AppSec Orchestration and Correlation
AppSec orchestration and correlation has increasingly become a hot topic in the industry, with many benefits and challenges.
Application security orchestration and correlation has increasingly become a hot topic in the industry. These are often spoken of simultaneously, but it’s really the combination of two separate topics. For the sake of discussion, we have split them into separate sections.
With the continued speed and complexity of modern development, the demands on AppSec teams continue to grow. Many organizations utilize numerous different tools from various vendors to cover their AppSec needs for SCA, SAST, DAST, and more. Attempting to manage each of these tools separately creates complex problems and bandwidth issues. From a broader standpoint, one security professional might only have access to security tools utilized in the applications they cover.
AppSec orchestration plays an important role in enabling these small teams of AppSec professionals to meet the increasing demands and deliver scalable, dynamic, and static scanning solutions to large teams of developers across the organization. This comes from utilizing a single source to schedule automated and scalable scans across numerous tools used throughout the organization.
Development organization leaders and executives mainly care about the risk of the environment. Risk management provides a comprehensive view of risk from applications and their supporting infrastructure. With a focus on this approach, executives can get a clearer picture of their assets, business context, and ROI. Solutions such as SaltMiner from Saltworks Security do this by pulling in contextual data beyond just AppSec.
With vulnerability management, we are seeing the continued evolution of solutions that aggregate, analyze, and report results into a single pane of glass—providing visibility into all of the application security initiatives within an organization. This provides a holistic view for organizations to assess their AppSec data at an executive level.
To further expand the basic idea of AppSec correlation as expanded vulnerability management, there is the aspect of systematic problems and patterns that can emerge.
By layering the results of dynamic analysis on top of static analysis, customers gain a valuable additional risk metric that allows them to see a more complete real-world risk picture. While it is important to identify vulnerabilities early in the SDLC using technologies such as static analysis, it is also critically important to create feedback loops that can identify when those findings surface in running environments via a DAST scan. An organization that identifies findings such as XSS early in the SDLC, and continues to detect those issues in production, can focus their training and development resources on addressing systemic problems.
A unified application security vulnerability management platform is critical not only in terms of the simplified prioritization and triage workflows that it introduces, but also in terms of the patterns that can be gleaned from the data. More intelligent scanning means DAST validation of SAST findings and DAST tuning by SAST results.