5 Steps to Get Ahead and Stay Ahead of Application Vulnerabilities

A Risk-Based Approach to Managing Application Security

Note: This blog provides excerpts from a Security Guide recently published by AppSOC. Over the next few weeks, we will share posts summarizing each chapter of this guide, but the entire guide is available for free download at any time.

Managing and staying ahead of software vulnerabilities has always been a painful and never-ending process, fraught with data overload, painstaking manual processes, risky remediation steps filled with unintended consequences, and unrealistic expectations about what is possible, and how well you can manage risk.

The bad news is these problems are getting worse – much worse. With the explosion of application development, generative AI large language models, infrastructure as code, and rapid code-to-cloud deployment, on top of traditional security operations and new compliance mandates, many security teams are feeling overwhelmed, under-resourced, and often paralyzed by the constant onslaught of new events. Just keeping up with application security is challenging, and getting ahead of these problems can seem hopeless.

Gartner has defined a new solution category, Application Security Posture Management (ASPM), that addresses these challenges, and describes the problem as follows:

As applications become more complex, and with security tools and responsibilities spanning multiple groups, visibility into the overall security posture of applications becomes vastly more difficult to obtain. This complicates efforts to assess, measure, prioritize and respond to application risks.

Gartner, Inc., Innovation Insight for Application Security Posture Management, 2023

The Funnel Challenge

The simplest way to think about the task of managing vulnerabilities is to draw a funnel. At the top are all the raw vulnerabilities and security issues coming from your tools. For a typical medium-sized security team, this can be tens of thousands of findings across dozens of tools and is unmanageable without significant filtering.

If you’re consolidating data from several tools, the first step is to get rid of the duplicates. This can be painful manually, with similar findings in varying formats, or multiple issues caused by the same underlying threats. Depending on the number of tools you use, good de-duplication can eliminate about 10-20% of the noise. That’s a good first step.

[Figure: the vulnerability funnel, showing raw findings at the top narrowing to the issues a team can actually address]

Next, good code scanners and other security tools should provide some level of prioritization – typically by looking at the CVSS score of each vulnerability. This is useful as a first-level filter but is limited in scope: it only measures severity, without judging exploitability, likelihood, or factors specific to your business. Still, if done well, this step can filter out another 40-50% of the noise. Another step in the right direction.

But the remainder is still not manageable. Say you have 4 full-time security analysts, and each “critical” vulnerability requires about 20 minutes to triage, assess, research, determine remediation steps, and alert others. This means you have the capacity to properly address no more than 100 vulnerabilities per day, with little time for other activities.

Capacity: 4 analysts x 3 vulns/hour (20 min each) x 8 hrs = 96 vulns

Load: 2,700 high priority vulns received from scanners

Days required to process the load: 28 

Team required to process load in 1 day: 113

In our example, we’ve reduced 7,000 issues down to about 2,700 issues that your tools report as critical – roughly a 60% reduction. But it’s still an unmanageable number that would require over 100 FTEs just for first-level analysis!

Clearly, analyzing all 7,000 issues is impossible. Even though your current tools may have reduced this number by 60%, covering the remaining 40% is still impossible: your capacity to respond covers less than 5% of the issues delivered by your security tools.

So, what do you do now? You can guess which ones are dangerous, eliminate broad swaths of data, throw darts, or have your analysts “use their intuition” to essentially guess what merits their limited bandwidth. None of these inspire confidence that your security posture is adequate or robust.

The AppSOC Security Guide provides a framework to effectively close this gap, eliminate the noise, and accurately prioritize the limited number of critical issues that must be addressed immediately through continuous vulnerability management.

These steps are based on logical processes that you may already attempt manually or with spreadsheets. But manual processes usually don’t keep up, and brute force crunching of data through spreadsheets and late-night coffee is not a recipe for success.

The 5 Steps

  1. Consolidate and Clean Up Security Data
    Orchestrate data from disparate security tools and data silos. Aggregate, de-duplicate, and normalize issues with one centralized tool. 
  2. Correlate Findings Across Sources, Techniques, and App Structure
    Identify and group related issues that may occur in multiple locations or come through different sources. Map the results to your application hierarchy and software supply chain.
  3. Prioritize Intelligently Based on Business Context
    Enrich base scores from security tools factoring impact, likelihood, exploitability, and the business context for your specific organization. Dramatically narrow your focus to the most critical findings in a quantity that matches your team’s ability to respond.
  4. Remediate Through Automated Workflows
    Streamline processes to identify remediation steps, notify stakeholders, open tickets, and track SLAs for completion.
  5. Continuous Compliance to Ensure Risk Reduction
    Deliver measurable results that are relevant to all teams, track SLA adherence, and map security maturity across groups in your organization.
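As an added illustration of steps 1 to 3 (this is not code from the guide or from the AppSOC platform), here is a toy version of the funnel in Python: two constructed scanner feeds with different field names are normalized onto one schema, de-duplicated, correlated by CVE, enriched with assumed exploitability and asset-criticality weights, and then capped at the 96-per-day capacity from the example above. All asset names, CVE identifiers and weights are constructed placeholders.

```python
"""Toy vulnerability funnel: consolidate, correlate, prioritize, cap by team capacity."""
from dataclasses import dataclass

# Constructed sample findings in two different tool formats (not real scanner output).
SCANNER_A = [
    {"host": "api-prod-01", "pkg": "openssl", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "api-prod-01", "pkg": "openssl", "cve": "CVE-0000-0001", "cvss": 9.8},  # duplicate
    {"host": "build-box", "pkg": "lodash", "cve": "CVE-0000-0002", "cvss": 7.5},
]
SCANNER_B = [
    {"asset": "api-prod-01", "component": "openssl", "id": "CVE-0000-0001", "severity": 9.8},
    {"asset": "db-prod-02", "component": "postgres", "id": "CVE-0000-0003", "severity": 8.1},
]

# Assumed business context: asset criticality weight (2.0 = crown jewel, 0.4 = low-value
# internal box) and the set of CVEs with a known public exploit. Placeholder values.
CRITICALITY = {"api-prod-01": 2.0, "db-prod-02": 2.0, "build-box": 0.4}
KNOWN_EXPLOITED = {"CVE-0000-0001"}


@dataclass(frozen=True)  # frozen -> hashable, so identical findings collapse in a dict
class Finding:
    asset: str
    component: str
    cve: str
    cvss: float


def normalize(scanner_a, scanner_b):
    """Step 1: map both tool formats onto one schema and drop exact duplicates."""
    items = [Finding(f["host"], f["pkg"], f["cve"], f["cvss"]) for f in scanner_a]
    items += [Finding(f["asset"], f["component"], f["id"], f["severity"]) for f in scanner_b]
    return list(dict.fromkeys(items))  # order-preserving de-duplication


def correlate(findings):
    """Step 2: group findings by CVE so one root cause is tracked across assets."""
    groups = {}
    for f in findings:
        groups.setdefault(f.cve, []).append(f)
    return groups


def risk_score(f):
    """Step 3: enrich the base CVSS with exploitability and asset criticality."""
    exploit_factor = 1.5 if f.cve in KNOWN_EXPLOITED else 1.0
    return round(f.cvss * exploit_factor * CRITICALITY.get(f.asset, 1.0), 1)


def team_capacity(analysts=4, per_hour=3, hours=8):
    """Findings the team can triage per day; 96 with the numbers used above."""
    return analysts * per_hour * hours


def prioritize(findings, capacity):
    """Rank by enriched score and keep only what the team can handle today."""
    return sorted(findings, key=risk_score, reverse=True)[:capacity]
```

Running `prioritize(normalize(SCANNER_A, SCANNER_B), team_capacity())` collapses five raw findings to three unique ones and puts the exploited issue on a crown-jewel asset first, ahead of a higher-CVSS finding on a low-value host.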

In following blogs (and in the full guide) we will describe the challenges, costs, and best practices. We’ll also map these to capabilities in the AppSOC platform to automate these processes, bring visibility and clarity to your findings, prioritize remediation that is achievable with limited resources, and help you answer the nagging questions:

  • Are our applications secure? 
  • Have we addressed the right vulnerabilities? 
  • Do we know our overall risk levels? 
  • Can I assure the Board that we’re on top of application security?

If you follow these steps and implement a more advanced approach to continuous application security and vulnerability management, you will be able to confidently answer all these questions with a definitive “yes.”