What is Application Security Posture Management?

By now, you have probably heard of Cloud Security Posture Management (CSPM) and the many outstanding players such as Wiz, Lacework, and Prisma Cloud.

If you have not heard of CSPM or these vendors, then welcome back from your extended trip to outer space.

CSPM is one of the hottest technology spaces these days as everyone is talking about cloud, cloud, cloud.

But something is missing.

What about the apps that live in those cloud environments?

What is CSPM all about?

With everyone’s push to the cloud, the industry needed a traffic cop to ensure that companies were doing it right, measured against the cloud providers’ own published standards.

Cloud architecture standards for all the cloud providers are readily available, but who has time to read all the documentation and standards?

Add to that the fact that many organizations have multi-cloud initiatives, and you have a lot of information to digest while running at warp speed to get to the cloud.

Why not leave it to experts to tell me what is right and, more importantly, what is wrong with my cloud infrastructure?

Oh, and then there is cloud architecture drift

So you have the optimal cloud infrastructure setup, but how do you know it stays perfect? Do you assume or “hope” it remains perfect?

Hope is not a plan.

Due to the constant change in cloud initiatives, the concept of cloud service drift has rapidly become a huge topic of concern.

How do you ensure that your optimized cloud architecture stays optimized?

This is yet another benefit of CSPM.

CSPM can tell you when your cloud architecture has “drifted” away from the approved version.
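As an added illustration (this is not Bionic’s code or any CSPM vendor’s), here is the core of what a drift check does: take the approved configuration, take a snapshot of what is currently deployed, and report every difference, including settings that were never approved at all. The resource names, settings and values below are constructed for this example.

```python
import json

ABSENT = "<absent>"  # marker for a key or list item present on only one side

# Constructed sample data for this example: the approved baseline and a
# snapshot of what is currently deployed. Resource names and values are
# hypothetical.
APPROVED = {
    "s3:data-lake": {
        "block_public_access": True,
        "encryption": "aws:kms",
        "versioning": True,
    },
    "sg:web-tier": {
        "ingress": [
            {"port": 443, "cidr": "0.0.0.0/0"},
            {"port": 22, "cidr": "10.0.0.0/8"},
        ],
    },
}

DEPLOYED = {
    "s3:data-lake": {
        "block_public_access": False,  # someone switched this off
        "encryption": "aws:kms",
        "versioning": True,
        "logging": False,  # a setting that was never in the approved version
    },
    "sg:web-tier": {
        "ingress": [
            {"port": 443, "cidr": "0.0.0.0/0"},
            {"port": 22, "cidr": "0.0.0.0/0"},  # SSH opened to the world
        ],
    },
}


def _canon(item):
    """Stable string form of a list item so dicts can be compared as a set."""
    return json.dumps(item, sort_keys=True)


def diff_config(approved, deployed, path=""):
    """Recursively compare two configuration trees.

    Returns a list of (path, approved_value, deployed_value) findings.
    Dicts are compared key by key; lists are compared as sets of items
    (order is irrelevant for things like firewall rules); anything else
    is compared for plain equality.
    """
    findings = []
    if isinstance(approved, dict) and isinstance(deployed, dict):
        for key in sorted(set(approved) | set(deployed)):
            child = f"{path}.{key}" if path else key
            findings.extend(diff_config(approved.get(key, ABSENT),
                                        deployed.get(key, ABSENT), child))
    elif isinstance(approved, list) and isinstance(deployed, list):
        approved_items = {_canon(i) for i in approved}
        deployed_items = {_canon(i) for i in deployed}
        for item in sorted(approved_items - deployed_items):
            findings.append((path, json.loads(item), ABSENT))  # rule removed
        for item in sorted(deployed_items - approved_items):
            findings.append((path, ABSENT, json.loads(item)))  # rule added
    elif approved != deployed:
        findings.append((path, approved, deployed))
    return findings


def detect_drift():
    """Drift of the constructed DEPLOYED snapshot from the APPROVED baseline."""
    return diff_config(APPROVED, DEPLOYED)


if __name__ == "__main__":
    for path, before, after in detect_drift():
        print(f"DRIFT {path}: approved={before!r} deployed={after!r}")
```

Run against the sample, the check reports four findings: public-access blocking turned off on the bucket, an unapproved logging setting, the approved SSH rule removed, and an SSH rule open to 0.0.0.0/0 added. A real CSPM feeds the deployed side from the provider’s API on a schedule; the comparison itself is no more than this.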

Applications are the black hole for CSPM

You have invested a ton of time, money, and resources in CSPM. You feel pretty good about your cloud initiatives based on the implementation of CSPM.

But what about applications that are deployed to your cloud?

I have many contacts at the aforementioned CSPM vendors, and they admitted to me that applications are a black hole to them.

Yes, the CSPM vendors “say” they understand the apps deployed to the cloud environment, but not at a satisfactory level.

When this topic comes up, their approach is, “Yes, we understand the app completely…. SQUIRREL!!!”

How can CSPM understand the app?

This is the $10,000,000 question.

CSPM can understand the calls in and out of an application deployed in a cloud environment, but that’s about it.

They are looking at network traffic and API calls, not at what the application itself is doing. They cannot see service-to-service activity inside the application, let alone whether there is an application security flaw or an unauthorized connection to PII data.

This is by no means a knock against CSPM.

It does a great job for its intended purpose of cloud architecture validation and analysis but fails to provide the same capabilities at the app level.

Application Security Posture Management (ASPM) is here – FINALLY

I want you to think of all the great things CSPM brings to the table. Things like:

  • Identifying misconfigured cloud services
  • Cloud service drift
  • Cloud service architectural map
  • Constant cloud architectural monitoring

Now replace every instance of “cloud” with “application.”

Application Security Posture Management (ASPM) is a complete understanding of the application architecture derived from the application code itself, not from monitoring traffic or from the configuration of the cloud infrastructure the application runs on.

Many people see a cloud service map and automatically assume it represents both the cloud services and the application services running on them, but they are dead wrong.

What ASPM isn’t

Some vendors claim to be ASPM solutions, but they are rebranding a CMDB (configuration management database) under a cool new name.

They are not analyzing the application artifacts (WAR, JAR, DLLs, etc.) but simply collecting self-reported, manually maintained data in a common repository.

That is neither accurate nor effective and, in my opinion, creates a false sense of security.

Without going to the source of truth, the code itself, you will be chasing your tail. Yes, the pun was intended.

Cloud is well defined – applications are not

Cloud vendors do a great job of defining standards for cloud infrastructure environments.

Applications, on the other hand, are the wild, wild west. They are being released more frequently than ever before by very creative developers who do not like to do extra work.

Developers are artists, and their masterpiece is the application they develop with their years of expertise and tribal knowledge.

Organizations “think” they understand the masterpieces these developers create but do they really?

Do they understand “every” upstream and downstream data flow, every open-source package, every database call?

I could keep going, but I think you get the picture.
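To make concrete what “going to the artifact” means (as opposed to the CMDB approach criticized above) and what it takes to answer the questions just asked about open-source packages, database calls and data flows, here is an added example, not Bionic’s code or any vendor’s. It opens a JAR, recurses into the nested library JARs a fat JAR carries, reads the Maven pom.properties files that builds embed under META-INF/maven to list packages and versions, and pulls JDBC and HTTP endpoints out of the class files. The sample JAR is constructed in memory; the service name, host names and versions are invented for this example.

```python
import io
import re
import zipfile

# String constants that reveal data flows: a JDBC URL is a database call,
# an http(s) URL is a downstream service the app talks to.
JDBC_RE = re.compile(r"jdbc:[a-z0-9]+://[A-Za-z0-9._-]+(?::\d+)?/[A-Za-z0-9_]+")
HTTP_RE = re.compile(r"https?://([A-Za-z0-9._-]+)")


def _jar(entries):
    """Build an in-memory JAR (a zip file) from {path: str-or-bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


def build_sample_jar():
    """Constructed sample: a Spring-Boot-style fat JAR with one nested library.

    The service name, hosts and versions are hypothetical. Real .class files
    are binary, but string constants sit in the constant pool as (modified)
    UTF-8, so the stand-in used here contains exactly what a scanner sees.
    """
    postgres_lib = _jar({
        "META-INF/maven/org.postgresql/postgresql/pom.properties":
            "#Generated by Maven\nversion=42.5.0\n"
            "groupId=org.postgresql\nartifactId=postgresql\n",
    })
    return _jar({
        "META-INF/MANIFEST.MF":
            "Manifest-Version: 1.0\nMain-Class: com.example.OrdersApp\n",
        "META-INF/maven/com.example/orders-service/pom.properties":
            "version=2.3.1\ngroupId=com.example\nartifactId=orders-service\n",
        "BOOT-INF/classes/com/example/OrdersApp.class":
            b"\xca\xfe\xba\xbe\x00jdbc:postgresql://orders-db.internal:5432/orders\x00"
            b"https://payments.example.com/api/v1/charge\x00",
        "BOOT-INF/lib/postgresql-42.5.0.jar": postgres_lib,
    })


def _walk(jar_bytes, found):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.endswith(".jar"):
                _walk(data, found)  # nested library JAR: scan it too
            elif name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = dict(
                    line.split("=", 1)
                    for line in data.decode("utf-8").splitlines()
                    if "=" in line and not line.startswith("#")
                )
                found["dependencies"].add(
                    f"{props['groupId']}:{props['artifactId']}:{props['version']}")
            elif name.endswith(".class"):
                text = data.decode("latin-1")  # byte-preserving, ASCII strings survive
                found["db_urls"].update(JDBC_RE.findall(text))
                found["http_hosts"].update(HTTP_RE.findall(text))


def inventory(jar_bytes):
    """Packages, database URLs and outbound hosts found in the artifact."""
    found = {"dependencies": set(), "db_urls": set(), "http_hosts": set()}
    _walk(jar_bytes, found)
    return {key: sorted(values) for key, values in found.items()}


if __name__ == "__main__":
    for key, values in inventory(build_sample_jar()).items():
        print(key)
        for value in values:
            print("  " + value)
```

On the sample this lists both Maven coordinates (including the PostgreSQL driver buried in BOOT-INF/lib), the orders database the code connects to, and the payments host it calls. A production scanner would parse the class-file constant pool instead of running regexes over raw bytes and would cover other ecosystems (NuGet manifests for DLL-based deployments, package-lock.json, requirements.txt), but the principle holds: the inventory comes from what is actually deployed, not from what somebody typed into a form.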

CSPM and ASPM – Better Together

To ensure that the infrastructure and applications are secure and configured correctly, you need BOTH CSPM and ASPM.

One without the other, and you are missing half of the complete picture of risk.

I am not a betting man, but I don’t like those odds one bit. As I said before, “hope” is not a plan.

Learn more about the main differences between Bionic & CSPM.
