In today’s market, “the need for application security is ubiquitous across small, midsize and large organizations. With new data privacy requirements, the consequences of a security breach are no longer limited to reputational damage, but also can involve substantial fines and penalties.”¹ “The 2020 US figure for the software technical debt residing in severe defects that need to be corrected would be $1.31 T.”² “For many, if not most, organizations, AST is the first element of an overall application security program where attention is focused.”¹ “Modern application design and the continued adoption of DevSecOps are expanding the scope of the application security testing (AST) market, a $6.2 billion industry.”³ The cost of AST licenses is only about 3% of the total cost of ownership of an AST program.⁴⁻⁵ Scaling the $6.2 billion license figure accordingly puts the total cost of ownership at roughly $200 billion a year; in other words, industry-wide, about $200 billion is spent annually on manually managing AST results.
The AST market is expected to grow to $13.2 billion by 2025.³ “According to the data presented by the Atlas VPN team, the fastest-growing cybersecurity skill in 2021 is Application Development Security. The demand for this competence is determined to rise by 164% in five years.”⁶ “The major factors driving the growth of the AST are the rising security breaches targeting business applications, increased use of the mobile and cloud-based technologies for commerce, and stringent compliance and regulatory requirements for application security. As a result, security and risk management leaders will need to meet tighter deadlines and test more complex applications by seamlessly integrating and automating AST in the software delivery life cycle.”⁷
Presently, there are several approaches to finding defects in software with AST tools:
Static analysis (SAST): examines source code or compiled binaries for defects without executing the program
Dynamic analysis (DAST): exercises the running application from the outside, the way an attacker would
Interactive analysis (IAST): instruments the running application and observes it from the inside while it is exercised
Software composition analysis (SCA): inventories third-party and open-source components and checks them against known vulnerabilities
Each approach comes with side effects, including false positives, irrelevant results, findings that are hard to trace back to their source, and defects that are hard or unlikely to exploit. Most problematic, however, is that no tool solves the fundamental and universal problem DevSecOps teams face today. “Traditional application security testing approaches weren’t designed for speed and transparency.”⁸ This conflicts with the fact that “a fundamental principle of DevSecOps, and one of its best known, is the goal of moving work through the system as rapidly as possible. Less well-understood, but crucial to DevSecOps and application security, is the principle of providing feedback to developers at an equal pace, and as early in the process as possible.”⁹ It is no wonder that “49% [of applications] contained high-risk vulnerabilities.”²