The Forrester Wave™: Static Application Security Testing, Q4 2017 - Forrester Names CAST Among the 10 Top For SAST


CAST is proud to announce that it has been included among the 10 most significant SAST vendors and named a “Strong Performer” in “The Forrester Wave™: Static Application Security Testing, Q4 2017.” The report, a 29-criteria evaluation of the static application security testing (SAST) market, “researched, analyzed, and scored” the vendors to show “how each measures up and helps security professionals make the right choice.” The full report explains why CAST was named a Strong Performer.

Static application security testing (SAST) tools such as CAST analyze application source code against application security standards and automate the identification and remediation of security vulnerabilities.

According to the Forrester report, “CAST marries security with quality metrics…the CAST Application Intelligence Platform (AIP) offers a dashboard that security pros, development managers, and CIOs can use to capture quality characteristics called health factors. These include robustness, efficiency, changeability, transferability, and overall quality, along with security.”

CAST Received the Highest Score in the Accuracy Criterion in the 2017 Forrester Wave SAST Report

The full scores are in the Forrester Wave report, but a few criteria deserve attention because CAST scored exceptionally well in them:

  • Accuracy: CAST received a 3.80 in the accuracy criterion.
  • Breadth of Source Code Language Support: CAST received a 5.00 in this criterion, the highest score possible.
  • Execution Road Map: CAST received a 4.00 in the execution road map criterion.

To see how CAST scored in the other 26 criteria, see the complete Forrester Wave Report.

CAST’s vendor profile states: “CAST licenses AIP based on the functionality an organization desires and its size (determined by the number of full-time engineers). Customers can choose between a perpetual license on-premises implementation or a SaaS subscription model. CAST AIP offers very strong breadth of source code language support but lacks many of the SDLC integrations it needs to fully support developers.”

Why Are SAST Reports / Tools Important?

SAST reports and tools matter because most schools do not teach developers how to write secure code; developers learn application security on the job, sometimes too late. As Forrester reports, “Only one of the top 36 US computer science programs requires a security course for graduation.”[1]

SAST therefore automates testing and delivers repeatable results that identify security weaknesses in web, mobile, and desktop applications. Because it analyzes source code rather than a running deployment, it needs no dedicated test environment, and a cloud-hosted SAST service also removes the overhead of operating the scanning infrastructure yourself.

CAST helps teams recognize problems and then apply established blueprints for threat analysis, threat modeling, and building security into software. It does this by combining contextual software analysis with industry-leading security standards to find flaws; its tools can then help develop code fixes for some of the vulnerabilities found.

Eliminating Vulnerabilities in Proprietary Software Using SAST

The Forrester Wave Report suggests that “[U]sing static application security testing (SAST) as part of prerelease application testing can remove vulnerabilities so attackers can’t exploit them in production. SAST remains the best prerelease testing tool for catching tricky data flow issues and issues such as cross-site request forgery (CSRF) that tools such as dynamic application security testing (DAST) have trouble finding.”

SAST tools help developers find and fix security weaknesses throughout development. According to the Forrester report, “because SAST tools evaluate nonexecuting code, developers can run them extremely early in the software delivery life cycle (SDLC) on code that is not complete enough to compile.” In some ways, Forrester states, they act as a spell-checker for code.

There is a push to use SAST earlier in development, which can help eliminate vulnerabilities such as code paths that grant unauthorized access to data, missing input validation, and backdoors.
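To make concrete what “evaluating nonexecuting code” and catching “tricky data flow issues” mean in practice, here is a deliberately small taint-tracking analyzer written for this post in Python. It is an added illustration, not CAST AIP code and not part of the Forrester report; the source, sanitizer and sink tables and the sample program it scans are constructed for the example. It parses source text without running it and reports wherever attacker-controlled data reaches a dangerous sink without passing through a sanitizer.

```python
import ast
from collections import namedtuple

# Constructed tables, just large enough for the sample below; a commercial
# SAST engine ships thousands of such entries per language and framework.
SOURCES = {"input", "sys.argv", "request.args.get", "request.form.get"}
SANITIZERS = {"shlex.quote", "int", "html.escape"}
SINKS = {"os.system": "command injection", "eval": "code injection",
         "cursor.execute": "SQL injection"}

Finding = namedtuple("Finding", "line sink category expression")


def dotted_name(node):
    """'a.b.c' for a Name/Attribute chain, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None


class TaintAnalyzer(ast.NodeVisitor):
    """Intraprocedural, flow-insensitive taint tracking over a Python AST."""

    def __init__(self):
        self.tainted = set()  # variable names currently holding untrusted data
        self.findings = []

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Attribute):
            return dotted_name(node) in SOURCES or self.is_tainted(node.value)
        if isinstance(node, ast.Subscript):  # sys.argv[1] inherits sys.argv's taint
            return self.is_tainted(node.value)
        if isinstance(node, ast.BinOp):  # "..." + x and "..." % x
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):  # f"...{x}"
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in SOURCES or name in SANITIZERS:
                return name in SOURCES  # a sanitizer's output is trusted for its sink
            args = node.args + [k.value for k in node.keywords]
            if isinstance(node.func, ast.Attribute):  # receiver, e.g. "...".format(x)
                args.append(node.func.value)
            return any(self.is_tainted(a) for a in args)
        # Constants, tuples, comprehensions: clean. In particular the parameter
        # tuple of a parameterised cursor.execute() is data, not query text.
        return False

    def visit_FunctionDef(self, node):
        saved, self.tainted = self.tainted, set()  # fresh variable scope
        self.generic_visit(node)
        self.tainted = saved

    def visit_Assign(self, node):
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):  # a clean reassignment clears taint
                (self.tainted.add if tainted else self.tainted.discard)(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in SINKS:
            for arg in node.args:
                if self.is_tainted(arg):
                    self.findings.append(Finding(node.lineno, name, SINKS[name],
                                                 ast.unparse(arg)))  # Python 3.9+
                    break
        self.generic_visit(node)


def analyze(source):
    """Parse source text (it need not compile or run) and return taint findings."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed sample: three injectable sinks, each beside a safe variant.
SAMPLE = """\
import os, sys, shlex
from flask import request
def ping():
    host = request.args.get("host")
    os.system("ping -c 1 " + host)                  # line 5: unsanitised
    os.system("ping -c 1 " + shlex.quote(host))     # quoted: no finding
def lookup(cursor):
    user = input("user: ")
    query = "SELECT * FROM users WHERE name = '%s'" % user
    cursor.execute(query)                           # line 10: taint via variable
    cursor.execute("SELECT * FROM users WHERE name = %s", (user,))  # parameterised
def calc():
    expr = sys.argv[1]
    eval(f"1 + {expr}")                             # line 14: f-string
    eval("1 + %d" % int(expr))                      # int() sanitises
"""

if __name__ == "__main__":
    print(*analyze(SAMPLE), sep="\n")
```

Run as a script it reports the three unguarded sinks (lines 5, 10 and 14 of the sample) and nothing for the quoted, parameterised and integer-coerced variants beside them, even though the sample imports a framework that is not installed and would never run here. It is deliberately naive: one variable scope per function, no merging across branches or loops, no tracking across calls, and string-keyed source and sink names that miss aliases such as `from os import system`. Closing those gaps (interprocedural data flow, path sensitivity, framework models) is what separates a spell-checker-grade analyzer from a commercial SAST engine, and it is where the accuracy criterion in the Forrester evaluation is won or lost: every missed alias is a false negative and every over-approximation a false positive that developers learn to ignore.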

With SAST tools from CAST you can improve both your applications and the way you build them, and, going forward, roll the resulting changes into your development process.

For more information about SAST, contact us today so that we can provide personalized information about how we can help you.

[1] “CloudPassage Study Finds U.S. Universities Failing In Cybersecurity Education,” CloudPassage press release, April 7, 2016.

Lev Lesokhin EVP, Strategy and Analytics at CAST
Lev spends his time investigating and communicating ways that software analysis and measurement can improve the lives of apps dev professionals. He is always ready to listen to customer feedback and to hear from IT practitioners about their software development and management challenges. Lev helps set market & product strategy for CAST and occasionally writes about his perspective on business technology in this blog and other media.