Short sprints and out of breath
AppSec has always been a struggle. As much as I would like to plug Enso as the one and only solution able to fix the woes of the AppSec world, no such vendor really exists. AppSec teams are overwhelmed by reports listing thousands of vulnerabilities, full of duplicates and false positives, and lacking the context needed to tell which alerts actually matter. Existing tools give security teams an audit of their vulnerabilities rather than tangible recommendations or actionable insights for resolving them. This sheer volume of information, bombarding security teams without a clear frame of reference, adds little value and increases risk: it is hard for a team to measure its own success, or to work through the white noise these tools produce.
AppSec professionals, being the smart folks that they are, quickly identified these challenges. But identifying a problem can be a long way from solving it, and given the speed of today's production environments, even the most diligent AppSec teams are simply overwhelmed.
A long jog in the right direction - ASOC
ASOC, or Application Security Orchestration & Correlation, gives AppSec teams an effective way to identify and eliminate security coverage gaps while prioritizing resources toward resolving the most critical vulnerabilities. These tools centralize findings from the various scanners for easier discovery and remediation, providing a much needed management layer between development and security testing.
Although ASOC was a monumental and effective step in the right direction (and continues to evolve), security teams still find themselves outnumbered by developers 100 to 1. Moreover, AppSec professionals are still working without a full-stack view of their applications: many tools focus on integration with the scanners themselves but do not provide enough visibility into the applications and business assets those scanners cover. ASOC lets teams stop chasing after individual defects, but AppSec teams are still running out of breath.
Running the marathon – Posture Management (ASPM)
The role of application security teams is shifting from running after defects and developers to holistic management of the AppSec program. Enabling teams to allocate their resources in a risk-based manner, with findings correlated to the critical assets of the organization, is a monumental paradigm shift in the AppSec world. This approach allows developers to work in an agile way with minimal interference from security in their velocity, while the security team keeps track of the tasks that matter most for improving overall posture. We are already witnessing how the posture management approach is making application security more effective, letting teams track their short and long term goals while reducing friction with internal R&D processes and developer velocity. This shift changes the race, allowing AppSec teams to finally run a marathon instead of a sprint.
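The two steps described above, the ASOC layer that centralizes and de-duplicates scanner output and the posture management layer that ranks what is left by the criticality of the asset it lives on, can be shown in a few dozen lines. The following is an added illustrative example written for this article; it is not Enso's code and does not reflect the output format of any real scanner. The scanner records, the asset inventory, the severity weights and the exposure multipliers are all constructed assumptions.

```python
"""Correlate, de-duplicate and risk-rank findings from several AppSec scanners.
Added illustrative example, not Enso's code; all data and weights are constructed."""
from dataclasses import dataclass, field

# Constructed sample scanner output (assumed record shapes, not real tool formats).
SAST_FINDINGS = [
    {"tool": "sast", "cwe": "CWE-89", "severity": "high",
     "repo": "payments-api", "file": "app/db.py", "line": 42},
    {"tool": "sast", "cwe": "CWE-89", "severity": "high",
     "repo": "payments-api", "file": "app/db.py", "line": 42},  # same finding, re-scan
    {"tool": "sast", "cwe": "CWE-79", "severity": "medium",
     "repo": "marketing-site", "file": "web/render.py", "line": 17},
]
SCA_FINDINGS = [
    {"tool": "sca", "cwe": "CWE-502", "severity": "critical",
     "repo": "internal-tools", "package": "pyyaml", "version": "5.3"},
    {"tool": "sca", "cwe": "CWE-502", "severity": "critical",
     "repo": "payments-api", "package": "pyyaml", "version": "5.3"},
]
DAST_FINDINGS = [
    {"tool": "dast", "cwe": "CWE-89", "severity": "high",
     "repo": "payments-api", "endpoint": "/v1/orders"},  # SQLi reproduced at runtime
]

# Constructed asset inventory: business criticality and exposure per repository.
ASSETS = {
    "payments-api":   {"criticality": 1.0, "internet_facing": True,  "handles_pii": True},
    "marketing-site": {"criticality": 0.4, "internet_facing": True,  "handles_pii": False},
    "internal-tools": {"criticality": 0.3, "internet_facing": False, "handles_pii": False},
}
SEVERITY_WEIGHT = {"critical": 10.0, "high": 7.5, "medium": 5.0, "low": 2.0, "info": 0.5}
STATIC_TOOLS = {"sast", "sca"}


@dataclass
class Finding:
    repo: str
    cwe: str
    location: str  # file:line, package@version, or endpoint
    severity: str
    tools: set = field(default_factory=set)
    runtime_confirmed: bool = False
    score: float = 0.0

    @property
    def key(self):
        return (self.repo, self.cwe, self.location)


def normalize(raw: dict) -> Finding:
    """Map each scanner's record shape onto one common schema."""
    tool = raw["tool"]
    if tool == "sast":
        location = f"{raw['file']}:{raw['line']}"
    elif tool == "sca":
        location = f"{raw['package']}@{raw['version']}"
    elif tool == "dast":
        location = raw["endpoint"]
    else:
        raise ValueError(f"unknown tool {tool!r}")
    return Finding(raw["repo"], raw["cwe"], location, raw["severity"], {tool})


def dedupe(findings):
    """Collapse findings sharing (repo, CWE, location); keep the worst severity."""
    merged = {}
    for f in findings:
        existing = merged.get(f.key)
        if existing is None:
            merged[f.key] = f
            continue
        existing.tools |= f.tools
        if SEVERITY_WEIGHT[f.severity] > SEVERITY_WEIGHT[existing.severity]:
            existing.severity = f.severity
    return list(merged.values())


def correlate(findings):
    """Flag a weakness class as runtime-confirmed when a static tool and DAST
    both report it against the same repository."""
    static = {(f.repo, f.cwe) for f in findings if f.tools & STATIC_TOOLS}
    dynamic = {(f.repo, f.cwe) for f in findings if "dast" in f.tools}
    for f in findings:
        f.runtime_confirmed = (f.repo, f.cwe) in (static & dynamic)
    return findings


def score(f: Finding, assets) -> float:
    """Severity scaled by asset criticality and exposure, boosted when confirmed."""
    asset = assets.get(f.repo, {"criticality": 0.5, "internet_facing": False, "handles_pii": False})
    s = SEVERITY_WEIGHT[f.severity] * asset["criticality"]
    if asset["internet_facing"]:
        s *= 1.5
    if asset["handles_pii"]:
        s *= 1.25
    if f.runtime_confirmed:
        s *= 1.3
    return round(s, 3)


def prioritize(raw_findings, assets):
    """Full pipeline: normalize -> dedupe -> correlate -> score -> rank."""
    findings = correlate(dedupe(normalize(r) for r in raw_findings))
    for f in findings:
        f.score = score(f, assets)
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in prioritize(SAST_FINDINGS + SCA_FINDINGS + DAST_FINDINGS, ASSETS):
        flag = " (confirmed by DAST)" if f.runtime_confirmed else ""
        print(f"{f.score:6.2f}  {f.repo:15} {f.cwe:8} {f.location}{flag}")
```

Six raw records become five after de-duplication, and the ranking that comes out is driven by where a weakness lives rather than by scanner severity alone: the same vulnerable library version lands at the top of the list for the internet-facing payments service and near the bottom for an internal tool. The multipliers are placeholders; in practice they come from the organization's own asset inventory and risk appetite, which is exactly the context the raw scanner reports lack.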
About the author
Omer Yaron is the Head of Research at Enso Security, the first Application Security Posture Management (ASPM) tool used daily by AppSec teams to enforce, manage and scale a robust AppSec program, all without interfering with development.