
Tool sprawl isn't about overpopulation but about underutilisation

By Neil Roseman, CEO, Invicti.

Wednesday, 5th November 2025. Posted by Phil Alsop.

AppSec professionals have a lot on their hands. Literally. They’re now besieged by increasing pressure from market demands for software, new regulatory requirements and dropping budgets, and on top of all that, they’re surrounded by a collection of tools they can’t effectively use, which produce reams of data and alerts they can’t make sense of.

Tool sprawl in AppSec

Within AppSec, tools cover a whole range of different functions: Software Composition Analysis, API security, Dynamic Application Security Testing, Static Application Security Testing, container security and more. It’s a lot to manage. In fact, one report from ESG found that one enterprise, on average, could maintain as many as 20 tools for AppSec alone.

Ironically enough, this often produces worse AppSec outcomes, as the complex picture of AppSec created by that sprawl introduces waste and inefficiency into the process.

AppSec inconsistency

Firstly, it creates a highly inconsistent view of AppSec within the enterprise, often making it almost impossible to see a full picture of the environment. In fact, it often creates a mess of overlapping, confusing metrics which don’t integrate with one another and send operators hopping between tools as they try to make some sense of what exactly is happening. This chaotic arrangement means that AppSec often can’t get a handle on where real risk lies or where vulnerabilities are emerging.

Duplicating costs, capabilities and headaches

Each of those tools will require time, training and expertise to use. Furthermore, they’ll each have their own policies, dashboards and UIs which will need to be learned. As one might expect, this can result in a huge drag on productivity, wasting time, energy and the focus of valued specialists.

Many of these tools will also overlap in function, finding the same problems but presenting them through different UIs. Very often, the same vulnerability will show up as distinct findings in different tools, leaving operators scrambling to fix one thing and then realising it's already been fixed. This wastes time and budget, duplicating work for a fraction of the payoff.

Integration and maintenance

Manually attempting to integrate those tools presents another problem. Each of those tools will require integration and tuning to the specific demands of the AppSec environment in which they’re placed. With a large collection of tools, that means more time, money and engineering to actually make those tools perform for the business.

Integrating those tools is difficult, but maintaining them might be even harder. As digital transformation happens, that integration will have to be maintained. If, for example, the API version of a tool changes, that might break the synchronisation with ticketing software. In turn, that will result in missed issues that could go undetected for extended periods. Ultimately, maintaining integration for myriad tools is a brittle system that can easily come undone with even small changes to the broader environment in which they operate.
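The failure mode above, a scanner schema change silently breaking the ticket sync so that findings go missing, is easier to reason about with a concrete check. The following is an added example, not code from the article or from any vendor product: it refuses scanner exports whose schema version it was not built for (so a breaking change surfaces as an outage rather than a silent gap), and it reconciles open findings against the tickets the sync last wrote. The export shapes, the `schema_version` field, the finding ids and the ticket index are all constructed sample data.

```python
"""Health check for a scanner-to-ticketing integration.

Added example, not code from the article or from any product. Every record
below is constructed sample data; the 'schema_version' field and the v1/v2
payload shapes are assumptions made for illustration.
"""
from dataclasses import dataclass

# Assumption: the sync was written and tested against v1 payloads only.
SUPPORTED_SCHEMA_VERSIONS = {"1"}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str


def parse_scanner_export(payload: dict) -> list[Finding]:
    """Parse a scanner export, refusing unknown schema versions loudly.

    A version bump that renames fields is exactly the case the text describes:
    a lenient parser keeps 'working' while findings fall through. Raising here
    turns a silent gap into a visible failure that someone will go and fix.
    """
    version = str(payload.get("schema_version", ""))
    if version not in SUPPORTED_SCHEMA_VERSIONS:
        raise ValueError(f"unsupported scanner schema_version {version!r}")
    findings = []
    for item in payload["findings"]:
        # Index with [] on purpose: a missing key should fail, not default away.
        findings.append(Finding(finding_id=item["id"], severity=item["severity"]))
    return findings


def rejects_unknown_schema(payload: dict) -> bool:
    """True if the parser refuses this payload (used to exercise the guard)."""
    try:
        parse_scanner_export(payload)
    except ValueError:
        return True
    return False


def reconcile(findings: list[Finding], tickets: dict[str, str]) -> dict[str, list[str]]:
    """Compare open findings against tickets keyed by finding id.

    'untracked' findings have no ticket (the sync dropped them); 'orphaned'
    tickets point at findings that are no longer open. Both are drift that
    should be reported rather than hidden.
    """
    finding_ids = {f.finding_id for f in findings}
    ticket_ids = set(tickets)
    return {
        "untracked": sorted(finding_ids - ticket_ids),
        "orphaned": sorted(ticket_ids - finding_ids),
    }


# Constructed sample: a v1 export and the ticket index the sync last wrote.
SAMPLE_EXPORT_V1 = {
    "schema_version": 1,
    "findings": [
        {"id": "F-100", "severity": "high"},
        {"id": "F-101", "severity": "medium"},
        {"id": "F-102", "severity": "low"},
    ],
}
SAMPLE_TICKETS = {"F-100": "TCK-1", "F-101": "TCK-2", "F-999": "TCK-7"}

# Constructed sample: the same data after a hypothetical schema bump that
# renamed 'id' to 'finding_id' and 'severity' to 'risk'.
SAMPLE_EXPORT_V2 = {
    "schema_version": 2,
    "findings": [{"finding_id": "F-100", "risk": "high"}],
}


def run_check() -> dict[str, list[str]]:
    """Entry point: parse the v1 export and report drift against the tickets."""
    return reconcile(parse_scanner_export(SAMPLE_EXPORT_V1), SAMPLE_TICKETS)


if __name__ == "__main__":
    print("drift:", run_check())
    print("v2 export rejected:", rejects_unknown_schema(SAMPLE_EXPORT_V2))
```

Run periodically (for example from the same scheduler that runs the sync), the reconciliation report is the early warning the text says is otherwise missing: a non-empty `untracked` list after a scanner upgrade is the signal that the integration has quietly come undone.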

Alerts

AppSec tools are meant to find vulnerabilities and produce alerts. In fact, they do it so much that it often becomes a problem. The sheer number of tools often produces such a volume of duplicated alerts and false positives that it overwhelms operators and makes it impossible to prioritise real issues.

In the long term, these tools will produce so many alerts that they actually wear out human operators. A phenomenon known as alert fatigue has emerged in AppSec where operators’ tools produce so many alerts that operators stop trusting most of them, believing them to be false positives and often turning their scanners off entirely. In turn, real vulnerabilities get ignored as those operators just imagine them to be false positives.

Trust of AppSec within the organisation

This effectively speaks to the strategic problem of tool sprawl in AppSec: the wholesale erosion of trust in AppSec within the enterprise. AppSec is a crucial function for any organisation that produces software. Indeed, demand for new software, apps and services has never been quite as high. Catching vulnerabilities and errors is fundamental to those organisations’ ability to produce trustworthy and reliable products. Tool sprawl ultimately damages organisational trust in AppSec processes. In turn, that will have dire consequences for the long-term health of the organisation in general.

Not Too Fast: Retain the tools, manage them better

While that arrangement is unmanageable for most organisations, we shouldn't immediately think dumping them and replacing them with a platform is a good solution. Those tools represent a huge amount of value to an enterprise, with many of them likely being best-of-breed. Simply getting rid of them and relying on a platform to carry out those functions will merely result in worse AppSec. From this point of view, the problem of tool sprawl is not about tool overpopulation, but poor management: The inability to actually use those tools effectively, and thus take advantage of the real value they represent. 

ASPM Orchestration

An emerging category of technology is changing what tool sprawl means within AppSec: Application Security Posture Management (ASPM). This effectively brings together AppSec tools and unifies them behind one dashboard. From there, the capabilities and data streams of those tools can be automated and managed centrally. 

Centralising insight and restoring trust

By bringing together that previously chaotic medley of data streams from different tools, an ASPM can transmute them into actionable insights - measuring risk levels, age and severity of vulnerabilities. The ability to centralise data streams and tool functionality means that AppSec can finally get hard data and insights that they can report to higher ups: benchmarking maturity, demonstrating improvements and resource shortfalls and turning AppSec into a demonstrable enterprise asset, and ultimately restoring organisational trust in this crucial part of security. 

Enforcing consistent and durable processes

ASPMs can also enforce consistent policies across the AppSec environment and automate workflows, ensuring that a finding in one tool reaches the ticketing system without delays or obstacles. By cleaning up these workflows and automating tool orchestration, enterprises can rid themselves of all of the time and expense that otherwise accumulates in this needlessly brittle process. That means less waste and a shorter mean time to remediation (MTTR) too, so that vulnerabilities can be fixed faster and more thoroughly.

Lowering the volume

ASPM will also serve as a noise filter for the overwhelming volume of alerts produced by AppSec tool sprawl. ASPMs can correlate findings from different tools and thus find and root out duplicates across streams, combining alerts from different tools into one alert. On top of that, they can also contextualise, using those tools’ capabilities not just to find vulnerabilities but to identify the vulnerabilities that actually matter. By doing that, they produce alerts that are actually actionable, thus mitigating the tsunami of alerts that so often holds back AppSec.
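The correlation step described here, and the duplicate-findings problem raised earlier under "Duplicating costs, capabilities and headaches", both come down to one thing: giving a finding an identity that does not depend on which tool reported it. The following is an added example, not code from the article or from any ASPM product, showing the general shape of that pipeline: normalise each tool's export onto one schema, fingerprint on what the issue actually is, merge duplicates (keeping the highest severity and every source), then rank with context such as whether the asset is internet-exposed. The two export shapes (`sca` and `container`), the advisory ids, the asset inventory and all findings are constructed sample data, and the example assumes the asset names are already aligned across tools.

```python
"""Correlating and deduplicating findings from several AppSec tools.

Added example, not code from the article or from any ASPM product. The two
tool export shapes, the asset inventory and every finding below are
constructed sample data; field names are assumptions for illustration.
"""
import hashlib
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    fingerprint: str
    component: str
    version: str
    advisory: str
    severity: str
    asset: str
    sources: list[str] = field(default_factory=list)


def fingerprint(component: str, version: str, advisory: str, asset: str) -> str:
    """Stable identity for 'the same issue'; tool names, casing and wording are ignored."""
    key = "|".join(s.strip().lower() for s in (component, version, advisory, asset))
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def normalise(tool: str, raw: dict) -> Finding:
    """Map each tool's export shape onto one schema (constructed shapes, see lead-in).

    Assumption: 'service' and 'image' already name the same asset; in practice
    that mapping comes from an asset inventory.
    """
    if tool == "sca":  # constructed shape: package/version/cve/level/service
        comp, ver, adv = raw["package"], raw["version"], raw["cve"]
        sev, asset = raw["level"], raw["service"]
    elif tool == "container":  # constructed shape: name/installed/vuln/severity/image
        comp, ver, adv = raw["name"], raw["installed"], raw["vuln"]
        sev, asset = raw["severity"], raw["image"]
    else:
        raise ValueError(f"unknown tool {tool!r}")
    sev = sev.lower()
    if sev not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {sev!r} from {tool}")
    return Finding(fingerprint(comp, ver, adv, asset), comp, ver, adv, sev, asset, [tool])


def correlate(exports: dict[str, list[dict]]) -> list[Finding]:
    """Merge duplicates across tools, keeping the highest severity and all sources."""
    merged: dict[str, Finding] = {}
    for tool, items in exports.items():
        for raw in items:
            f = normalise(tool, raw)
            existing = merged.get(f.fingerprint)
            if existing is None:
                merged[f.fingerprint] = f
                continue
            existing.sources.extend(f.sources)
            if SEVERITY_RANK[f.severity] > SEVERITY_RANK[existing.severity]:
                existing.severity = f.severity
    return list(merged.values())


def prioritise(findings: list[Finding], exposed_assets: set[str]) -> list[Finding]:
    """Contextualise: internet-exposed assets first, then severity, then corroboration."""
    return sorted(
        findings,
        key=lambda f: (f.asset in exposed_assets, SEVERITY_RANK[f.severity], len(f.sources)),
        reverse=True,
    )


# Constructed sample exports: the same openssl issue is reported by both tools
# with different field names and casing, plus one finding unique to each tool.
# Advisory ids are placeholders, not real CVE numbers.
SAMPLE_EXPORTS = {
    "sca": [
        {"package": "OpenSSL", "version": "3.0.1", "cve": "CVE-EXAMPLE-0001", "level": "High", "service": "payments-api"},
        {"package": "lodash", "version": "4.17.15", "cve": "CVE-EXAMPLE-0002", "level": "Medium", "service": "internal-admin"},
    ],
    "container": [
        {"name": "openssl", "installed": "3.0.1", "vuln": "cve-example-0001", "severity": "critical", "image": "payments-api"},
        {"name": "curl", "installed": "7.80.0", "vuln": "CVE-EXAMPLE-0003", "severity": "low", "image": "payments-api"},
    ],
}
EXPOSED_ASSETS = {"payments-api"}  # constructed asset inventory: internet-facing assets


def triage() -> list[Finding]:
    """Entry point: four raw findings in, three correlated and ranked findings out."""
    return prioritise(correlate(SAMPLE_EXPORTS), EXPOSED_ASSETS)


if __name__ == "__main__":
    for f in triage():
        print(f.severity.upper(), f.asset, f.component, f.advisory, "sources=" + ",".join(f.sources))
```

Two design points worth noting. The fingerprint deliberately excludes the tool's own identifier and severity label, which is why the `High` and `critical` reports of the same library collapse into one finding rather than two tickets; and the ranking key puts exposure before severity, so the low-severity finding on the exposed service outranks the medium one on the internal tool, which is the "vulnerabilities that actually matter" distinction the text draws.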

Tool sprawl is the bad result of a good intention. AppSec teams accumulate tools because they offer real value, and find themselves in trouble when they realise that they have so much to manage that they can’t make sense of what could otherwise be valuable insights. The ability to orchestrate and centrally manage those tools is fundamental to getting value out of them and, ultimately, to retaining organisational faith in AppSec.
