Six takeaways from our ASPM masterclass series
April 10, 2024
0 mins readSoftware development moves fast, and many application security teams struggle to keep up. More sophisticated agile, DevOps, and cloud practices, along with the growing use of AI, mean more agility for development teams. However, these innovations are a challenge for security teams, as they must move at this same speed in order to secure applications effectively.
Application security posture management (ASPM) directly responds to these emerging challenges. It equips security teams with the support they need to identify the threats that matter most and remediate them based on organization-specific risk.
Snyk recently hosted a masterclass series featuring experts from Snyk, SentinelOne, Sysdig, Accenture, Google, and Deloitte. The 6-part series dove deep into the world of ASPM, covering how ASPM works alongside other AppSec practices, what it does to support both development and security teams, and which steps to take to implement an ASPM strategy at your organization.
Read on for six highlights from these masterclasses (or sign up for the whole series on demand)!
1. ASPM doesn’t replace existing AppSec functions — it up-levels them
In Chapter 1 of the masterclass series, Sonya Moisset, Senior Security Advocate at Snyk, covered how ASPM can empower teams to build better AppSec programs. While many existing application security tools, such as static application security testing (SAST) and software composition analysis (SCA), provide powerful results, it’s often challenging for siloed teams to leverage these results across a large environment. In addition, the results from these tools lack context, meaning that teams can’t decipher which risks are the most pressing and understand who needs to fix each one.
ASPM solves these issues with unified visibility, comprehensive coverage, and strategic decision-making capabilities to improve an organization's overall application security program. It up-levels existing tools by transforming them from isolated, non-contextual results into a risk-based, unified approach.
2. An ASPM approach supports asset visibility
In Chapter 2, Chen Gour-Arie, Director of Engineering at Snyk, talked about the importance of centering your security approach around assets — the individual source code, dependencies, container images, and cloud configurations that make up your applications.
An asset-based security approach can change the game for an organization, as it redirects security attention to the most mission-critical assets and reduces the noise coming from AppSec tooling. It’s all about using assets as the backbone of your process — consolidating all assets from across the organization and then making security decisions based on how they are used for business processes.
But, it can be challenging for a team to compile and manage these assets across the entire organization. ASPM can support these efforts by enabling teams to continually assess posture, prioritize critical assets, and identify security gaps.
3. Risk-based management with ASPM is vital to AppSec success
Chapter 3 of the masterclass series covered risk-based management and how ASPM enables teams to find and fix vulnerabilities based on the risk they pose to mission-critical operations.
Micah Silverman, Director of Developer Relations at Snyk, and Rick Bosworth, Cloud Security Leader at SentinelOne, dove into how risk-based management works and the steps teams can take to move towards this approach with the support of ASPM.
Bosworth discussed why a risk-based management approach is more effective than simply ranking vulnerabilities by CVSS. He said, “How do you know a CVSS score of 9.7 is more critical to work on than the 5.0 or the 5.5 that…is sitting on business-critical or PII data? I agree with the statement that not every vulnerability is created equal. You have to have context so that you can make informed decisions.”
The key to risk-based management is an ASPM approach, which provides deeper contextual insights into each project and its relationship to mission-critical operations.
4. ASPM empowers incident response to zero-day vulnerabilities
The next chapter in the series covered the importance of establishing incident response processes for application security and offered tips for establishing a plan for your organization. Because zero-day vulnerabilities are a significant threat to today’s applications, teams need to set up a process for identifying these real-time risks and responding to them as efficiently as possible.
Omer Yaron, Senior Security Engineer at Snyk, and Alex Lawrence, Field CISO at Sysdig, discussed how solutions like ASPM and cloud-native application protection platform (CNAPP) can play a role in an effective incident response process.
Lawrence said, “When we have applications running, particularly applications and containers, how do we not waste our time dealing with the fluff inside those images… it’s really about taking the data we have on a build and enriching it with the data from runtime. So then we have information about what is actually loaded in memory in a container, which of those libraries have vulnerabilities, which are exploitable, and which have active accessibility to the internet or outside sources. We can leverage this information and push it back into the developer’s lifecycle to help prioritize what gets done.”
5. ASPM goes hand-in-hand with a DevSecOps approach
Chapter 5 of the series discussed how ASPM plays a role in establishing and measuring DevSecOps success. Successfully managing risk across an entire development lifecycle ultimately takes a comprehensive approach to security that considers the full software development lifecycle and integrates security into each stage. It also requires consolidated reporting that provides insights into developer success.
AppSec teams must focus on accomplishing this integrated approach in a way that works with — not against — existing development workflows. Part of this teamwork starts by providing real-time remediation guidance that doesn’t overwhelm developers. ASPM can support these efforts by prioritizing vulnerabilities based on contextual risk to the organization, minimizing alert overload throughout the SDLC. It also provides a centralized location to pull reporting on remediation, adoption, and other important DevSecOps success metrics.
6. ASPM enhances teamwork and collaboration
The last chapter of the masterclass series covered the teamwork aspect of application security: how to establish collaboration for stakeholders across the organization. A collection of speakers from Snyk, Google, and Accenture mentioned a few critical tips for fostering this collaboration between developers, security teams, and leadership, including:
Early security prioritization to avoid burnout
Considering functionality and user experience when implementing security controls
Focusing on third-party risks
Automating security tools and processes
Recognizing small wins and celebrating successes
Focusing on the balance between security needs and business objectives
ASPM fosters this level of team collaboration, as it empowers developers to conduct security testing earlier in the life cycle, centralizes success metrics into a single location, and connects the dots between business objectives and security results.
If you’re interested in learning more about ASPM, be sure to check out the entire series on demand.
Unlock DevSecOps with Snyk
Overcome application complexities and AI hallucinations while fostering collaboration between dev and sec teams with insights from Snyk and Accenture.