Bionic’s Chief Architect, Matt Rose, breaks down application security one glass board session at a time.

Ep 23: API Security & ASPM (Pt. 2)

In this episode, we take a deeper dive into how ASPM provides you with an understanding of applications and APIs, and how it differs from API Security.

Ep 22: API Security & ASPM (Pt. 1)

Let’s take a look at how API Security and ASPM work by using an analogy of trucks delivering from one factory to another. 

Ep 21: Defining 'Agile'

Today’s word of the day is: Agile. Let’s talk about how the word ‘agile’ can mean different things to different people. 

Ep 20: Why? (Hackers)

Why are hackers thinking of every permutation of a hack against your application? Because they can. And they have unlimited time and resources to do so. More often than not, these types of ‘X-edge’ cases are never taken into consideration when securing an application.

Ep 19: Bugs are Bugs are Bugs

Let’s just face the fact that there is no such thing as a perfect application. It is much easier to remediate all types of bugs through the same process and context using ASPM. Having a separate process to remediate functional and configuration bugs versus security bugs does not work anymore.

Ep 18: Why SCA is BETTER with ASPM!

ASPM makes Software Composition Analysis BETTER! Application Security Posture Management provides comprehensive context for what’s going on in your application ecosystem.

Ep 17: ASPM + 3rd Party Development

If you are an organization using third-party development, you NEED to use ASPM. Application Security Posture Management allows you to have more information than just human-made documents that don’t update in real time.

Ep 16: Non-Standard Process

Oh no! A new vulnerability has been identified in your application environment. Often, a non-standard process is taken to fix the vulnerability. This results in an unapproved application architecture, which can potentially expose you to more risks. ASPM baselines your approved application architecture in production and re-architects any new push of code.

Ep 15: Complete App Service Attack Surface

Once your applications are deployed into production, you must get visibility into every potential attack surface. What is in pre-production, staging, and QA more than likely looks different than in production. Let’s look at what complete application visibility looks like and how it can benefit you in production.

Ep 14: Business Risk Context

One important finding that ASPM can provide organizations is business risk context – which is the security posture of your application services – visibility on connections, functionality, data flows, and identifying drift.

Ep 13: PII Data Exposure

How can the addition of an API to a third-party service increase your attack surface? In this Bionic Uncensored, Matt Rose goes over a real-life example of what can be found in an ASPM tool like Bionic.

Ep 12: ASPM vs SAST

The old way of doing application security: looking for structured security risks. Matthew Rose talks about how ASPM goes deeper than traditional Static Analysis Security Testing (SAST).

Ep 11: ASPM vs CSPM

Application Security Posture Management. It’s like CSPM for the application layer. Matthew Rose goes over the key differentiation between CSPM and ASPM.

Ep 10: DBOM, DMap, DQuery

Bionic addresses many issues in current day application security. Matt Rose goes over three components of Bionic that work better together: DBOM, DMap, and DQuery.

Ep 9: Uncensored Rant

Our Chief Architect, Matt Rose is frustrated, so here is his way to rant about all of the repetitive talking points that occur in the application security industry.

Ep 8: Dynamic SBOM

SBOMs are created by SCA tools to give you a breakdown of what your software is built from, which is great, but it is static. Bionic has created the concept of the dynamic bill of materials.

Ep 7: Detect & Prioritize Log4J

It takes teams days to find all of those Log4J vulnerabilities in their applications. By the time they find all of the vulnerabilities, they have no idea where to start.

Data flows are extremely difficult to identify. Where does sensitive data live? What services are interacting with your sensitive data? How do you map critical vulnerabilities connecting to sensitive data?

We have just one question: what is the security and risk profile of your applications? Just like your applications themselves, understanding their security and risk is extremely difficult.

The further “left” you go in the DevOps process, the less you focus on the holistic picture of your application ecosystem. The less you focus on the holistic picture, the more likely you are to miss architectural risk.

The space between is the interrelationship of the custom code with the open source, the frameworks, the third parties, the APIs, and the connections among all of them.

Much like an airplane, think about testing the whole ecosystem, not just the cockpit controls or the landing gear or the slats or the rudder. Test the interaction, not just the individual component.

Welcome to the first episode of Bionic Uncensored! SAST, DAST, IAST, RASP, SCA… Bionic’s Chief Architect Matt Rose walks us through the history of application security.