As the digital revolution has unfolded, the dramatic increase in the amount of code written, borrowed, and bought has increased the attack surface just as dramatically. Software proliferation creates challenges for teams that must keep up with innovation while also securing what they ship. To address the threat of security breaches, many firms have added multiple point tools throughout their software development life cycle (SDLC), yet gaining complete insight across those tools remains a persistent challenge. Businesses struggle with too many tests, too many tools, and too many findings, all of which hinder their ability to ship software quickly. In a budget-conscious economy, that is why you are hearing so much right now from business and software experts about consolidating security tools and vendors.
Consolidating vendors and security tools addresses three primary concerns plaguing businesses across all industries: growing complexity, weakened risk management, and resource inefficiencies that raise total cost of ownership (TCO). The profusion of AppSec tests and tools generates SDLC friction, lengthens development cycles, introduces error and security risk, and leaves organizations struggling to scale and to integrate new technologies.
The recently published 2023 Software Vulnerability Snapshot report from Black Duck uses anonymized data from three years of tests on commercial software systems and applications. It shows that although the share of tested target applications in which vulnerabilities were found fell significantly, from 97% in 2020 to 83% in 2022, persistent vulnerabilities remain and continue to pose significant challenges to web and software application security.
The report reinforced that organizations need a multilayered security approach that combines static application security testing (SAST) to identify coding flaws, dynamic application security testing (DAST) to examine running applications, software composition analysis (SCA) to identify vulnerabilities introduced by third-party components, and penetration testing to identify issues that might have been missed by internal testing. With more attackers using automated exploitation tools that can attack thousands of systems in a matter of seconds, fixing high- and critical-risk vulnerabilities is urgent, not least because well over half of reported vulnerabilities are exploited within a week of disclosure.
The report found that
The report also found that inadequate security training is a major roadblock to security, as is the shortage of security personnel. When you combine this with a threat landscape that is growing in size and sophistication, ensuring your AppSec program is efficient and effective is critical.
The findings from the report suggest that covering the critical testing types is necessary for an AppSec program to be effective, but doing so without slowing down development or lengthening the time to triage and remediate is where organizations struggle. This is where consolidation becomes an important initiative: it helps your organization not only improve resource efficiency during a time of strained budgets but also improve its overall risk posture.
So now that we can see the importance of a multilayered approach to AppSec, the question remains, how do you gain consolidated insight across your entire enterprise security landscape when risk data continues to live within point tools and teams?
If you approach your consolidation initiative by first adding a layer of abstraction between the development team and the security tools you are using, you can achieve three core goals for your AppSec program. First, you remove the burden on the development team of learning multiple UIs and let developers continue to work within the tools they already know. Second, you remove the burden on the AppSec team of implementing standard, consistent policies separately in each point tool used by the different development teams across the company. Third, and quite importantly, with all your security tools running through one place, you gain a single source of truth for what was tested, what was found, what was fixed, and what your overall risk is at any point in time.
This layer of abstraction is one of the key benefits of application security posture management (ASPM) tools. They act as a translation layer between AppSec and development, so AppSec teams can continue to control and implement policies, SLAs, dashboards, and reporting, and development can quickly understand what needs to be fixed and how.
An ASPM tool will aggregate, normalize, and prioritize findings across all security tools in one centralized location. This will reduce noise for development teams so they can focus on what to fix, in what order, and by what date, enabling them to keep the development process moving. Identifying and prioritizing critical issues with an accurate business context of applications, components, and associated security data provides teams with an actionable picture of overall software risk at any point in time.
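To make the aggregate, normalize, and prioritize pipeline concrete, here is a small added example written for this page; it is not Black Duck's code and is not taken from any ASPM product. It takes constructed findings in three loosely different shapes, the sort of output a SAST scanner, a DAST scanner, and an SCA tool each emit, maps them onto one schema, drops a duplicate from a re-scan, applies a single severity and SLA policy to all of them, adjusts severity with business context (application tier and internet exposure), and returns the findings ordered by due date. The tool names, field names, application tiers, and SLA day counts are all assumptions chosen for illustration.

```python
"""Added example: a minimal ASPM-style aggregation pipeline (illustrative, not vendor code)."""
from dataclasses import dataclass
from datetime import date, timedelta

# --- Constructed sample feeds in the shapes three point tools might emit (not real output) ---
SAST_FEED = [
    {"rule": "CWE-89", "file": "app/db.py", "line": 42, "severity": "high", "app": "payments"},
    {"rule": "CWE-89", "file": "app/db.py", "line": 42, "severity": "high", "app": "payments"},  # re-scan duplicate
    {"rule": "CWE-79", "file": "wiki/views.py", "line": 10, "severity": "medium", "app": "intranet-wiki"},
]
DAST_FEED = [  # assumed 0-3 "risk" scale, as some web scanners use
    {"cwe": 89, "url": "https://pay.example.test/search", "risk": 3, "target": "payments"},
    {"cwe": 319, "url": "http://pay.example.test/login", "risk": 2, "target": "payments"},
]
SCA_FEED = [  # CVSS v3 base scores
    {"component": "log4j-core:2.14.1", "cve": "CVE-2021-44228", "cvss": 10.0, "project": "payments"},
    {"component": "lodash:4.17.15", "cve": "CVE-2020-8203", "cvss": 7.4, "project": "intranet-wiki"},
]

# Business context the AppSec team maintains centrally (assumed tiers and exposure)
APP_CONTEXT = {
    "payments": {"criticality": "tier1", "internet_facing": True},
    "intranet-wiki": {"criticality": "tier3", "internet_facing": False},
}
# One remediation SLA policy applied to every tool's findings (assumed values)
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
LEVELS = ["low", "medium", "high", "critical"]


@dataclass(frozen=True)  # frozen + eq makes instances hashable, which the de-duplication relies on
class Finding:
    app: str
    source: str     # which tool reported it
    weakness: str   # CWE or CVE identifier
    location: str   # file:line, URL, or component
    severity: str   # normalized onto LEVELS


def cvss_to_level(score: float) -> str:
    """CVSS v3 qualitative rating bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def normalize(sast, dast, sca) -> list[Finding]:
    """Map each tool's shape onto the common schema, then drop exact duplicates (first-seen order kept)."""
    out = []
    for f in sast:
        out.append(Finding(f["app"], "sast", f["rule"], f"{f['file']}:{f['line']}", f["severity"]))
    for f in dast:
        level = {3: "high", 2: "medium", 1: "low", 0: "low"}[f["risk"]]
        out.append(Finding(f["target"], "dast", f"CWE-{f['cwe']}", f["url"], level))
    for f in sca:
        out.append(Finding(f["project"], "sca", f["cve"], f["component"], cvss_to_level(f["cvss"])))
    return list(dict.fromkeys(out))


def effective_severity(f: Finding, ctx: dict) -> str:
    """Raise severity one level on tier1 internet-facing apps; lower one on tier3 internal apps."""
    app = ctx.get(f.app, {"criticality": "tier2", "internet_facing": True})  # unknown apps get no adjustment
    idx = LEVELS.index(f.severity)
    if app["criticality"] == "tier1" and app["internet_facing"]:
        idx = min(idx + 1, len(LEVELS) - 1)
    elif app["criticality"] == "tier3" and not app["internet_facing"]:
        idx = max(idx - 1, 0)
    return LEVELS[idx]


def prioritize(findings, ctx, found_on: date):
    """Return (finding, effective severity, due date) tuples, most urgent first."""
    rows = []
    for f in findings:
        sev = effective_severity(f, ctx)
        rows.append((f, sev, found_on + timedelta(days=SLA_DAYS[sev])))
    rows.sort(key=lambda r: (r[2], r[0].app, r[0].weakness))  # stable sort keeps feed order on ties
    return rows


def overdue(rows, today: date):
    """Findings whose SLA due date has already passed."""
    return [r for r in rows if r[2] < today]


def run_pipeline(found_on="2024-01-01", today="2024-02-01"):
    """Convenience entry point over the constructed feeds; dates are ISO strings."""
    rows = prioritize(normalize(SAST_FEED, DAST_FEED, SCA_FEED), APP_CONTEXT, date.fromisoformat(found_on))
    return rows, overdue(rows, date.fromisoformat(today))


if __name__ == "__main__":
    rows, late = run_pipeline()
    for f, sev, due in rows:
        print(f"{due} {sev:8} {f.app:13} {f.source:4} {f.weakness:15} {f.location}")
    print(f"{len(late)} finding(s) past SLA")
```

Two design points are worth noting. De-duplication keys on the normalized record rather than on tool-specific identifiers, so the same SQL injection seen by the SAST scan and the DAST scan stays as two findings with different locations, while a repeated SAST result collapses to one; a real deployment would add tolerant matching (same CWE in the same file across line shifts, same CVE across component versions). Severity is adjusted by business context before the SLA clock is set, which is what turns a flat list of scanner output into a remediation schedule the development team can act on by date.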
Black Duck offers the most comprehensive portfolio in application security, including market-leading solutions in the “big three”: SAST, DAST, and SCA. Our ASPM solution is an open ecosystem, so you have the flexibility to use the existing tooling across your entire security program. Black Duck is a one-stop partner for application security.
The latest report highlights persistent vulnerabilities in web and software application security, including information disclosure/leakage, misconfigurations, and insufficient transport layer protection. The report also emphasizes the risks of vulnerable third-party libraries and the importance of software supply chain security.