Bionic Uncensored: Breaking Down the Layers of an Application

Cloud security posture management (CSPM) is a cloud-level tool that identifies (and potentially remediates) risks across cloud infrastructures. So what is CSPM really good at?

Visualizing and mapping the cloud infrastructure. But what about the applications that run inside the cloud environment, and all of the app services, databases, and APIs that comprise the application?

This is where ASPM, or Application Security Posture Management, steps in. Well, what is Application Security Posture Management?

In this episode of Bionic Uncensored, Matt Rose explores:

  • What the application environment looks like
  • What ASPM looks at compared to CSPM
  • Application services, APIs, dependencies, and data flows
  • Application context and risk scoring

Watch the full episode to dive deeply into the different app layers, how ASPM fits in, and how it is different from CSPM and other cloud security tools.


Top 3 Takeaways

Takeaway #1: Different Layers of an Application

There are many infrastructure layers before you reach the application and service layer. Here is what a typical “application” looks like (top-down):

  • Cloud Layer: cloud infrastructure, network, regions, zones
  • Compute Layer: OS, servers, storage
  • Orchestration Layer: Kubernetes, containers, VMs
  • Application layer: runtime, configuration
  • Service Layer: code, configuration, associated components (libraries, APIs, frameworks, dependencies)
  • Data Layer: where PII, PHI, and PCI data are located

In order to secure from the application layer down to the data layer, you need to have visibility into the application, its associated services, and where that data is flowing throughout the service layer.

Breakdown of the different application layers

Takeaway #2: CSPM vs ASPM

We have already defined CSPM as a tool that visualizes the cloud services and identifies risks at the cloud infrastructure layer. 

ASPM, or Application Security Posture Management, visualizes the application services, dependencies, and data flows and identifies risks at the application layer.

What are some critical risks that CSPM can identify?

  • Publicly exposed VM instance/serverless/web service
  • Externally exposed and unpatched VM instance with cleartext SSH private keys allowing lateral movement
  • CVE-2021-44228 (Log4Shell) detected on a publicly exposed VM instance/serverless

What are some critical risks that ASPM can identify?

  • Internet Facing Services with Unauthenticated APIs
  • Services with Hardcoded Tokens and Third-Party Service Access
  • Services using Log4j versions susceptible to Log4Shell and Accessing Sensitive (PII) Data
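The three ASPM findings above are all correlations of application context rather than single facts: an unauthenticated API matters most when the service is internet facing, a hardcoded token matters most when the service also talks to a third party, and a vulnerable Log4j version matters most when the service touches PII. The following example, added here and not part of the original post or of Bionic's product, shows that kind of context-based scoring over a constructed service inventory. The `Service` fields, the rule names, the service names and the version boundary used for the Log4j check are all assumptions made for this illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed example of ASPM-style risk correlation. The record schema,
# rules and inventory below are invented for this illustration and are not
# any product's data model.


@dataclass
class Service:
    name: str
    internet_facing: bool
    api_auth: str                                                 # "none", "token" or "oauth2"
    dependencies: dict[str, str] = field(default_factory=dict)    # library -> version
    data_classes: set[str] = field(default_factory=set)           # e.g. {"PII", "PCI"}
    hardcoded_secrets: list[str] = field(default_factory=list)    # config keys holding literal secrets
    third_party_access: list[str] = field(default_factory=list)   # external systems the service calls


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '2.14.1' or '2.0-beta9' into a comparable (major, minor, patch) tuple."""
    core = version.split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def log4j_susceptible(version: str) -> bool:
    """Simplified check for CVE-2021-44228: flag log4j 2.x releases before 2.15.0,
    the first release that addressed it. Real triage should follow the vendor
    advisory rather than this single version boundary."""
    return (2, 0, 0) <= parse_version(version) < (2, 15, 0)


def assess(service: Service) -> list[dict[str, str]]:
    """Apply the three ASPM rules from the post. The same weakness scores
    higher when exposure, third-party reach or data sensitivity make it
    directly exploitable; that context is what distinguishes a critical
    finding from a backlog item."""
    findings: list[dict[str, str]] = []

    if service.api_auth == "none":
        findings.append({
            "rule": "unauthenticated-api",
            "severity": "critical" if service.internet_facing else "medium",
        })

    if service.hardcoded_secrets:
        findings.append({
            "rule": "hardcoded-token",
            "severity": "critical" if service.third_party_access else "high",
        })

    version = service.dependencies.get("log4j-core")
    if version and log4j_susceptible(version):
        findings.append({
            "rule": "log4shell-cve-2021-44228",
            "severity": "critical" if "PII" in service.data_classes else "high",
        })

    return findings


def assess_inventory(services: list[Service]) -> dict[str, list[dict[str, str]]]:
    """Map each service name to its list of findings."""
    return {s.name: assess(s) for s in services}


# Constructed inventory; these are not real systems and the secret key
# names are placeholders.
INVENTORY = [
    Service("checkout-api", internet_facing=True, api_auth="none",
            dependencies={"log4j-core": "2.14.1"},
            data_classes={"PII", "PCI"},
            hardcoded_secrets=["PAYMENT_API_KEY"],
            third_party_access=["payments-provider"]),
    Service("report-worker", internet_facing=False, api_auth="none",
            dependencies={"log4j-core": "2.17.1"},
            data_classes={"PII"}),
    Service("auth-service", internet_facing=True, api_auth="oauth2",
            dependencies={"log4j-core": "2.12.1"}),
]


def run_demo() -> dict[str, list[dict[str, str]]]:
    """Assess the constructed inventory and return the findings per service."""
    return assess_inventory(INVENTORY)


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name)
        for finding in findings:
            print(f"  [{finding['severity']}] {finding['rule']}")
```

Running the block prints three critical findings for the internet-facing `checkout-api`, a single medium finding for the internal `report-worker` (its unauthenticated API is not reachable from the internet, and its Log4j is past the fix), and one high finding for `auth-service`, whose vulnerable Log4j does not touch PII. The point is the scoring, not the rules themselves: a CSPM tool would see the same VM or container for all three and could not tell them apart.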

Main difference?

CSPM is looking at contextualizing the risk of cloud services.

ASPM is looking at contextualizing the risk of application services.

Data Flow Map with Critical Vulnerability

Takeaway #3: CSPM + ASPM = Better Together

It is important to make the distinction between ASPM and CSPM because they are two different technologies aimed at solving two separate problems.

  • CSPM secures the cloud infrastructure
  • ASPM secures the underlying application services

But if you are like most companies that are moving to a multi-cloud or hybrid-cloud strategy, you need both technologies in order to properly secure your cloud environment.

We can’t tease it just yet, but we are working with a CSPM vendor to give you the proper visibility across both the cloud & application layers.

CSPM Data Flow View of Application
