Part of every security professional's job is deciphering the buzzwords that analysts and vendors create. ASOC and ASPM are the latest two, and they are increasingly relevant in 2023 as applications become cloud-native (more distributed tech) and adopt CI/CD (loads of f***king changes).
In this post, I shall try to explain what ASOC and ASPM are, why they are relevant, and how they compare.
So, WTF is ASOC?
Gartner coined the term ASOC back in 2020 as part of their Market Guide for Compliance Automation Tools in DevOps:
Application security orchestration and correlation (ASOC): ASOC tools ease software vulnerability testing and remediation by automating workflows and processing findings. They automate security testing within and across development life cycles and projects, while ingesting data from multiple sources. ASOC tools correlate and analyze findings to centralize efforts for easier interpretation, triage, and remediation. They act as a management and orchestration layer between application development and security testing.
In a nutshell: ASOC lets DevSecOps teams plug their application security tools into one layer that ingests each tool's findings, normalizes them into a common format, de-duplicates them, and prioritizes which vulnerabilities engineering teams should fix first across their CI/CD pipelines and code repositories.
Pros:
- Provides a single pane of glass across your AppSec tool ecosystem
- Works well for simple apps that span a few codebases or repositories (e.g. monolithic)
- Reduces vulnerability noise from thousands to hundreds
- Integrates into your existing DevOps workflows and tools (e.g. Jira)
- Generates metrics and reports across tools/workflows
Cons:
- Application models are manually defined, require continuous configuration as architectures evolve, and can be incomplete
- Difficult to manage complex distributed apps that span tens or hundreds of codebases or repositories (e.g. microservices/serverless)
- The number of vulnerabilities, though reduced to 100s instead of 1,000s, still creates toil for engineering teams
- Limited visibility of actual application security posture in production
- Requires installing agents or other software in order to scale
Notable vendors include: AppSec Phoenix; ArmorCode; Enso; Maverix; Nucleus Security; Rezilion; RiskSense; Synopsys; Vulcan Cyber; Wabbi
WTF is ASPM?
Bionic started to use this term in early 2022 after identifying a major gap in security tools. Why? Customers already had posture solutions for cloud (CSPM) and data (DSPM) but nothing for applications (ASPM). Specifically, there were no tools that could show an organization's actual application security posture in production.
Existing AppSec tools were focused exclusively on pre-production use cases like SAST, DAST, and SCA. Moreover, they relied on source code repositories as the source of truth for evaluating an application's posture, rather than evaluating what was actually deployed to production.
'Application' in this context means the business logic, APIs, and developer code that is actually deployed and exploitable in a production environment. Think microservices, APIs, third-party services, databases, and layer seven stuff (if you're old skool). ASPM is basically one level deeper than CSPM visibility, so teams get to see and secure what's running inside their containers/VMs/workloads and cloud infra.
CSPM focuses on cloud infrastructure like compute, OS, processes, containers, and storage, specifically their configuration and identity and access management (IAM) controls.
DSPM focuses on the storage part of the cloud, specifically where sensitive data is stored and managed (e.g. S3 buckets, data stores, and databases).
In a nutshell: ASPM allows DevSecOps teams to see and secure their actual application security posture in production, so the most critical risks get fixed as engineering teams continuously deliver code.
Pros:
- Agentless and easy to scale
- Application architecture models are automated, complete, and continuous
- Works well in large, complex distributed environments (e.g. microservices/serverless)
- Reduces vulnerability alerts and noise from thousands to tens
- Complete and deep visibility of your actual application security posture in production, showing all related dependencies and attack surfaces that are exploitable
- Visibility into sensitive data flows for DSPM and data privacy use cases like GDPR
Cons:
- Platform support is specific to the language of an application (e.g. Java, .NET, Python) and is not generic across cloud providers the way CSPM or DSPM solutions are
- Limited support for COTS applications
- Value is somewhat limited in simple environments (e.g. monolithic, legacy)
- Integrations are not as broad as ASOC, and typically focus only on production AppSec or CloudSec tools (e.g. Wiz), in addition to DevOps tools like Jira
- Limited pre-production visibility from SAST, DAST, and SCA tools
ASOC is best fit for pre-production use cases (app security testing), and ASPM is best fit for production use cases (observability, visibility, risk scoring, compliance).
ASOC is really about seeing across your different AppSec tools and code repositories and de-duplicating your security alerts/vulnerabilities so that engineers don't drown in a noisy, chaotic sea of false positives. It's basically a way to normalize and report on security across your DevSecOps pipelines.
ASPM is about knowing what your application security posture actually is in production and measuring whether your DevSecOps process and pipelines are improving or regressing over time.
The ideal DevSecOps process would include both ASOC and ASPM, so you have complete end-to-end visibility of your application security from testing (ASOC) through production (ASPM).
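To make the two stages concrete, here is an added toy pipeline in Python. It is an illustration written for this post, not Bionic's code or any vendor's product. The first stage does what the ASOC section above describes: it ingests findings from a SAST tool, an SCA tool and a container image scan that all use different schemas, normalizes them into one record type, de-duplicates them, and ranks by tool severity. The second stage does what the ASPM section describes: it re-ranks the survivors against a model of what is actually running in production (whether the service is internet-facing, whether it handles sensitive data, and whether the vulnerable package is even present in the deployed artifact). Every tool report, repo and service name, the runtime model and the scoring weights are constructed for the example, and the CVE identifiers are placeholders, not real advisories.

```python
"""Toy ASOC-then-ASPM triage pipeline. Added illustration only; all data below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# --- Constructed tool output. Findings and CVE ids are placeholders, not real advisories. ---
SAST_REPORT = [  # code-scanner schema: rule / file / line / severity word
    {"repo": "orders-svc", "rule": "sql-injection", "file": "OrderDao.java", "line": 42, "severity": "High"},
    {"repo": "orders-svc", "rule": "sql-injection", "file": "OrderDao.java", "line": 42, "severity": "High"},  # rescan duplicate
    {"repo": "billing-svc", "rule": "weak-hash", "file": "Token.java", "line": 7, "severity": "Medium"},
]
DEPENDENCY_REPORTS = [  # SCA and image-scan schema: package / version / cve / cvss; "tool" names the scanner
    {"tool": "sca", "repo": "orders-svc", "package": "libparse", "version": "1.2.3", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"tool": "sca", "repo": "orders-svc", "package": "libparse", "version": "1.2.3", "cve": "CVE-0000-0001", "cvss": 9.8},  # reported twice
    {"tool": "image", "repo": "orders-svc", "package": "libparse", "version": "1.2.3", "cve": "CVE-0000-0001", "cvss": 9.8},  # same bug, second tool
    {"tool": "sca", "repo": "reports-svc", "package": "libxml-old", "version": "0.9", "cve": "CVE-0000-0002", "cvss": 9.1},
]
SEVERITY_TO_SCORE = {"critical": 9.5, "high": 8.0, "medium": 5.0, "low": 2.0}  # map severity words onto the CVSS 0-10 scale


@dataclass
class Finding:
    repo: str
    kind: str            # "code" or "dependency"
    location: str        # file:line for code, package@version for dependencies
    title: str           # rule id or CVE id
    base_score: float    # normalized 0-10, tool-agnostic
    sources: List[str] = field(default_factory=list)

    @property
    def key(self) -> Tuple[str, str, str]:
        """Fingerprint used to de-duplicate across tools and rescans."""
        return (self.repo, self.location, self.title)


def normalize(sast: List[dict], deps: List[dict]) -> List[Finding]:
    """Stage 1a: map each tool's own schema onto the common Finding record."""
    out: List[Finding] = []
    for f in sast:
        out.append(Finding(f["repo"], "code", f"{f['file']}:{f['line']}", f["rule"],
                           SEVERITY_TO_SCORE[f["severity"].lower()], ["sast"]))
    for f in deps:
        out.append(Finding(f["repo"], "dependency", f"{f['package']}@{f['version']}", f["cve"],
                           float(f["cvss"]), [f["tool"]]))
    return out


def dedupe(findings: List[Finding]) -> List[Finding]:
    """Stage 1b: collapse findings with the same fingerprint, keeping the highest score and every reporting tool."""
    merged: Dict[Tuple[str, str, str], Finding] = {}
    for f in findings:
        m = merged.get(f.key)
        if m is None:
            merged[f.key] = Finding(f.repo, f.kind, f.location, f.title, f.base_score, list(f.sources))
            continue
        m.base_score = max(m.base_score, f.base_score)
        for s in f.sources:
            if s not in m.sources:
                m.sources.append(s)
    return list(merged.values())


def asoc_rank(sast: List[dict], deps: List[dict]) -> List[Finding]:
    """ASOC view: one normalized, de-duplicated list ordered by tool severity alone."""
    return sorted(dedupe(normalize(sast, deps)), key=lambda f: f.base_score, reverse=True)


# --- Constructed production model: what an ASPM tool would discover from the running environment. ---
RUNTIME_MODEL = {
    "orders-svc":  {"internet_facing": True,  "data": {"pii", "payment"}, "deployed_packages": {"libparse@1.2.3"}},
    "billing-svc": {"internet_facing": False, "data": {"payment"},        "deployed_packages": set()},
    "reports-svc": {"internet_facing": False, "data": set(),              "deployed_packages": set()},  # libxml-old never shipped
}


def aspm_score(f: Finding, model: Dict[str, dict]) -> float:
    """Stage 2: weight the tool score by production context; 0 means not exploitable in production as modelled."""
    svc = model.get(f.repo)
    if svc is None:
        return 0.0  # nothing from this repo is running
    if f.kind == "dependency" and f.location not in svc["deployed_packages"]:
        return 0.0  # the vulnerable package is absent from the deployed artifact
    score = f.base_score * (1.5 if svc["internet_facing"] else 0.5)  # reachable from the internet or only internally
    if svc["data"] & {"pii", "payment"}:
        score *= 1.25  # sensitive data raises impact
    return min(score, 10.0)


def aspm_rank(findings: List[Finding], model: Dict[str, dict]) -> List[Tuple[float, Finding]]:
    """ASPM view: the same findings re-ordered by production risk, non-exploitable ones at the bottom."""
    return sorted(((aspm_score(f, model), f) for f in findings), key=lambda t: t[0], reverse=True)


if __name__ == "__main__":
    stage1 = asoc_rank(SAST_REPORT, DEPENDENCY_REPORTS)
    print(f"ASOC: {len(SAST_REPORT) + len(DEPENDENCY_REPORTS)} raw findings -> {len(stage1)} unique")
    for f in stage1:
        print(f"  {f.base_score:>4}  {f.repo:<12} {f.title:<14} via {','.join(f.sources)}")
    stage2 = aspm_rank(stage1, RUNTIME_MODEL)
    print(f"ASPM: {len(stage1)} unique -> {sum(1 for s, _ in stage2 if s > 0)} exploitable in production")
    for score, f in stage2:
        print(f"  {score:>5.2f}  {f.repo:<12} {f.title}")
```

Running it shows the two reductions the post talks about: seven raw findings collapse to four after normalization and de-duplication, and only three of those survive the production check. The 9.1 dependency finding in reports-svc drops to zero because the package never made it into the deployed image, which is exactly the "source of truth is the repo, not production" problem described above, while the orders-svc findings move to the top because that service is internet-facing and handles payment data. The weights and the data tags are arbitrary; a real tool would derive them from discovered traffic, IAM and data-flow evidence rather than a hand-written dictionary.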
Interested in learning more about WTF ASPM is? Check out our Application Security Posture Management ebook.