Have you noticed that security technology evolution has gone along two orthogonal directions: detection and aggregation? Detection arrived first, aggregation more recently. Looking at application security testing (AST) helps to visualize the differences and the trends. Since its inception in early 2000s, AST expanded by adding detectors (scanners/testers) to its portfolio of tools, e.g., 

• SAST (Static Application Security Testing), which analyzes application code
• DAST (Dynamic Application Security Testing), which analyzes application runtime
• SCA (Software  Composition Analysis), which detects vulnerable OSS components
• IaC (infrastructure as a code) tester, and a container tester. 

All detectors are critically important security tools that enable enterprises to get insight into the security of their application ecosystem.  

Yet over time, it became clear that, with ever growing number of detectors, users keep facing the following problems. Each detector enables  a limited visibility into security posture because it addresses just one aspect of security: e.g., SAST addresses code analysis, SCA addresses component analysis, etc. To expand visibility breadth, enterprises must use multiple detectors. Each of them has a different format of reporting, different report management features, different analytical tools (if any). The problem gets exacerbated when detectors come from different vendors (e.g., a company may have SAST from one vendor, and DAST from another one). All these issues compound, inhibiting users from getting a broad, comprehensive view of the enterprise’s security posture.

The solution to this problem comes with aggregators, technologies that collect results from multiple detectors, normalize those results, and thus enable broader visibility and analytics across different aspects of security (in our example: visibility across application security). Such aggregation technology for application security is called application security posture management (ASPM).

Aggregation enables more comprehensive, more holistic visibility. It expands visibility from the insight into results delivered by a single type of a detector (e.g., results just from SAST or just from DAST) to results delivered by many/all of them: SAST, DAST, SCA, IaC tester, container tester. Moreover, visibility expands from the results delivered by just one AST vendor to results delivered by many/all of them.

The question we are asking is what is the next step of SPM (security posture management) evolution? Is aggregation of detectors’ findings all that is needed for holistic visibility and analytics? We do not think so. In the next post we will offer our version of SPM evolution.