10/25/24, 9:40 AM Reference Architecture Brief: Application Security

Licensed for Distribution


Reference Architecture Brief: Application Security


15 February 2024 - ID G00802488 - 20 min read

By Greg Harris

Initiatives: Security Technology and Infrastructure for Technical Professionals

Related Resources: Reference Architecture Resource Center

Application security is fundamental to protecting an organization by creating resilient
systems. This architecture brief provides guidance for security and risk management
professionals to ensure that security is pervasive throughout the application life cycle.

Architecture Brief
A strong application security program starts with people and processes. Organizations must
enable security and engineering professionals to develop and update policies and practices as
technologies and threats change. Foundational security concepts, such as secure coding
practices, have always existed. However, organizations must continue to adapt to changing
deployment models and attack surfaces.

Advanced security concepts are always maturing. As attack methods evolve, security vendors
introduce new technologies to protect applications. Security teams must evaluate new
technologies and implement advanced controls that are suitable for their use cases. Finally, a
well-planned application security architecture can reduce the likelihood of attack, with secure
design based on the results of threat modeling.

Architecture Use Cases


Application security architecture is typically applied for the following use cases:

In-house software development: Organizations that design and develop their systems can
use this architecture to build secure applications by incorporating relevant capabilities from
each of the components pictured in Figure 1, and described throughout this document.

Outsourced software development: Organizations that outsource aspects of the
development process can incorporate the capabilities that are within their control. These
organizations should look for opportunities to require outsourced development partners to
perform corresponding capabilities.

https://www.gartner.com/document/5201163?ref=solrAll&refval=436087235& 1/17

Application hosting: Once an application is developed and deployed, organizations need to
implement security controls to protect the application and data. These protections can be on
the network, application server, or on the user device itself.

Architecture Diagram
The application security architecture shown in Figure 1 depicts components and capabilities of
an application security program from ideation to deployment and operation.

Figure 1: Reference Architecture for Application Security

The application life cycle begins with development teams applying the capabilities included in
application security processes. This increases the effectiveness of capabilities within the
security by design component. From there, development teams can validate the results by
implementing appropriate application security testing tools. Once the application has been
verified and deployed, organizations need to incorporate appropriate controls from the
advanced security and workload groupings.

Architecture Capabilities and Components


The following subsections provide an overview of each component of the reference
architecture.

The components of an application security architecture are:

Application Security Processes

Security by Design

Application Security Testing

Web Application and API Protection

In-App Protection

API Gateway

Runtime Application Security

Cloud-Native Application Protection Platforms

Application Security Processes

Back to top

Defining and following appropriate and repeatable processes is fundamental to effective
application security. Implementing the following capabilities within the software development
life cycle will help an organization improve its maturity, which in turn will improve the resilience
and security of its applications.

Key Component Characteristics

Application security program: Application security requires a holistic program to address the
complexity of new development technologies and the continuously changing threat landscape.
Security and risk management staff must work with development teams to ensure that
application security is effectively enabled within the development culture, and adjusts as
development practices and threats evolve. Application security programs must take advantage
of existing automation and deployment capabilities to enable development teams without
restricting innovation. Security professionals must also educate project teams and business
leaders on the importance of application security so that goals and processes are better
aligned for secure application delivery.

DevSecOps practices: DevOps practices combine application development, infrastructure and
operations activities with a heavy push toward automation to shorten delivery times while
improving quality. A main goal of DevSecOps is to integrate security processes and tooling into
engineering workflows and supporting technology stacks. Four patterns of application security
concentration emerge as organizations embrace DevSecOps practices: secure design,
development verification, externalized security and production security monitoring. All are
critical to an overall application security program and DevSecOps approach. But organizations
may put heavier emphasis on a particular area due to a variety of factors, including
organizational politics or structure, budgets for staffing or tooling, and the presence of
preexisting tooling that may be repurposed.

Security coaches and champions: Because dedicated application security resources will
always be at a premium, organizations must seek to scale by designating security champions or
coaches within respective application teams to partner and collaborate with. This concept
shares similarities with security-focused communities of practice within the Scaled Agile
Framework (SAFe), or with security guilds within the Spotify model. “Security champions” may
also refer to those who engage in general security awareness efforts, such as raising
awareness of ransomware or phishing.

Secure continuous delivery: Continuous delivery is supported by multiple integrated systems
and processes. There is no single solution or product for securing the resulting technology and
artifacts. Organizations will adopt a variety of development and delivery tools, both proprietary
and open source. Secure continuous delivery requires a diverse set of development, operations
and security tooling and skill sets. Secure continuous delivery is also a discipline under the
larger umbrella of DevSecOps. As such, Gartner observes that organizations with higher-
maturity DevOps practices are often best equipped to run with these security strategies.
However, all organizations can benefit from adopting at least a subset of these practices. The
tooling that enables continuous delivery practices greatly enhances security through increased
visibility, consistency and governance.

Related Research

Guide to Application Security Concepts

Essential Skills for Security in Modern Application Development

Security by Design

Back to top
Following the principles of security by design forces development teams to think about what
they are creating, and how it can be abused. By considering the opportunity, means and motive
for an attacker to abuse the application, development teams can include appropriate controls to
reduce the likelihood of a successful attack.

Key Component Characteristics

Threat modeling: Threat modeling is an architecture-level process for reviewing a system
design, enumerating threats and mitigations, validating controls and mapping out the attack
surface of a system. This can be for an application, a network, a device, containers, or any
system or element of software or hardware. It is a core part of the secure-by-design approach to
system development.

Security requirements: Security requirements are derived from regulatory requirements,
enterprise security policies, the organization's risk appetite, and the expectations of customers
and other stakeholders that can influence the required level of protection.

Secure coding practices: Secure coding practices and technical guidance come from a variety
of sources, including the Software Engineering Institute (SEI) Cert Division, the Open Web
Application Security Project (OWASP), and each respective vendor for a given technology.
Others can be adapted from application security testing (AST) tools such as static application
security testing (SAST). In some cases, particularly with modern languages or frameworks,
specific resources may be sparse. You must account for the potentially numerous languages
and technology stacks in use at your organization. Seek to standardize as much as possible to
ease secure DevOps efforts overall.

Software supply chain security: Software supply chain security is the set of processes and
tools used to curate, create and consume software in ways that mitigate attacks against
software or its use as an attack vector. Curation focuses on assessing risks of third-party
software and assessing its acceptability. Creation focuses on secure development and the
protection of software artifacts and the development pipeline. Consumption validates integrity
of software through verification, provenance and traceability.

Related Research

The Art of Threat Modeling

Application Security Testing

Back to top

AST can be applied throughout the application life cycle. Conduct security testing during
development to increase the quality of the code with SAST and software composition analysis
(SCA) tools. Next, verify the code prior to deployment with dynamic (DAST) or interactive
application security testing (IAST) tools to provide an opportunity to remediate or document
vulnerabilities. If the team is developing mobile applications, deploy specific tools that
specialize in mobile application security testing (MAST).

Key Component Characteristics

Software composition analysis: In modern application development, a significant portion, and
usually the majority, of a codebase consists of external dependencies, such as open-source
components, libraries and frameworks. This holds true for both in-house-developed applications
and off-the-shelf software. Open-source libraries can carry significant vulnerabilities. SCA tools
analyze an application package to produce an inventory of the publicly available open-source
components it contains, often referred to as a software bill of materials (SBOM). This
includes identification of each component's license type as well as known vulnerabilities that map
to common vulnerabilities and exposures (CVE) identifiers.

Static application security testing: SAST tools analyze application code in various ways, such
as expression matching, execution flow analysis and data flow analysis. SAST uses the
presence or absence of specific code and data handling as evidence of possible exploitability.
SAST tools tend to have lower false-negative rates but higher false-positive rates than DAST.
Additionally, support for languages and versions of those languages can be a limiting factor,
depending on the vendor. Expect delays as vendors adapt their scan engines and rules as new
languages or new versions of languages are introduced.
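To make the data-flow analysis described above concrete, here is an added example (not code from this brief or from any SAST vendor) of a toy SAST rule written in Python: it walks a module's abstract syntax tree, treats the return values of an assumed set of source calls (`input`, `request.args.get`) as tainted, propagates taint through assignments, string concatenation and f-strings, clears it when the value passes through an assumed sanitizer (`shlex.quote`, `int`), and reports any tainted expression that reaches an assumed sink (`os.system`, `cursor.execute`, `eval`). The source, sink and sanitizer names are the rule set's assumptions, and the code it scans is constructed for the demo.

```python
from __future__ import annotations

import ast
from dataclasses import dataclass

# Assumed rule set for the demo: where untrusted data enters, where it is dangerous,
# and which calls neutralize it. A real SAST engine ships thousands of these.
SOURCES = {"input", "request.args.get", "request.form.get"}
SINKS = {"os.system", "subprocess.call", "cursor.execute", "eval"}
SANITIZERS = {"shlex.quote", "int", "html.escape"}


@dataclass
class Finding:
    line: int
    sink: str
    expr: str  # the tainted expression that reached the sink


def _call_name(node: ast.AST) -> str | None:
    """Dotted name of a call target, e.g. 'os.system' or 'request.args.get'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _call_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return None


class TaintAnalyzer(ast.NodeVisitor):
    """Intraprocedural taint tracking: source -> assignments -> sink."""

    def __init__(self) -> None:
        self.tainted: set[str] = set()
        self.findings: list[Finding] = []

    def _is_tainted(self, node: ast.AST) -> bool:
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = _call_name(node.func)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False  # sanitizer breaks the taint chain
            # Unknown calls propagate taint from their arguments (conservative).
            return any(self._is_tainted(a) for a in node.args)
        if isinstance(node, (ast.BinOp, ast.JoinedStr)):
            return any(self._is_tainted(c) for c in ast.iter_child_nodes(node))
        if isinstance(node, ast.FormattedValue):
            return self._is_tainted(node.value)
        return False

    def visit_Assign(self, node: ast.Assign) -> None:
        tainted = self._is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if tainted:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)  # overwritten with a clean value
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node.func)
        if name in SINKS:
            for arg in node.args:
                if self._is_tainted(arg):
                    self.findings.append(Finding(node.lineno, name, ast.unparse(arg)))
        self.generic_visit(node)


def scan(source: str) -> list[Finding]:
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed sample: two true positives and one path that is clean because it is sanitized.
SAMPLE = '''
import os, shlex
user = request.args.get("name")
os.system("ls " + user)                       # tainted -> sink
safe = shlex.quote(user)
os.system("ls " + safe)                       # sanitized -> no finding
query = f"SELECT * FROM t WHERE n = '{user}'"
cursor.execute(query)                         # tainted via f-string -> sink
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: tainted expression {f.expr!r} reaches {f.sink}")
```

The same shape explains the false-positive and false-negative trade-off the brief mentions: the analyzer cannot tell whether an unlisted call actually sanitizes its input, so it propagates taint through it (a potential false positive), and it never sees data that flows through an unlisted source (a false negative).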

Dynamic application security testing: DAST tools test for vulnerabilities by interacting with
software in real time and looking for evidence that the attempted exploit is successful. DAST
scan engines often include some SAST functionality to enhance effectiveness, such as to
evaluate discovered JavaScript dependencies. DAST tools tend to have lower false-positive
rates but higher false-negative rates than SAST. The latter is largely due to the challenge of
achieving adequate code coverage with DAST, which involves exercising all functionality — or
functionality in the right sequence — in the underlying application code.

Interactive application security testing: IAST tools test for vulnerabilities by blending static and
dynamic analysis techniques through instrumentation of the running code. Some vendor
approaches also involve the use of software development kits (SDKs) or libraries embedded in
code. IAST products claim higher accuracy as well as lower false-positive and false-negative
rates due to deeper insight into the running code. However, they can be weak in the area of
client-side vulnerability detection, such as with document object model (DOM)-based cross-site
scripting (XSS), if they rely solely on server-side agents.

Mobile application security testing: MAST addresses the specialized requirements associated
with testing mobile applications, such as those that run on devices using iOS, Android or other
operating systems. These tools generally use traditional testing approaches (e.g., SAST and
DAST) that have been optimized to support languages and frameworks commonly used to
develop mobile and Internet of things (IoT) applications. They also test for vulnerabilities and
security issues unique to those environments.

Related Research

Structure Application Security Tools and Practices for DevSecOps

Web Application and API Protection

Back to top

Web application and API protection platforms (WAAPs) mitigate a broad range of runtime
attacks, notably the OWASP Top 10 for web application threats, automated threats and
specialized attacks on APIs. WAAPs are primarily used to protect internet-facing web
applications and APIs, and the majority are delivered as cloud services.

Key Component Characteristics

Denial of service (DoS) mitigation: This is a specific type of attack where the attacker’s goal is
to disrupt the availability of web applications or services. In particular, this attack category
covers volumetric attacks, which overwhelm network capabilities, and so-called “low and slow”
attacks, which overwhelm application or service resources. DoS attacks may be orchestrated in
a distributed manner (also called DDoS) to increase the impact on availability and mitigation
complexity. An important aspect of DDoS protection solutions is their capacity to handle
volumetric attacks. Volumetric attack protection is available as part of many solutions,
including content delivery networks (CDNs), cloud-based and appliance web application
firewalls (WAFs), and cloud scrubbing center (CSC) platforms. For application layer DoS attacks,
hardware or cloud-based WAFs with DoS capabilities can be an appropriate solution. Once the
attack ramps up to become volumetric and begins to overwhelm network links, a CDN or
external CSC is required.

Web application firewall: A solution for exploit protection and, in some cases, mitigation of
Layer 7 DoS attacks. These solutions should be considered when platform-based WAF is not an
option due to cost or capability. Example vendors include Akamai, Barracuda, Imperva, F5 and
Radware.

Bot mitigation: A solution that provides advanced capabilities across many types of
functionality abuse. These solutions are more capable in this area than the average platform or
WAF, which makes them a possible first choice or complement for abuse prevention.

API security: API security tools provide API threat protection, which is detecting and preventing
attacks on APIs. API security tools automatically learn what typical API usage looks like in your
environment so they can alert on suspicious activity, and they can discover unknown or
undocumented APIs.

Related Research

API Security Maturity Model

Protecting Web Applications and APIs From Exploits and Abuse

In-App Protection

Back to top

In-app protection solutions protect the application from within, rather than relying on external
tools. This allows development teams to create applications that can be deployed on end-user
devices, and enforce security policies to protect the data that is delivered through the
application.


Key Component Characteristics

Mobile: Mobile application security requires developers to consider how the application is
deployed on the mobile device, and how the mobile application will interact with the
corresponding web application or API. Mobile applications can be protected using mobile
application management, which enforces security policies in the application on the device to
provide authorization controls and protect the data consumed by the application. Another
method is to use mobile device management, which enforces security policies for the mobile
device itself to protect, or restrict access to the application.

Browser: Applications that are delivered through an end user's web browser must use TLS
(certificate-based encryption) to protect data in transit, and employ security controls that are
available in the browser to reduce the risk of compromise. However, because these client-side
controls can be disabled by an attacker, back-end systems need to enforce session timeouts and
other server-side methods to minimize the risk of data exposure.

Internet of Things: IoT devices are typically stand-alone and self-contained. They frequently rely
on embedded systems that are not easily patched or maintained. These devices are often small,
and are at risk of being lost or stolen. Security considerations for IoT devices include access
control and encryption. Strong authentication is necessary to defend against stolen devices that
are being used by an attacker to gain access to back-end systems and data. Encryption is
required to protect data if the device is stolen. Another consideration is data integrity if an
attacker manipulates the device to provide erroneous results.

API Gateway

Back to top

An API gateway applies access policies to control access to APIs and services. It provides a
decoupling mechanism between API consumers and service implementation.

An API gateway is typically implemented as a reverse proxy with an extensible request-
processing pipeline that allows API-centric policy definitions to be applied to inbound and
outbound requests. API gateways commonly support policies such as:

Access management (authentication and authorization)

Traffic management (quotas and rate limiting)

Request routing and caching

Request and response validation

Payload filtering or transformation

Basic security checks


As a concentration point for API access, an API gateway can also collect API usage logs and
metrics for use in analytics, observability and API security monitoring.

API gateways are most commonly associated with REST APIs, but some can support policy
enforcement for GraphQL APIs, WebSocket, gRPC, SOAP and other protocols.
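The following added Python sketch (not code from this brief or from any product listed below) shows what the "extensible request-processing pipeline" amounts to: an ordered chain of pre-filters that can short-circuit a request (API-key authentication, a per-client rate limit, request validation against a route table) and a post-filter that rewrites the upstream response (stripping a header that leaks the backend's version). The API keys, route table and limits are assumed policy values held outside the gateway code, and the upstream is a constructed in-process function.

```python
from __future__ import annotations

import time
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Request:
    method: str
    path: str
    headers: dict[str, str]
    body: dict = field(default_factory=dict)
    client_id: Optional[str] = None  # filled in by the authentication filter


@dataclass
class Response:
    status: int
    body: dict
    headers: dict[str, str] = field(default_factory=dict)


# Assumed policy configuration. In a real gateway this is external configuration so
# policies can change without redeploying the gateway itself.
API_KEYS = {"key-alice-123": "alice", "key-bob-456": "bob"}
ROUTES = {"/orders": ({"POST"}, {"sku", "qty"})}  # path -> (allowed methods, required fields)
RATE_LIMIT = (3, 60)                               # requests per window, window in seconds

PreFilter = Callable[[Request], Optional[Response]]  # returning a Response short-circuits
PostFilter = Callable[[Request, Response], Response]


class RateLimiter:
    """Fixed-window counter per client; the clock is injectable so tests can move time."""

    def __init__(self, limit: int, window: int, clock: Callable[[], float] = time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.windows: dict[str, tuple[float, int]] = {}

    def allow(self, client: str) -> bool:
        now = self.clock()
        start, count = self.windows.get(client, (now, 0))
        if now - start >= self.window:
            start, count = now, 0  # window expired, start a fresh one
        if count >= self.limit:
            return False
        self.windows[client] = (start, count + 1)
        return True


def authenticate(req: Request) -> Optional[Response]:
    client = API_KEYS.get(req.headers.get("x-api-key", ""))
    if client is None:
        return Response(401, {"error": "unauthenticated"})
    req.client_id = client
    return None


def validate(req: Request) -> Optional[Response]:
    route = ROUTES.get(req.path)
    if route is None:
        return Response(404, {"error": "no such route"})
    methods, required = route
    if req.method not in methods:
        return Response(405, {"error": "method not allowed"})
    missing = sorted(required - set(req.body))
    if missing:
        return Response(400, {"error": "missing fields", "fields": missing})
    return None


def strip_server_header(req: Request, resp: Response) -> Response:
    resp.headers.pop("server", None)  # do not leak upstream stack details to clients
    return resp


class Gateway:
    def __init__(self, upstream: Callable[[Request], Response], limiter: RateLimiter):
        self.upstream = upstream
        self.limiter = limiter
        # Order matters: authenticate first so the rate limit keys on a verified identity.
        self.pre: list[PreFilter] = [authenticate, self.rate_limit, validate]
        self.post: list[PostFilter] = [strip_server_header]

    def rate_limit(self, req: Request) -> Optional[Response]:
        if not self.limiter.allow(req.client_id):
            return Response(429, {"error": "rate limited"})
        return None

    def handle(self, req: Request) -> Response:
        for pre in self.pre:
            early = pre(req)
            if early is not None:
                return early  # rejected by policy; the upstream never sees the request
        resp = self.upstream(req)
        for post in self.post:
            resp = post(req, resp)
        return resp


def orders_upstream(req: Request) -> Response:
    """Constructed backend: creates the order and carelessly advertises its version."""
    return Response(201, {"client": req.client_id, "order": req.body}, {"server": "orders-svc/1.2"})


if __name__ == "__main__":
    gw = Gateway(orders_upstream, RateLimiter(*RATE_LIMIT))
    req = Request("POST", "/orders", {"x-api-key": "key-alice-123"}, {"sku": "A1", "qty": 2})
    print(gw.handle(req))
```

Note that a request rejected by validation still consumes a rate-limit token, because the limiter runs before validation; that ordering is deliberate, since malformed requests are exactly what an abusive client sends in volume.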

Example Technologies

The following are technologies that provide API gateway functionality:

Akamai API Gateway

Apache APISIX

AWS Amazon API Gateway

Axway Amplify Platform

Google Apigee

Google Cloud API Gateway

Gravitee.io

IBM API Connect

Kong Konnect

KrakenD

MuleSoft Universal API Management

Microsoft Azure API Management

Solo.io Gloo Gateway

Software AG webMethods API Gateway

Spring Cloud Gateway

TIBCO Cloud API Management

Tyk Gateway

WSO2 API Manager

Key Component Characteristics

An API gateway has the following characteristics:


It must operate as a proxy that intercepts traffic to and from an API and enforces policies. It
should provide an extensible mechanism to define and implement pre- and postprocessing
filters.

Policy definitions must be defined in external configuration to enable policy updates
independently of infrastructure or deployment changes.

The API gateway should provide a resilient and scalable deployment, commonly behind load-
balancing infrastructure.

The API gateway should enable developer-centric configuration and management through
integration into DevOps pipelines. Choose tools that encourage productivity for developers
who are both API providers and API consumers.

The API gateway should be optimized for the intended use case. For example, some
gateways provide a broad set of advanced mediation capabilities for managing B2B partner-
and customer-facing APIs supporting a variety of (often legacy) protocols. Lightweight API
gateways provide adequate policy controls for exposing backend for frontend APIs to
modern web and mobile applications, or internally exposed APIs implemented using
microservices architecture.

Related Research

Decision Point for Mediating API and Microservices Communication

Comparing Architectures for Hybrid and Multicloud API Management

How to Evaluate API Management Solutions

How to Deliver Sustainable APIs

Runtime Application Security

Back to top

Workload protection services are deployed for operational applications, and provide security
controls to detect and respond to attacks.

Key Component Characteristics

Runtime application self-protection (RASP): RASP offers high-accuracy attack mitigation,
especially for injection-type attacks, by virtue of its deep visibility into the application stack and
its instrumentation approach. It also scales and moves with applications through its integration
into the runtime environment (RTE) or instrumentation libraries, reducing some of the WAF
challenges, but not replacing WAFs outright for all capabilities.
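As an added illustration of why instrumentation gives RASP its accuracy against injection (this is not code from the brief or from any RASP product), the Python example below hooks query execution in the standard-library sqlite3 driver. The application registers each untrusted request value, and the hook refuses any statement in which such a value no longer fits inside a single SQL token, which is precisely what an injection payload does to the statement's structure; a WAF sitting in front of the application sees only the HTTP request and has to guess. The tokenizer, the taint registration and both lookup functions are constructed for the demo.

```python
from __future__ import annotations

import re
import sqlite3
from contextvars import ContextVar

# Untrusted values belonging to the current request. A real RASP agent populates this
# from the web framework's request object; here the application does it explicitly.
_tainted: ContextVar[tuple[str, ...]] = ContextVar("tainted", default=())

# Minimal SQL lexer (constructed for the demo). Every match is one token, so a value
# that lies entirely within one token cannot have changed the statement's structure.
_TOKEN = re.compile(
    r"""
    '(?:[^']|'')*'          |   # single-quoted string literal ('' escapes a quote)
    --[^\n]*                |   # line comment
    /\*.*?\*/               |   # block comment
    \d+(?:\.\d+)?           |   # number
    [A-Za-z_][A-Za-z0-9_]*  |   # identifier or keyword
    <>|<=|>=|!=|\S              # operators and punctuation
    """,
    re.VERBOSE | re.DOTALL,
)


class InjectionBlocked(Exception):
    pass


def spans_multiple_tokens(sql: str, value: str) -> bool:
    """True if some occurrence of `value` in `sql` is not contained within a single token."""
    if not value:
        return False
    tokens = [(m.start(), m.end()) for m in _TOKEN.finditer(sql)]
    start = sql.find(value)
    while start != -1:
        end = start + len(value)
        if not any(ts <= start and end <= te for ts, te in tokens):
            return True
        start = sql.find(value, start + 1)
    return False


class GuardedCursor(sqlite3.Cursor):
    """RASP hook: every statement is inspected before the database engine sees it."""

    def execute(self, sql, parameters=()):
        for value in _tainted.get():
            if spans_multiple_tokens(sql, value):
                raise InjectionBlocked(f"untrusted value {value!r} alters SQL structure")
        return super().execute(sql, parameters)


class GuardedConnection(sqlite3.Connection):
    def cursor(self, factory=None):
        return super().cursor(GuardedCursor)


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:", factory=GuardedConnection)
    cur = conn.cursor()
    cur.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    cur.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Constructed vulnerable code: builds the statement by string formatting."""
    _tainted.set((name,))
    cur = conn.cursor()
    cur.execute(f"SELECT id, name FROM users WHERE name = '{name}'")
    return cur.fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Hardened form: the value travels as a bound parameter, never inside the SQL text."""
    _tainted.set((name,))
    cur = conn.cursor()
    cur.execute("SELECT id, name FROM users WHERE name = ?", (name,))
    return cur.fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_user_vulnerable(db, "alice"))
    try:
        lookup_user_vulnerable(db, "' OR 1=1 --")
    except InjectionBlocked as exc:
        print("blocked:", exc)
    print(lookup_user_safe(db, "' OR 1=1 --"))
```

The parameterized lookup is never blocked, even with a hostile value, because the value does not appear in the SQL text at all; the hook therefore produces no false positives on correctly written code, which is the accuracy property the brief attributes to RASP.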

Cloud-Native Application Protection Platforms


Back to top

Cloud-native application protection platforms (CNAPPs) are an integrated set of security and
compliance capabilities designed to help secure and protect cloud-native applications across
development and production. CNAPPs consolidate a large number of previously siloed
capabilities, including container scanning, cloud security posture management (CSPM),
infrastructure as code (IaC) scanning, cloud infrastructure entitlements management and
runtime workload protection.

Comprehensively securing cloud-native applications has traditionally required multiple tools from
multiple vendors that are rarely well-integrated. This lack of integration and automation slows
developers down, fragments visibility of risk and creates friction. CNAPPs allow an
organization to use a single integrated offering to protect the entire life cycle of a cloud-native
application.

CNAPPs consolidate disparate, fragmented security testing and protection tools that increase
cost and complexity for IT. Using a CNAPP offering can improve the efficacy of both developers
and security professionals, and reduce complexity and cost while maintaining development
agility and improving the developer experience.

Example Technologies

Aqua Security

Check Point

Cisco

Data Theorem

DoSec XIAOYOU TECH (China only, containers only)

Lacework

Microsoft

Orca Security

Palo Alto Networks

Qualys

Rapid7

SafeDog (China only)

Sysdig

Tenable


Tencent Cloud (China only)

Tigera

Trend Micro

Wiz

Key Component Characteristics

CNAPPs include the following characteristics:

CSPM capabilities consolidated into a CNAPP give it the ability to continuously monitor,
assess and optimize the security configurations and compliance status of cloud
environments. CSPM allows automatic identification and remediation of cloud misconfigurations,
vulnerabilities and noncompliance issues in cloud infrastructure, providing enhanced visibility
and control over cloud resources. It can provide visualization and reporting mapped to
defined security frameworks and standards to support compliance, for example CIS
Benchmarks, NIST standards, PCI DSS, GDPR and HIPAA.

Kubernetes Security Posture Management (KSPM) brings tools that offer a comprehensive
approach to securing Kubernetes environments, focusing on assessing and maintaining the
security and compliance of Kubernetes clusters, workloads and configurations. It involves
continuous monitoring, detection and remediation of security risks, misconfigurations and
noncompliance issues in Kubernetes infrastructure. By integrating KSPM into the
development and deployment life cycle, organizations can ensure that their Kubernetes
environments adhere to best practices and standards, resulting in reduced vulnerabilities,
enhanced security and increased confidence in the deployment and management of
containerized applications.

Cloud infrastructure entitlement management (CIEM) provides insights into significant
identity events, examines audit data from identity systems, analyzes entitlements across
cloud providers and looks at key access events. The goal is to find threat behavior: chains
of entitlements that might breach policy (for example, separation of duties), overprivileged
administrators, or changes in behavior that indicate significant changes to the attack surface.

A cloud workload protection platform (CWPP) provides comprehensive protection against the
risks of workloads deployed in IaaS. Workloads themselves are becoming more challenging to
protect, and this trend will continue as more organizations move to container-based and
serverless deployments. Therefore, although a CWPP can typically provide general
protection, you should look at the capabilities of third-party tools to meet emerging workload
security requirements. This will help address both existing workloads and the organization's
future plans for workload deployment.

CNAPPs also:


Reduce the chance of misconfiguration, mistake or mismanagement as cloud-native
applications are rapidly developed, released into production and iterated.

Converge and reduce the number of tools and vendors involved in the continuous
integration/continuous delivery (CI/CD) pipeline.

Reduce the complexity and costs associated with creating secure and compliant cloud-native
applications.

Facilitate the reporting and auditing of cloud security posture/status.

Improve developer acceptance with security-scanning capabilities that seamlessly integrate
into their development pipelines and tooling.

Related Research

5 Ways CNAPP Will Improve Your Cloud Security

Guide to Cloud Security Concepts

How to Protect Your Clouds With CSPM, CWPP, CNAPP and CASB

Market Guide for Cloud-Native Application Protection Platforms

Key Architecture Principles and Patterns


The following architecture principles and patterns apply to the application security architecture:

Security must be pervasive: Security must be pervasive throughout the application life cycle.
Development teams need to take ownership of, and pride in, creating quality code.

Security is quality: Development teams need to treat security the same as quality. Product
teams are focused on creating and shipping the product. However, if security vulnerabilities
remain after deployment, they have not delivered a quality application.

Security by design is necessary: To create and deploy secure applications, development
teams must begin with threat modeling and secure coding practices. Just as functional
requirements are necessary to create a product that meets customer expectations, security
controls are necessary to protect the customer and their data.

Application security testing is an enabler: AST often creates friction between development
and security teams. Following the “security is quality” mindset, conducting security testing
throughout the development life cycle enables developers to catch and remediate security
vulnerabilities early in the process. This speeds time to deployment and can be an effective
teaching tool by showing the developers why common mistakes happen.

Workload protection mitigates vulnerabilities at runtime: Security is a continuous effort and
applications must be protected after they are deployed. Hosting platforms offer native
security controls that can help prevent or mitigate attacks. Other security tools can run on the
application server to detect attacks at runtime and provide a last line of defense for your
systems.

Key Architecture Recommendations

The following recommendations apply to the application security architecture:

Develop an application security program: Start by creating an application security program
within your organization. This sets the baseline by defining policies, assigning responsibility
and defining requirements that enable secure applications.

Follow DevSecOps practices: Even if your organization is not ready to move completely to a
DevSecOps model, you can implement the practices in your current model. For example, in a
waterfall process, require development teams to conduct SAST during development before
testing in preproduction.

Train security coaches and champions: This serves two purposes. First, the developers and
architects who become coaches learn and develop a security mindset, which leads to
improved code quality. Second, it gives the security team a direct point of contact that
understands the application and can help with triage of security vulnerabilities. Together, this
improves overall efficiency.

Incorporate threat modeling: Development teams need to think about the application and
consider how an attacker could abuse or take advantage of the feature or enhancement that
they are creating. Over time, this leads to security-conscious developers and improves the
quality.

Validate the code: Use AST tools to discover vulnerabilities. After the development teams
have remediated the defects, rescan to validate the fix. Tracking this over time can create
meaningful metrics to show the developers are making fewer mistakes and that the security
posture of the application portfolio is improving.

Protect the application: No application is completely secure and new exploits are discovered
all the time. Organizations must implement appropriate security controls from the advanced
security grouping to protect the applications and detect malicious actors.

© 2024 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc.
and its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior
written permission. It consists of the opinions of Gartner's research organization, which should not be construed
as statements of fact. While the information contained in this publication has been obtained from sources
believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such
information. Although Gartner research may address legal and financial issues, Gartner does not provide legal
or investment advice and its research should not be construed or used as such. Your access and use of this
publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and
objectivity. Its research is produced independently by its research organization without input or influence from
any third party. For further information, see "Guiding Principles on Independence and Objectivity." Gartner
research may not be used as input into or for the training or development of generative artificial intelligence,
machine learning, algorithms, software, or related technologies.
