[00:00:00] Mark Lambert: Hi and welcome to Let's Talk Software Security. My name is Mark Lambert, Chief Product Officer here at ArmorCode, and I'm joined by Rohan Parakh. How are we doing, Rohan? I'm doing good, Mark. How about you? Very good. So Rohan, you're new to the show. So go ahead. Let's go ahead and introduce yourself to the audience.
[00:00:17] Rohan Parakh: My name is Rohan Parakh, Director of Product Management here at ArmorCode, about six months here. I'm in California as well, just like Mark, but in a slightly different location, where the weather is less pleasant than it is for Mark. I come from an AppSec and security background. You know, I started my career looking at bugs, security bugs being assigned to me, and having no clue about how to deal with those.
And that kind of generated a lot of interest and anxiety in me. And then I moved to work for system integrators who were doing vulnerability management, companies that were literally doing pen testing for customers, for application firewalls, endpoint security. And then, of course, spending a lot of time in the field as a solution architect and pre-sales engineer, I kind of moved into a product management role in the same space, and great to be here.
Great to be in the game now with the ArmorCode team.
[00:01:13] Mark Lambert: Yeah. Yeah. Only six months feels like six years, right? This is startup life, and you know, a lot of great things that we're doing within the community. And one of the things about this podcast is we really get to talk about the things that we see and we experience working with the community members that are part of the ArmorCode community, and one of those things is obviously application security posture management.
This is like a big movement in the industry right now. You know, our traditional approach to application security just doesn't scale to the modern DevSecOps world where we've got cloud, containers, microservices, high-release agile iterations. The volume of data is just overwhelming, folks.
Now we also then start looking at, well, what's the initiative that's driving this? And it's DevSecOps. Now, infrastructure delivery is different, right? So now we've got traditional vulnerability management being impacted because the vulnerabilities are no longer just in the operating system, they're in the applications.
And how do we respond? So we've seen very clearly that these two worlds are coming together. And application security posture management is the emerging approach to address these challenges. So I know, Rohan, you've been in application security for a number of years now, right? What have you seen as the trends that have been pushing organizations towards this?
[00:02:39] Rohan Parakh: As you say, right, the type of vulnerabilities, the type of assessments that you would do in any organization, that has expanded drastically. So that means you have a variety of scan types coming in and an even greater number of vulnerabilities coming in, right? And I remember even back then, 10 years back, when I was working with pen testers.
They would find 10, 20 vulnerabilities in a product, but now that is exponentially higher because that's not just pen testing. You're doing SCA, you're doing SAST, DAST, IAST, and whatnot. More importantly, all organizations are becoming product organizations today, right? Even a financial company has its own technology product.
So product security is again becoming an important aspect, because you are no longer only limited to the security of software that you are using, but you're also focusing on the security of the software that you are going to deliver to your customers. So the scope expands drastically, and I think that's where there is a strong need for platforms like an ASPM, where an organization can look at things in a more holistic and consolidated manner and look at the technology risks that they are exposed to.
[00:03:47] Mark Lambert: Yeah. Yeah. And that definition of, you know, the A in ASPM, what's the definition of the application, right? The application is obviously the code you're developing. It's the infrastructure that that application is deployed upon. So now this is where the vulnerability management stuff starts coming in.
So really, you know, modern vulnerability management really needs to take an application security focus, which is why it kind of rolls up underneath the ASPM umbrella. And then the third leg of the stool is software supply chain. So it's the software that you are using within the software that you're also developing.
So obviously open source is the obvious one there. SCA, software composition analysis, is going to help us there. But it's also commercial software that we are using as part of our delivery. APIs: what's behind those APIs? This is where the SBOM comes in. It's also business continuity software. You know, are you using Salesforce in your organization?
Where are you managing your customer data? Where are you managing your critical business data? And how do you understand your security posture of those applications as well? Right. It all rolls together under this overall umbrella. The challenge that I also see is, now we've got so much data, what do we fix first?
So, you know, I know we've been talking about that and we're talking about risk and what have you. What have you seen as being the key things that drive that prioritization, and the things that an organization needs to be able to do so that they can get visibility and prioritize the appropriate work?
[00:05:16] Rohan Parakh: The two things that we have seen very commonly, right, and as we talk to our customers also, one is what's the real impact of a particular vulnerability, right? And it could be a CVE that's just coming along, just announced, or probably still on the dark web, a zero day, or it could be a misconfiguration in your environment, or it could be a risk that an external third party might bring up because you are using some of their services.
So what kind of impact can these have? And the second is what kind of assets you are protecting, right? Because depending on the criticality of assets, if it is your most critical business application, that becomes super important when it comes to prioritization. So more and more, what we see is a combination of these two things.
Which should be used by product security teams as well as application security teams in any organization to be able to help them prioritize, because that gives them a much more focused approach, and as a result also helps the developers, the people who actually have to go and fix those vulnerabilities, and it's not a small number, right?
It's huge most of the time. So it's always better to kind of look at what works best.
[00:06:27] Mark Lambert: Yeah, definitely. We've been, you know, seeing this switch, right, from a severity-oriented prioritization, where I'm gonna fix my criticals, to a risk-oriented prioritization. Really, I'm gonna fix those things that are critical, that are representing a bigger technical risk.
Right? So you reference CVEs that are exploited or have an EPSS score, meaning that the probability of exploit is higher. With the business context of how important is that to my organization. Those two things together kind of have to come together. And it's really where bringing the data from vulnerability management and from the application security together into one process really kind of helps you provide that bigger visibility.
Now, the other component that I see as well is obviously it's driven by this proliferation of tools, right? You've got more and more tools. So how do I put this governance layer, which in essence is what ASPM is providing, a governance layer that sits on top of this tool ecosystem? And, you know, the thing that I am constantly amazed with, I mean, when I joined ArmorCode two years ago, we had 60 integrations with security tools.
We just tipped over to over 210, 216 to be specific, integrations today. That's an insane volume of tools, right? What, why do we have so many of these tools out there, Rohan? I mean, what is driving this disparity in the tool ecosystem?
[00:07:57] Rohan Parakh: And it doesn't slow down as well, right? You know, just when we thought that, you know, I think we have good coverage, there are more.
So there are two things, right? One is, how can you kind of become better at identifying vulnerabilities, right? The tools in the tool ecosystem are also trying to bring in advances which can help get more focus and get more coverage as well. There is a separate track of the open source community, right?
Which is where a lot of these tools are coming in. And what we have realized is most mature organizations have spent time in finding out which tool works best in their environment, in the language frameworks, in the way they develop applications, in the way they deploy those applications. So a lot of AppSec leadership that we have spoken to, right?
[00:08:41] Rohan Parakh: Realize that it takes some time for them to understand what's the best in breed that works for them. It takes some time for them to be able to go on and tune those tools so that they work in the best manner for them. So the proliferation is essentially driven by demand, because there's a demand like anything else in the economy, right?
There is a demand for having better tools, and organizations have been able to find tools which work best for them, and not every tool works for every organization, and that's why you see a proliferation of tools in the same category also. And with the technology advances and the kind of threats that are there, I think we'll continue to see that. And the expertise of finding, let's say, a dependency-related vulnerability, the expertise of finding a first-party code-related vulnerability, the expertise of finding a vulnerability in a third party's software,
will always remain with these tool providers, and they have developed these over years, right? So we cannot discount that.
[00:09:38] Mark Lambert: Yeah, yeah. And you know, we need to dig deeper on this subject, because really this is a key component as to how you orchestrate this and how you put the governance on top of all of this in an ASPM solution.
But I just looked at the clock. We've gone pretty long on this one. So let's go ahead and press pause. And then we'll pick up the conversation in the next episode, and we'll go deeper into this tool ecosystem and how you can build an ASPM program and really get a handle on your application security with this highly diverse tool ecosystem.
So with that being said, thanks very much for watching. Click like, subscribe, check out the show notes. We're going to have links to Gartner research as well as the State of Application Security report that we put out last year. There's data in there which talks about exactly this best-of-breed approach.
Rohan, thanks very much. I'll see you on the next podcast. See you next time. Thank you.