My Observations from 2.5 Years of Deploying ASPM across enterprise organizations

What is ASPM? Application Security Posture Management isn’t a tool or simply a collection of tools. It’s a holistic process to measure, monitor and improve the security posture of an organization's internally-developed software assets. To learn more about ASPM, read this post.

‍
‍Since joining ArmorCode at the end of 2021, I’ve had the fortune to work directly with dozens of industry leading companies deploying ASPM and as I look back over the last 2.5 years, my observations boil down to three things:

1. Application Security Posture Management goes beyond Application Security Testing (AST) tools: Understanding the security posture of an application requires a comprehensive view from design to deployment - with a seperation of governance from scanners to avoid bias. To achieve this you need an ecosystem of tools to achieve a complete view of application security posture.
2. Managing Vulnerabilities and Findings by severity alone doesn’t scale: While severity-based prioritization is common, it often leads to an overwhelming backlog of security issues. Prioritization must be based on risk and consider factors like threat intelligence, business impact to efficiently manage security debt and focus efforts on the most impactful remediation actions.
3. AI is unlocking a new wave of automation and disruption: Automation has always been essential for effective application security programs, but the advent of AI introduces new possibilities for automating not just repetitive and mundane tasks but also cognitively intensive activities.

Let’s go into each of these in a little more detail...
‍

ASPM goes beyond Application Security Testing (AST) tools

To understand the posture of our applications we need to have the ‘complete’ view of the application from “design to deploy”—so let’s think about what sources we need to consider to achieve complete application security posture:

• How secure is the design? i.e. Threat modeling
• How secure is the underlying code? i.e. Static Application Security Testing (SAST)
• How secure are the open source dependencies? i.e. Software Composition Analysis (SCA)
• How secure is the supply chain, beyond the use of open source libraries? i.e. Software Bill of Materials (SBOM)
• How secure are my digital assets against targeted threats? i.e. Dynamic Application Security Testing (DAST), Pen Testing, Red Teaming
• How secure is the infrastructure? i.e. cloud, container and infrastructure as code (IaC) security testing … but don’t forget about vulnerability management for traditional endpoint/data server centric deployments … because most enterprise organizations are not 100% cloud!!
• How secure is the pipeline? Do I have all the controls in place? I.e. CI/CD posture management

Bottom line, it takes an ecosystem of tools to get a complete view of your application security posture, leveraging combinations from multiple vendors and open source. This ecosystem is further diversified by teams selecting ‘best of breed’ tools, organizations growing through acquisition where tools are already in place, or changes in toolchain driven by commercial or technical needs. 

This is where ArmorCode excels, with over 230 out-of-the-box integrations for everything from threat modeling and application security testing to cloud, container and vulnerability management—ArmorCode has by far the broadest ecosystem support. But it’s not only the number of integrations that matters. As there will always be another scanner, it’s also about how ArmorCode is able to rapidly expand the ecosystem. Two years ago at RSAC 2022 we announced that we had crossed over 100 integrations, and now we have more than double that number. This increase is in response to our community and the expanding ecosystem they are using to understand their application security posture.
‍

Managing Vulnerabilities and Findings by severity doesn’t scale

Everyone loves to use a new scanner. We find something that we didn’t know about before, we prioritize it, we fix it, we feel good about it. But very soon the number of new Findings starts to grow; new scanners, new applications being scanned, more releases to manage—and very soon our security backlog is too large to manage… and don’t forget we have to get back to ‘delivering new features’ to the business. 

This is where it all breaks down and the liability of critical and high severity ‘security debt’ just grows out of control (...with many losing all hope of addressing medium or low severity issues). The result is that we have unmanaged risk in production and ‘real vulnerabilities’ end up slipping through the cracks. As security and development leaders and practitioners, we have a responsibility to the business to burn down the security liability and do it in the most efficient way possible - and has driven ArmorCode’s advancements in risk scoring and correlation. 

All too often security teams prioritize efforts based on severity of a vulnerability or finding. However, this doesn’t take into account how ‘real’ the threat is or how impacting it is to the business. By combining severity, threat intelligence (such as exploit prediction) and business impact we can determine risk in a way that can unify teams and manage an active backlog of work that needs to be done (check out the blog Prioritizing Remediation Based on Risk)

Furthermore, by combining risk based prioritization with correlation, we can bring together findings from across tools to focus efforts on those remediation actions that will have the largest impact on the security debt and reduce the MTTR for vulnerabilities by more quickly locating the point of remediation.

Now development teams are no longer inundated with unnecessary escalations or multiple tickets for the same issue. And when an issue is escalated, the risk scoring gives the context why it is important. All leading to a more effective way of burning down the debt and responding to the threats that have real business impact. 
‍

AI is unlocking a new wave of automation and disruption

Automation has always been a key requirement for a high performing application security program, and represents a key set of capabilities within the ArmorCode platform; de-duplication of repeat findings, correlation of findings across tools, automating triage for similar findings, ticket creation, escalation and notification workflows.

Since the release of ChatGPT, AI started unlocking insights into how we can automate and streamline not just the mundane and repetitive tasks but also the cognitively intensive tasks such as root cause identification, triage classification and remediation.

The cybersecurity industry is only scratching the surface of how AI can be leveraged, but it is clear that to successfully apply AI in a meaningful way you need three things: volume, variety and validation. For ArmorCode that translates to:

1. Volume: >6 billion findings processed
2. Variety: 230+ integrations across every scan type
3. Validation: used by over 1500 security professionals supporting over 75k developers

These are what has driven our last innovation, AI Correlation, the first in a suite of AI-powered capabilities that we will be introducing over the next 12 months. By leveraging data fusion, AI Correlation is helping teams reduce risk and MTTR by correlating SAST with DAST, Container security with SCA, CSPM with IaC and more (check out our recent podcast episode where I talk about Unlocking Cross-Tool Correlation with Next-Gen ASPM).
‍

Take the next step

Explore out our whitepaper 3 Mandatory Steps to Mature your AppSec Program Today to learn more about how to mature your Application Security program, or request a demo to see how ArmorCode can help.