In the future, can you have your appsec cake and eat it as well ?

In my article, A Security Tools Crash Is Coming, I wrote about the fact that people want less tools and not more. The underlying premise is that more tools create more noise, and are more expensive to operate. The perfect storm is that there is a growing trend across infosec that ‘good-enough is good-enough’, a trend better known as pragmatism.

Some people argue that there will always be people that want to buy best-of-breed individual tools, and I can see that. I think those people are becoming fewer and farther between, but I do accept those people will always be there. Even people that have bought good-enough, may need or want to buy best-of-breed to fill a feature gap. A good example in the commercial appsec tools world today, is SAST coverage of modern languages, like Go and Rust. 

Over the holidays I have been thinking alot about the dilemma of best-of-breed versus good-enough, and I think there is a scenario where the developer tools platforms will eventually allow people to have their cake and eat it as well. Good-enough, and ‘best-of-breed’, all operating side-by-side on one platform. Let me explain. 

I built a few visuals a few months back to explain where I think the appsec tools market is headed. They were inspired by a graphic I saw on bionic.ai and before anyone even thinks of suggesting it, they are not bloody magic quadrants.

Diagram one, that isn’t a magic quadrant, is a way to describe appsec tools today. 

In the upper left of the quadrant, that isn't a magic quadrant, you see the classic appsec tools used to scan code in dev / qa. SAST or Static Application Security Testing, DAST or Dynamic Application Security Testing and now SCA or Software Composition Analysis. There are best of breed individual tools in each category like SemGrep, CodeQL and OWASP Zap and established appsec platforms covering all the features in the quadrant, companies like Veracode, Checkmarx, Contrast Security and Snyk. Some of those platform vendors are now dipping their toes in other quadrants (see below).

In the lower left of the quadrant, that isn't a magic quadrant, you see the cloud native infrastructure tools such as container vulnerability scanners and the Infra as Code scanners. This is your Twistlock, Trivvy and BridgeCrew. 

In the upper right hand side of the quadrant, that isn’t a magic quadrant, you see the appsec tools typically deployed to protect production applications such as WAFs and RASPs. This is your Signal Sciences and Contrast Security. 

In the lower right hand side of the quadrant, that isn’t a magic quadrant, you see the cloud native infrastructure tools, the dominant one today being CSPM. This is your Wiz.io, Laceworks and Palo Alto Prisma. An emerging category is DSPM or Data Security Posture Management and for transparency I am a significant shareholder in Open Raven so I likely have a biased view about why that is such an important part of that quadrant, that of course, isn't a quadrant.

If you are a security team, it is not a question of either this quadrant or that quadrant. It's a question of what we do in each quadrant. We have to secure the code we wrote, the code someone else wrote, the cloud accounts we use, the cloud resources we use, the resources like containers that those resources use and we have to try and secure them in dev / qa and we have to accept the real world, and ‘double bag’ it’ all in production. 

When this landscape is viewed as a single pane of glass, it results in what I call Cloud Native Security Platforms, a single platform that offers features across all of the areas of the modern cloud native applications.  This is where I think cloud security and application insecurity companies are going to converge and where the next generation of platforms are headed. 

Diagram 2 is a way to describe a Cloud Native Security Platform

Nothing really changes in terms of features and functionality across the quadrants, it's just that they all come from a single vendor and are all presented in a single pane of glass, or at least that's the way it is meant to work. Most of these types of platforms are created from acquisitions of smaller best-of-breed startups. Sure, each part could itself be best-of-breed, and they could have the potential to work ‘better together’, but if history tells us anything, that's just not how it works in reality. 

Big companies have different cultures, big companies are usually sales driven while early companies are product driven, big companies have different ways of product management and development, and the list goes on. I can’t cite many examples of platforms that have emerged predominantly from acquisitions that people rave about. These are generally the platforms for the world of good-enough.

If you subscribe to the two diagrams above, then you also subscribe to the fact that users are left with a dilemma. You can buy best-of-breed, getting the best individual technical security outcomes and deal with the overhead, or you can buy good-enough and get something that is, well, good-enough. Apart from filling the feature gaps, in practical terms, you can’t have both or at least you can’t justify having both.

The good news is that I think, in the future, we will be able to get the best of both worlds. We will be able to have your appsec cake, and eat it as well. 

There is no doubt that developer tools platforms like GitHub and DataDog are adding features across the board and security is one area they are investing in. This is great for the good-enough camp. I love Github (CodeQL especially), and I love DataDog, and I am not saying their security tools are only good-enough today, but history generally repeats itself, and you would have to be a brave person to bet against their security tools going from best-of-breed today to good-enough over time. 

Here is where I think the magic will happen. The developer tools platforms have a super power and it’s called the Marketplace. All of the major developer tools platforms have marketplaces. Github has one, Gitllab has one, AWS has one, Azure has one. Everyone that’s anyone has one. 

Marketplaces are genius because they fill product gaps and make the underlying platforms sticky. When you wire in a second tool, you wire in two tools to your developer process making it twice as hard to move away from. I would even bet that the math is more exponential than additive. 

Developers love marketplaces because they can discover and try tools. Management loves marketplaces because they get central visibility into tools being used. Admin loves marketplaces because of centralized administration. Procurement loves marketplaces because they can control billing. 

Developer platform vendors love marketplaces because they make their platforms sticky. No one really cares about losing a bit of revenue. It’s mice nuts in the grand scheme of things. I ran MSDN subscriptions at MSFT in the mid 2000’s, a $1B business with a million subscribers. It was not the $1B that mattered, it was the million subscribers building on Windows and making Windows sticky that mattered. Windows was a desktop platform. Platforms vendors make well offer good-enough features but will always support best-of-breed features from partners.  Developers, developers, developers. 

The bright future for appsec professionals, and developers alike, is that developer platform marketplaces allow users to use a good-enough feature in the core platform, or add overlapping tools, or close a feature gap, with a best-of-breed tool, and all at the click of a button. Think of SAST today and languages like Rust and Go. No support from the core platform? Easy, inject this and boom. 

The developer platforms marketplace shelves are not filled with best-of-breed security tools today, but are also not fleshed out with security features in their core platforms yet either. That's changing fast (see the amount of tools in the marketplace links above) and when best-of-breed vendors wake up to a friction free, low cost customer acquisition that enables them to get to the total addressable market, it will happen. Jump the shark. And who will really win?  Consumers. Better competition will mean better tools.

I think that in the next two to three years, the appsec tools space will be won by cloud native security platforms, and that will be a fight that will be fun to watch. Will Palo Alto be able to take on Wiz? Maybe a big acquisition will merge a dev / qa company with a production company? Who knows, but I do know that the security tools crash will accelerate fight night for sure. 

I am convinced that over the next decade, the appsec tools market will be won by the developer platforms and I can wait for it to happen. Developer platforms and developer platform marketplaces will allow us all to have our appsec cake, and eat it as well and who doesn’t like cake ? 

The picture below is the empty plate after a slice of delicious apple pie from a cafe in Amsterdam, where I am sat as I finish this article. 

PS : Shouldn’t the much hyped ‘magic quadrant’ actually be called ‘magic quadrants’ ? A quadrant is by definition a quarter. If true, perhaps them most ironic thing about magic quadrants, is that the very definition, and the content, is consistently wrong.