Context a Cornerstone in Gartner’s Innovation Insight for ASPM

Originally posted on Medium: https://medium.com/@eric_sheridan/context-a-cornerstone-in-gartners-innovation-insight-for-aspm-55502b99ca9a 

Gartner’s got you covered:

“Application security posture management analyzes security signals across software development, deployment and operation to improve visibility, better manage vulnerabilities and enforce controls. Security leaders can use ASPM to improve application security efficacy and better manage risk.” – Gartner

Dale Gardner, Dionisio Zumerle, and Manjunath Bhat make some pretty significant observations and predictions, one of which is that over 40% of organizations developing proprietary applications will adopt ASPM by 2026.. That’s a pretty big jump in adoption rate from Gartner’s current estimate of 5%. The Innovation Insight further states that the scope of ASPM has recently broadened to include capabilities around environmental connectivity, workflow integration, root cause analysis, etc. are now considered core.

The Key to Application Security Posture Management is Context

Here’s the thing: once you finish reading the detailed writeup from Gartner and the slew of Product Marketing materials responding to said writeup (yes, I’m guilty here!), you’ll find that it all comes down to one… single… crucial… point: context. In our collective past experience in CISO, Product, Engineering, and Security leadership roles, we have found that you cannot “improve visibility, better manage vulnerabilities and enforce controls” without knowing the context around the assets and issues under your purview.

And you want to know something cool? We’re not the only ones who have realized this fact. Forward thinking security teams adopting such ASPM solutions are leveraging this context to drive operational efficiency of security and often tend to fall into one or more of the following groups:

Tight Collaboration Between Development and Security

Organizations that have culturally embraced DevSecOps will have tight collaboration between development and security teams. These are organizations that speak a common language around the importance of application security to them and are actively seeking to co-develop preventative solutions based on technology stacks and services selected by software engineering teams. One possible conversation had by these teams is around the adoption of Static Application Security Testing (SAST) and Software Composition Analysis (SCA) technologies within the CI/CD process, which requires answering questions like:

• “What branches do we scan?”
• “Do we scan each and every PR?”
• “Under what conditions do we reject the PR and fail the build, if at all?”
• and more…

Now, looking at these questions, which of them could be solved by simply aggregating vulnerability data from different security tools into a single dashboard? None, of course! Implementing these preventative security controls requires integration into source code management systems and the context thereof. Modern ASPM solutions enable you to efficiently obtain the context necessary to answer these questions. With an ASPM, you can write a policy that ensures each and every source code repository is configured in accordance with whatever you and the software engineering team agreed upon in regards to running SAST and SCA tools. Done right, ASPM actually helps increase the collaboration between software and security engineering over time.

Abundance of Different Security Tools Used by Different Teams

For varying reasons, some security teams encourage their software engineering teams to take greater ownership of security tooling, offering them guidance instead of a prescription. This can often lead to the adoption of many different security tools for many different purposes, and it can be hard to wrap your head around what’s going on. After you provide everyone guidance, you’ll soon start asking yourself questions like:

• “Is everyone actually using SAST/DAST/IAST/SCA?”
• “Are they fixing vulnerabilities in the agreed upon timeline?”
• “Why are some teams seemingly more successful than others?”
• and more…

Playing Sherlock Holmes trying to uncover the path taken by each team or department is simply not tenable. If you’re looking to obtain a consolidated view of overall application security status, you turn to your ASPM platform. An ASPM platform provides the context necessary for identifying security related tooling and configurations across these teams along with their overall performance. With a context-aware ASPM, security teams are able to better identify those engineering teams that are successful and those that need a bit more help in producing more secure software.

Product Focused Dev Teams that Own the Entire Stack

Many Dev teams take a “product-focused” approach to software development, where the team owns the entire stack, top to bottom – including application security. The complexity associated with the diversity of software development technologies has now infiltrated infrastructure, thanks to cloud computing and technologies such as containers, Kubernetes, Infrastructure-as-Code, and more. In this world, the idea of a standardized infrastructure or set of frameworks simply does not exist. Each product-focused team effectively does their own thing, with guidance from security engineering along the way. How do you get visibility into the application security posture in an environment like this, where every team could theoretically be doing and using something different? ASPM platforms provide such context and subsequent visibility via aggregation and consolidation of security relevant data from the integrations with many different types of technologies. In fact, according to Gartner’s Innovation Insight, integrations with Source Code Management, Infrastructure as Code, and Cloud Configuration are now a core requirement of today’s ASPM platforms.

Simply put, you cannot achieve the goals of ASPM without having context. With the pace in which software is produced, you need context to make sure you’re making well informed and educated decisions about risk. So…what ASPM platform are you using?