The Rising Potential of Application Security Posture Management

You probably use numerous custom-built applications across your organization. Each one plays a unique role, and some are more critical to the business than others. The reality is that each application you deploy is another potential target for threat actors. One common proactive approach to application security is automated vulnerability scanning and testing, which aims to identify and remediate vulnerabilities before attackers discover them.

By using application security testing (AST) tools together with application security orchestration and correlation (ASOC) solutions, security teams can automate security testing and collect, streamline, and analyze vulnerability data at scale. But this method alone fails to recognize the bigger picture: applications today are more complex and interconnected than ever before. Especially in a large enterprise, tackling each vulnerability individually or within a limited scope can create cyber risk silos.

 

Introducing ASPM

To help improve the effectiveness and efficiency of application security, as well as lower the cost of services, Optiv recommends a more holistic approach that considers application security within the wider context of the organization’s environment. For larger enterprises with hundreds or thousands of applications and APIs hosted on-premises or in cloud workloads, we advocate for the adoption of an application security posture management (ASPM) methodology. By implementing an integrated solution that considers application security as part of a greater risk ecosystem, organizations can take advantage of enhanced remediation prioritization, centralized workflow management, and unified risk reporting. Security teams and key stakeholders will gain better visibility of application assets across the full technology stack, including custom-developed, commercial off-the-shelf (COTS), and SaaS applications spanning all lines of business.

 

In their “Innovation Insight for Application Security Posture Management” report published in May 2023, Gartner estimates that by 2026, "over 40% of organizations developing proprietary applications will adopt ASPM to more rapidly identify and resolve application security issues.” Optiv recognizes the same signals in the market. An increasing number of our clients are expressing an interest in folding application security vulnerability and remediation data into vulnerability and risk management platforms. Some Optiv clients have chosen to piece together their own proprietary ASPM systems and have indeed seen varying degrees of success. Others have tried and failed due to integration barriers, limits around scalability, or inflexible workflow and reporting capabilities. Many are coming to Optiv with desired outcomes that ASPM solutions deliver, but they simply do not know where to start.

 

ASPM solutions bring many benefits to the table, and one of the most relevant is their ability to enable “in the box” application risk management (i.e., within the platform, without exporting data to CSV files or other tools) for the entire organization. Because findings and remediation status are kept in one data layer that is refreshed as scans run and tickets change, ASPM platforms support a near-real-time view that lets defenders act sooner. That brings organizations one step closer to the goal of “continuous security.”

 

 

Analyzing ASPM Core Capabilities

Expanding upon what Gartner defines as the seven core capabilities of an ASPM solution, below are some operational aspects to consider for each capability:

 

“Coverage: Originally focused on application security testing in development, offerings now include data from operational environments (e.g., cloud platforms, containers, physical infrastructure).”

 

Many AST providers have expanded beyond standard dynamic (DAST) and static (SAST) testing to incorporate features such as software composition analysis (SCA), software supply chain intelligence, infrastructure as code (IaC) scanning, container security, and/or cloud infrastructure security. One value of ASPM platforms is that they can ingest and centrally aggregate all this data before enriching it with additional context. For example, factoring in telemetry from cyber threat intelligence (CTI) feeds and asset risk rankings from configuration management database (CMDB) platforms enriches the vulnerability data so that your organization can prioritize and align remediation efforts with real-world risk.

 

“Testing orchestration: The ability to integrate security tools across the application life cycle and control their operation based on organizational policies is essential.”

 

As many organizations reexamine not only their secure development processes but also the security of their development pipelines, it is critical that ASPM solutions account for the stages of each team’s software development life cycle (SDLC) and how development teams actually work. For example, the ASPM platform should be able to set remediation policies for the development environment separately from staging and production. An application in pre-release may warrant stricter policies than in earlier stages of development. This approach frees your developers to innovate and experiment with code and components earlier in the lifecycle without tripping production-grade gates.

Furthermore, as your organization implements security tools across the SDLC, their operation will typically be governed by testing policies, enforced either within the tools themselves or from within the ASPM platform. Deciding where scan policies are implemented and enforced at the technical level is important. For example, you may choose to implement security gates through automation features in other tools (a CI/CD pipeline, for instance). Assuming the ASPM solution can report on the outcome of these out-of-band orchestrations, you should still be able to attain the level of governance required.
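To make the per-environment policy idea concrete, here is an added example (not code from the original page or from any ASPM product) of a release gate that applies different thresholds in dev, staging and production and honors approved risk acceptances until they expire. The policy values, SLA windows, sample findings and the exception list are all constructed assumptions; a real deployment would pull them from the ASPM platform's policy store and its ticketing integration.

```python
"""Release gate that applies environment-specific remediation policies.

Added illustrative example; POLICIES, SLA windows and the sample
findings are constructed, not taken from any ASPM product.
"""
from dataclasses import dataclass
from datetime import date, timedelta

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    id: str
    severity: str              # low | medium | high | critical
    first_seen: date
    exploitable: bool = False  # set when reachability analysis or DAST confirms it


@dataclass
class GatePolicy:
    block_at: str              # lowest severity that blocks a promotion outright
    require_exploitable: bool  # only block outright when exploitability is shown
    sla_days: dict             # severity -> days a finding may stay open before blocking


# Looser early in the SDLC, stricter as code approaches production (constructed values).
POLICIES = {
    "dev": GatePolicy("critical", True, {"critical": 14}),
    "staging": GatePolicy("high", False, {"critical": 0, "high": 14, "medium": 45}),
    "prod": GatePolicy("medium", False, {"critical": 0, "high": 7, "medium": 30, "low": 90}),
}


def blocking_reason(finding, policy, today):
    """Return 'threshold', 'sla' or None for one finding under one policy."""
    over = SEVERITY_RANK[finding.severity] >= SEVERITY_RANK[policy.block_at]
    if over and (finding.exploitable or not policy.require_exploitable):
        return "threshold"
    # Below the outright line (or not yet shown exploitable): block once its SLA lapses.
    sla = policy.sla_days.get(finding.severity)
    if sla is not None and (today - finding.first_seen).days > sla:
        return "sla"
    return None


def evaluate_gate(env, findings, exceptions=None, today=None):
    """Return (passed, [(finding_id, reason), ...]) for promoting into `env`.

    `exceptions` maps a finding id to the expiry date of an approved risk
    acceptance; an expired acceptance no longer suppresses the finding.
    """
    policy = POLICIES[env]
    exceptions = exceptions or {}
    today = today or date.today()
    blocked = []
    for f in findings:
        if f.id in exceptions and exceptions[f.id] >= today:
            continue
        reason = blocking_reason(f, policy, today)
        if reason:
            blocked.append((f.id, reason))
    return (not blocked, blocked)


# Constructed sample data with a fixed "today" so the results are reproducible.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("SAST-101", "critical", SAMPLE_TODAY - timedelta(days=3)),
    Finding("SCA-202", "high", SAMPLE_TODAY - timedelta(days=20), exploitable=True),
    Finding("DAST-303", "medium", SAMPLE_TODAY - timedelta(days=40)),
    Finding("SAST-404", "low", SAMPLE_TODAY - timedelta(days=100)),
]
SAMPLE_EXCEPTIONS = {"SCA-202": SAMPLE_TODAY + timedelta(days=10)}  # approved, unexpired

if __name__ == "__main__":
    for env in POLICIES:
        passed, blocked = evaluate_gate(env, SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS, SAMPLE_TODAY)
        print(f"{env:8} {'PASS' if passed else 'BLOCK'} {blocked}")
```

With the sample data the same four findings pass the dev gate, block once in staging and three times in production. The `reason` value tells a developer whether a finding blocked on severity or because its SLA lapsed, which is exactly the information an ASPM platform should report back into the pipeline when the gate itself runs out of band.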

 

“Remediation: Includes both integration into workflow tools, such as trouble ticketing systems, and the provision of specific guidance on possible fixes.”

 

Integrating ASPM solutions with workflow tools and bug ticketing systems can be straightforward, but it requires a deep understanding of how fields from each data source should map to the ASPM platform’s data model. Relying on vendor support to work this out by trial and error can be time consuming and affect deployment timelines; pulling in expertise from a third-party service provider is usually more cost effective.

Additionally, an organization should define a strategy to normalize remediation guidance across multiple scanning tools. Fix recommendations from one tool may differ from another’s for the same issue, so it is important to decide up front which tool “wins” when guidance conflicts. An organization may also wish to incorporate a proprietary database of recommendations to provide more consistent, business-specific fix guidance.

 

“Correlation: While most tools perform one-to-one vulnerability correlation (of related findings across tools), they also increasingly group data related to application components in order to represent a complete application.”

 

Many application security vendors introduced correlation capabilities several years ago, and more recently these features have been marketed as backed by artificial intelligence. Though many tout proprietary next-generation features in this area, results tend to be limited and far from perfect. ASPM platforms can provide an additional layer of correlation to compensate for the weaknesses of a single scanning solution and to span multiple AST scanner sources. Linking a collection of APIs and/or sub-applications into higher-level assets can also add value from a workflow and reporting perspective.

 

“Prioritization and triage: Tools should offer the ability to prioritize those vulnerabilities that pose the greatest risk, based on risk factors provided by users or inferred from the application.”

 

ASPM solutions enable organizations to prioritize large volumes of vulnerabilities by adjusting or “normalizing” the risk ratings provided by scanning tools based on factors such as asset risk, compliance requirements, and other business context. The solution should support grouping and managing application security policies by business criticality, data sensitivity, product team, and other attributes. With ASPM platforms, one can suppress or deprioritize certain categories of findings to reduce the overall noise level. An organization should periodically review the results of such automated rules to ensure that prioritization remains sound and aligned with the risk management strategy.
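As an added example (not code from the original page or from any ASPM vendor) that ties together the remediation, correlation and prioritization points above, and the CMDB and CTI enrichment described under Coverage: the pipeline below ingests two constructed scanner payloads, one loosely SARIF-shaped for SAST and one in an invented vendor JSON format mixing DAST and SCA results, maps both onto one finding model, merges findings that describe the same weakness at the same location, picks remediation guidance by a fixed tool precedence, drops a known-noise category, and rescores each merged finding using asset criticality and data sensitivity plus a threat-intelligence flag. The payloads, asset attributes, weights, precedence order and the noise rule are all assumptions for illustration.

```python
"""Normalize, correlate and prioritize multi-scanner findings (added illustrative
example; payloads, asset context, weights and precedence are constructed)."""
from collections import defaultdict

# Constructed SAST output, loosely SARIF-shaped.
SAST_SARIF = {"runs": [{
    "tool": {"driver": {"name": "sast-tool"}},
    "results": [
        {"ruleId": "CWE-89", "level": "error",
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/orders/db.py"},
                                             "region": {"startLine": 42}}}],
         "fixes": [{"description": {"text": "Use parameterized queries"}}]},
        {"ruleId": "CWE-798", "level": "warning",
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures/creds.py"},
                                             "region": {"startLine": 3}}}],
         "fixes": []},
    ]}]}

# Constructed second feed in an invented vendor format, mixing DAST and SCA results.
VENDOR_FEED = [
    {"scanner": "dast-tool", "cwe": 89, "severity": "High", "app": "orders",
     "path": "src/orders/db.py", "line": 42, "remediation": "Validate input before building the query"},
    {"scanner": "sca-tool", "cwe": 502, "severity": "Critical", "app": "orders",
     "path": "requirements.txt", "line": None, "remediation": "Upgrade example-serializer to >=1.3.0"},
    {"scanner": "dast-tool", "cwe": 79, "severity": "Medium", "app": "wiki",
     "path": "https://wiki.example.internal/search", "line": None, "remediation": "Encode output in the search template"},
]

# Asset context an ASPM platform would pull from a CMDB, and a CTI flag (both constructed).
ASSETS = {"orders": {"criticality": "high", "data": "pci"}, "wiki": {"criticality": "low", "data": "public"}}
CTI_EXPLOITED_CWES = {502}  # weakness classes reported under active exploitation

SEVERITY_SCORE = {"low": 3.0, "medium": 5.0, "high": 7.5, "critical": 9.5}
SARIF_LEVEL = {"note": "low", "warning": "medium", "error": "high"}
GUIDANCE_PRECEDENCE = ["internal-kb", "sast-tool", "sca-tool", "dast-tool"]  # who "wins" on fix advice
CRITICALITY_ADJ = {"low": -1.0, "medium": 0.0, "high": 1.0}
DATA_ADJ = {"public": -0.5, "internal": 0.0, "pci": 1.0, "phi": 1.0}


def normalize_sarif(doc, app):
    """Map SARIF-style results onto the common finding model."""
    out = []
    for run in doc["runs"]:
        tool = run["tool"]["driver"]["name"]
        for r in run["results"]:
            loc = r["locations"][0]["physicalLocation"]
            out.append({"tool": tool, "app": app, "cwe": int(r["ruleId"].split("-")[1]),
                        "path": loc["artifactLocation"]["uri"], "line": loc["region"]["startLine"],
                        "severity": SARIF_LEVEL[r["level"]],
                        "guidance": r["fixes"][0]["description"]["text"] if r["fixes"] else None})
    return out


def normalize_vendor(items):
    """Map the invented vendor format onto the same model."""
    return [{"tool": i["scanner"], "app": i["app"], "cwe": i["cwe"], "path": i["path"],
             "line": i["line"], "severity": i["severity"].lower(), "guidance": i.get("remediation")}
            for i in items]


def correlate(findings):
    """Merge findings that report the same weakness at the same location."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["app"], f["cwe"], f["path"], f["line"])].append(f)
    merged = []
    for (app, cwe, path, line), members in groups.items():
        by_tool = {m["tool"]: m for m in members}
        # The first tool in the precedence list that offers guidance wins.
        guidance = next((by_tool[t]["guidance"] for t in GUIDANCE_PRECEDENCE
                         if t in by_tool and by_tool[t]["guidance"]), None)
        merged.append({"app": app, "cwe": cwe, "path": path, "line": line, "tools": sorted(by_tool),
                       "severity": max((m["severity"] for m in members), key=SEVERITY_SCORE.get),
                       "guidance": guidance})
    return merged


def prioritize(merged):
    """Rescore merged findings with asset context and CTI; suppress known noise."""
    ranked = []
    for m in merged:
        if m["path"].startswith("tests/"):  # noise rule: test fixtures never ship
            continue
        asset = ASSETS[m["app"]]
        score = SEVERITY_SCORE[m["severity"]] + CRITICALITY_ADJ[asset["criticality"]] + DATA_ADJ[asset["data"]]
        if m["cwe"] in CTI_EXPLOITED_CWES:
            score += 1.5
        ranked.append(dict(m, score=max(0.0, min(score, 10.0))))
    return sorted(ranked, key=lambda m: m["score"], reverse=True)


def run_pipeline():
    """Normalized findings from both feeds, correlated, then ranked for triage."""
    return prioritize(correlate(normalize_sarif(SAST_SARIF, "orders") + normalize_vendor(VENDOR_FEED)))


if __name__ == "__main__":
    for m in run_pipeline():
        print(f'{m["score"]:5.2f} CWE-{m["cwe"]} {m["app"]}:{m["path"]} via {"+".join(m["tools"])} -> {m["guidance"]}')
```

The SQL injection reported by both SAST and DAST collapses into one record carrying both tool names, with the SAST guidance winning by precedence; the deserialization issue in the PCI-scoped application rises to the top once the CTI flag is applied; the wiki XSS sinks because the asset is low criticality and public; and the hardcoded credential in a test fixture is suppressed by the noise rule. Periodically re-running the suppressed set is how you keep rules like that last one honest.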

 

“Root cause identification: By analyzing data from different application components, some tools can facilitate the identification of the root cause of a vulnerability.”

 

Static AST technologies are fairly effective at tracing a vulnerability back to its root cause. For example, software composition analysis tools reliably identify vulnerable open-source or third-party libraries present in code or artifact repositories, build images, and containers. Market-leading solutions go deeper and analyze code-level function calls to determine exploitability, since a vulnerable library is only a risk exposure when the application actually calls the affected code. This reachability correlation usually comes from SAST and SCA products of the same vendor. Some ASPM platforms extend this capability by correlating source vulnerability data from multiple vendors’ tools to identify root cause issues.
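The reachability check just described, as an added example (not the original page's code nor any vendor's): it parses a constructed Python module with the standard `ast` module, builds a name-based call graph, and reports whether the vulnerable library API named by an SCA finding is reachable from the application's entry points. The module source, the entry points and the vulnerable symbol `vulnlib.deserialize` are assumptions for illustration; real tools also resolve aliases, imports across files and dynamic dispatch, which this simplified walk does not.

```python
"""Name-based call-graph reachability for an SCA finding (added illustrative
example; the module source, entry points and vulnerable symbol are constructed)."""
import ast
from collections import deque

# Constructed application module. Only handle_upload reaches the vulnerable call;
# legacy_import also calls it but nothing routes requests to it.
APP_SOURCE = '''
import vulnlib

def parse_manifest(blob):
    return vulnlib.deserialize(blob)

def handle_upload(request):
    return parse_manifest(request.body)

def health():
    return "ok"

def legacy_import(path):
    with open(path, "rb") as fh:
        return vulnlib.deserialize(fh.read())
'''

# Hypothetical SCA output: the affected API of a vulnerable dependency.
VULNERABLE_SYMBOLS = {"vulnlib.deserialize"}
# Hypothetical HTTP entry points registered with the web framework.
ENTRY_POINTS = ["handle_upload", "health"]


def callee_name(call):
    """Dotted name of a Call's target (e.g. 'vulnlib.deserialize'), or None."""
    node, parts = call.func, []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None  # lambdas, subscripts, calls on call results: out of scope here


def build_call_graph(source):
    """Map each top-level function name to the set of names it calls."""
    graph = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            graph[node.name] = {callee_name(c) for c in ast.walk(node)
                                if isinstance(c, ast.Call) and callee_name(c)}
    return graph


def reachable_vulnerable_calls(graph, entry_points, vulnerable):
    """BFS from each entry point; return {symbol: call path} for symbols reached."""
    hits = {}
    for entry in entry_points:
        queue, seen = deque([(entry, [entry])]), {entry}
        while queue:
            fn, path = queue.popleft()
            for callee in graph.get(fn, ()):
                if callee in vulnerable and callee not in hits:
                    hits[callee] = path + [callee]
                if callee in graph and callee not in seen:
                    seen.add(callee)
                    queue.append((callee, path + [callee]))
    return hits


def classify(graph, entry_points, vulnerable):
    """Label each vulnerable symbol: reachable, present-but-unreached, or absent."""
    present = {c for callees in graph.values() for c in callees if c in vulnerable}
    hits = reachable_vulnerable_calls(graph, entry_points, vulnerable)
    return {s: "reachable" if s in hits else "present-but-unreached" if s in present else "absent"
            for s in vulnerable}


if __name__ == "__main__":
    g = build_call_graph(APP_SOURCE)
    print(reachable_vulnerable_calls(g, ENTRY_POINTS, VULNERABLE_SYMBOLS))
    print(classify(g, ["health"], VULNERABLE_SYMBOLS))
```

The returned call path (`handle_upload` to `parse_manifest` to `vulnlib.deserialize`) is what turns "vulnerable package present" into "exploitable from the upload endpoint", which is the distinction a prioritization rule should key on. The "present-but-unreached" label is deliberately not "safe": dead code gets revived, and the analysis is only as good as its view of entry points.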

 

“Risk management: ASPM tools frequently attempt to provide an overall risk indicator for components or applications.”

 

Obtaining meaningful risk indicators and scores per application, component, asset, and team is important to multiple stakeholders, including external partners. ASPM platform providers should recognize that no single risk metric covers everyone's needs. Risk, security, legal, and business owners should be consulted on the metrics they need, as well as on the process by which those metrics are produced and reviewed. For example, governance, risk and compliance (GRC) teams need visibility not only into the applications/teams that fall out of compliance from a vulnerability/remediation perspective, but also into whether teams are even performing the scans and testing required before releasing assets to production. This can become tricky because asset risk rating, major vs. minor version releases, and other factors must be considered, usually at a granular level.

 

 

Conclusions

With the current flux in the market, it is challenging to navigate and objectively compare one solution to the next. Pure ASOC solutions do not go far enough in feature and scope. Other platforms may appear to be more mature in their ASPM capabilities, yet they are limited in some way (e.g., only supporting cloud-native applications).

 

If you are interested in learning more about ASPM solutions, Optiv can help. See our resources below to learn more about Optiv’s collaboration with Brinqa and Checkmarx.

 

Additional Resources

 

Shawn Asmus
Practice Director, Application Security, CISSP, CCSP, OSCP
Shawn Asmus is a practice director with Optiv’s application security team. In this role he specializes in strategic and advanced AppSec program services and lends technical expertise where needed. Shawn has presented at a number of national, regional and local security seminars and conferences.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.