
Introducing Risk and Security Posture Management (RSPM)

05 Dec 2023 4 AM
Published by Joseph Feiman

In our previous blog, “Security Expansion: From Detectors to Aggregator”, we discussed the advent of aggregators such as Application Security Posture Management (ASPM). These technologies collect findings from various detectors (such as application security testing (AST) tools) and aggregate them in a repository for further analysis. Aggregation enables more comprehensive, more holistic visibility. It expands visibility from the findings delivered by a single type of detector (e.g., findings only from static application security testing (SAST) or only from dynamic application security testing (DAST)) to the findings delivered by many or all of them: SAST, DAST, SCA, IaC testers, container testers. Moreover, visibility expands from the findings delivered by a single AST vendor to the findings delivered by detectors from different vendors.

In that previous blog, we asked a question: what is the next step in the evolution of posture management? Is aggregating the findings delivered by the various security detectors all that is needed for holistic visibility? We do not think so. ASPM (as well as DSPM (data security posture management), CSPM (cloud security posture management), etc.) is not the end of the posture management evolution. So, what is the next step?

In our opinion, the next step of the evolution will be defined by the ability to aggregate, correlate, and contextualize heterogeneous data, starting with risk and security data. Today’s aggregators, such as ASPM, collect homogeneous data, in particular findings produced by security tools such as SAST or DAST. This data, however important, enables only a siloed view into the posture of the IT ecosystem. To achieve holistic visibility across the enterprise, it is necessary to detect heterogeneous data and aggregate it for analysis.

One of the most important types of data to collect, along with security data, is risk data. TrustMe is bringing risk and security together with Risk and Security Posture Management (RSPM). Among the different risk categories, RSPM should aggregate data for categories such as the risk of third-party products, the risk of third-party services, and the risk related to open-source software. These types of risk should be analyzed from the viewpoint of the products’ and services’ legal use, the reputation of the vendors, the financial stability of the vendors, etc.

In addition to the above-mentioned risk categories, data for several other risk categories should also be collected, as it is critical to a holistic view of the enterprise. One of these categories is the risk of DevOps Efficiency: the risk of project delays; the risk of outstanding, unaddressed development issues; the risk of assigning developers with poor productivity to a project. Another category is the risk of Security Efficiency: the risk of creating security vulnerabilities, the risk of not fixing them in time, the risk of having insecure developers on security-sensitive projects. Yet another example is the risk of Asset Utilization, e.g., having assets (databases, servers, etc.) that are underutilized, thus wasting budget and effort.

Thus, we envision the emergence of RSPM technology, which will collect and aggregate heterogeneous data representing both risk and security issues. Furthermore, RSPM will correlate this heterogeneous data and provide contextual assessments of the issues. RSPM will enable more holistic visibility into the enterprise posture than today’s security posture management (SPM) technologies such as ASPM, DSPM, and CSPM.
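To make concrete what correlating and contextualizing heterogeneous data can mean, here is an added illustration (not TrustMe’s code or product logic): it joins constructed SAST/DAST/SCA findings with constructed third-party component risk and asset risk data and ranks the findings accordingly. The field names, weights and sample values are assumptions chosen for the example.

```python
# Constructed sample data. SECURITY_FINDINGS is the homogeneous "security" data an
# ASPM would aggregate: one record per detector finding, keyed by asset and component.
SECURITY_FINDINGS = [
    {"source": "SAST", "asset": "payments-api", "component": None, "severity": "high"},
    {"source": "SCA", "asset": "payments-api", "component": "libfoo", "severity": "medium"},
    {"source": "DAST", "asset": "marketing-site", "component": None, "severity": "low"},
]

# Constructed risk data of the kinds the post argues should sit alongside findings:
# open-source component risk (legal use, vendor reputation, vendor financial stability)
# and asset-level risk (security efficiency as an overdue-fix ratio, asset utilization).
COMPONENT_RISK = {
    "libfoo": {"license_ok": False, "vendor_reputation": 0.4, "vendor_financial_stability": 0.3},
}
ASSET_RISK = {
    "payments-api": {"overdue_fix_ratio": 0.6, "utilization": 0.8},
    "marketing-site": {"overdue_fix_ratio": 0.1, "utilization": 0.05},
}

SEVERITY_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.2}


def contextual_score(finding, component_risk, asset_risk):
    """Correlate one security finding with the risk data of the component and asset it
    touches and return a priority score (higher is more urgent). Weights are assumptions."""
    score = SEVERITY_WEIGHT[finding["severity"]]
    comp = component_risk.get(finding.get("component") or "", {})
    if comp:
        # Third-party / open-source risk: a non-compliant license and a weak vendor raise priority
        score += 0.3 if not comp["license_ok"] else 0.0
        score += 0.2 * (1 - comp["vendor_reputation"])
        score += 0.2 * (1 - comp["vendor_financial_stability"])
    # Security Efficiency risk: assets with a history of unfixed issues rank higher
    score += 0.3 * asset_risk.get(finding["asset"], {}).get("overdue_fix_ratio", 0.0)
    return round(score, 3)


def prioritise(findings, component_risk, asset_risk):
    """Return findings enriched with a contextual score, most urgent first."""
    scored = [{**f, "score": contextual_score(f, component_risk, asset_risk)} for f in findings]
    return sorted(scored, key=lambda f: f["score"], reverse=True)


def underutilised_assets(asset_risk, threshold=0.1):
    """Asset Utilization risk: assets whose utilization falls below the threshold."""
    return sorted(name for name, r in asset_risk.items() if r["utilization"] < threshold)


if __name__ == "__main__":
    for f in prioritise(SECURITY_FINDINGS, COMPONENT_RISK, ASSET_RISK):
        print(f["score"], f["source"], f["asset"], f["component"])
    print("underutilised:", underutilised_assets(ASSET_RISK))
```

With these inputs the medium SCA finding on the risky open-source component outranks the high SAST finding on the same asset, which is the kind of re-ordering that severity-only aggregation cannot produce.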