Uncensored
Bionic’s Chief Architect, Matt Rose, breaks down application security one glass board session at a time.
BionicBionicBionic’s Chief Architect, Matt Rose, breaks down application security one glass board session at a time.
In this episode, we take a deeper dive into how ASPM provides you an understanding of applications & API’s, and how it is different from API Security.
Let’s take a look at how API Security and ASPM work by using an analogy of trucks delivering from one factory to another.
Today’s word of the day is: Agile. Let’s talk about how the word ‘agile’ can mean different things to different people.
Why are hackers thinking of every permutation of a hack against your application? Because they can. And they have unlimited time and resources to do so. More often than not, these types of ‘X-edge’ cases are never put into consideration when securing an application.
Let’s just face the fact there is no such thing as a perfect application. It is much easier to remediate all types of bugs through the same process and context using ASPM. Having a separate process to remediate functional and configuration bugs vs security bugs does not work any more.
ASPM makes Software Composition Analysis BETTER! Application Security Posture Management provides comprehensive context for what’s going on in your application ecosystem.
If you are an organization using third-party development, you NEED to use ASPM. Application Security Posture Management allows you to have more information than just human-made documents that don’t update in real time.
Oh no! A new vulnerability has been identified in your application environment. Often, a non-standard process is taken to fix the vulnerability. This results in an unapproved application architecture, which can potentially expose you to more risks. ASPM baselines your approved application architecture in production and re-architects any new push of code.
Once your applications are deployed into production, you must get visibility into every potential attack surface. What is in pre-production, staging, and QA more than likely looks different than in production. Let’s look at what complete application visibility looks like and how it can benefit you in production.
One important finding that ASPM can provide organizations is business risk context – which is the security posture of your application services – visibility on connections, functionality, data flows, and identifying drift.
How can the addition of an API to a third-party service increase the surface area of an attack surface? In this Bionic Uncensored, Matt Rose goes over a real-life example of what can be found in an ASPM tool like Bionic.
The old way of doing application security: looking for structured security risks. Matthew Rose talks about how ASPM goes deeper than traditional Static Analysis Security Testing (SAST).
Application Security Posture Management. It’s like CSPM for the application layer. Matthew Rose goes over the key differentiation between CSPM and ASPM.
Bionic addresses many issues in current day application security. Matt Rose goes over three components of Bionic that work better together: DBOM, DMap, and DQuery.
Our Chief Architect, Matt Rose is frustrated, so here is his way to rant about all of the repetitive talking points that occur in the application security industry.
SBOMs are created by SCA tools to give you a breakdown of what your software is built by. Which is great, but it is static. Bionic has created this concept of the dynamic bill of materials.
It takes teams days to find all of those Log4J vulnerabilities in their applications. By the time they find all of the vulnerabilities, they have no idea where to start.
Data flows are extremely difficult to identify. Where does sensitive data live? What services are interacting with your sensitive data? How do you map critical vulnerabilities connecting to sensitive data?
We have just one question: how is the security & risk profile of your applications? Just like your applications, understanding security & risk is extremely difficult.
The further “left” you go in the DevOps process, the less you focus on the holistic picture of your application ecosystem. The less you focus on the holistic picture, the more likely you are to miss architectural risk.
The space between is the interrelationship of the custom code to the open-source, the frameworks, the third parties, the APIs, and the connections of everything.
Much like an airplane, think about testing the whole ecosystem, not just the cockpit controls or the landing gear or the slats or the rudder. Test the interaction, not just the individual component.
Welcome to the first episode of Bionic Uncensored! SAST, DAST, IAST, RASP, SCA…Bionic’s Chief Architect Matt Rose walks us through the history of application security.