DAST Consolidation in Application Security
The last month has seen three big moves by heavyweight security platforms:
- First, Checkmarx revealed they were “joining forces” with ZAP, the open-source DAST tool, employing the three ZAP project leaders to work on both ZAP and Checkmarx’s ZAP integration.
- Then Snyk acquired Probely.
- Then Wiz bought Dazz.
- …and before that, GitHub was already partnering with StackHawk.
Checkmarx and Snyk have been predominantly static code analysis solutions, whereas Wiz comes from cloud security. It’s not at all surprising that we’re seeing players on both sides of the aisle moving towards full-spectrum AppSec plays; Codacy has been working on this path for the last year. And, in fact, you can already send ZAP reports into Codacy if you’re running ZAP in your CI/CD.
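If you do run ZAP in CI, the piece most teams still hand-roll is the gate that decides whether a scan should fail the pipeline before the report goes anywhere else. The script below is an added example, not Codacy’s or the ZAP project’s own code: it reads a report in the shape that ZAP’s traditional JSON reporter (what `zap-baseline.py -J` writes) produces, tallies alerts by risk, and exits non-zero when anything at or above a chosen risk level is present. The embedded report is constructed for the example, not the output of a real scan, and the `fail_on` threshold and field handling are assumptions you would tune to your own policy.

```python
"""CI gate over a ZAP JSON report: fail the pipeline on alerts at or above a risk level."""
import json
import sys

# Risk codes as ZAP writes them ("riskcode" is a string in the report).
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample shaped like ZAP's traditional JSON report; not a real scan result.
SAMPLE_REPORT = """{
  "@programName": "ZAP", "@version": "2.14.0",
  "site": [{
    "@name": "http://app.internal:8080", "@host": "app.internal", "@port": "8080", "@ssl": "false",
    "alerts": [
      {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3", "confidence": "2",
       "riskdesc": "High (Medium)", "cweid": "89",
       "instances": [{"uri": "http://app.internal:8080/search?q=x", "method": "GET", "param": "q"},
                     {"uri": "http://app.internal:8080/items?id=1", "method": "GET", "param": "id"}]},
      {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "1",
       "confidence": "3", "riskdesc": "Low (High)", "cweid": "693",
       "instances": [{"uri": "http://app.internal:8080/", "method": "GET", "param": ""}]}
    ]
  }]
}"""


def load_report(text):
    """Parse a ZAP JSON report from its text."""
    return json.loads(text)


def summarize(report):
    """Return ({risk_name: count}, [flat finding dicts]) across every site in the report."""
    counts = {name: 0 for name in RISK_NAMES.values()}
    findings = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            # Unknown or missing risk codes are treated as Informational rather than crashing the gate.
            try:
                risk = int(alert.get("riskcode", 0))
            except ValueError:
                risk = 0
            risk = risk if risk in RISK_NAMES else 0
            counts[RISK_NAMES[risk]] += 1
            findings.append({
                "site": site.get("@name", ""),
                "name": alert.get("alert", "<unnamed>"),
                "risk": risk,
                "cwe": alert.get("cweid", ""),
                "instances": len(alert.get("instances", [])),
            })
    return counts, findings


def gate(report, fail_on=2):
    """Return (passed, blocking_findings); fail_on is the lowest riskcode that blocks the build.

    The default of 2 (Medium) is an assumed policy, not a ZAP recommendation.
    """
    _, findings = summarize(report)
    blocking = [f for f in findings if f["risk"] >= fail_on]
    return len(blocking) == 0, blocking


def main(argv):
    path = argv[1] if len(argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    report = load_report(text)
    counts, _ = summarize(report)
    passed, blocking = gate(report, fail_on=2)
    print("ZAP alerts by risk:", ", ".join(f"{k}={v}" for k, v in counts.items()))
    for f in blocking:
        print(f"BLOCKING {RISK_NAMES[f['risk']]}: {f['name']} (CWE-{f['cwe']}, {f['instances']} instances) on {f['site']}")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python zap_gate.py zap-report.json` after the scan step; with no argument it evaluates the embedded sample, which fails the gate on the High-risk alert. Keep the raw JSON as a build artifact regardless of the gate outcome, since the gate only decides whether the pipeline continues, not whether the findings are worth tracking.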
Market consolidation is inevitable in a landscape that’s maturing – lots of bleeding-edge startups have been focussed on solving individual problems in the AppSec space.
But, frankly, the overheads of supporting so many tools for buyers has become crippling, never mind the coordination effort to pool the results into a single place.
The problem for these large acquirers is that, while they will surely realize some cost savings from shared finance, HR, and so on, each of the acquired tools still carries its own engineering organization, which in turn has to be fed by huge, expensive sales and marketing organizations to hit growth targets.
Those individual scanners have all been charging $50+ a seat, and folding them into a vendor that already prices highly will only add to the cost burden for customers. Don’t tell me Snyk, Wiz, and Checkmarx won’t all simply add a line item for DAST to their already complex and large invoices.
Codacy has been pursuing our “360-degree view of security” project utilizing open-source tools from the start. We’re proud to leverage open-source quality and security scanning tools because they are transparent in operation, already widely used, and obviously free at the point of use.
So, while Wiz and Snyk spend a year or so integrating complex, proprietary DAST scans into their already overpriced solutions, you can already get started with DAST in Codacy.
And soon we will launch our own DAST execution engine so that you won’t have to bear the configuration and CI/CD costs of running these tools either.
Finally, AppSec consolidation is all good, but security is only one column of code health that developers need to care about.
How long will it be before Wiz looks at code quality? Before Checkmarx scans for unit test coverage? Will Snyk ever care about accessibility scanning?
Codacy already offers all of these features at a great price point.
Try us free for 14 days, or book a demo to see for yourselves.