
evan_schuman
Contributor

Cycode rolls out ASPM connector marketplace, analysts see it as bare minimum

News
May 16, 2024 | 4 mins
Application Security

Application security posture management tools need to integrate with other security tools to do their job.


Cycode has announced what it called the first marketplace devoted to the application security posture management (ASPM) space, touting the availability of more than 100 connectors and integrations to link its ASPM platform with other tools.

But some analysts said the move was unimpressive, labeling it as merely “table stakes” for the ASPM space.

“Cycode now enables customers to seamlessly integrate and ingest findings from relevant third-party security tools, complement and contextualize those findings with native scanners and eliminate gaps within supply chain security,” Cycode said in its news release. “This is a significant milestone that delivers economic optionality for businesses and reinforces Cycode’s position as the industry’s only complete ASPM.”

Sandra Carielli, a Forrester Research principal analyst, said that she thought it was a fine move that would likely make sense for Cycode’s installed base, but was otherwise unimpressed. 

“For any stand-alone ASPM vendor to get traction, it’s going to have to integrate easily with a large number of third-party scanning tools. There are some application security testing vendors like Synopsys and Snyk that have also added an ASPM component. They can focus first on working with their own testing tools, but even they may eventually benefit from integrations with some of their competitors,” Carielli said. “So announcing a lot of out-of-the-box integrations seems like a table-stakes, necessary feature. Having them in a marketplace may help customers with ease of integration, speed of deployment and overall time to value — maybe. But a quick Google search shows that ArmorCode has more than 200 integrations and Legit Security has around 75. Just because there isn’t a marketplace doesn’t mean the integrations aren’t easily accessible. So I’m inclined to say this isn’t that interesting an announcement.”

Carielli questioned whether Cycode currently has enough market presence to make an impact with its own marketplace. “Cycode is still pretty small. Are people going to be flocking to the Cycode marketplace?”

The move is still good news for CSOs looking to better manage application security, she stressed, just not necessarily industry-moving. “They are absolutely solving a problem but I don’t think the marketplace aspect of it is that interesting. I think they wanted to highlight 100 integrations out of the box. That is solid and it is what a vendor like that needs to do to go out to market. But the interesting thing about integration is that (enterprise IT managers) don’t care about the number. They only care if they have the ones they want and need.”

A core feature

Dale Gardner, a Gartner senior director analyst who tracks application and software supply chain security, reacted similarly to Carielli.

“This type of integration is considered a core, required feature for an ASPM solution,” he said. “One of the primary reasons organizations look at these tools is to help integrate information from a variety of application security tools across the SDLC to gain visibility into the security status of an application, help with prioritization, and better understand risks posed by an application,” Gardner said. “In the space, I see a couple of different types of vendors: those who focus on integration of existing tools, and those who also incorporate their own tooling as either a replacement for someone’s existing tools or to augment gaps. Cycode falls into the latter category and in looking at the product, their third-party integrations have been quite broad, covering many different aspects of the lifecycle. But not necessarily deep, with an emphasis on more popular products.”

Gardner added that Cycode “is trying to expand the scope of their integrations to better address the needs of buyers who are not looking to replace their existing tools. I don’t think this breaks new ground. Competitively, they talk about more than one hundred integrations, which is average, while some vendors support more than 200 tools. This is more of a way to improve their competitive standing.”

Cycode’s statement characterized the marketplace as quite significant. “The launch of our ASPM marketplace is a major leap in building a comprehensive security ecosystem and we’re proud to be first,” said Seth Robbins, chief revenue officer at Cycode. “Unlike competitors, Cycode’s singular focus on application security and our integrated Risk Intelligence Graph give customers unparalleled precision in their threat prioritization — table stakes for any effective ASPM.”


Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek, Computerworld and eWeek and his byline has appeared in titles ranging from BusinessWeek, VentureBeat and Fortune to The New York Times, USA Today, Reuters, The Philadelphia Inquirer, The Baltimore Sun, The Detroit News and The Atlanta Journal-Constitution. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at twitter.com/eschuman. Look for his blog twice a week.

The opinions expressed in this blog are those of Evan Schuman and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
