Asking the Right Questions About ASPM

Originally published by Dazz.

You may have heard this Gartner stat: 40% of organizations developing proprietary applications will adopt ASPM by 2026. In the next two years do you have a plan in place for adopting an ASPM solution? Noah Simon, Head of Product Marketing at Dazz recently hosted a session covering the top questions asked about ASPM. You can access the full video recording here – or catch up with the highlights below.

What is ASPM, and how has the definition changed?

ASPM (Application Security Posture Management) helps security teams understand, prioritize, and fix risks across custom-built applications. These are proprietary software applications that companies are building. ASPM used to be called Application Security Orchestration and Correlation (ASOC) – but teams realized that they needed the ability to do more than just orchestrate findings and correlate them. Now, teams have growing backlogs of issues and vulnerabilities, and there's a greater focus on actually fixing issues found in their custom-built software applications, rather than just correlating all the different alerts together.

What does an organization's security practice look like with and without an ASPM solution?

Most companies today are without ASPM—it’s a very new category and type of technology. Without ASPM, a lot of teams have siloed data. Many different tools are detecting issues across their applications. There's software composition analysis, SAST and DAST applications, security testing, and all these different application tools sometimes putting out incomplete, duplicative or conflicting data on the issues and security risks within your application. So that creates a lot of incomplete analysis, and duplicative work. And unfortunately, that's where many teams are today. That's just a function of how complex software has gotten and how complex software security has become in line with that. Now, ASPM really unifies that visibility. So you get that unified visibility across your apps, multiple points of context on any vulnerability or security issue. And ideally, you get the best path to remediate any specific issues. So that's what at a very high level an organization would look like with and without ASPM in place.

Who needs an ASPM solution?

Ultimately any company building proprietary software needs an ASPM solution. Some companies may instead heavily rely on SaaS solutions, third-party solutions, or platform as a service. However, if there's any need to build custom applications, either internally for employees or for serving customers (B2B or B2C), you're likely generating various risks in the application development process. You might already have tools in place, such as application security testing tools, to detect these risks. If so, you're probably a good fit for ASPM. Even if you have some tools in place, you're still likely a good fit for ASPM, given that these risks are multiplying each year. In 2023, we saw a record number of vulnerabilities disclosed and the same was true the year prior. If you're building custom applications and have detection tools in place to identify them – ASPM will help unify these detections, identify the best path forward, prioritize fixes, and measure the success of your fixes.

What key components should I look for?

• One crucial aspect is integrations. Applications aren't solely built and hosted on GitHub; they're also on CICD platforms and cloud infrastructure. Integrations should cover this entire development process and include security detection tools. This ensures comprehensive context not just on the code but also on where the application is built, deployed, tested, and used by customers.

• The second aspect is automated root cause analysis and triage, or automated triage capability. Previously, there was a market for Application Security Orchestration Correlation (ASOC), which unified security detections and findings across applications. While this was beneficial, what companies now require is not just unification, but also the ability to identify the root cause of issues amidst the noise, prioritize fixes, and determine the best solutions.

• Thirdly, actions to address these issues are crucial. These actions could involve automation, such as automatically fixing code and merging pull requests with suggested fixes for testing and potential deployment. Alternatively, they could entail assistive actions, such as creating tickets for the appropriate product owner or developer. These actions contribute significantly to time savings and provide benefits while reducing headaches across security and development teams.

• Considering AI's role is crucial. Gen AI offers valuable remediation suggestions. Seek ASPMs that effectively utilize AI now and in the future. Robust reporting is essential, especially for teams dealing with diverse data types and regulatory environments like PCI, HIPAA, SOC 2, or FedRAMP. Look for ASPMs with customizable, comprehensive reporting options.

These are just some of the key considerations to keep in mind.

Is it difficult to implement an ASPM solution? What’s involved?

The short answer is no. ASPM solutions are typically API-driven, facilitating integrations into existing solutions. These include source code management systems, CICD platforms, ticketing solutions, and application security testing tools, requiring three to four integrations to commence.

Some companies may encounter bureaucratic hurdles in setting up integrations, necessitating planning, sign-offs, and change management processes. However, typically, this initial setup suffices. ASPM entails three to four integrations, enabling an understanding of application security across the board. It's a straightforward way to begin, comparatively easier than many other technologies to implement.

What are the benefits of ASPM? What impact can you expect to see in the long term/short term?

Short-term: It enables better prioritization of issues within your applications. While detection tools excel at finding issues, not all detected issues need immediate attention. Some vulnerabilities may not be exploitable or may not affect external-facing applications. Consequently, a small percentage of detected issues may require fixing, and an even smaller percentage may be feasible for your team to address. Therefore, in the short term, ASPM facilitates effective prioritization based on correlation across applications and associated security risks. This understanding enables you to determine what needs immediate attention versus what can be deferred.

Long-term: The aim is to measure the results of prioritization and subsequent fixes. This involves assessing faster remediation times. As teams become accustomed to prioritization, they can autonomously address issues, leveraging the context provided by ASPM solutions. This empowerment streamlines processes for both security and development teams. Ideally, ASPM tools should be utilized by all teams involved, not solely the security team. They should facilitate developers, software engineers, and product owners in independently addressing application issues, minimizing the need for extensive coordination with security. While both teams collaborate on prioritization and SLAs, effective ASPM solutions offer comprehensive support for issue resolution, leading to significant reductions in resolution times.

Are ASPMs just bundled code scanners?

Numerous companies today market ASPM solutions. Some of these solutions bundle various code scanners. This bundling may suit companies lacking existing detection tools, providing a form of application security posture management. Without static or dynamic application security testing or data on supply chain risks, such solutions offer a means to manage application security risks when visibility is lacking. However, while many companies possess some form of detection tool, ASPM offers enhanced sense-making, noise reduction, and prioritization using existing detection tools.

This approach enables a transition from mere visibility into application security risks to understanding how to address and measure reduced risk effectively. ASPM involves more than bundling code scanners. It entails integration with established tools in the market, empowering customers to prioritize fixes over detections.

How is ASPM different from vulnerability prioritization tools?

This is an excellent question that we encounter frequently when engaging with various companies. There is indeed some overlap between them. Vulnerability prioritization tools essentially perform what ASPM does for applications but traditionally for IT on-premise assets. These tools ingest data from vulnerability detection tools, de-duplicate and correlate it, and ideally provide guidance on prioritizing remediation efforts. While some vulnerability prioritization tools integrate with application security testing tools, they often lack visibility into how applications are built and deployed in cloud infrastructure.

This distinction is crucial for effective application security posture management because understanding the context of application development and deployment is paramount. ASPM solutions provide insights into whether issues stem from the code itself or the cloud infrastructure. They achieve this by comprehensively mapping out the logic of code propagation across CI/CD pipelines, a capability that vulnerability prioritization tools typically lack.