Good Application Security Posture Management Requires Great Data

Good Application Security Posture Management Requires Great Data

Recently, the cybersecurity industry has been using the term 'security posture" to describe an organization's overall security and response readiness. We are witnessing the emergence and evolution of solutions that can aggregate findings and provide a holistic view of the security risks in your systems, networks, and applications.

Security posture can also be seen as a way to prioritize security work, helping you answer the question, "What should we work on next?" That answer needs to be based on understanding and balancing your security risks through analyzing in-context data and weighing the needed remediation effort involved.

But where will the needed data for these solutions come from? Does it require new scanners? Will you need a new evaluation plan to "rip and replace" existing tools? We don't believe so; ASPM is a new type of risk management tooling that can best be built on top of what already works for your enterprise.

ASPM

In May 2023, Gartner defined ASPM as the newest segment of the Security Posture management market. They define Application Security Posture Management as a system that "continuously manages application risk through collection, analysis, and prioritization of security issues across the software life cycle."

ASPM solutions surface issues with an application and help with your risk impact analysis, including data on any needed remediation processes. These issues include hardcoded secrets, unauthenticated APIs, unencrypted data flows, PII data issues, and multiple types of application vulnerabilities, among many others. This is a rapidly expanding market, with players including ArmorCode, Bionic (a CrowdStrike company), Cider Security (a Palo Alto Networks company), and Kondukto.

The components of ASPM as defined by Gartner

In addition, not a replacement

Every security professional wants a "single pane of glass" to look into and get every relevant test result, threat alert, and remediation workflow progress update they need to do their job securing the enterprise. Recently, James Berthoty, Security Engineer at PagerDuty, shared the following in his "WTF is ASPM" write-up:

"I don't know a single security professional who wouldn't be happy to drop all their old tools for a single better one if they didn't sacrifice useful features in the process." (emphasis mine)

The reality is that even if an 'all-in-one' security tool could outperform tools addressing specific security concerns, the sheer cost and political will needed to replace existing and working technology with a 'promising' new tool across the enterprise is a non-starter. Viewing any technology as a 'one size fits all' multitool is not generally a wise decision. ASPM should be seen as a new way to analyze all the existing data so you can make decisions on where you carry the most security risk at any given moment. The goal should be creating a prioritization plan that balances technology, business, legal, and operational risks. Based on your risk impact analysis, you can then engage with the rest of the enterprise.

Your security posture is only as good as your data

While ASPM solutions are not miracle cure-alls, they can provide a new level of value. When properly implemented, they have the potential to help improve overall security faster and more efficiently. But like any technology, there are some pitfalls you should be aware of that might make your shiny new tooling less than useful.

Rotting apple that looks fine on the outside.

False Positives

If every test from your security tools has a high noise-to-signal ratio, with a high volume of false alarms, then it will affect your ability to clearly understand what is happening. Further, if those tools and platforms generate untagged or unscored incident reports, then it is really hard to differentiate between critical and low-risk issues.

Unfortunately, we have seen the ASPM solutions attempting to replace all existing scanners are simply behind in accuracy tuning. While they will continue to improve, so too will the tools that have been fine-tuning their detection and validation engines for years.

False Negatives

The absence of an alarm does not necessarily mean everything is good; it might mean that you simply are not checking for the right things. Misconfigured tools can report a test as passing when it does not actually check for anything of concern. Thinking there are no problems can lead you not to notice a growing issue until it becomes disruptive and costly.

Solution complexity

Due to the nature of ASPM solutions, taking in data from multiple sources and scanners, there is an inherent complexity that comes with the approach. If you only manage one or two small applications, in the case of ASPM or CSPM, or just a small handful of SaaS solutions in the case of SSPM, then the costs outweigh the benefits. Not all organizations will get equal benefits from this approach.

GitGuardian gives you clean data reliably

GitGuardian is going to continue to do what we have done since 2017, focusing on code security and secrets sprawl as the best code security platform tuned for the DevOps generation. We believe in creating and evolving in-depth scanners and focusing on remediation to provide valuable data to ASPMs. We are proud to partner with multiple ASPMs to deliver the best results possible, including Snyk AppRisk, ArmorCode, and Kondukto.

GitGuardian can help you identify where secrets, such as API keys, passwords, and certificates, have leaked, no matter what your tech stack looks like. Even if you do not write custom code, GitGuardian Secrets Detection can help you scan log files and, now, even Slack for plaintext credentials leaks.

Remediation is key

ASPM strategies involve surfacing a remediation path for identified issues. The amount of effort it will take to fix an issue is a serious consideration when weighing various tasks in a triage list. If a fix takes moments to implement and it will reduce risk significantly, that is what you should tackle. If it will take weeks to fix but has lower risk, you might backlog that task for a future sprint.

Again, GitGuardian is here to help. We don't just show alerts or point out the problems; we focus on helping you fix any incidents you find, providing the premiere secrets remediation platform accessed through the GitGuardian Dashboard and API. Incidents can easily be assigned to the right team members with a quick click or API call. While other business risks might take more immediate precedence, having a rock-solid foundation for solving code security issues will help you evaluate your action plan for improving your security posture.

Ready for the risks ahead

The evolution of the security posture management market marks an evolution of the security industry. No longer can enterprises rely on unconnected sets of test results and massive security reports. Managing risks in the modern enterprise requires a more active and holistic approach.

Underneath any ASPM approach is the need for good data and a clear path to remediation. GitGuardian Secrets Detection is enterprise-tuned for high throughput scanning with the highest accuracy possible, no matter where your secrets leak. Our remediation coordination platform makes it easy to plan and track your response to these code security incidents.

No matter how you define risk, GitGuardian is there to help you reach your security goals.