WTF is ASPM?

Analyzing the current state of ASPM and its future

(Image caption: every ASPM provider offers some combination of the scanning capabilities listed below.)

Application Security Posture Management (ASPM) is the latest Gartner-fueled buzzword to take over cybersecurity, but no one knows exactly what it is. On the one hand, it’s a fancy name for vulnerability management: ingesting and prioritizing vulnerabilities from third-party tools. On the other hand, it’s a one-stop shop for code scanning. In this article I argue that the only meaningful ASPM is an all-in-one application security scanning tool.

Why would you want an ASPM?

DevSecOps is the only way to ship products quickly while staying secure and compliant. If you care about protecting customer data, and the consumer trust (revenue) tied to that, you need to scan your application for vulnerabilities and misconfigurations.

I have the benefit of being new to application security: I’m not used to long scan times, grumpy security buzzkills, and quarterly patch cycles. Instead, I expect scanning in the pipeline with immediate results. Those results should give clear, developer-friendly guidance on how to fix things. Too many application security professionals are reduced to being project managers without any authority, spending their days assigning tickets to different development teams and praying that a developer fixes something.

As DevSecOps tooling took over the market, it became apparent that there were too many point solutions.

At a high level, these are the major categories of scanning possibilities:

  1. SDLC (scanning your Git and CI settings for things like protected branches and pipeline configuration)

  2. SCA (open source dependencies and their known vulnerabilities)

  3. SAST (static analysis of your own code for exploitable vulnerabilities)

  4. IaC (infrastructure as code: at least Terraform, but also Kubernetes manifests)

  5. Container scanning (Dockerfiles, built images, and what is actually running)

  6. Secret scanning (credentials committed to code or config)

  7. DAST (scanning the running application from the outside)

  8. CSPM (scanning the configuration of the cloud environment itself)

While excellent point solutions exist in each of these categories, businesses can’t manage twice as many tools as they have security personnel, each of which triggers thousands of findings the moment it’s deployed. Very large enterprises, where most application security work happens, have thousands of repos that need all of these tools orchestrated across them, some open source and some paid.

Vulnerability overload is why the Application Security Orchestration and Correlation (ASOC) category was created: to help you manage all these tools across your whole codebase. While the category name was rather meaningless (how is this different from vulnerability management?), at least ASOC made sense for what it was; ASPM, however, is a different beast.

Ox.Security has a great visualization of code to cloud scanning

Why Disagree with Gartner?

ASOC tools were an attempt to correlate all of your tools into a single dashboard; however, Snyk exploded in growth because they solved tool sprawl by providing all of the tools themselves. Snyk was the first major provider I was aware of that could offer SCA, SAST, IaC, and Container scanning in a single platform, and that proved to be exponentially more valuable than buying four separate tools and then a fifth to orchestrate everything. Snyk’s partnership with StackHawk showed that they understood the problem of 8 in 1 security scanning and sought to fill the gaps with third parties. With Snyk Cloud, I was optimistic they’d expand from providing 4/8 categories of scanning to all 8; however, Snyk has since totally stalled out, creating a big market opportunity for churn.

Many other providers have built scattered offerings to fill the Snyk-sized hole in my heart, combining open source scanners with the ability to ingest from other tools.

Gartner reacted to all these tools by creating ASPM and defining it as:

Application security posture management (ASPM) tools continuously manage application risk through collection, analysis and prioritization of security issues from across the software life cycle. They ingest data from multiple sources, correlate and analyze findings for easier interpretation, triage and remediation. They enable the enforcement of security policies and facilitate the remediation of security issues while offering a comprehensive view of risk across an application.

Gartner - Emphasis my own

Unfortunately, because this category previously existed as ASOC, Gartner has missed what’s really happening: the total consolidation of scanning tools into a single platform. ASPM only needs to exist because you’re using so many different tools, which is a problem fundamentally unique to the largest enterprises, where there are so many old bespoke tools floating around that visibility matters to this extent. The vast majority of companies just look at all this complexity and think to themselves, “just give me the thing I need to scan all this crap with.” The tool that answers that request is the one that should win this market.

I don’t know a single security professional who wouldn’t be happy to drop all their old tools for a single better one if they didn’t sacrifice useful features in the process.

CSPM and ASPM, towards an SPM

An analogy to Wiz and CSPM is appropriate. The early cloud days were filled with the same complexity ASPM now finds itself in: there were many security point solutions for on-premise environments that attempted to shift to the cloud. Would Wiz have risen to lead CSPM if it were simply a “risk management” tool that ingested findings from elsewhere and helped you prioritize? No. Wiz won the market by providing unique, all-in-one insights across cloud applications. To this day, they’re handily the most holistic provider because they didn’t stop at superficial cloud API scanning and consolidating via partnerships; instead they pushed snapshot scanning to its limits.

In my mind, there’s no reason to treat ASPM differently from CSPM: CSPM gives businesses all-in-one visibility and alerting across their cloud, and ASPM should do the same for their code. The elephant in the room is that these things are converging, and CSPM is becoming a feature of ASPM, because businesses have realized that their cloud security is fundamentally about their product security. This is why the race is on between CNAPP shifting left and ASPM shifting right: who’s going to be the first to provide the all-in-one scanning solution, the Security Posture Management (SPM) solution?

Defining The Perfect ASPM

When defining categories, I’m helped by having a minimal definition next to a complete definition. The market is new enough that the “fullness of ASPM” (if you know Plato, we could say the form of ASPM rather than its shadows) does not exist yet, but several companies are working on it. 

Here’s what the complete ASPM would offer:

  1. Tells the story of how your code reaches production

    1. This person pushed this code, which was compiled into this binary with these libraries, onto this Docker image, deployed in this cluster on this cloud.

    2. These vulnerabilities would be fixed by changing this line of code

  2. 8 in 1 scanning coverage - SDLC, SCA, SAST, IaC, Container Scanning, Secret Scanning, DAST, CSPM

    1. Bespoke best in class features wherever possible (reachability, auto-fixes, base image detection, pre-commit hooks), open source as a backup.

    2. “Pipeline-less” scanning (i.e. no Docker image you have to run in CI) is preferable to making you run the scanner in your own pipeline.

    3. Whether your solution is proprietary or not doesn’t matter as much as the results.

  3. Rich workflow building, offering complete flexibility alongside strong predefined workflows that are easy to apply

    1. If a new vuln shows up, Slack the developer; they can choose to create a ticket or fix it now, and security can ping them again if it isn’t resolved within 30 days.

    2. Too many tools just offer flexibility but miss the suggested workflows that are perfect for 90% of use cases. Users aren’t primarily looking for a workflow GUI; they’re looking for a sensible outcome.

  4. Integrates with other tools and provides unique value on top of the third party scanner data

    1. Pulls in vulnerabilities from other platforms, but enriches the findings with greater application context.

    2. Really a feature just for enterprises, because over time you replace their old tools with your own.

  5. Is fix oriented

    1. Tells teams exactly which lines of code to change, how to fix them, and the number of vulnerabilities that would be remediated if that change were applied.
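To make items 1, 4 and 5 of that list concrete, here is a toy code-to-cloud correlation written for this article (it is an added example, not code from the post or from any vendor’s product). It joins what the Git, container and CSPM scanners know about a deployment with findings from SCA and SAST, tells the “who pushed what, running where, how exposed” story for each finding, adjusts severity with that context, and groups findings by the code change that would close them. Every repo, image, cluster, author and file name is constructed sample data; the two log4j-core CVE ids are the real Log4Shell pair, the other finding ids are constructed, and the scoring weights are illustrative assumptions rather than any product’s logic.

```python
"""Toy code-to-cloud correlation across an ASPM's own scanners.
Added example for this article: all inventory below is constructed sample data,
the scoring weights are assumptions, and nothing here is a real product's logic."""
from collections import defaultdict

# --- inventory, as the SDLC (Git), container and CSPM scanners would report it ---
COMMITS = {  # commit -> who pushed it and to which repo (constructed)
    "a1b2c3d": {"author": "alice", "repo": "payments-api"},
    "f9e8d7c": {"author": "bob", "repo": "internal-tool"},
}
BUILDS = {  # image -> commit it was built from and the libraries baked in (constructed)
    "payments-api:1.4.2": {"commit": "a1b2c3d",
                           "libs": {"log4j-core": "2.14.1", "jackson-databind": "2.9.8"}},
    "internal-tool:0.1": {"commit": "f9e8d7c", "libs": {"log4j-core": "2.14.1"}},
}
DEPLOYMENTS = [  # image -> where it actually runs; internal-tool is built but never deployed
    {"image": "payments-api:1.4.2", "cloud": "aws", "cluster": "prod-eu", "namespace": "checkout"},
]
CLOUD_EXPOSURE = {  # CSPM's contribution: is that namespace reachable from the internet?
    ("aws", "prod-eu", "checkout"): {"internet_facing": True},
}

# --- findings from the SCA and SAST scanners; "fix" is the change that closes the finding ---
FINDINGS = [
    {"src": "sca", "id": "CVE-2021-44228", "repo": "payments-api", "severity": 10.0,
     "reachable": True, "fix": "bump log4j-core to 2.17.1"},
    {"src": "sca", "id": "CVE-2021-45046", "repo": "payments-api", "severity": 9.0,
     "reachable": True, "fix": "bump log4j-core to 2.17.1"},
    {"src": "sca", "id": "sca-jackson-deser (constructed id)", "repo": "payments-api",
     "severity": 8.0, "reachable": False, "fix": "bump jackson-databind to 2.9.10"},
    {"src": "sast", "id": "sast-sqli (constructed id)", "repo": "payments-api",
     "severity": 8.0, "reachable": True, "fix": "parameterize the query at app/orders.py:42"},
    {"src": "sca", "id": "CVE-2021-44228", "repo": "internal-tool", "severity": 10.0,
     "reachable": True, "fix": "bump log4j-core to 2.17.1"},
]


def _repo_of(image):
    return COMMITS[BUILDS[image]["commit"]]["repo"]


def deployments_for(repo):
    """Every running deployment whose image was built from `repo`."""
    return [d for d in DEPLOYMENTS if _repo_of(d["image"]) == repo]


def tell_story(finding):
    """Item 1 of the list: who pushed what, into which image, running where, how exposed."""
    deps = deployments_for(finding["repo"])
    exposure = (CLOUD_EXPOSURE.get((d["cloud"], d["cluster"], d["namespace"]), {}) for d in deps)
    return {
        "repo": finding["repo"],
        "authors": sorted({COMMITS[BUILDS[d["image"]]["commit"]]["author"] for d in deps}),
        "images": [d["image"] for d in deps],
        "clusters": sorted({f'{d["cloud"]}/{d["cluster"]}/{d["namespace"]}' for d in deps}),
        "internet_facing": any(e.get("internet_facing", False) for e in exposure),
    }


def priority(finding):
    """Scanner severity adjusted by what the other scanners know (weights are illustrative)."""
    story = tell_story(finding)
    score = finding["severity"]
    if not story["images"]:
        score *= 0.2  # built but not running anywhere
    if not finding["reachable"]:
        score *= 0.3  # vulnerable code path is never called
    if story["internet_facing"]:
        score *= 1.5  # CSPM says the workload is exposed
    return round(score, 2)


def plan_fixes(findings=FINDINGS):
    """Item 5: one row per code change, with how many findings that change closes."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["repo"], f["fix"])].append(f)
    rows = [{"repo": repo, "fix": fix, "closes": len(fs),
             "top_priority": max(priority(f) for f in fs), "ids": [f["id"] for f in fs]}
            for (repo, fix), fs in groups.items()]
    return sorted(rows, key=lambda r: (-r["top_priority"], -r["closes"]))


if __name__ == "__main__":
    for row in plan_fixes():
        print(f'{row["top_priority"]:>5}  {row["repo"]}: {row["fix"]} (closes {row["closes"]})')
    print(tell_story(FINDINGS[0]))
```

Run stand-alone, it ranks the single log4j-core bump first because one change closes two internet-facing findings, drops the unreachable jackson-databind finding well below the SAST one, and pushes the never-deployed internal-tool copy of the same CVE to the bottom. The point is that none of those judgments is available to a single scanner: the ranking comes from the join, which is what “cross-scanner value” means in practice.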

Here’s what I’m proposing as the definition of ASPM:

Application Security Posture Management provides everything needed to scan and remediate your application for vulnerabilities. It provides security scanning across your SDLC pipeline, ingests results, and builds remediation workflows.

- Superior Latio Definition

Defining the Minimum ASPM

Here’s the minimal required to be listed in the ASPM category:

  1. At least 2/8 of the scanners provided directly by you

    1. The heart of ASPM is showing cross-scanner value. You can’t show cross-tool value if you only provide one kind of scanning.

    2. Open source tools are fine

    3. If you don’t do this, you’re a vulnerability management provider, and there’s no reason to call it anything else.

  2. The ability to ingest findings from at least SCA and SAST tools

  3. The ability to create some kind of workflow

Some Examples

  1. The most common combination is SCA, SAST, and Secrets: Oxeye, Arnica, Semgrep, and Cycode all provide these. This is the most common combination because there are strong open source options in each category. Evaluation is tricky because each of these providers delivers these functions at a drastically different level of maturity.

  2. Everyone has a niche, to name a few: Oxeye and Apiiro are really good at runtime context, Arnica is really good at native workflows and user context, Cycode is really good at querying your pipeline, Legit Security is really good at SDLC coverage.

  3. Ox gets me the most excited, not because any particular one of their tools works exceptionally well, but because they’re the only ASPM I see that I could truly say “throw everything else out and just use this.”

Musings About the Future

  1. Vulnerability management tools aren’t bad. Just because it’s not as exciting or “revolutionary” as an all-in-one ASPM tool doesn’t mean it won’t make a ton of money solving the problems of here and now. If the mainframe is still around in 20 years, so will Checkmarx and Fortify be, and you’re going to want those vulns to go somewhere else.

  2. Who will win the race for complete coverage? The runtime providers shifting left or the code scanners shifting right? On the one hand, it’s easier for code scanning tools to add runtime context than for runtime tools to add code context. On the other hand, the runtime providers have more money and motivation. With the death of Snyk Cloud, I don’t see many ASPM providers racing for runtime.

  3. Developer adoption remains the goal. I don’t see developers installing a CrowdStrike plugin anytime soon.

  4. The most exciting acquisition is Wiz’s acquisition of Raftt, because Raftt wasn’t a security tool. This promises the ability to offer something devs actually want.

  5. Every ASPM vendor I’ve met with has something unique about their platform, I wouldn’t be surprised to see some consolidation so they can have larger shared offerings.

  6. Aikido targeting startups is brilliant, because most AppSec startups are too focused on enterprise and new sales will show more value than the integration use case.

  7. An inconvenient hole in all of this is host-based vulnerabilities. While we’d all like to pretend that we live in a container-native world, Linux hosts are relegated to legacy providers, and most large enterprises still have them around.

  8. I have a lingering thought that if runtime protection gets good enough, do you even really need an ASPM? This is why Oligo, Contrast, Sysdig, and Deepfactor are cool.

The future of ASPM is the most exciting place in security because it’s showing a glimpse of a future where all vulnerabilities are discovered and remediated in one place.

As a reminder, nothing in this newsletter is sponsored, made with AI, or generating any revenue for me! If you’d like to help out, subscribe to the newsletter, and let these companies know if you found them because of me. If you’re interested in help with tool selection, contact me at [email protected]
