Definition

Application vulnerability correlation (AVC) is a growing trend within the AppSec space that can greatly help organizations transition to a DevSecOps model. AVC refers to tools that provide workflow and process management capabilities to streamline vulnerability remediation in the software development life cycle (SDLC). AVC solutions can normalize AST results to a common nomenclature, correlate findings from a myriad of security testing tools and data sources into a central repository, filter out duplicate results, and assess the exploitability and severity of a vulnerability, making remediation and prioritization of security activities more effective. This optimizes the triage process and greatly reduces friction between security and development teams by automating the process flow between the tools, functions, and remediation stakeholders.

Introduction

The desire to ensure software quality within agile workflows has driven a growing trend among security and development teams to run their application security program at the speed of DevOps. But this can be difficult to accomplish for a couple of reasons:

  • There are significant issues in information collection, sorting, and analysis. This is a complex process which involves running AST tools, consuming results from different sources and formats, performing manual code reviews, and then working out from these results what needs to be fixed first.
  • Security teams struggle to allocate an adequate number of resources to triaging existing vulnerabilities. This is because of the time-intensive nature of manually gathering the relevant data points and business context needed to prioritize a single finding.

Increasingly, this has created a need for simpler ways of consuming a growing volume of AST security results and determining critical work. In a Gartner study from November 2020 on Intelligent Automation in Application Testing Services, successful use cases of advanced security testing included the ability to consume and correlate testing results with relevant business metrics, and from this analysis, pinpoint vulnerable software. These capabilities are considered essential to ensuring better resilience, cost optimization, and product quality. Much of what can help organizations achieve this outcome effectively relies on having a good AVC solution.


What does traditional application vulnerability management look like?

Organizations invest in a variety of AppSec tools. Common AST tools include dynamic application security testing (DAST), static application security testing (SAST), software composition analysis (SCA), and open source tools. Each tool searches for specific types of software flaws, exploitability, and issue sources, and each is deployed at different stages of the SDLC. SAST and SCA are typically leveraged at the build/development stage, and DAST is leveraged during staging to uncover issues in simulated production conditions. Additionally, within each of these categories of AST tools, the detection capabilities and the types of applications and programming languages supported can vary between vendors. Having a comprehensive AppSec program can translate to investing in multiple tools within an AST category, and implementing the appropriate AST tools across stages of the SDLC.

Traditional AppSec tools often fail to meet the needs of agile DevOps environments due to the difficulty of gleaning clear, actionable insight from the overabundance of data in siloed tooling. Sorting through a backlog of application vulnerabilities makes security a bottleneck for the development teams responsible for remediation. And manually filtering through AppSec noise—including false positives and redundant findings across different tools—compromises development velocity and the effectiveness of an organization’s existing AppSec investment.

What problems does application vulnerability correlation solve?

When analyzing AppSec data, security teams have to sort through a huge volume of relevant information in varied and disparate sources across SAST, DAST, SCA, and open source and third-party tools. This often adds redundancy, complexity, and huge time lags to the triage process because analysts don't have a centralized repository where they can examine trends between similar flaws, or filter out duplicate results between different tools. The key problem AVC solves is the overwhelming amount of data generated by AppSec testing tools. With its correlation capabilities, an AVC tool consolidates the results from all testing tools and automatically removes duplicated findings.

Put simply, AVC streamlines AST results across your entire SDLC, enhancing the effectiveness and efficiency of your DevSecOps program. Importantly, a good AVC solution also helps bolster your overall software risk management, improving your software quality and development practices. Software Risk Manager correlates the results from different types of analysis tools, and prioritizes security issues with the highest likelihood of exploitation first.


How does application vulnerability correlation work?

AVC tools provide a single set of correlated test results and have deduplication and normalization capabilities that give you a clear definition and level of risk for each finding. After gathering and correlating these results, a good AVC tool then uses your own vulnerability policies to help prioritize and manage the remediation of those vulnerabilities. It also allows you to integrate these findings with your existing application security tools.

Essentially, an AVC tool gathers all the existing data, from your test results to your policies, and provides you with a clear and concise single source of truth that you can use to take strategic and prioritized action.
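As an added illustration (not code from this page, Code Dx or Software Risk Manager), the following Python sketch walks through the normalize, correlate, deduplicate and prioritize steps described above. The two tool output formats, the route-to-source-file mapping, the severity scales and the policy are all constructed assumptions for the example.

```python
# Constructed sample output from two hypothetical AST tools; neither is a real tool's format.
SAST_RESULTS = [  # the first two entries are the same finding reported twice (re-scan)
    {"rule": "java.sqli", "cwe": "CWE-89", "file": "src/Login.java", "line": 42, "level": "high"},
    {"rule": "java.sqli", "cwe": "CWE-89", "file": "src/Login.java", "line": 42, "level": "high"},
    {"rule": "java.xss", "cwe": "CWE-79", "file": "src/Search.java", "line": 17, "level": "medium"},
]
DAST_RESULTS = [
    {"name": "SQL Injection", "cweid": 89, "url": "/login", "risk": 3},
    {"name": "Missing X-Frame-Options", "cweid": 1021, "url": "/", "risk": 1},
]
# Hypothetical route-to-source mapping supplied by the program so DAST and SAST hits can meet.
ROUTE_TO_FILE = {"/login": "src/Login.java", "/": "src/Index.java"}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}   # common nomenclature
DAST_RISK = {0: "low", 1: "low", 2: "medium", 3: "high"}             # tool scale -> common scale
# Hypothetical organizational vulnerability policy: CWE classes that must always be fixed first.
POLICY = {"critical_cwes": {"CWE-89", "CWE-79"}}

def normalize_sast(f):
    """Map a SAST record onto the common schema (tool, CWE, location, severity)."""
    return {"tool": "sast", "cwe": f["cwe"], "location": f["file"], "severity": f["level"]}

def normalize_dast(f):
    """Map a DAST record onto the same schema, translating its numeric risk scale."""
    return {"tool": "dast", "cwe": f"CWE-{f['cweid']}",
            "location": ROUTE_TO_FILE.get(f["url"], f["url"]), "severity": DAST_RISK[f["risk"]]}

def correlate(findings):
    """Collapse normalized findings into one record per (CWE, location), remembering
    which tools reported it and keeping the highest severity any tool assigned."""
    merged = {}
    for f in findings:
        key = (f["cwe"], f["location"])
        rec = merged.setdefault(key, {"cwe": f["cwe"], "location": f["location"],
                                      "tools": set(), "severity": "low"})
        rec["tools"].add(f["tool"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[rec["severity"]]:
            rec["severity"] = f["severity"]
    return list(merged.values())

def prioritize(records, policy):
    """Score each correlated record: base severity, +2 if the policy marks its CWE
    critical, +1 if more than one tool independently confirmed it; highest first."""
    for r in records:
        r["score"] = SEVERITY_RANK[r["severity"]]
        r["score"] += 2 if r["cwe"] in policy["critical_cwes"] else 0
        r["score"] += 1 if len(r["tools"]) > 1 else 0
    return sorted(records, key=lambda r: r["score"], reverse=True)

def run_pipeline():
    """Return (raw finding count, ranked unique weaknesses) for the constructed input."""
    raw = [normalize_sast(f) for f in SAST_RESULTS] + [normalize_dast(f) for f in DAST_RESULTS]
    return len(raw), prioritize(correlate(raw), POLICY)
```

Five raw findings collapse to three unique weaknesses, and the SQL injection reported by both tools ranks first because the correlated record carries the independent confirmation as well as the policy weighting.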


What key capabilities does application vulnerability correlation offer?

AVC tools offer a single vantage point into the ever-increasing volume of data generated by the AppSec tools you rely on. AVC tools correlate the vulnerability findings of your AppSec tools, so you gain an accurate view of the vulnerabilities across your applications.

This streamlined view allows you to stop wasting valuable time managing your tools, and focus your efforts on actually fixing the vulnerabilities in your applications. By simplifying vulnerability identification and remediation, AVC tools enable you to fix vulnerabilities before they can be exploited, lowering your overall level of risk.


What are the main characteristics of a good AVC tool?

Support for different AST tools:

  • Is your AVC tool-agnostic? How many different AST products can it support? Does it require a runtime agent to correlate these findings? Often, AVCs which rely on runtime agents can be vendor-specific, limiting the number of supported integrations. These agents can also add latency to the SDLC. Code Dx offers an agentless correlation engine, and it supports over 90 integrations with some of the most popular developer tools today.

AppSec Visibility and Efficiency:

  • Does your AVC solution have the ability to filter down to results that are unique and show you the effectiveness of your existing AST tooling? Can it do this in a way that doesn't congest your CI/CD pipeline?

Risk and policy management:

  • Can you contextualize AST findings based on software risk? Can you identify your most vulnerable software and link this data to scanning policies? This is crucial to getting value out of your AVC solution. The ability to prioritize findings within your AVC and intelligently execute further AppSec testing greatly optimizes developer time spent on fixes and remediation. Software Risk Manager tackles policy management, test execution, and software risk. Security analysts can speed up testing by implementing scanning policies as code. Within Software Risk Manager, analysts can compile reports and dashboards that show risk scoring of a given finding, and any associated compliance standards. This allows developers to only test when needed, standardize security processes, and identify their most vulnerable software.
