Is your sprawling AppSec toolset stopping threats or burning out staff and resources? Time for the ASPM diet…
Cyber alert fatigue at the forefront
In 1967, The Joint Computer Conference coined the term “penetration testing.” Four years later, Bob Thomas’s “Creeper” virus/worm demonstrated the possibilities of mobile code — and exposed vulnerabilities and flaws in connected systems. As Thomas said later, it was more like an “allergy test than a common cold” — no more than 28 machines could have been impacted by it.
Fast forward to 2024, and application vulnerabilities are a critical path to initiating a breach. Today’s defenders are up against a constantly expanding attack surface and sophisticated threat actors: more threats, more attack surfaces, more tools, more alerts, more siloes, more devices…you get the idea.
In this threat environment, anything you can do to maximize the performance of the tools you have while minimizing the pressure on human resources should carry a lot of weight. What do you do, then, when it’s the tools themselves that are adding to the chaos? When tools’ threat detection capabilities improve, new challenges are introduced: How do you handle the increase in vulnerability noise and alert fatigue that typically accompanies new tool deployment? How do you home in on the real problems without adding time, effort, and staff? How can you effectively correlate data between disparate systems? How do you validate conflicting data from different sources? How can you ensure that your teams can swiftly find, respond to, and remediate the most critical vulnerabilities first?
Drowning in AppSec alerts
On average, security teams monitor 129 applications and 68 or more technologies, generating 118,000+ vulnerability alerts. In a development environment where third-party code makes up a significant portion of the codebase, finding and triaging critical vulnerabilities in a sea of noise is difficult at the best of times, and dangerous at the worst.
The now-infamous Target data breach (which wiped 46% off profits and caused an estimated $200m in card replacement costs) started with alert fatigue: at least eight employees had identified the threat and overlooked it. Small wonder that the origins of the term “alert fatigue” go back to 2004, when a US hospital organization, The Joint Commission, was concerned about the false alerts being generated by an ever-expanding array of highly sensitive devices. Just like the AppSec community today, medical teams were in danger of drowning in a sea of their own successful problem identification.
For AppSec teams, vulnerability noise and alert fatigue are major obstacles to finding, responding to, and remediating vulnerabilities. In environments where security teams work across multiple, siloed consoles — often managed by different AppSec, OpSec, and Dev teams — working through those alerts is a laborious, often manual, chore.
A fine line between “best-of-breed” and cybersecurity tool sprawl
As we’ve seen, AppSec teams are often monitoring over a hundred Application Security Testing (AST) tools, including Software Composition Analysis (SCA), Dynamic Application Security Testing (DAST), and Interactive Application Security Testing (IAST).
While these tools enable a more holistic approach that integrates security into DevOps processes and help prevent siloes, they don’t often “talk” to each other — literally the case with IAST, because it’s programming-language dependent, meaning that some tools require a code change to work (or won’t work with your stack at all).
With so many tools in place, engineers are left manually piecing together data from disparate, fragmented solutions. It doesn’t end there; the data from those manual processes has to be enriched and correlated with third-party resources, including the NVD, CISA’s KEV catalog, and other vulnerability trackers.
More tools, more processes, more data, more gaps. Many best-of-breed tools do a great job at one or two things. But at what cost? Team8 CISO-in-residence Ross Young’s recent comparison is revealing:
“Best-of-breed” is expensive
Young’s table gives a great overview — not to mention a clear bottom-line estimate — of where a platform versus best-of-breed approach to AppSec can take you. But let’s take a brief look at some of the hidden costs of AppSec tool sprawl that are wrapped up in those numbers:
License and subscription fees: The average large enterprise is spending around $7.4m annually on under- and unused software. Some research suggests that only 10-20% of cybersecurity technology is actually ever used. However you slice it, tool redundancy and complexity can result in a doubling up on money and effort.
Complexity slows you down: More tools, more effort: IDC research indicates that 50% of software developers are spending 19% of their time each week on security tasks. Seventy percent said that switching between different tools reduced efficiency. Excessive management overheads are distracting.
Fragmented data and delayed response times: Multiple tools operating in siloes lead to a fragmented view and lack of clarity that, in turn, makes prioritization and contextualization challenging. Fifty-five percent of defenders report difficulty with correlating alerts from multiple tools; 64% say that this lack of integration inhibits comprehensive and timely investigation and response. Take the fragmented solutions route and expect slow response times and an increased risk of missing or underestimating a threat.
Thirty-one percent of cybersecurity professionals feel they have too many tasks; 30% say they feel overwhelmed. If there were a way to combine the power of multiple consoles and data sources into a single platform, without losing sight of everything, you’d take it, right?
ASPM: Consolidation is king?
Application Security Posture Management (ASPM) mitigates many of the obstacles created by tool sprawl by unifying AST, software supply chain security, and security posture management tools into one management plane to provide end-to-end visibility and traceability from code to cloud.
If slashing costs by approximately 50% (see Young’s table above) isn’t enough, the benefits of ASPM over multiple point solutions reach across AppSec, SecOps, and Dev teams, including:
360-degree visibility and control: ASPM breaks down the siloes that contribute to coverage and visibility gaps, trigger excessive alerts, and increase workloads. By mapping applications from code to cloud, AppSec teams and developers gain deeper understanding of architectures and dependencies.
Drive AppSec and DevOps collaboration: ASPM collects, correlates, and enriches data from multiple tools and sources, delivering a synthesized view of applications and their associated security state. The result: A consolidated approach that keeps AppSec and DevOps on the same page.
Deep context meets risk-based prioritization: Move from CVE chasing to risk-based vulnerability management: ASPM helps defenders understand and identify badly maintained, vulnerable, or out-of-date code libraries. By incorporating advanced risk calculations based on key metrics such as reachability, exploitability, and business impact, ASPM enables meaningful application attack surface management.
Integration and automation: ASPM allows AppSec teams to integrate security checks directly into software development workflows, making automated monitoring and consistent policy enforcement easy — driving earlier detection and remediation and removing what traditionally has been a significant bottleneck for accelerated release times.
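To make the correlation, enrichment, and risk-based prioritization described above concrete, here is an added illustration (not OX Security’s code): findings from an SCA, an IAST, and a DAST tool are normalized onto one schema, deduplicated, enriched against a constructed stand-in for the CISA KEV catalog, and scored on reachability, exploitability, and business impact. The tool field names, placeholder CVE ids, KEV subset, and asset-criticality values are all constructed assumptions.

```python
# Added illustration, not OX Security's code: the tool schemas, placeholder
# CVE ids, KEV subset and asset-criticality values below are all constructed.
from collections import defaultdict
# Constructed sample output; SCA and IAST report the same flaw under different field names.
RAW_FINDINGS = [
    {"tool": "sca", "app": "payments-api", "cve": "CVE-EXAMPLE-0001", "component": "logging-lib"},
    {"tool": "iast", "application": "payments-api", "vuln_id": "CVE-EXAMPLE-0001",
     "library": "logging-lib", "code_path_hit": True},
    {"tool": "sca", "app": "payments-api", "cve": "CVE-EXAMPLE-0002", "component": "json-lib"},
    {"tool": "dast", "target": "intranet-wiki", "cve": "CVE-EXAMPLE-0002", "component": "json-lib"},
]
KEV_CATALOG = {"CVE-EXAMPLE-0001"}  # constructed stand-in for the CISA KEV catalog
ASSET_CRITICALITY = {"payments-api": 1.0, "intranet-wiki": 0.3}  # business impact, 0-1

def normalize(raw):
    """Map each tool's schema onto (app, cve, component, reachable); None = unknown."""
    if raw["tool"] == "sca":
        return raw["app"], raw["cve"], raw["component"], None
    if raw["tool"] == "iast":
        return raw["application"], raw["vuln_id"], raw["library"], raw["code_path_hit"]
    if raw["tool"] == "dast":
        return raw["target"], raw["cve"], raw["component"], True  # hit seen over the network
    raise ValueError(f"unknown tool {raw['tool']}")

def correlate(findings):
    """Collapse duplicates across tools into one record per (app, cve, component)."""
    merged = defaultdict(lambda: {"sources": set(), "reachable": None})
    for raw in findings:
        app, cve, component, reachable = normalize(raw)
        rec = merged[(app, cve, component)]
        rec["sources"].add(raw["tool"])
        if reachable is True or (reachable is False and rec["reachable"] is None):
            rec["reachable"] = reachable  # a confirmed hit outranks unknown or negative
    return merged

def risk_score(app, cve, reachable):
    """Exploitability x reachability x business impact, scaled to 0-100."""
    exploitability = 1.0 if cve in KEV_CATALOG else 0.4
    reachability = {True: 1.0, False: 0.2, None: 0.6}[reachable]
    return round(100 * exploitability * reachability * ASSET_CRITICALITY.get(app, 0.5))

def prioritize(findings):
    """Return deduplicated findings as (score, app, cve, component, sources), highest risk first."""
    ranked = [(risk_score(app, cve, rec["reachable"]), app, cve, component, sorted(rec["sources"]))
              for (app, cve, component), rec in correlate(findings).items()]
    return sorted(ranked, reverse=True)

if __name__ == "__main__":
    for score, app, cve, component, sources in prioritize(RAW_FINDINGS):
        print(f"{score:3d}  {app:14s} {cve}  {component}  via {','.join(sources)}")
```

Four raw alerts collapse to three deduplicated findings, with the KEV-listed, code-path-confirmed flaw on the critical asset ranked first.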
AppSec tool consolidation for the win
Unlike best-of-breed approaches, ASPM integrates data from multiple, traditionally disparate toolsets. This not only saves money, but brings additional benefits through automation, reduced manual effort, and disambiguation of inconsistencies in data.
The Ox Security Active ASPM platform unifies application security across the software development lifecycle (SDLC). Unlike the pick ‘n’ mix approach using connectors to stitch together tools from multiple vendors, OX was purpose-built to provide comprehensive AppSec posture management, combining 10 native scanning solutions with source data from third-party integrations.
To get the complete picture of how ASPM and a platform-based approach are transforming AppSec and driving Shift Left collaboration, book a Demo.