Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Help shape the future of cloud security! Take our quick survey on SaaS Security and AI.

Building vs. Buying an ASPM Solution (And What We Can Learn from Raising Tamagotchis)

Home
Industry Insights
Building vs. Buying an ASPM Solution (And What We Can Learn from Raising Tamagotchis)

Blog Article Published: 08/21/2024

Originally published by Dazz.


Let’s travel back in time to the mid ‘90’s, shall we?

Tamagotchis—those adorable, electronic virtual pets—were introduced to the market in 1996 and absolutely exploded. In less than a year, Bandai had sold more than 10 million little e-critters, and to date, over 91 million units have been sold. They were the most entertaining, buzzy toy on the market for a while, but they caused a problem.

Some virtual pet owners reported having to check their pets every 20 minutes or so to maintain 100% happiness – from feeding them to playing with them to…marrying them off? (True story). Tamagotchis became so distracting and engrossing that some schools began banning them. Worst of all, kids (and adults) alike felt remorse, guilt, sadness, and a sense of failure if and when Tamagotchis were neglected and moved on to their keychain-sized mansions in the sky. What was once a fun project became a literal “burden in the hand” that siphoned away time, attention, and perhaps a level of sanity.

The allure of the Tamagotchi is clear, but in the end the conclusion is the same:

This sounded like a great idea at first, and now, not so much.

This is the sentiment many technology teams face when it comes to build vs. buy debates. Designing and building can be exciting, and may appear more cost effective for organizations with plentiful development resources. But maintaining it is not so fun—particularly when the solution isn’t productized and requires constant care and feeding to keep working.

When it comes to building an application security posture management (ASPM) solution in particular, we’ve heard a common theme: while some cybersecurity teams did make progress on visibility and prioritization with their home-grown solution, they ultimately fell short of driving a measurably improved remediation process.

So—how should you be thinking about building vs. buying an ASPM solution?


A Few Build vs. Buy Considerations

Data ingestion and quality

An ASPM platform needs to account for:

  • Data heterogeneity: every tool that knows about your environment describes it slightly differently. The ability to understand the differences in the data and how to normalize it requires a lot of time and expertise across each of these solutions.
  • Data quality: finding duplicates, missing values, and inconsistencies can eat up too much time. The right ASPM takes this problem off of the table.
  • Data storage: how long do you need to retain data? How far do you need to look back into vulnerabilities and issues? Storage costs can add up very quickly as you begin to unify historical data.
  • Data processing: high performance databases are needed to process large amounts of historical data - another significant cost to consider
  • API versioning and updates: your vendors are frequently changing APIs and data schemas. As they do, your modeling and DIY solution instantly breaks.

Questions to ask yourself around data if you’re thinking of building might include:

  1. How long will it take to build a framework to normalize data from disparate sources?
  2. Do you have necessary expertise across security and engineering teams?
  3. Once you’ve unified the data, how long will you need to test quality?
  4. How much data will be processed?
  5. How will you store the data?
  6. How will you handle vendor API changes, and do you have the resources available to dedicate to making those adjustments?


Actioning the data to reduce remediation time

Along with data ingestion and correlation, your platform should make the data actionable with the goal of shortening the time required to resolve issues effectively. And this is where many teams hit snags.

Root cause analysis gives you the ability to drill down into vulnerabilities at their core—and if you’re unable to do this at the code level and identify the owners who committed the code, you’ll miss the mark on having an ASPM solution in the first place: faster, more efficient, more permanent issue resolution.

If you’re looking to build, think about these questions as they pertain to data analysis:

  1. Can you build (and do you have the time to build) an automation to trace security alerts to their artifacts and introductory code?
  2. Do you have a framework to begin the process of data normalization?


Automated remediation

According to the CSA State of Security Remediation report, about 75% of organizations have security teams spending over 20% of their time performing manual tasks when addressing security alerts despite 83% reporting they use some kind of automation in their remediation process. You need automations that work and actually reduce the amount of time and effort required to address the most critical vulnerabilities.

Whether you build or buy, your ASPM solution will need to:

  • Automate code fixes when possible
  • Auto-assign owners to address flagged issues
  • Utilize custom logic to adjust SLA due dates and severity
  • Customize conditions to mark alerts as dismissed, deprioritized, or risk accepted


Visualization and reporting

Once your data is in a reliable state and is ready for action, you’ll still need to spend time building the right reports for pertinent stakeholders.

If you’re building, consider:

  1. What system will be used for reporting (and who your internal person with the knowledge of that system is)
  2. Whether special coding is needed to generate reports
  3. If dashboards will automatically update based on data received


Long term value and maintenance

And here’s where the Tamagatchi-esque feeding, caring, and nurturing comes in.

Even if a security team has successfully built an ASPM solution, many want to continue expanding on the capabilities they built initially to include prioritization, root-cause analysis, expanded integrations, automated workflows and visual dashboards and reports... but balancing the maintenance of the current capabilities while adding new complex capabilities is very costly and time consuming. Organizations that go down this path often end up with a less capable and far more expensive alternative with less availability and lower adoption.

Additional challenges to bear in mind include:

  • Technology changes: Switching out technologies utilized across security, dev, and infrastructure teams may require rebuilding elements like automations and data models. And, as previously mentioned, when vendor APIs change, someone will need to be a vigilant resource with the time to make changes.
  • Team changes: If the people who build the solution leave the company, they may take with them the tribal knowledge necessary to understand and maintain a custom solution.
  • Opportunity cost: What other initiatives could team members be actively pursuing if they weren’t tethered to system maintenance for the potential Frankenstein they’ve created?

To build or to buy depends on the solution under consideration, the criticality to the team, and the budget and resources required to make it happen, and naturally, the decision will be unique to the company and the situation. Just make sure that execution risk and costs involved are carefully weighed while making the choice to ensure you’re able to keep your important ASPM initiative alive and thriving, and keep you and your stakeholders happy.

Even a Tamagotchi could tell you that.

Cloud Security Services ManagementDevSecOpsEnhancing cloud security strategyRisk Management

Share this content on your favorite social network today!

Cloud Assurance
Related Resources
STAR
The industry's standard for security assurance in the cloud.
Cloud Controls Matrix & CAIQ v4
The standard cybersecurity control framework.
Trusted Cloud Provider
Demonstrate your commitment to holistic security.
Latest from CSA
Zero Trust Guiding Principles v1.1
Register for CSA's Global AI Symposium
CCZT: Now with Zero Trust Strategy
Trending This Week
#1 Top 10 Linux Server Hardening and Security Best Practices
#2 The Common Misconfigurations that Lead to Cloud Data Breaches
#3 The Implications of AI in Cybersecurity: A Transformative Journey
#4 The 6 Phases of Data Security
#5 9 Best Practices for Preventing Credential Stuffing Attacks
Level up with Cloud Infrastructure Security Training
Related Articles:
IDC Analyst Brief Findings: Trust Centers Can Help Organizations Save Time and Accelerate Sales

Published: 09/12/2024

What are OAuth Tokens, and Why are They Important to Secure?

Published: 09/12/2024

As Non-Human Identity Attacks Soar, Cloud Security Alliance and Astrix Security Reveal Critical Gaps in Non-Human Identity Protection

Published: 09/12/2024

7 Essential SaaS Security Best Practices

Published: 09/12/2024