AST, ASOC, ??? – where does Sken fit?
Application security scanners are nothing new. Gartner just released its latest Magic Quadrant for Application Security Testing (AST), and the market is crowded with mature vendors. So what is Sken.ai doing in this seemingly red-ocean market?
The simple answer is that Sken.ai is not an app security scanner itself. It is closer to what Gartner calls Application Security Orchestration and Correlation (ASOC), which by Gartner's own account is at the peak of the hype cycle. But even this new Gartner category does not adequately describe Sken. To understand Sken and why it exists, we need to go back to the basics of the market and its dynamics.
Mid-market adoption of app-security
Market research says that the DevSecOps market is expected to grow 10x in the next 6 years, and the primary driver is the rising adoption of security by small and medium enterprises. This is the mass mid-market, which has hitherto not worried much about app security but, because of the explosion in web and mobile apps and increased awareness of security in general, is beginning to realize the need to keep its apps secure. So there is increasing demand for app security from this mass mid-market. These are enterprises with IT organizations of more than 300 people that are developing, or beginning to develop, custom apps, mostly in the cloud-native paradigm. They could also include large enterprises with a smaller IT footprint.
Mid-markets are grossly underserved
However, current vendors underserve them, because the mid-market has unique characteristics and requirements:
1. No app security expertise: Most mid-market customers have no app security expertise. They do have some security personnel, but their expertise and responsibility are mostly limited to basic network and infrastructure security (firewalls and the like). Cybersecurity professionals are in such short supply that mid-markets have trouble hiring or building an app security team. App security consulting companies do exist, but engaging them brings its own set of issues, does not scale, and in practice is little used.
The problem is that almost all the app security products on the market today need app security experts to operate them. This includes every product on Gartner's AST and ASOC lists. They are designed for large customers with big, mature AppSec teams, not for mid-markets with minimal app-security knowledge.
2. Commercial scanners are expensive: Most commercial app security scanners are very expensive; license costs can run into millions of dollars per year. On top of that, you need to hire an app-security team to operate them, so the net cost runs remarkably high. Large enterprises allot a huge security budget, as high as 10% of their IT spend. Mid-markets can allocate only a small budget for security, inadequate for most commercial scanners.
3. Open-source scanners are unmanageable: Mid-markets can instead use open-source scanners. There is a robust ecosystem of free open-source scanners, and by some measures their raw scanning ability is better than some of their commercial counterparts. But as explained in one of our earlier blogs, open-source scanners are extremely hard to manage. There are too many of them, so selecting what you need is confusing. They are painful to set up, maintain, and upgrade. Their scan results are difficult to understand and difficult to aggregate and normalize across scanners, and they lack vulnerability management capabilities. Mid-market customers sometimes try one or more of them, but most get bogged down in these issues and stop using them after a while.
4. Many types of scanners needed: As explained in our other blog, an application needs to be scanned by many types of scanners: code-level scanners such as SAST, SCA, secrets and license scanners, and test/deploy-level scanners such as DAST, container, API and serverless scanners. It is extremely difficult for mid-markets to operationalize scanning with all of these. Each scanner covers only part of the problem, and even when mid-markets try to run several, the scanners are siloed: they do not talk to each other, their results are neither aggregated nor normalized, and the result is an unmanageable level of noise and hassle.
What mid-markets need:
The mid-markets need a product that:
a. Provides app security with no required app-security expertise.
b. Is affordable yet manageable.
c. Supports comprehensive scanning across the application, yet simple to understand and use.
Sken’s unique approach:
Sken tackles each of these mid-market requirements. Sken has three pillars, and each corresponds to one of the three core requirements above.
a. DevOps first Security:
Sken provides a product that can be used by DevOps with no app security experience. Read our DevOps-first AppSec blog to understand why we think DevOps is the starting point in App Security.
b. Open Source Scanners + SaaS:
Sken packages open-source scanners in a SaaS orchestration layer and automates them in CI/CD. The orchestration layer does the heavy lifting so that the end user's job stays simple. The result is an easy scanning tool that can be used without any security expertise, is 100x more affordable (yes, really!), and can be adopted in a viral, grassroots manner without any top-down sales. This makes Sken affordable and manageable.
Read our Open-Source + SaaS blog to understand why we think the combination of open-source scanners + SaaS is a killer combination and is the future for AppSec.
c. All scan types:
Sken does all scan types. These include:
- Code-level scanners:
  - SAST (Static Application Security Testing) for scanning source code across multiple languages.
  - SCA (Software Composition Analysis) for scanning the open-source libraries included in your application.
  - Secrets scanning for passwords and other credentials committed in the clear.
  - License scanning for the license files of included components.
- Test-level scanners:
  - DAST (Dynamic Application Security Testing) for scanning the running application.
- Deployment-level scanners:
  - Containers
  - API, etc.
Read our “If you are relying on one type of scanner – dump it” blog to understand the diverse types of scanning and why they are all needed.
What does the competition do?
There are lots of players in this space. So, to keep things simple and internalize it, one way to think about the competition is to categorize them in terms of who they sell to and what they sell.
Who they Sell to:
Sken does DevOps-first security. DevOps adopt Sken in a grassroots manner: at their own pace, and without a top-down sales process breathing down their neck, DevOps engineers can register on Sken and try it out for themselves. If they like the product, they usually show it to the security, engineering, and other teams in the organization. Sken offers up to 1,000 free app scans per month. This is a super-freemium model; the next best offer in the market is around 100 scans for the lifetime of the account.
Traditionally, security products are sold only to security teams. We call this a security-first approach. These products need a team with deep AppSec expertise to operate them. They are also expensive and out of reach for mid-markets. They require a top-down sale and cannot be adopted quickly in a grassroots fashion.
In the past three years we have seen the rise of dev-first AppSec. These vendors sell to developers instead of security teams, so they can be adopted in a grassroots manner. A few companies in this space have been successful, but there are substantial differences between DevOps-first and dev-first. Dev-first deals with scanners that depend on the source code or the source code repository, so only code-level scans such as SAST and SCA can be done with a dev-first approach. Test- and deploy-level scans can be automated only through integration into CI/CD. DevOps owns the CI/CD pipeline, so you need to target DevOps to cover the entire gamut of scanners and automation. Sken is a first mover in this DevOps-first approach, but ultimately the entire market will move in this direction.
What they sell:
Sken is not a scanner. It packages multiple existing open-source scanners and adds a SaaS orchestration layer, so it is more of an orchestrator than a scanner. Because of this, Sken can perform scans of every type using the best available scanner for each. Sken also uses advanced machine learning to correlate results from different scan types to reduce false positives and overall noise. This gives Sken a data-based defensibility.
Most other products are scanners themselves and are limited to one type of scan. It is exceedingly difficult for one vendor to build the best scanner in every category. All the dev-first and security-first products are scanners; they do not orchestrate.
There are also aggregators. They are not scanners, but they can talk to multiple scanners, receive their results, aggregate them, and analyze them. Aggregators assume that you already have commercial scanners that you have paid for and deployed, so they are useful primarily for large enterprises already using expensive commercial scanners. Mid-markets do not use these commercial scanners; for them, Sken not only functions as an intelligent aggregator but also orchestrates the scanners and takes care of their lifecycle. Sken automatically figures out which scanners each app needs, and at runtime it pulls a temporary Docker image of each of those scanners and performs the scan inside it. This way the customer does not have to set up, deploy, maintain, or pay for the scanners.
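To make the aggregation and correlation idea concrete, here is an added example (not Sken's code, and not how Sken's machine learning works) that normalizes results from three different scan types into one schema and merges findings that land on the same file and line. It assumes the scanners emit SARIF 2.1.0, the interchange format many open-source scanners support; the tool names, rule IDs and findings are constructed for the example, and the location-based merge is a simple deterministic stand-in for the correlation described above.

```python
"""Normalize SARIF output from several scan types into one finding schema and
merge findings that land on the same file and line.
Added illustration, not Sken's code; the scanners, rule IDs and results below
are constructed for this example."""
import json
from dataclasses import dataclass, field, replace

# Constructed SARIF 2.1.0 documents standing in for real scanner output.
def _sarif(tool, results):
    return json.dumps({"version": "2.1.0", "runs": [
        {"tool": {"driver": {"name": tool}}, "results": results}]})

def _result(rule, level, text, uri, line):
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                                "region": {"startLine": line}}}]}

SAMPLE = {  # scan type -> SARIF text; these are made-up findings
    "sast": _sarif("example-sast", [
        _result("hardcoded-credential", "warning", "DB_PASSWORD is assigned a literal", "src/config.py", 7),
        _result("sql-injection", "error", "Untrusted input reaches a SQL query", "src/db.py", 42)]),
    "secrets": _sarif("example-secrets", [
        _result("generic-password", "error", "High-entropy string after 'password='", "src/config.py", 7)]),
    "sca": _sarif("example-sca", [
        _result("vulnerable-dependency", "warning", "examplelib 1.2.3 has a known vulnerability", "requirements.txt", 3)]),
}

# SARIF levels collapse onto one severity scale shared by every scan type.
SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "info"}
RANK = {"high": 3, "medium": 2, "low": 1, "info": 0}

@dataclass
class Finding:
    path: str
    line: int
    rule: str
    severity: str
    message: str
    sources: list[str] = field(default_factory=list)  # "<scan type>:<tool>" that reported it
    corroborated: bool = False                         # True once two scan types agree

def normalize(sarif_text: str, scan_type: str) -> list[Finding]:
    """Flatten one scanner's SARIF into Finding records, tolerating missing fields."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append(Finding(
                path=loc.get("artifactLocation", {}).get("uri", "<unknown>"),
                line=int(loc.get("region", {}).get("startLine", 0)),
                rule=res.get("ruleId", "unknown"),
                severity=SEVERITY.get(res.get("level", "warning"), "medium"),
                message=res.get("message", {}).get("text", ""),
                sources=[f"{scan_type}:{tool}"]))
    return findings

def correlate(findings: list[Finding]) -> list[Finding]:
    """Merge findings at the same file:line: keep the highest-severity report, record
    every source, and mark the finding corroborated when more than one scan type hit it."""
    merged: dict[tuple[str, int], Finding] = {}
    for f in findings:
        key = (f.path, f.line)
        if key not in merged:
            merged[key] = replace(f, sources=list(f.sources))
            continue
        m = merged[key]
        m.sources.extend([s for s in f.sources if s not in m.sources])
        if RANK[f.severity] > RANK[m.severity]:
            m.severity, m.rule, m.message = f.severity, f.rule, f.message
        m.corroborated = len({s.split(":")[0] for s in m.sources}) > 1
    return sorted(merged.values(), key=lambda x: (-RANK[x.severity], x.path, x.line))

def triage(sarif_by_type: dict[str, str]) -> list[Finding]:
    """Normalize every scanner's output, then merge across scan types."""
    raw = [f for scan_type, text in sarif_by_type.items() for f in normalize(text, scan_type)]
    return correlate(raw)

if __name__ == "__main__":
    for f in triage(SAMPLE):
        flag = " (corroborated)" if f.corroborated else ""
        print(f"[{f.severity}] {f.path}:{f.line} {f.rule} via {', '.join(f.sources)}{flag}")
```

On the constructed sample, four raw results collapse to three findings: the SAST and secrets hits on `src/config.py:7` become one high-severity, corroborated finding, which is the kind of agreement across scan types that a triage queue should surface first.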
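The orchestration pattern described above, choosing scanners from what a checkout contains and running each in a container that is discarded afterwards, can be sketched as follows. This is an added example, not Sken's code: the image names point at a reserved placeholder registry, the scanner command-line flags are hypothetical, and the file-pattern heuristics are an assumption, but the container isolation settings (`--rm`, read-only source mount, no network for scanners that need none) are the ones a practitioner would want.

```python
"""Pick scan types from what a checkout contains and run each scanner in a
throw-away container. Added illustration, not Sken's code: the image names,
the scanner CLI flags and the file-pattern heuristics are all assumptions."""
from pathlib import Path
import subprocess

# Placeholder image references (example.invalid is a reserved name, so nothing resolves).
IMAGES = {
    "secrets":   "example.invalid/secrets:latest",
    "sast":      "example.invalid/sast:latest",
    "sca":       "example.invalid/sca:latest",
    "license":   "example.invalid/license:latest",
    "container": "example.invalid/image-scan:latest",
    "api":       "example.invalid/api-scan:latest",
}

# Assumed heuristics: which files in a checkout call for which scan type.
# An empty pattern list means "always run" (secrets scanning applies to any repo).
TRIGGERS = {
    "secrets":   [],
    "sast":      ["*.py", "*.js", "*.ts", "*.java", "*.go"],
    "sca":       ["requirements.txt", "package.json", "pom.xml", "go.mod", "Gemfile"],
    "license":   ["requirements.txt", "package.json", "pom.xml", "go.mod", "Gemfile"],
    "container": ["Dockerfile", "*.Dockerfile"],
    "api":       ["openapi.yaml", "openapi.json", "swagger.json"],
}

# Scanners that must refresh an advisory feed keep network access; the rest are cut off.
NEEDS_NETWORK = {"sca", "container"}

def select_scanners(repo: Path) -> list[str]:
    """Return the scan types whose trigger files exist anywhere under repo."""
    chosen = []
    for scan_type, patterns in TRIGGERS.items():
        if not patterns or any(next(repo.rglob(p), None) for p in patterns):
            chosen.append(scan_type)
    return chosen

def docker_command(scan_type: str, repo: Path, out_dir: Path) -> list[str]:
    """Build a `docker run` that mounts the source read-only, writes SARIF to out_dir,
    drops all capabilities, uses a read-only root filesystem with a scratch /tmp,
    and is removed when the scan finishes (--rm)."""
    cmd = ["docker", "run", "--rm", "--read-only", "--cap-drop=ALL", "--tmpfs", "/tmp",
           "-v", f"{repo.resolve()}:/src:ro",
           "-v", f"{out_dir.resolve()}:/out"]
    if scan_type not in NEEDS_NETWORK:
        cmd.append("--network=none")
    # Hypothetical scanner CLI: real images each have their own flags.
    cmd += [IMAGES[scan_type], "--target", "/src", "--output", f"/out/{scan_type}.sarif"]
    return cmd

def run_scans(repo: Path, out_dir: Path, runner=subprocess.run) -> dict[str, int]:
    """Run every selected scanner and return exit codes keyed by scan type.
    `runner` is injectable so the pipeline can be exercised without Docker installed."""
    out_dir.mkdir(parents=True, exist_ok=True)
    codes = {}
    for scan_type in select_scanners(repo):
        proc = runner(docker_command(scan_type, repo, out_dir))
        codes[scan_type] = proc.returncode
    return codes

if __name__ == "__main__":
    import sys
    repo = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for scan_type, code in run_scans(repo, repo / ".scan-results").items():
        print(f"{scan_type}: exit {code}")
```

Because the scanner images are pulled per run and never installed on the build agent, upgrading a scanner is a matter of changing the tag in `IMAGES`, and a misbehaving scanner cannot modify the source tree or reach the network unless its scan type is explicitly allowed to.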
Conclusion:
What makes Sken unique is that it is the only DevOps-first app security SaaS orchestrator. It is laser-focused on mid-markets: extremely affordable, yet manageable for them. No security expertise is needed to operate Sken. It covers all scan types and is hence comprehensive, and it uses advanced machine learning to reduce noise and filter out false positives.