[00:00:00] Mark Lambert: Hi, and welcome to Let's Talk Software Security. My name is Mark Lambert, Chief Product Officer here at ArmorCode, and I'm joined by Rohan Parikh, who is our Director of Product Management here at ArmorCode. How are we doing, Rohan?
[00:00:10] Rohan Parakh: Doing good, Mark. How about you?
[00:00:12] Mark Lambert: Awesome. Fantastic as ever. So, last episode, we talked about ASPM.
We talked about how ASPM is really driven through the DevSecOps initiatives where we've got agile, microservices, open source, cloud, containers, accelerated software deliveries, just driving this massive volume of data that's overwhelming everybody. We talked about how vulnerability management is rolling up underneath application security, or should I say, modern vulnerability management is, because we've moved away from a model where vulnerability management is managing vulnerabilities in an operating system to really managing vulnerabilities that are in an application as well as the operating system.
And the application ones? Guess what? They're the ones that are getting exploited the most. So bringing those two worlds together and putting a risk layer on top of that so we can make sure we prioritize our activities based upon not just the technical risk of a vulnerability, but also the business impact.
Now, where we left off was talking about how diverse this ecosystem is. We've got different tools for different purposes, organizations doing best-of-breed selection, literally hundreds of software security tools. So as we look at this, Rohan, right, an organization has a very diverse tool ecosystem.
How can ASPM help them manage that ecosystem and manage, you know, the process of making all of these tools work together?
[00:01:38] Rohan Parakh: Yeah, I remember you saying one day, right, process is king. And that's what essentially it boils down to, because all these tools essentially have to be able to go on and contribute to the processes that would result in the outcomes, the outcome being the risk reduction.
And these findings that are generated by tools, right? They are going to touch so many personas, so many individuals in a typical organization: AppSec, the vulnerability management team, security engineers that would range from the application security team to the infrastructure team, endpoint security, and IT security systems. It would also touch development teams, teams that are going to go and fix or patch those findings, first-party or third-party teams that are going to coordinate with their vendors to get the patches for the third-party software that they might be using. Something as simple as a Microsoft patch that has to be rolled out on 20,000 servers or on a few hundred thousand endpoints in an environment, right? And it would also touch the respective business leaders, including the chief information security officer, because they are closely tracking the risk along with their peers on the business side as well.
So at the end of the day, it boils down to how do you make sure that these findings are not left in a way that you're not able to treat them, and they're just rolling up and showing red all over your reports, right? The goal is to go and fix them. And that involves a lot of processes: assigning the right findings to the right individuals, explaining the impact of those findings, categorizing those findings, and also translating that into work that a developer or an IT admin would understand. So all these processes essentially are enabled through a platform like ArmorCode, and the best part is it makes it so modular, because we spoke about how tools will get advanced, new tools and new technologies will come up, but you can always bring your own new tool, or a different tool, or a different type of tool into your ecosystem and plug it into the same processes so that it doesn't impact the overall operations on the AppSec and vulnerability management side on a day-to-day basis.
[00:03:47] Mark Lambert: Yeah, yeah. And you make a really good point there, which is that the tools that sit underneath that workflow and process are going to change.
You've got, you know, yes, of course you've got best of breed, but you've got specialization in specific categories. So, you know, with my background in SAST, we used to talk about how certain scanners were better for Java versus C++ versus .NET versus JavaScript, for example, because of the nature of those languages. So being able to optimize the tool and have that tool actually be the highest fidelity it can be, you know, organizations leveraging a portfolio of tools where they're able to improve the fidelity of an individual tool, is fantastic. But what we have to figure out is how do we have an inclusive ecosystem that can bring in vendors and providers from across the categories, as well as in the same category, potentially conflicting organizations, so that they can live within one inclusive ecosystem that allows you the flexibility to switch in and out the best-of-breed tools for the purpose that they need.
Support a workflow where you've grown organically, or inorganically through acquisition. So, you know, different teams are using different tools, or maybe you've got one tool that's better to provide SAST results quickly in the developer's IDE, versus something that's going to run on a long nightly job to do a deeper analysis.
But in the same category, excuse me, still could overcome in the cold. And how can I then build something on top of that that can really correlate them? And that's the key for an ASPM solution: it's being able to bring data in from across that ecosystem and correlate the data across those tools.
Because that's how you can reduce the amount of work that's going to the individuals, and how you can reduce the time that it takes to identify the point of remediation or the root cause. If I can correlate a container security finding with an SCA finding, or some infrastructure as code which is showing me where that library is used,
I can fix the problem much quicker than I can if you just give me kind of like an infrastructure scan. So it's like bringing this inclusive ecosystem together, separating the workflow, the governance layer that sits on top of these, so that you have an independent ecosystem that satisfies multiple personas and addresses that organizational challenge.
This has now got me thinking about the next thing, which is really kind of two-pronged. One of them is, hey, not everybody's a security tool. Sorry, not everybody's a cloud-native application. Many organizations are on that journey. How do we help them when we're talking about application security posture management, which a lot of folks kind of orient towards cloud native only? How do we help with that model?
And plus also, how does ASPM play within a governance practice, within, you know, a governance, compliance, or risk process? But we've talked for long enough. So let's press pause on that conversation. Let's come back to that in the next episode. So Rohan, thank you very much for joining me today. Really appreciate this time, as always.
Everybody else, thank you for joining us. Click like, subscribe, check out the show notes. We're going to include links to Gartner research on this topic area, but then also our State of AppSecOps survey that talks about this best-of-breed challenge and process being king that Rohan referenced.
So thanks very much. Stay safe. See you in the next episode. See you next time.