2018
[2] Reuters, Cybersecurity startup Snyk taps Morgan Stanley, Goldman for IPO, 07 March 2022
[3] Janca, T. (2023, July 13). How to Select the Right DAST and SAST Tools. IANS. https://www.iansresearch.com/resources/all-blogs/post/security-blog/2023/07/13/how-to-select-the-right-dast-and-sast-tools
[4] TechCrunch, Source: CrowdStrike is close to acquiring Bionic.AI for between $200M and $300M, 26 July 2023