I’m ASPM, You’re ASPM… We’re All ASPM!

There is no doubt in my mind that ASPM is an absolute must for Product and Application Security teams to efficiently operationalize the remediation of vulnerabilities at scale… and it seems I’m not the only one.

While I’m not an Oprah fan (no disrespect Oprah! I’m just not your audience), I do feel as though I’ve been experiencing one of her memes on a daily basis. The meme stems from the phrase: “you get a car, and you get a car… everyone gets a car!”, where “car” is often replaced with a word or phrase of a satirical nature. For me, it’s been more like this:

Source: https://imgflip.com/i/7v0yme

I’m noticing marketing teams from a variety of technology companies throwing the ASPM acronym on their list of buzz phrases to be referenced in social media posts to maximize impressions. In some cases, it’s similar to what I used to (and still) see from Application Security Testing (AST) providers in reference to the OWASP Top Ten. The conversation often goes something like this:

[MARKETING] We test for everything in the OWASP Top Ten!
[ME] Cool! So how are you testing for “Broken Access Control” or “Insecure Design”?
[MARKETING] We look at the CORS HTTP Header!
[ME] Even if we’re using Protobuf over Kafka?
[MARKETING] Of course! We’re comprehensive.
[ME] Any other tests?
[MARKETING] Of course! We also test for Cross-Site Scripting!
[ME] … got it.

This illustrates a common pattern I see among marketing teams; that is, claiming the ability to support the totality of an industry recognized standard even though the product can only do one thing in that standard. To my marketing friends out there – no judgment here, this is simply an observation. These teams face tremendous pressure to help products stand out in crowded and fast moving markets – not an easy task!

In response to this observation, I thought it would be helpful to call out some of the key capabilities of ASPM that differentiate it from the various other application, infrastructure, supply chain, and cloud security products out there. A couple months back, there was an incredibly well written and insightful article released by someone I met in front of the mirror the other day (link: https://tromzo.com/blog/context-a-cornerstone-in-gartner-s-innovation-insight-for-aspm). In it, the author conveys three things really well:

First, he quotes Gartner’s definition of ASPM from Gartner’s Innovation Insight for ASPM as follows:

“Application security posture management analyzes security signals across software development, deployment and operation to improve visibility, better manage vulnerabilities and enforce controls. Security leaders can use ASPM to improve application security efficacy and better manage risk.”
– Gartner

Second, he underscores the significance of context in driving the ROI of ASPM; correctly stating that “you cannot ‘improve visibility, better manage vulnerabilities and enforce controls’ (Gartner defined ASPM capabilities) without knowing the context around the assets and issues under your purview.”

Third, he summarizes three categories of product security teams that have led the way in driving operational efficiency using an ASPM: those that have tight collaboration with development teams, those managing an abundance of different tools across different teams, and those that work with product focused DEV teams owning the entire stack.

If you haven’t done so already, I encourage you to give it a look as it is quick and to the point. The reason I am referencing this article is that it places emphasis on the successful outcomes that teams can derive from the adoption of ASPM. Looking at these outcomes, we can better understand the capabilities and underlying context required to successfully deliver on such as solution:

1. The ability to aggregate security vulnerabilities across the entire product stack in a way that provides a collective and holistic view without impeding your ability to select, use and integrate the best in class security testing solutions the market can provide.
2. The ability to integrate with software and security technologies across the entire software supply chain and ecosystem, including those used to write software, build software, test software, deploy software, and consume software.
3. The ability to identify and automate the derivation of relationships between the various software and security technologies and produce relevant corresponding metadata.
4. The ability to express and overlay organizational as well as team specific security policies on top of the derived metadata.
5. The ability to derive actions and insights from this metadata that help prioritize and drive to remediation the most significant vulnerabilities.

That last bullet is probably the most important. Restated differently…

Application Security Posture Management solutions are designed to accelerate the triage and remediation of vulnerabilities representing the greatest risk to the organization at scale.
-Eric Sheridan (Tromzo)

Doing this effectively requires a tremendous amount of data, connectivity, analysis, and insight. Tromzo is steadfast and focused on delivering a best in class remediation ASPM solution, and this is how we’re doing it. In fact, we can deliver this value using your existing technology stack. We do not compete with the security testing solutions on the market today – and this is by design. We see our ability to “play nice” with all the best in class security testing solutions as being critical for the success of our customers; you have the freedom to select and adopt the technologies that work best for you. I cannot think of any other ASPM provider that can say the same.

So this is that time in the article where you take a moment for self reflection. Is what I’m building really an ASPM? Are we driving the operational effectiveness of remediation at scale? Or perhaps are we doing something else?

Anyway, I know my answer. Back to Oprah… whops, I meant Jerry Springer… wait, I meant… ahh forget it. You get the idea.

Sidebar: come talk ProdSec with me, and bring a chess board too! (link: https://tromzo.com/developers-and-security-are-friends-day)