As cyberattacks continue to mount in scale and sophistication, application security has never been more critical to enterprise businesses and public-sector agencies. The new Gartner report “Hype Cycle for Application Security, 2023” highlights the need to modernize application security programs with innovative technologies to help organizations develop secure code and guard against supply-chain risks.
The 2023 Gartner Hype Cycle for Application Security notes, “Organizations are producing their own applications and are using faster and more agile methodologies to accomplish this. In doing so, they rely on developers to secure code, rather than security practitioners.” Gartner highlights DevSecOps as a driver for security automation and names NowSecure as a sample mobile application security testing vendor.
Gartner analysts recommend adopting application security technologies that enable developers to build apps in their preferred tools and workflows, quickly test them for security and privacy vulnerabilities, and easily remediate security bugs so they can meet release schedules. NowSecure offers the only comprehensive integrated suite of solutions to meet these needs, including automated mobile application security testing, secure coding training, mobile app vetting for supply-chain risk management, and mobile Pen Testing as a Service.
What Is the Gartner Hype Cycle?
The Gartner Hype Cycle is a graphical representation and research methodology from Gartner for tracking the adoption and maturity of emerging technologies and their potential impact on industries. The Hype Cycle provides a framework for understanding the lifecycle of technology trends.
Companies use this important research to assess trends, manage risk, inform strategic planning, innovate, understand market dynamics, make investment decisions, educate stakeholders and track technical evolution.
The Gartner Hype Cycle estimates the expected timeline for technology categories to mature from nascent stages through mainstream adoption. The phases include:
- Innovation Trigger: Occurs when an event, technological breakthrough or product launch generates buzz
- Peak of Inflated Expectations: Product usage increases though there’s still more hype than proof that the innovation can deliver
- Trough of Disillusionment: Original excitement wears off and early adopters encounter challenges
- Slope of Enlightenment: Early adopters realize initial benefits and others start to understand how to adapt the innovation to their organizations
- Plateau of Productivity: More users realize real-world benefits and the featured technology becomes mainstream
In addition to categorizing maturity levels of each highlighted technology, the Gartner Hype Cycle further classifies technologies by rating the benefits on a scale from low to high.
- Technologies with low benefits slightly improve processes that will be difficult to translate into increased revenue or cost savings.
- Technologies with moderate benefits provide incremental improvements to established processes that will increase revenue or cost savings.
- Technologies with high benefits ratings enable new ways of performing horizontal or vertical processes that will increase revenue or cost savings.
- Transformational technologies enable new ways of doing business across industries that will dramatically shift industry dynamics.
Application Security Modernization
Gartner writes that DevSecOps enables security teams to keep pace with development and operations teams in modern application development. DevSecOps has reached maturity and drives the need for application security.
Today, more than 80% of all digital time online is spent in mobile apps rather than on the web, generating more than $260 billion in mobile revenue in 2022. Not surprisingly, organizations need robust mobile application security testing (MAST) solutions to find and fix security and privacy vulnerabilities before releasing mobile apps.
Gartner proclaims that mobile app security testing has entered the Hype Cycle Slope of Enlightenment phase where “commercial off-the-shelf methodologies and tools ease the development process” and is approaching the Plateau of Productivity in which “real-world benefits of an innovation are demonstrated and accepted and tools and methodologies are increasingly stable.”
The market penetration for mobile AppSec testing has reached 20% to 50% of the target audience, reports Gartner. “Even though every organization that delivers mobile applications should perform security testing, regulated and other high-security industries such as financial services, healthcare and online retail, have a higher urgency to adopt mobile AST,” Gartner notes.
“Many organizations have less advanced application security programs and are not yet testing mobile app code,” the report states. That means businesses leave their mobile apps exposed to security and privacy vulnerabilities that put company and customer data at risk.
In fact, NowSecure benchmark testing of millions of mobile apps in the App Store and Google Play reveals that 85% contain security and privacy issues. Breaches and data leaks jeopardize revenue, damage customer trust and subject organizations to regulatory fines and penalties.
Web and mobile attack surfaces and architecture differ significantly, making legacy web application security testing tools insufficient for assessing mobile apps. Gartner recommends deploying robust mobile application security automation that can identify client-side code vulnerabilities and includes static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST) and third-party risk assessment capabilities.
NowSecure Platform runs a battery of 600 tests using SAST, DAST, IAST and API security testing for the deepest and broadest risk coverage in the industry, accurately identifying security, privacy, supply chain and app store blocker issues. NowSecure Platform integrates in the DevSecOps pipeline and speeds resolution through developer-friendly issue details such as business impact, evidence, embedded remediation instructions, code samples, vulnerable code locations, links to Apple and Android developer documentation, and just-in-time training videos.
Gartner advises organizations that need a specialized, lightweight or speedy mobile AST solution to look for dedicated mobile offerings. Gartner also recommends using the OWASP Mobile Application Security Verification Standard (MASVS) as a practical reference for evaluating a testing solution’s technical capabilities and coverage. NowSecure Platform automated testing and pen testing assessments map to the OWASP MASVS to help aid compliance with the leading industry standard for mobile application security.
Mobile AppSec Software & Services Uses
In addition to using mobile AppSec testing solutions to assess the apps organizations build themselves, the Hype Cycle report notes that enterprises use them for application vetting to determine which ones are safe to use. Many NowSecure customers tap NowSecure Platform to evaluate third-party apps in the public app stores before deploying them in their organizations.
The Gartner report emphasizes the value of a Software Bill of Materials (SBOM) for evaluating software development kits, open-source software components and other third-party code to guard against supply-chain attacks. This is particularly important because Gartner estimates that 40% to 80% of code in new software projects comes from third parties such as runtimes, libraries, components and SDKs. NowSecure Platform generates a dynamic SBOM with each assessment to inform developers which third-party libraries are present in their applications. The expert NowSecure penetration testing team also offers SDK pen testing as a service to help developers understand the security risks in the SDKs they use or provide to customers.
Elsewhere in the Hype Cycle report, Gartner tracks the rise of generative artificial intelligence (AI) and rates it as a transformational technology. However, it also documents potential security risks of using AI coding assistants such as GitHub Copilot or Tabnine and emphasizes the need to thoroughly test for security and code quality issues when using AI assistants.
The 2023 Hype Cycle for Application Security highlights secure coding training as another emerging technology. “75% of software engineering leaders surveyed in the 2022 Gartner Software Engineering Leaders Role Survey stated that application security skills are a pain point in their organization,” states the report. Secure coding training raises awareness about the impact of vulnerabilities and upskills developers by teaching them how to build secure mobile apps. NowSecure Platform offers developer remediation assistance and just-in-time training videos while NowSecure Academy offers a wealth of free training and educational videos on secure coding practices.
Finally, the Gartner Hype Cycle highlights Pen Testing as a Service (PTaaS) as an innovative technology poised to plateau in five to 10 years. Delivered via a SaaS model, PTaaS combines automation and manual pen testing to increase efficiency and effectiveness. “PTaaS complements vulnerability scanning and application security testing and provides cost-optimization and quality improvement of pen testing output and validation of vulnerability status,” the researchers state.
Gartner advises clients to seek a PTaaS provider that combines human analysis and automation, aligns with relevant compliance requirements and provides customized guidance throughout the engagement to alleviate the security skills gap. NowSecure Mobile PTaaS combines continuous automated security testing and expert pen testing to deliver the needed frequency, depth and coverage, while taking a consultative approach to meeting customer needs.
Request a demo of NowSecure Platform to see why Gartner cited it in the Application Security Hype Cycle and how it solves the DevSecOps and security challenges outlined in the report.
Report Disclaimer: Gartner, Hype Cycle for Application Security, 2023, Dionisio Zumerle, 24 July 2023.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and HYPE CYCLE is a registered trademark of Gartner, Inc. and/or its affiliates. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.