Bionic Uncensored Ep #3
The thing we’re gonna talk about today is the concept of the space between.
You’re probably asking what is the space between?
When we think about an application ecosystem, we are typically asked how we compare to different tooling from a standpoint of infrastructure vs. application, so on and so forth.
Thinking about the application ecosystem, you really have the app itself and then the infrastructure that it lives on. The infrastructure can either be the cloud or a data center.
Everyone’s moving to the cloud, so cloud folks automatically think that cloud security posture management is the way to understand the entire ecosystem. But what cloud security posture management or CSPM really does is focus on the infrastructure of the cloud environment.
But the application itself is made up of a lot of different pieces. When we’re talking about the app itself, we’re talking about custom code, frameworks, third-party libraries, open-source libraries, APIs, and the database. All these things are working together to provide a functioning application that lives on the infrastructure.
But everyone’s response to that is, “Oh, there are tons of application security testing tools out there.”
We already mentioned CSPM from the cloud infrastructure standpoint, so let’s dive into the application security tools that focus on the application ecosystem.
SAST, static application security testing, focuses on the custom code: the vulnerabilities within that code and in the frameworks and third-party libraries it calls into. It then builds its map one vulnerability at a time.
Software composition analysis (SCA) focuses on the open-source components and their known vulnerabilities.
API scanning technologies are focused on the APIs themselves.
IAST, interactive application security testing, is the inside-out view of a running application. But it's only as good as the functional testing: if your functional testing isn't holistic and touching everything, IAST isn't gonna find things.
DAST, dynamic application security testing, is the outside-in approach: it looks at the application as a running entity and doesn't really understand the different building blocks we're talking about here.
(Me: frightened that all these other tools don’t give people holistic visibility of their apps.)
Now think about the interrelationship of all of these components: the custom code to the open source, the frameworks, the third parties, the APIs, and the connections between everything. This is the space in between. This area that isn't really called out by any of these tools is the space in between, and this is what Bionic focuses on.
It's the interrelationships of all the services of your application, and how risk can come from the unknown, from the connection of custom code to open source. Instead of just looking at the open source and finding vulnerabilities there, we're looking at the data flows: the interrelationships of PII data, of open-source vulnerabilities, of the frameworks, of the third-party libraries.
This is where a lot of the unknown is. A lot of times people don't know what they don't know. They don't know what to look for, and they don't know the entire ecosystem of the application or the interrelationships of all these things.
I'm big into movie references, and the movie is "Ant-Man."
How many people are Marvel fans? (this is you raising your hand)
Hopefully, you’re a Marvel fan. If you’ve seen “Ant-Man,” great. If not I’ll give you a brief synopsis.
Ant-Man had to get in between the atoms, into the blank space in between, to solve the problem of the movie.
That's what you really need to do: focus on the space in between in the ecosystem of the application, the interrelationships. This is only done by looking at it at an architectural level, not at the vulnerability level that all of these tools are looking at. They're looking through a very granular lens and not at the holistic picture.
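To make the "architectural level, not vulnerability level" point concrete, here is an added example (not code from the Bionic page or from Bionic's product) that models an application as a graph of the component types discussed above and walks the edges between them. The component names, the PII flag, the two finding labels (HYPOTHETICAL-CVE-0001 and HYPOTHETICAL-CVE-0002) and the call edges are all constructed for the example. It contrasts the flat list a per-component scanner produces with the question only the interrelationships can answer: which PII flows pass through a component with an open finding before reaching a data store, and which findings no PII flow ever touches.

```python
"""
Added example, not from the page or from Bionic: a toy architecture-level
risk walk over an application graph.  Each tool on the page sees one node
type (SAST: custom code, SCA: open-source libraries, API scanners: APIs,
CSPM: infrastructure).  The "space in between" is the edges, so we ask a
question none of those single-lens tools answers on its own.
All names, edges and finding labels below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    kind: str                   # "code", "framework", "library", "api", "database"
    handles_pii: bool = False   # would come from a data-flow / PII classifier
    findings: list = field(default_factory=list)  # e.g. SCA or SAST findings
    calls: list = field(default_factory=list)     # outgoing edges (component names)


def build_app():
    """Constructed sample application graph; not a real system."""
    comps = {
        "checkout_handler": Component("checkout_handler", "code", handles_pii=True,
                                      calls=["web_framework", "payments_client"]),
        "search_handler":   Component("search_handler", "code",
                                      calls=["web_framework", "image_lib"]),
        "web_framework":    Component("web_framework", "framework",
                                      calls=["orders_db"]),
        "payments_client":  Component("payments_client", "library",
                                      findings=["HYPOTHETICAL-CVE-0001: deserialization"],
                                      calls=["payments_api"]),
        "payments_api":     Component("payments_api", "api", calls=["orders_db"]),
        "image_lib":        Component("image_lib", "library",
                                      findings=["HYPOTHETICAL-CVE-0002: buffer overflow"]),
        "orders_db":        Component("orders_db", "database"),
    }
    return comps


def all_paths(comps, src, is_sink):
    """Enumerate simple paths from src to any component satisfying is_sink (DFS)."""
    paths = []
    stack = [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node != src and is_sink(comps[node]):
            paths.append(path)
            continue
        for nxt in comps[node].calls:
            if nxt not in path:            # keep paths simple, no cycles
                stack.append((nxt, path + [nxt]))
    return paths


def vulnerability_view(comps):
    """What a component-level scanner reports: every finding, with no context."""
    return sorted(f for c in comps.values() for f in c.findings)


def pii_paths_through_vulns(comps):
    """
    Architecture-level view: PII flows (PII-handling component -> database)
    that traverse a component carrying an open finding.
    Returns a list of (path, findings) tuples.
    """
    results = []
    for c in comps.values():
        if not c.handles_pii:
            continue
        for path in all_paths(comps, c.name, lambda x: x.kind == "database"):
            findings = [f for n in path for f in comps[n].findings]
            if findings:
                results.append((path, findings))
    return results


def findings_without_pii_exposure(comps):
    """Findings that no PII flow reaches: real, but lower priority architecturally."""
    exposed = {f for _, fs in pii_paths_through_vulns(comps) for f in fs}
    return [f for f in vulnerability_view(comps) if f not in exposed]


if __name__ == "__main__":
    app = build_app()
    print("Scanner view (flat):", vulnerability_view(app))
    for path, fs in pii_paths_through_vulns(app):
        print("PII path through vuln:", " -> ".join(path), fs)
    print("Findings off every PII path:", findings_without_pii_exposure(app))
```

In the constructed graph both libraries carry one finding each, so a flat scanner view ranks them the same. Walking the edges shows that only payments_client sits on a PII flow from checkout_handler to orders_db, while image_lib is reached only from a handler that touches no PII; that is the kind of prioritization the interrelationships give you and the per-component lens does not.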