Application Security Testing Reviews and Ratings
What is Application Security Testing ?
Gartner defines the application security testing (AST) market as consisting of providers of products that enable organizations to assess applications for the presence and management of risk. These products identify risk by evaluating source code, performing runtime tests and inspecting supply chain components. AST products can be integrated throughout development workflows for continuous assessment or be used to perform ad hoc evaluations. They enable organizations to manage application risks by providing an integrated set of capabilities for risk identification, prioritization and triage, policy evaluation and enforcement, and remediation assistance. Market offerings are available in on-premises, SaaS and hybrid delivery models.
Organizations leverage AST products to assess applications for the presence of security vulnerabilities and other risks (e.g., legal and operational) throughout their life cycle. These assessments are used to measure and manage the risks within individual applications, application components or groups of applications in the context of their business criticality and other key attributes (e.g., environment, sensitive data handling, etc.). AST products further enable organizations to evaluate software for compliance with internal policies as well as regulatory requirements established by governments or authoritative industry groups.
Product Listings
Filter by
Veracode is a software security firm focused on identifying flaws and vulnerabilities across all stages of the software development lifecycle. The foundation of Veracode's approach lies in its Software Security Platform, which uses advanced AI algorithms trained on vast datasets of code. This allows for faster and more precise identification and rectification of security flaws. Veracode's mission is to evolve the concept of software security, ensuring it stays aligned with the dynamic needs of today's software development processes.
Checkmarx helps the world’s largest enterprises get ahead of application risk without slowing down development. We end the guesswork by identifying the most critical issues to fix and give AppSec the tools they need, all while letting developers work the way they want. From DevSecOps to developer experience, security and development teams can now work better together.
Appknox is a mobile application security firm utilized by different companies globally. It provides a platform for facilitating immediate threat detection within these applications. Appknox has developed a user-friendly system where an app can be uploaded, run through various test procedures, and then receive a comprehensive security diagnostic report. This report highlights any detected threats and provides suggestions for patching them. Appknox is designed to easily integrate with existing security protocols.
PortSwigger is a company that specializes in developing software tools used for security testing of web applications. The company's primary focus lies in the web security industry, and it's known for the creation of the Burp Suite, a tool commonly utilized by professionals in this field. The company is based near Manchester, UK and has a steady team of Java and .NET developers who contribute to maintaining and advancing the capabilities of the tools developed by the company.
Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of disruptive cloud-based security, compliance and IT solutions with more than 10,000 subscription customers worldwide, including a majority of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline and automate their security and compliance solutions onto a single platform for greater agility, better business outcomes, and substantial cost savings.
The Qualys Cloud Platform leverages a single agent to continuously deliver critical security intelligence while enabling enterprises to automate the full spectrum of vulnerability detection, compliance, and protection for IT systems, workloads and web applications across on premises, endpoints, servers, public and private clouds, containers, and mobile devices.
Rapid7, Inc. aims to create a safer digital world by simplifying and making cybersecurity simpler and more accessible. Rapid7 empowers security professionals worldwide to manage a modern attack surface through its technology, research, and broad, strategic expertise. Rapid7’s comprehensive security solutions help over 11,000 customers unite cloud risk management with threat detection and response to reduce attack surfaces and eliminate threats quickly and precisely.
HCLSoftware is an integral arm of HCLTech and is primarily engaged in the development, marketing, sale, and support of software solutions. The company's main sector focus includes AI and Automation, Data, Analytics and Insights, Digital Transformation, and Enterprise Security. As a provider of cloud-native solutions for enterprise software, HCLSoftware is responsible for powering an extensive number of applications at numerous organizations globally. The fundamental mission of HCLSoftware revolves around ensuring customer success through continuous product innovation.
GitLab is a comprehensive AI-powered DevSecOps platform for software innovation. As a software delivery platform for development, security, and operations teams, GitLab brings security and compliance to AI-powered workflows throughout the software delivery lifecycle, helping customers deliver secure software faster. GitLab Duo, the company’s suite of AI capabilities, improves team collaboration and reduces the security and compliance risks of AI adoption by bringing the entire software development lifecycle into a single AI-powered application that is privacy-first.
With GitLab, customers can visualize their end-to-end value streams, boost developer productivity with out-of-the-box analytics, and secure their software supply chain with SAST, DAST, secret detection, container scanning, and API testing. It enables organizations to increase developer productivity, improve operational efficiency, and accelerate cloud transformations to maximize the overall return on software development.
Fluid Attacks helps companies to develop secure software without delays. We are an all-in-one solution that helps you accurately find and remediate vulnerabilities throughout the SDLC. Our solution combines automation, AI and pentesters to perform SAST, DAST, SCA, CSPM, SCR, PTaaS and RE. This way, we provide you with accurate knowledge of the security status of your application. We enable your DevSecOps implementation. This means security goes alongside innovation without hindering your speed. Fluid Attacks provides you with expert knowledge about vulnerabilities and support options that enable you to remediate the security issues in your application.
Formed through the combination of Netsparker, Acunetix, and Kondukto, Invicti Security provides an application security platform that unifies DAST, SAST, IAST, SCA, API security, secrets scanning, container security, and application security posture management (ASPM) to help enterprise organizations identify, prioritize, and remediate vulnerabilities across their application portfolio.
The platform's proof-based scanning validates runtime vulnerabilities while ASPM capabilities correlate findings across security tools to eliminate false positives. AI-powered remediation provides contextual fix recommendations within developer workflows. Key capabilities include automated vulnerability discovery, intelligent risk prioritization, unified dashboard management, and CI/CD pipeline integration.
Contrast Security's Runtime Application Security solutions embed code analysis and attack prevention directly into the software development lifecycle. Patented instrumentation provides integrated and comprehensive security observability that delivers accurate assessment and continuous protection. The Contrast Runtime Security Platform enables powerful Application Security Testing and Application Detection and Response, allowing developers, AppSec teams, and SecOps teams to protect and defend their applications against an evolving threat landscape.
Black Duck builds trust in software by enabling organizations to manage application security, quality, and compliance risks at the speed their business demands. Black Duck solutions help developers to secure code as fast as they write it; development and DevSecOps teams to automate testing within development pipelines without compromising velocity; and security teams to proactively manage risk and focus remediation efforts on what matters most. With Black Duck, organizations can transform the way they build and deliver software, aligning people, processes, and technology to intelligently address software risks across their portfolio and at all stages of the application lifecycle.
Black Duck builds trust in software by enabling organizations to manage application security, quality, and compliance risks at the speed their business demands. Black Duck solutions help developers to secure code as fast as they write it; development and DevSecOps teams to automate testing within development pipelines without compromising velocity; and security teams to proactively manage risk and focus remediation efforts on what matters most. With Black Duck, organizations can transform the way they build and deliver software, aligning people, processes, and technology to intelligently address software risks across their portfolio and at all stages of the application lifecycle.
Formed through the combination of Netsparker, Acunetix, and Kondukto, Invicti Security provides an application security platform that unifies DAST, SAST, IAST, SCA, API security, secrets scanning, container security, and application security posture management (ASPM) to help enterprise organizations identify, prioritize, and remediate vulnerabilities across their application portfolio.
The platform's proof-based scanning validates runtime vulnerabilities while ASPM capabilities correlate findings across security tools to eliminate false positives. AI-powered remediation provides contextual fix recommendations within developer workflows. Key capabilities include automated vulnerability discovery, intelligent risk prioritization, unified dashboard management, and CI/CD pipeline integration.
OpenText powers and protects information. As a global information management provider for businesses, OpenText tools span content management, Artificial Intelligence (AI), cybersecurity, cloud, and business networks. For over 30 years, OpenText has helped organizations manage and protect their data and documents while modernizing their information architecture. Its integrated hub connects information across departments and applications to enhance employee experience, productivity, and collaboration, while making information structured and searchable through AI, machine learning, and semantic search. In addition, OpenText delivers endpoint security and digital life protection solutions to safeguard businesses against cyberattacks and data breaches.
Snyk specializes in providing security solutions that enable security teams and developers to work together to reduce application risk and speed software delivery. By integrating application security into developers' workflows, Snyk aims to help organizations secure their applications from code creation to cloud deployment. The end-to-end view of applications gives developers and security the shared perspective to improve security posture, while enhancing developers' productivity, preventing issues early in the development cycle, and allowing for the fastest response when security events like zero days occur.
Sonar helps prevent code quality and security issues from reaching production, amplifies developers' productivity in concert with AI assistants, and improves the developer experience with streamlined workflows. Sonar analyzes all code, regardless of who writes it—your internal team or genAI—resulting in more secure, reliable, and maintainable software.
Rooted in the open-source community, Sonar’s solutions support over 30 programming languages, frameworks, and infrastructure technologies. Today, Sonar is used by 7M+ developers and 400K organizations worldwide.
OpenText powers and protects information. As a global information management provider for businesses, OpenText tools span content management, Artificial Intelligence (AI), cybersecurity, cloud, and business networks. For over 30 years, OpenText has helped organizations manage and protect their data and documents while modernizing their information architecture. Its integrated hub connects information across departments and applications to enhance employee experience, productivity, and collaboration, while making information structured and searchable through AI, machine learning, and semantic search. In addition, OpenText delivers endpoint security and digital life protection solutions to safeguard businesses against cyberattacks and data breaches.
GitHub is a platform where developers, businesses, and organizations collaborate to create and innovate. Offering tools for version control, CI/CD, security, and code review, GitHub helps teams build software efficiently and securely.
With GitHub Copilot, developers can leverage AI to receive real-time coding assistance, streamlining their workflows and enabling them to focus on solving complex challenges. The platform supports a wide range of projects, from open source to enterprise, while integrating seamlessly into development processes to foster collaboration and security.
As part of Microsoft, GitHub is committed to empowering developers and organizations to bring their ideas to life, working toward the goal of supporting 1 billion developers worldwide.
Black Duck builds trust in software by enabling organizations to manage application security, quality, and compliance risks at the speed their business demands. Black Duck solutions help developers to secure code as fast as they write it; development and DevSecOps teams to automate testing within development pipelines without compromising velocity; and security teams to proactively manage risk and focus remediation efforts on what matters most. With Black Duck, organizations can transform the way they build and deliver software, aligning people, processes, and technology to intelligently address software risks across their portfolio and at all stages of the application lifecycle.
Features of Application Security Testing
Updated October 2025Mandatory Features:
Vulnerability identification: 1.Static AST (SAST): Assesses, using a variety of analytical techniques, an application’s source, bytecode or binary code for security vulnerabilities, typically during the programming and/or testing phases of the software development life cycle (SDLC). 2. Software composition analysis (SCA): Identifies third-party components, open-source or commercial, included in the development of an application. In addition to dependency details, provides information regarding known vulnerabilities, potential licensing concerns, operational risks, and malicious package identification.
Developer enablement: Developer education: Includes just-in-time training and/or remediation guidance for individual scan findings as well on-demand training material for secure software development.
Application security posture management: 1. Policy evaluation: Evaluates assessment results and applications against predefined, or customer-defined criteria for the introduction, or acceptable duration of risk presence. 2. Prioritization and triage: Recommends and allows for the adjustment of remediation priorities based on publicly available and proprietary information related to scanned artifacts, scan findings and risk considerations. 3. Posture and performance reporting: Provides measurements at the application and application portfolio level to quantify and measure adherence to expectations for introducing and addressing risk.
Software supply chain security: Software bill of materials (SBOM) life cycle management: Supports the ingestion, creation, and sharing of SBOMs for the purposes of identifying and communicating an inventory of third-party components, commercial or open-source, contained within an application and the risks therein.