Application Security Market Analysis

On this page

Security Lexicon

A uniform lexicon is important to distinguish the use of 'security' in various contexts.

  1. GitLab is a Secure Application (used as an adjective like GitLab is scalable, open, etc.) The security team manages people, processes and technology to secure the GitLab software that may include SAST & DAST but also includes security policies (like using Macs), our own Security Controls, configurations, monitoring of GitLab in production, vulnerability management, etc. Learn more about how we secure the GitLab app at If a customer or prospect needs GitLab to respond to a questionnaire about how the GitLab app is secure, follow these instructions.
  2. GitLab helps our customers Secure and Manage all of the phases of the SDLC Create, Plan, etc.). To deliver secure applications, customers use GitLab Security Controls throughout the SDLC and Security Testing in validation. Eventually, GitLab will enable vulnerability prioritization for planning and Security Monitoring in production.

    Security Controls are capabilities of Gitlab that altogether provide GitLab customers auditability of code throughout the SDLC. (This is NOT SAST/DAST.) For example, see GitHub security

    • Enforce security policies without interrupting your workflow
    • Complete change log for auditing
    • Two-factor authentication (2FA) for added access control
    • Automated security scanning during verification

    Security Testing is a capability or feature of GitLab, typically used in the Verify phase. It includes SAST and DAST, container scanning and dependency scanning (@plafoucriere, @bikebilly and team).

Application Security Market Overview

Security is on a dynamic trajectory. It has been traditionally focused on guarding the perimeter in a defensive approach. Enterprises would start with simple endpoint protection and network security and layer on tools for “Defense in Depth”. Today’s security is much more proactive and predictive combining internal and external data from a variety of sources and applying user behavior analytics and machine learning to identify suspicious activity.

Security investments followed a similar trajectory. Traditionally the bulk of the spending has been to protect infrastructure. In 2015, Gartner Analyst, Joseph Feiman, estimated for every $1 spent on application security, $23 was spent in other security. Application Security has only been a mainstream concern for recent years - but that’s changing! There are several dynamics making application security a bigger priority including:

Enterprises with advanced DevOps and/or Application Security programs are looking for remediation advice as the developer types the code as a means of not only reducing vulnerabilities, but also educating developers by teaching them security best practices real-time.  Fortify and a few other advanced app sec vendors provide this.


Compliance is always the lowest common denominator - think of it as the MVC for security. Enterprises that depend upon software and technology to run their business seldom rely on compliance alone to guide their security efforts.

Competitor Scope

Vendor/Scope SAST DAST Dep Scanning Cont Scanning License Mgmt
GitLab X X X X X
BlackDuck     X X X
CA Veracode X X X    
IBM AppScan X X X    
Fortify X X X    
SonarQube     X    
Sonatype     X X X
WhiteSource     X   X
Snyk     X X  
Synopsys X   X X X
Checkmarx X   X    

Who uses GitLab secure capabilities?

Security specialist


Security director

Market Segment Overview

Companies with sophisticated app SEC programs



Value proposition

Companies with established Security Programs



Value Proposition

Companies with minimal security focus (opportunistic target)



Value Proposition