An interesting data point in the recently released “Global State of DevSecOps 2023” report is the growing use of application security orchestration and correlation (ASOC), now more commonly referred to as application security posture management (ASPM).
Based on data from 2021, Gartner noted in a research paper that about 5% of surveyed organizations had adopted an ASPM solution or the ASOC tools from which ASPM evolved, and that number is expected to increase rapidly. The accuracy of Gartner’s prediction is reflected in the Black Duck DevSecOps report, which relates that 28% of the 1,000 respondents surveyed this year were already using ASOC/ASPM. The surveyed group included developers, AppSec professionals, DevOps engineers, CISOs, and experts who work in various roles in technology, cybersecurity, and application/software development. Survey participants came from the U.S., U.K., France, Finland, Germany, China, Singapore, and Japan.
Gartner also noted that early adopters of ASPM tend to be organizations with mature DevSecOps programs and those using multiple security tools, both of which are characteristic of the organizations profiled in the Black Duck report. According to Gartner, ASPM should be a priority for any organization that uses multiple development and security tools, which in today’s software development environment is nearly every organization. In fact, a paper by the Enterprise Strategy Group, "Cracking the Code of DevSecOps," claims that over 70% of enterprises are using more than 10 application security testing (AST) tools.
ASOC solutions were among the first to combine and correlate vulnerability information from AST tools. ASPM brings the concept of ASOC one step further, collecting data from even more sources, such as production monitoring tools, to provide a more comprehensive and actionable approach to application security management.
While ASOC typically focuses on preproduction use cases, ASPM can be used for both preproduction and production, making it a more versatile and useful solution for a wider range of DevOps teams. For example, line-of-business managers are focused on the need to understand the effectiveness of their AppSec tools and procedures. ASPM can provide them with complete visibility into process and performance across development, operations, and security teams. Conversely, DevOps teams want a centralized view of issues so they can identify activities that will have the most impact. And those whose focus is on security need to cut through the noise to prioritize critical issues quickly.
ASOC tools typically focus on simply identifying and reporting software vulnerabilities. ASPM tools, on the other hand, can help teams prioritize vulnerabilities based on their risk, and can help them monitor and track the remediation of those vulnerabilities. By providing visibility into production environments, ASPM also helps shorten lengthy remediation times for deployed applications. This is particularly important given that most exploits appear within days after a vulnerability is disclosed.
In the DevSecOps report survey, respondents were asked how long it takes their organization to patch/resolve critical security risks/vulnerabilities for applications already deployed/in use. As shown below, nearly three-quarters noted that their organizations can take anywhere from two weeks to a month to patch known critical vulnerabilities.
And failure to patch quickly affects the bottom line. More than 80% of respondents in the report said that dealing with critical vulnerabilities or related security issues of deployed software impacted their delivery schedules during 2022-23.
The “Global State of DevSecOps 2023” report makes a compelling case that fragmented results from security tools, overloaded DevOps teams, and slow vulnerability resolution represent fundamental challenges to successful DevSecOps. ASPM could be the key to effectively addressing those challenges.
Interested in seeing ASPM in action? Software Risk Manager by Black Duck is a comprehensive ASPM solution that enables teams to