What is Application Security Posture Management (ASPM) and Why You May Need It

With too many disparate security tools, ASPM tools can help streamline processes

In 2023, Gartner coined a new term for a growing space, taking over and broadening the scope of what it previously termed ASOC (Application Security Orchestration and Correlation), and highlighting the importance of application security posture management.

While Application Security Posture Management (ASPM) doesn’t exactly roll off the tongue, and posture management reminds me of lectures from teachers in middle school, it does address a growing and important need in managing application security posture. It also extends the broader concept of posture management that Gartner has defined, such as Cloud Security Posture Management (CSPM) or SaaS Security Posture Management (SSPM).

Too many security point solutions

It’s hardly news to say that we have too many disparate security products. It’s easy to disparage this sprawl, but it happens for a reason: anxious security practitioners struggle to address the latest security threats, and fast-moving vendors innovate to meet those specific needs.

Most of these tools continue to work well at their specific functions for many years, and few organizations want to scrap an investment in something that is working. We’ve seen this with SIEM, TIP, and SOAR – all of which helped to address problems with threats, detection, incidents, and response. Eventually, these capabilities may become incorporated into broader platforms, but that’s a slow process. 

Now we’re seeing the Application Security, Cloud Security, and Vulnerability Management spaces go through the same growing pains – too many products creating too much noise that is difficult to manage and act upon.

Two choices to deal with security sprawl:

  1. Add a new layer overlaying these point solutions that aggregates their results, reduces noise, and simplifies operations, while maintaining the best-of-breed components. 
  2. Wait for a larger vendor to incorporate or acquire all these point-solution features into a single unified platform. Sounds great – too bad it rarely works.

For smaller organizations, or new companies that don’t have an existing security investment, vendor consolidation makes sense to provide “good enough” coverage.

However, for larger, more complex organizations, consolidation often means taking away tools that teams actively use and have built processes around, and replacing them with dumbed-down platforms that don’t make most constituents happy.

Here’s an analogy – think about the US Congress. Today, most Americans think Congress is a dysfunctional mess, driven by special interests with blinders on. But… these same majorities tend to like their specific Congressperson and re-elect them repeatedly. The problem is not with my representative – it’s the idiots elected by others.

Similarly, security analysts generally like their tools, and have built expertise and processes around them. Asking them to scrap these tools and start over with standardized platforms that offer fewer capabilities is usually an “over my dead body” non-starter. Over the long term, consolidation might make sense, but most organizations are reluctant to cause major disruption. Application security posture management best practices can help mitigate these challenges by integrating existing tools effectively.

If you can’t consolidate - collaborate

So, if you can’t beat them – join them, or rather, join them together. This is exactly the promise of ASPM – providing consolidated orchestration, correlation, and visibility over a wide range of existing products, including code scanners (SAST, DAST, SCA), cloud security tools (containers, CWPP, CSPM), and a wide range of infrastructure and network security tools. Understanding what ASPM is can help organizations take advantage of these benefits effectively.

Most of these tools share a common purpose – identifying vulnerabilities, misconfigurations, and other exploitable flaws, and remediating them before code is released, while managing new vulnerabilities in a continuous process – the ubiquitous infinite loop used to describe DevSecOps.

While these tools may have substantial overlap (a big contributor to noise), they also have specific strengths that their users don’t want to give up. And these needs and strengths vary greatly between teams, making consensus difficult, if not impossible.

It’s easy to argue that adding a new layer of security to manage a plethora of other tools is making the problem worse. But if you don’t want to scrap existing tools, then an overlay platform that makes them all work together can save you time and money.

Leading Application Security Posture Management tools must include the following:

  • Integration and orchestration across hundreds of existing tools and vendors,
  • Aggregation and deduplication of vulnerability data across tools,
  • Normalization and correlation of results across multiple vectors,
  • Context on which specific threats are relevant to your organization,
  • Flexible visualization of consolidated results,
  • Effective prioritization, finding the needles in haystacks of potential vulnerabilities,
  • Automated remediation workflows integrated with ITSM and alerting tools.
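As an added illustration (not code from this post or from any ASPM product) of the aggregation, deduplication, normalization, context and prioritization steps listed above, here is a minimal pipeline that maps constructed records from two hypothetical SAST scanners, an SCA scanner and a CSPM check into one schema, merges duplicates, and re-ranks them by business context. The record field names, the scoring weights and the CVE id are placeholders, not any real tool's export format.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Finding:
    component: str   # repo, service or cloud account the asset belongs to
    asset: str       # file:line, package@version or cloud resource
    issue: str       # rule id, CVE id or policy check
    severity: float  # normalized to a 0-10 scale
    sources: list = field(default_factory=list)  # every tool that reported it
WORD_TO_SCORE = {"low": 3.0, "medium": 5.0, "high": 7.5, "critical": 9.5}
def normalize(tool, raw):
    """Map a tool's native record (field names assumed, not a real export format) to the common schema."""
    if tool.startswith("sast"):
        return Finding(raw["repo"], f"{raw['file']}:{raw['line']}", raw["rule"], WORD_TO_SCORE[raw["sev"].lower()], [tool])
    if tool == "sca":
        return Finding(raw["repo"], f"{raw['package']}@{raw['version']}", raw["cve"], float(raw["cvss"]), [tool])
    if tool == "cspm":
        return Finding(raw["account"], raw["resource"], raw["check"], WORD_TO_SCORE[raw["severity"].lower()], [tool])
    raise ValueError(f"unknown tool {tool}")
def aggregate(records):
    """Deduplicate: same asset + same issue is one finding, whichever tool reported it."""
    merged = {}
    for tool, raw in records:
        f = normalize(tool, raw)
        key = hashlib.sha256(f"{f.asset}|{f.issue}".encode()).hexdigest()[:16]
        if key in merged:  # keep the highest severity and remember every reporting tool
            merged[key].sources.append(tool)
            merged[key].severity = max(merged[key].severity, f.severity)
        else:
            merged[key] = f
    return list(merged.values())
def prioritize(findings, context):
    """Weight severity by business context (exposure, environment) plus corroboration across tools."""
    def score(f):
        ctx = context.get(f.component, {})
        weight = 1.0 + 0.5 * ctx.get("internet_facing", False) + 0.5 * ctx.get("production", False)
        return round(f.severity * weight + 0.5 * (len(set(f.sources)) - 1), 2)
    return sorted(((score(f), f) for f in findings), key=lambda t: t[0], reverse=True)
# Constructed sample records: two SAST tools flag the same line, plus one SCA and one CSPM result
RECORDS = [
    ("sast-a", {"repo": "orders-api", "file": "api/orders.py", "line": 42, "rule": "sql-injection", "sev": "HIGH"}),
    ("sast-b", {"repo": "orders-api", "file": "api/orders.py", "line": 42, "rule": "sql-injection", "sev": "medium"}),
    ("sca", {"repo": "billing-batch", "package": "examplelib", "version": "1.2.3", "cve": "CVE-0000-PLACEHOLDER", "cvss": 9.8}),
    ("cspm", {"account": "prod-aws", "resource": "s3://orders-exports", "check": "public-read", "severity": "medium"}),
]
CONTEXT = {"orders-api": {"internet_facing": True, "production": True},
           "billing-batch": {"internet_facing": False, "production": False},
           "prod-aws": {"internet_facing": True, "production": True}}
```

Running `prioritize(aggregate(RECORDS), CONTEXT)` collapses the two SAST hits into one finding and ranks it first, while the CVSS 9.8 library issue in an internal, non-production batch job drops below a medium misconfiguration on an internet-facing production bucket.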

In practice, collaboration requires both the right mindset and the right tools. The pace of application development, code-to-cloud releases, and new security threats will only increase, and managing all of these consistently and properly prioritizing threats requires an ASPM platform. For more information on the AppSOC platform, please watch our demo videos or request a one-on-one demonstration.