Application Security Posture Management (ASPM)
The ability to classify, mitigate and avoid risk in relation to applications remains a struggle for organizations of all sizes. Shift-Left has led to a lot of advantages and I would love to think it's had a huge impact on protecting the privacy of users as well as the intellectual property of corporations. Security isn't slowing down and neither are the various ways threat actors can capture and exploit information. This post focuses on the various ways I believe responsible security professionals should protect their resources by leveraging not only testing, but visibility. Application security has traditionally been hard to represent and explain to those who aren't familiar with core concepts.
As you are probably aware, posture management isn't exactly pretty, and this is no exception. As of 2024, ASPM is very much still being defined by those attempting to sell the feature set. As with most trends, a lot of existing companies who have provided coverage elsewhere within the security space are attempting to carve out their slice of the pie. This leads me onto my next thought... Will this flavor of posture management actually resolve development woes and mitigate risk? At this point, probably not, and depending on the flavor of ASPM adopted, development may in fact find yet another reason to resent security teams. However, posture management has overall helped the industry manage assets and maintain levels of visibility not seen before. When it comes to globalized organizations or those heavy in mergers and acquisitions, these types of solutions are often seen as the best path forward... That's why I think ASPM providers who focus on 3rd party API ingestion and the normalization of the data reported will ultimately break away with majority market share. Taking what's already been paid for and enriching that information to help classify and prioritize organizational risk is huge.
Let's talk about the ultimate application security tool and what that looks like... The ability to provide visibility within a single dashboard from code to cloud is huge; just think about the number of possibilities it would open up for cross-team collaboration. Just to give you an idea, some coverage areas could include: Configurations (IaC), Compliance, SCA, SAST, DAST, CSPM, CNAPP, CIEM, EDR, SIEM, and even SOAR. Companies often invest in these technologies in a best-of-breed manner when taking security initiatives seriously. That said, companies often struggle to provide a simple way to present security data, and the impact each of these tools has, to executive leadership teams. As with all market trends, there are numerous ways to provide coverage depending on your organizational use cases. As with most of my posts, I've outlined a few options deemed worthy of exploration below.
Snyk is actively developing ASPM capabilities by leveraging the data they already have from years of client SCA, SAST, container and IDE coverage. The G2M (go-to-market) strategy here is focused on Shift-Left capabilities and is very development focused. Snyk acquired Enso, an AppSec-focused startup, back in 2023. You can read more about their ASPM approach, labelled AppRisk, here. It's also worth noting Snyk acquired Probely, a DAST startup, earlier this week. We'll have to wait and see what happens over time as the ecosystem that is Snyk continues to adopt new coverage capabilities.
Ox Security is a startup which brands itself as ASPM. The idea here is to provide a data lake experience which aims to correlate and classify findings across your entire IT ecosystem in order to prioritize risk and measure the impact of security teams. A lot of development work has been put into the normalization of 3rd party data and how it's represented within Ox. Ox will also test findings to eliminate false positives and even prioritize findings based on reachability. Just because those cloud provider CLI credentials are stored in plaintext and exist in a repo doesn't mean they're active and valid. You're able to onboard almost anything with an API into Ox, from your SCM provider to cloud container registries... the correlation it provides out of the box to build relational dependencies between 3rd party sources is something else entirely. Painting the whole picture is what Ox does best in my opinion. The number of ways Ox permits organizations to leverage and visualize application risk across the organization is unchallenged at the time of this writing.
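To make the ingestion, normalization and prioritization idea from the two paragraphs above concrete, here is a small added example of my own (not Ox's, Snyk's or any vendor's code): three constructed tool schemas (a SAST scanner, a secret scanner and a CSPM check) are mapped onto one common finding record, correlated by asset, and ranked so that unreachable code and unverified secrets sink below a confirmed-live credential or a public bucket. All tool names, field names and findings are constructed for illustration.

```python
from dataclasses import dataclass

SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}

@dataclass
class Finding:
    source: str      # tool that reported it
    asset: str       # repo or cloud resource it belongs to
    rule: str        # tool-agnostic category
    severity: str
    reachable: bool = True   # exposed code path / public resource
    validated: bool = True   # e.g. leaked credential confirmed live

def normalize(raw: dict) -> Finding:
    """Map each tool's own (constructed) schema onto the common record."""
    tool = raw["tool"]
    if tool == "sast":
        return Finding("sast", raw["repo"], raw["cwe"], raw["level"].lower(),
                       reachable=raw.get("reachable", True))
    if tool == "secrets":
        return Finding("secrets", raw["repo"], "hardcoded-credential", "critical",
                       validated=raw.get("active", False))
    if tool == "cspm":
        return Finding("cspm", raw["resource"], raw["check"], raw["risk"].lower(),
                       reachable=raw.get("public", False))
    raise ValueError(f"unknown tool schema: {tool}")

def score(f: Finding) -> int:
    """Severity first; demote unreachable code and unverified secrets."""
    s = SEVERITY[f.severity] * 10
    if not f.reachable:
        s -= 15
    if not f.validated:
        s -= 20
    return max(s, 0)

def prioritize(raw_findings: list) -> list:
    return sorted((normalize(r) for r in raw_findings), key=score, reverse=True)

def by_asset(findings: list) -> dict:
    """Correlate findings from different tools that hit the same asset."""
    groups = {}
    for f in findings:
        groups.setdefault(f.asset, []).append(f)
    return groups

SAMPLE = [  # constructed tool outputs, one per tool schema above
    {"tool": "sast", "repo": "payments-api", "cwe": "CWE-89", "level": "High", "reachable": False},
    {"tool": "secrets", "repo": "payments-api", "active": False},
    {"tool": "secrets", "repo": "infra-scripts", "active": True},
    {"tool": "cspm", "resource": "s3://billing-exports", "check": "public-bucket", "risk": "High", "public": True},
]
```

Running `prioritize(SAMPLE)` puts the live credential in infra-scripts first and the unreachable SQL injection finding last, while `by_asset` shows that payments-api has two tools reporting against it.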
Thanks for taking the time to read my scribbles. Hopefully you learned something new. Until next time!