Application security testing (AST) is a complicated $3+ billion market, particularly when it comes to pricing. The three main classifications of testing tools in this security subcategory are dynamic (DAST), static (SAST) and interactive (IAST). The pricing differences between tools and vendors are hard to analyze – and it’s easy to fall prey to the complexity by spending more than you need to.
While deals and contracts in this sector can have many intricate parts, it’s also an area where vendors often claim they have ‘one-stop shop’ capabilities. In reality, this claim holds limited truth.
This is a competitive landscape where vendor sales teams get creative to maximize the size of the sale.
Here are some tips to help you avoid overspending on your next AST purchase:
Consider more than one application security testing vendor’s solution stack.
It’s not uncommon for companies to use more than one vendor’s solution covering the same type of testing, as testing tools have different strengths and weaknesses. This is a good approach for implementing DAST/SAST redundancies on key applications. And it can also increase competition and pricing pressure when a vendor knows a competitor is in the environment, even if they have a small footprint.
Group and prioritize applications before seeking solutions.
Enterprises purchase application security testing solutions for a variety of application types: homegrown applications developed in-house, open source applications and packaged commercial off-the-shelf (COTS) applications. The optimal security testing solutions will depend on your unique mixture of application types. NPI recommends identifying a list of target applications by type, and then prioritizing them. Select a few hundred applications for scanning/testing in “phase 1” before rolling out to everything. This also helps determine which tools should be prioritized for spend allocation.
Request vendor pricing metrics.
Many of the leading vendors price their products on a ‘per application’ basis. However, NPI sees a variety of metrics in use in some deals, including ‘per code line’ or ‘per user.’ We recommend asking vendors for all the different ways solutions may be priced to increase transparency.
Expect further vendor consolidation.
Ownership of the leading solutions in this space has seen some disruption (e.g. Veracode being bought by CA, which later sold it to Thoma Bravo; Fortify going to Micro Focus; etc.), and NPI expects further consolidation in the future. Customers should be aware of how consolidation in the marketplace is affecting overall pricing trends, specific vendors’ pricing and licensing/subscription programs, and solution stacks.
NPI encourages clients to remain vigilant and carefully weigh options. Pricing for these solutions can be almost as confounding as the technical components of the purchase!