3 min read time

Gartner Names Fortify a Leader in Critical Capabilities

by   in Cybersecurity

It’s that time of year when the new Gartner Magic Quadrant for Application Security Testing is published. And it should come as no surprise that Fortify is a LEADER, yet again. Fortify ranks as a top Leader for pure SAST and DAST capabilities and was one of the only vendors in the quadrant to make moves up and to the right due to our expanded capabilities in DAST, Cloud Native AppSec and Software Composition Analysis. Fortify is also a Leader in the Forrester SAST WAVE, G2 and IDC Landscape reports as well.

But we’re here to talk about the 2023 Gartner® Critical Capabilities for Application Security Testing. This report complements the Magic Quadrant, ranking the same 12 vendors in their ability to provide 12 capabilities across five common use cases.

CTA download Gartner Critical Capabilities Report

But first, let’s look at how 2023’s critical capabilities changed from 2022:

As we can see by these changes, the software supply chain is a hot topic with Gartner. High-profile supply chain attacks are more common now that code bases rely heavily on open-source components. Below are some findings from our joint State of the Code Security report with Dark Reading that support these findings.

Application Security Posture Management also made its debut on the critical capabilities list. As an organization’s AppSec posture matures and tools increase, the need to aggregate and normalize vulnerabilities into a single pane of glass will continue to grow. Security professionals, executive management and developers need an integrated approach to make meaningful improvements in their application security posture. 

How did OpenText FortifyTm Rank?

Awesome, actually! To get all the juicy details, you can download and read the whole report here for free.

But here is a sneak peek at what Gartner had to say about Fortify.

OpenText offers the Fortify AST product by virtue of it acquiring Micro Focus in January 2023. Fortify AST delivers strong functionality across all critical capabilities examined in this research. In its original form, Fortify was one of the very first vendors to deliver commercial AST tools. The portfolio includes Static Code Analyzer, Webinspect (DAST), Debricked (SCA), Fortify Software Security Center and Fortify Insight (finding assessment and management tools), and Fortify on Demand (a SaaS-based offering encompassing most elements of the company’s portfolio). On-premises SCA capabilities are delivered through a long-standing OEM arrangement with Sonatype, where OpenText both sells and provides basic support for the Sonatype SCA products.

Fortify has introduced a variety of changes to its product set. The acquisition of Debricked provides a number of software supply chain capabilities, including Open Source Select. That product provides insights into data that can be leveraged to assess open-source software risks (frequency of updates, size of maintenance team, etc.) and helps guide teams to packages with the least potential for downstream risks. Fortify Insight is a portfolio addition that addresses ASPM, incorporating data from both Fortify’s own tooling as well as third-party solutions. Fortify has expanded its API security testing and discovery capabilities, adding support for GraphQL and gRPC APIs, along with support for traditional formats such as REST. In addition, the company notes a variety of enhancements leveraging machine learning, addressing such tasks as improving the quality and reliability of Audit Assistant ML models for Fortify findings (a long-standing complaint about Fortify SAST offerings).

These product enhancements and improvements have led OpenText to a much stronger product portfolio than in past years (when evaluated as Micro Focus), enabling the vendor to score near the top in each formal use case considered. OpenText placed high and scored well across all use cases.

What do you think? Do agree with this year's findings for the Gartner® Critical Capabilities for Application Security Testing report? Are there areas you think are more critical than their list? Are there particular capabilities or use cases you would like us to dig into more?

Let us know in the comments below.


Application security