Application Security Posture Management (ASPM) is a hot new technology that organizations and analysts are still investigating and researching. They are reading vendor reports, social media posts, and even blogs like this one to try to educate themselves on ASPM. Even with this research, questions and confusion about ASPM remain. A common question I have often heard is, “What the heck does ASPM do for me?” The goal of this blog is to answer that question.
ASPM Capability #1: Application Service Risk Scoring
Every application security or cyber security solution provides a method of ranking risk. The problem is that the ranking from any one of these solutions is narrow in scope: it looks at just one layer of the overall application architecture, such as source code, open-source packages, or APIs. ASPM ranks risk at the application service level, considering both the risk resident in the specific service and how that risk can be drastically increased by the way the service interacts with other services and with sensitive data.
Why is Application Service Risk Scoring important?
If you only look for risk at the component level (code, open-source packages, and so on), you do not have the full risk context and cannot prioritize remediation well. The risk scoring that ASPM provides considers every aspect of the service and its relationships with other services, so you can decide more efficiently what to fix first.
ASPM Capability #2: Auto Tagging of Sensitive Data
Most applications exist to process sensitive data. Modern CI/CD pipelines change an organization’s production code daily, and with that constant change it is difficult to know which services consume or store sensitive data, which in turn complicates the prioritization of remediation work. Tagging the application services that hold or process PII gives you a current picture of where that data lives in your application architecture.
Why is Auto Tagging of Sensitive Data important?
Sensitive data (PII, cardholder data covered by PCI DSS, and PHI) is the primary target for attackers. The problem is that identifying every source of sensitive data within an application architecture is often difficult. ASPM’s ability to automatically tag the services that hold sensitive data, and the services that communicate with them, gives you a view of your application architecture that you do not have today.
ASPM Capability #3: Zero-Day Identification and Prioritization
Zero-day issues are an ongoing problem for organizations around the world. How do you respond when a new zero-day vulnerability becomes public? The first step is identification, then prioritization, and finally remediation. Finding every affected component is challenging but not impossible. The bigger challenge is deciding what to remediate first. That prioritization problem is where ASPM helps organizations work smarter, not harder: it combines the new finding with the risk scoring and sensitive data tagging described in capabilities #1 and #2 above to produce an order of remediation.
Why is Zero-Day Identification and Prioritization important?
Zero-day issues are hard to prioritize and fix because something you believed was secure and compliant instantly becomes a serious security risk, and you may be faced with remediating thousands of affected instances with limited time and people. ASPM provides the context (exposure, data sensitivity, and service relationships) needed to prioritize and remediate much more quickly.
ASPM Capability #4: Complete Dependency Mapping
By reverse engineering application artifacts (WAR, JAR, DLL, etc.) together with their associated configuration files and environment variables using static analysis techniques, ASPM provides you with a complete list of each application service’s dependencies. Because the list is derived from the deployed artifact rather than from documentation, it is code accurate to the application deployed in production or in a lower-level environment.
Why is Complete Dependency Mapping important?
I saw a real-world example of an organization that missed a critical dependency when moving from one cloud provider to another—this missing dependency caused over 5 hours of downtime for a mission-critical production application. Since ASPM uses the code as a source of truth for the application architecture instead of questionnaires or outdated documentation, all dependencies are known.
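The config-and-environment half of the dependency mapping described above, as an added example that is not code from the original post or from any ASPM vendor: the Python below pulls connection targets out of a constructed properties file and a constructed set of environment variables, handling JDBC URLs, URLs with embedded credentials, bare broker host:port lists, and FOO_HOST/FOO_PORT pairs. Decompiling a JAR or DLL for hard-coded endpoints, which the text also describes, is out of scope here; every file name, host, and port is a made-up sample.

```python
"""Dependency extraction from configuration and environment (added example,
not code from the original post or from any ASPM vendor).  It covers only
the config-and-environment half of what the text describes; decompiling a
JAR or DLL for hard-coded endpoints is out of scope here.  The property
file and environment below are constructed sample input."""
import re

# scheme://[user:pass@]host[:port]..., with a jdbc: prefix kept as part of the kind
URL_RE = re.compile(
    r"(jdbc:)?([a-z][a-z0-9+.-]*)://(?:[^\s/@]+@)?([^\s/,:;@]+)(?::(\d{1,5}))?")
# bare host:port entries such as broker lists; requires a dotted hostname, so
# single-label hosts like localhost:5432 are deliberately not picked up here
HOSTPORT_RE = re.compile(r"(?<![\w.-])([a-z0-9-]+(?:\.[a-z0-9-]+)+):(\d{1,5})\b")
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample input, not taken from any real application.
SAMPLE_PROPERTIES = """\
spring.datasource.url=jdbc:postgresql://orders-db.internal:5432/orders
spring.kafka.bootstrap-servers=kafka-1.internal:9092,kafka-2.internal:9092
payments.api.base-url=https://api.payments.example.com/v2
"""
SAMPLE_ENV = {
    "REDIS_URL": "redis://cache.internal:6379/0",
    "SMTP_HOST": "smtp.internal",
    "SMTP_PORT": "587",
    "FEATURE_FLAG": "true",
}


def extract_from_text(text):
    """Return {(kind, host, port)} found in free-form config text."""
    deps = set()
    for jdbc, scheme, host, port in URL_RE.findall(text):
        kind = f"jdbc:{scheme}" if jdbc else scheme
        deps.add((kind, host, int(port) if port else DEFAULT_PORTS.get(scheme)))
    # Blank out the URLs first so their host:port is not counted a second time.
    for host, port in HOSTPORT_RE.findall(URL_RE.sub(" ", text)):
        deps.add(("tcp", host, int(port)))
    return deps


def extract_from_env(env):
    """Scan every value, then pair FOO_HOST with FOO_PORT for non-URL settings."""
    deps = set()
    for key, value in env.items():
        deps |= extract_from_text(value)
        if key.endswith("_HOST"):
            port = env.get(key[:-5] + "_PORT", "")
            if port.isdigit():
                deps.add((key[:-5].lower(), value, int(port)))
    return deps


def extract_dependencies(properties_text, env):
    """Code-derived dependency list: sorted, de-duplicated (kind, host, port)."""
    deps = extract_from_text(properties_text) | extract_from_env(env)
    return sorted(deps, key=lambda d: (d[0], d[1], d[2] or 0))


if __name__ == "__main__":
    for kind, host, port in extract_dependencies(SAMPLE_PROPERTIES, SAMPLE_ENV):
        print(f"{kind:16} {host}:{port}")
```

Running it against the sample input yields six dependencies, including the two Kafka brokers that only appear as a comma-separated host list and the SMTP relay that is only visible by pairing two environment variables; none of these would be on a hand-maintained diagram unless somebody remembered to add them.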
ASPM Capability #5: Sensitive Data Exposure Identification
We previously discussed auto-tagging services that contain sensitive data such as PII. Tagging is a very effective way to learn where sensitive data exists, but it is only half the equation. The other half is determining whether that data is actually exposed, for example through a web service that carries a critical CVE or a misconfiguration. Identifying that exposure is a crucial capability of ASPM.
Why is Sensitive Data Exposure Identification important?
A real-world example I saw recently was a developer adding credit card processing functionality to an application service. Previously, this service did not process any PCI or PII data, so it was not on the security team’s radar even though it had a critical CVE for RCE. The security team had no idea that this application service now processed PCI and PII data. ASPM was able to identify this sensitive data exposure quickly.
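As an added example (not code from the original post or from any ASPM vendor) of what capabilities #1, #3 and #5 amount to in practice, the Python below scores each service in a small constructed service graph by its worst finding, amplified by the sensitive data it can reach and by whether an internet-facing service can reach it. The same graph then answers the two questions from the sections above: which services with a critical finding expose sensitive data, and how to rank the services hit by a newly disclosed vulnerability. The services, tags, finding ids (placeholders, not real CVEs), and the 0.5 and 1.5 weighting factors are all assumptions made for this example.

```python
"""Contextual risk scoring over a service graph.

Added example, not code from the original post or from any ASPM vendor.
Assumed model: a service has findings (placeholder ids, not real CVEs) with a
CVSS base score, optional sensitive-data tags, an internet-facing flag and
outbound calls.  Every service, tag and score below is constructed."""
import copy
from collections import deque
from dataclasses import dataclass, field

SENSITIVE = {"PCI", "PII", "PHI"}


@dataclass
class Service:
    name: str
    findings: dict = field(default_factory=dict)  # finding id -> CVSS base score
    data_tags: set = field(default_factory=set)   # sensitive data this service holds
    internet_facing: bool = False
    calls: list = field(default_factory=list)     # downstream services it talks to


# Constructed architecture: an internet-facing gateway in front of a checkout
# service that recently started handling card data, plus a nightly batch job
# with a high-severity finding that nothing on the internet can reach.
SERVICES = {
    "api-gateway": Service("api-gateway", {"VULN-1": 5.3}, internet_facing=True,
                           calls=["checkout", "user-profile"]),
    "checkout": Service("checkout", {"VULN-2": 9.8}, {"PCI", "PII"},
                        calls=["payments-db", "audit-log"]),
    "user-profile": Service("user-profile", calls=["users-db"]),
    "payments-db": Service("payments-db", data_tags={"PCI"}),
    "users-db": Service("users-db", {"VULN-3": 7.5}, {"PII"}),
    "audit-log": Service("audit-log"),
    "batch-report": Service("batch-report", {"VULN-4": 8.0}, calls=["users-db"]),
}


def downstream(graph, start):
    """Every service transitively called by `start` (breadth-first, cycle-safe)."""
    seen, queue = set(), deque(graph[start].calls)
    while queue:
        name = queue.popleft()
        if name not in seen:
            seen.add(name)
            queue.extend(graph[name].calls)
    return seen


def reachable_tags(graph, name):
    """Sensitive data the service holds itself or can reach downstream."""
    tags = set(graph[name].data_tags)
    for other in downstream(graph, name):
        tags |= graph[other].data_tags
    return tags & SENSITIVE


def internet_reachable(graph, name):
    """True if the service is internet-facing or sits behind one that is."""
    return graph[name].internet_facing or any(
        s.internet_facing and name in downstream(graph, s.name) for s in graph.values())


def risk_score(graph, name):
    """Worst CVSS on the service, amplified by reachable data and exposure.

    Unbounded on purpose: it is a ranking key, not a CVSS replacement."""
    base = max(graph[name].findings.values(), default=0.0)
    sensitivity = 1.0 + 0.5 * len(reachable_tags(graph, name))   # assumed weight
    exposure = 1.5 if internet_reachable(graph, name) else 1.0   # assumed weight
    return round(base * sensitivity * exposure, 1)


def prioritize(graph, names=None):
    """Services ordered by contextual score, highest first (ties by name)."""
    names = list(graph) if names is None else names
    return sorted(((risk_score(graph, n), n) for n in names), key=lambda t: (-t[0], t[1]))


def exposure_findings(graph, min_cvss=9.0):
    """Capability #5: critical finding + internet path + sensitive data in reach."""
    hits = []
    for s in graph.values():
        tags = reachable_tags(graph, s.name)
        if (max(s.findings.values(), default=0.0) >= min_cvss and tags
                and internet_reachable(graph, s.name)):
            hits.append((s.name, sorted(tags)))
    return hits


def zero_day_triage(graph, vuln_id, affected):
    """Capability #3: attach a newly disclosed finding to the services that
    carry the vulnerable component and rank only those, on a copy of the graph."""
    g = copy.deepcopy(graph)
    for name, cvss in affected.items():
        g[name].findings[vuln_id] = cvss
    return prioritize(g, list(affected))


if __name__ == "__main__":
    for score, name in prioritize(SERVICES):
        print(f"{score:5.1f}  {name}")
    print("exposed:", exposure_findings(SERVICES))
    print("triage:", zero_day_triage(SERVICES, "VULN-NEW",
                                     {"audit-log": 10.0, "batch-report": 10.0, "user-profile": 10.0}))
```

Note how the contextual order differs from a plain CVSS sort: by raw score the batch job (8.0) outranks the gateway (5.3), but the gateway is internet-facing and fronts both card and personal data, so it lands above the batch job once context is applied. In the triage call, three services receive the same 10.0 finding, yet only the one that sits on an internet path to PII rises to the top.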
ASPM Capability #6: Compliance Risk Identification
ASPM can check for compliance with a standard by expressing its detailed requirements as policies with associated rules. Some examples of compliance standards that ASPM can help with are GDPR, PCI DSS, and HIPAA.
Why is Compliance Risk Identification important?
A real-world compliance issue that I recently saw identified by ASPM was associated with GDPR. An organization was expanding into the EU, so GDPR was now something that they were concerned about. This organization thoroughly investigated to ensure they were GDPR compliant, which they thought they were. ASPM was able to identify an application service connecting to a data store in the US which is a violation of GDPR.
ASPM Capability #7: Application Architecture Drift
Knowing what your application actually looks like in production is becoming increasingly hard with siloed development teams and aggressive CI/CD pipelines. Even if your application has been through an architectural review process, constant change means there is no guarantee that the architecture now running in production still has an acceptable security posture.
Why is Application Architecture Drift important?
How can you ensure your applications are secure and compliant if you don’t fully understand what is deployed in production? ASPM continuously monitors application architectures for drift and notifies you immediately when a change needs further investigation.
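The drift check of capability #7 and the policy-as-rules idea of capability #6, as one added example that is not code from the original post or from any ASPM vendor: the Python below diffs a reviewed architecture snapshot against one rebuilt from the latest deploy, then runs a data-residency rule over the new snapshot and reports only the violations the change introduced. The two snapshots, the region names, and the residency rule itself (flag personal data flowing from an EU service to a data store outside the EU for review) are assumptions made for illustration, not a statement of what any regulation requires.

```python
"""Architecture drift and policy evaluation over two snapshots of a service
graph (added example, not code from the original post or from any ASPM
vendor).  A snapshot maps a service name to its region, kind, sensitive-data
tags and outbound calls.  Both snapshots, the region list and the residency
rule are constructed assumptions for illustration."""

EU_REGIONS = {"eu-west-1", "eu-central-1"}   # assumed region naming


def svc(region, kind="service", tags=(), calls=()):
    return {"region": region, "kind": kind, "tags": set(tags), "calls": set(calls)}


# Snapshot captured at the last architecture review (constructed).
REVIEWED = {
    "web": svc("eu-west-1", calls=["orders"]),
    "orders": svc("eu-west-1", tags=["PII"], calls=["orders-db"]),
    "orders-db": svc("eu-west-1", "datastore", tags=["PII"]),
}
# Snapshot rebuilt from the latest production deploy (constructed): orders now
# handles card data and also ships order records to a US analytics store.
DEPLOYED = {
    "web": svc("eu-west-1", calls=["orders"]),
    "orders": svc("eu-west-1", tags=["PII", "PCI"], calls=["orders-db", "analytics"]),
    "orders-db": svc("eu-west-1", "datastore", tags=["PII"]),
    "analytics": svc("us-east-1", "datastore", tags=["PII"]),
}


def edges(snapshot):
    return {(src, dst) for src, s in snapshot.items() for dst in s["calls"]}


def diff_snapshots(old, new):
    """Structural drift: services and edges added or removed, tags that changed."""
    common = set(old) & set(new)
    return {
        "added_services": sorted(set(new) - set(old)),
        "removed_services": sorted(set(old) - set(new)),
        "added_edges": sorted(edges(new) - edges(old)),
        "removed_edges": sorted(edges(old) - edges(new)),
        "tag_changes": sorted((n, sorted(new[n]["tags"] ^ old[n]["tags"]))
                              for n in common if new[n]["tags"] != old[n]["tags"]),
    }


def eu_residency_rule(snapshot):
    """Flag personal data flowing from an EU service to a non-EU data store
    (assumed policy wording; the finding is a review item, not a legal verdict)."""
    hits = []
    for src, dst in sorted(edges(snapshot)):
        if dst not in snapshot:            # edge to something outside the snapshot
            continue
        s, d = snapshot[src], snapshot[dst]
        if (s["region"] in EU_REGIONS and d["kind"] == "datastore"
                and d["region"] not in EU_REGIONS
                and "PII" in (s["tags"] | d["tags"])):
            hits.append(("eu-residency", src, dst))
    return hits


POLICIES = [eu_residency_rule]   # add further rules as plain functions


def evaluate(snapshot):
    return [hit for rule in POLICIES for hit in rule(snapshot)]


def review_queue(old, new):
    """Drift since the reviewed snapshot plus the policy violations it introduced."""
    drift = diff_snapshots(old, new)
    drift["new_violations"] = sorted(set(evaluate(new)) - set(evaluate(old)))
    return drift


if __name__ == "__main__":
    for key, value in review_queue(REVIEWED, DEPLOYED).items():
        print(f"{key:17} {value}")
```

The reviewed snapshot evaluates clean; the deployed one surfaces a new service, a new edge, a tag change on the orders service, and one residency finding, which is exactly the short list a reviewer wants rather than the whole architecture again.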
ASPM Capability #8: Automated Threat Modeling
ASPM is a new way to automate threat modeling activities. Rather than relying on a manual methodology such as STRIDE or PASTA applied to an architecture drawn out on a whiteboard, ASPM automates the design-capture phase of threat modeling and lets you threat model more effectively against a code-accurate bill of materials.
Why is Automated Threat Modeling important?
Threat modeling is an important activity when it comes to identifying risk. The problem is that it takes a lot of time, is largely manual, and cannot keep pace with modern DevOps pipelines. ASPM can automate much of that work for your organization.
ASPM Capability #9: Customizable Application Architectural Map
A visual representation of your application architecture is hard to keep up to date with modern CI/CD pipelines. ASPM gives you a continuously updated architectural map, refreshed on each code push to production. The generated map can be rendered as different views of the application: data flow, cloud, region, and business-application views.
Why is a Customizable Application Architectural Map important?
Understanding the full contextual risk of your application architecture is key to identifying all potential risk and compliance concerns. An adjustable architectural map lets you see risk from different perspectives, or understand the blast radius when something goes wrong.
ASPM Capability #10: Complete Application Data Flow Mapping
Understanding where data comes from and where it goes in your applications is one of the most critical aspects of security risk. Without the full context of the data flows, it is impossible to protect the data your applications use; if you don’t know about the risk, how can you protect against it?
Why is Complete Application Data Flow Mapping important?
Organizations struggle to ensure that data in transit and data at rest are secure. ASPM provides complete data flow mapping for your applications, so you can understand where data is, where it came from, and where it is going.