Gartner defines the application security testing (AST) market as the buyers and sellers of products and services designed to analyze and test applications for security vulnerabilities. The market comprises tools offering core testing capabilities — e.g., static, dynamic and interactive testing; software composition analysis (SCA); and various optional, specialized capabilities. AST tools are offered either as on-premises software or, more often, as software as a service (SaaS)-based subscription offerings. Many vendors offer both options. Core capabilities offer foundational testing functionality, with most organizations using one or more types, which include: - Static AST (SAST) analyzes an application’s source, bytecode or binary code for security vulnerabilities, typically during the programming and/or testing phases of the software development life cycle (SDLC). - Dynamic AST (DAST) analyzes applications in their running (i.e., dynamic) state during testing or operational phases. DAST simulates attacks against an application (typically web-enabled applications, but, increasingly, application programming interfaces [APIs] as well), analyzes the application’s reactions and, thus, determines whether it is vulnerable. - Interactive AST (IAST) instruments a running application (e.g., via the Java Virtual Machine [JVM] or the .NET Common Language Runtime [CLR]), and examines its operation to identify vulnerabilities. Most implementations are considered passive, in that they rely on other application testing to create activity. IAST tools then evaluate. - SCA is used to identify open-source and, less frequently, commercial components in use in an application. From this, known security vulnerabilities, potential licensing concerns and operational risks can be identified.