Application security posture management (ASPM) solutions have emerged due to changes in the threat landscape and software development practices. These tools promise to help organizations consolidate, prioritize, and mitigate risks identified throughout the application lifecycle.

At Endor Labs, we believe in giving you information so you can determine if a technology or approach is right for you. We have a clear perspective on the benefits and limitations of ASPM solutions, and we want to help you determine whether an ASPM solution can genuinely transform your application security strategy.

Key Summary

• ASPM solutions analyze signals from multiple application security tools to improve visibility, manage vulnerabilities, and enforce controls.
• Many application security tools (SAST, DAST, SCA, etc) create too much noise and require extensive manual research for both security and engineering teams.
• Businesses still need a way to get an accurate inventory of security risks, a way to prioritize them, and ways to mitigate or remediate risks.
• ASPM emerged as a solution that lets organizations keep their existing tools in place while aggregating results and alerts in a single dashboard.
• ASPM cannot improve the quality of alerts being aggregated (such as eliminating false positives), but can correlate results between tools to aid in deduplication or enrichment.
• However, a new generation of application security platforms are emerging that seek to reduce noise at the source, potentially better solving the problem ASPM was meant to fix.

What’s the definition of application security posture management (ASPM)?

ASPM is a set of technologies that manage an organization's security posture across the software development lifecycle (SDLC). ASPM tools can provide visibility, risk assessment, and prioritization for vulnerabilities.

ASPM solutions typically:

• Consolidate visibility into risks associated with applications and their component parts. 
• Correlate security data from multiple sources, offering a comprehensive view.
• Integrate with an organization's existing application security tools, such as static application security testing (SAST), software composition analysis (SCA), and container scanning.

What problems do ASPM solutions try to solve?

This is where a short history lesson can be useful. ASPM solutions arose out of the convergence of changes taking place in the software development lifecycle and the growth of security risks targeting the software supply chain itself. These combined trends have put pressure on the tools and processes that application security teams use to secure the software built by their organizations.

Let’s take a quick look at three trends that led to the rise of ASPM solutions:

1. The emergence of DevSecOps
2. Explosion in vulnerabilities and alerts
3. A breakdown in visibility and prioritization

Trend #1: The emergence of DevSecOps

DevSecOps has emerged as a practice that explicitly tries to close this gap between software delivery and security by integrating security earlier into the software development lifecycle. This is often referred to as “shifting left,” since security takes place earlier in the software development process. While DevSecOps is a methodology, not a tool, in practice DevSecOps teams need to integrate security tooling into software delivery pipelines. 

While the concepts of DevSecOps and shift left are ideal, AppSec tools weren’t designed to be developer-friendly (for example, look at the history of SAST). This often means that security introduces friction into developer workflows  by inserting noisy scanning tools with poor quality findings. Software engineering teams get drowned in a backlog of vulnerability findings, and eventually stop trying to fix anything due to the size of the security technical debt. This breakdown in process can increase silos between security and engineering — exactly the problem DevSecOps tried to solve.

Trend #2: Explosion in vulnerabilities and alerts

The increase in the number of reported CVEs is one of the bigger industry-wide changes of the past decade, and it has implications for how we keep software secure. When the CVE Program originated in 1999, it published 321 CVE records. Last year, it published more than 28,900 CVEs, increasing 460% in the past decade—and the amount is expected to continue growing.

‍

This growth means downstream consumers of vulnerability data—like application security teams—have more and more alerts to sift through each day, which can lead to information overload. While this increase in alerts is overwhelming, it also means the industry is much more aware of threats in the software supply chain.

But it does come with a cost. According to research by IDC, the average enterprise is drowning in more than 1 million security alerts from their different systems. This contributes to an ever-growing backlog of security vulnerabilities that need attention, making it harder to prioritize remediation efforts.

Trend #3: A breakdown in visibility and prioritization

Alerts themselves are one part of the problem. The other issue is that the tools themselves become silos. For example, a security team might get alerts for the same vulnerability across their SCA, container, and CNAPP platforms. Even when the tools are all owned by the same person or team, it’s improbable that they’ll know these are duplicate alerts. 

The need for better visibility often arises when leadership — the CISO, or in some cases the board — wants a complete view into risks in the software development lifecycle and how they are managed. While in some cases it can help to get all the tools from the same vendor, getting alert deduplication and correlation relies on an integrated platform experience. Whether from one vendor or many, teams start to look for ways to integrate findings.

What categories of ASPM solutions are in the market today?

The market doesn’t really agree on a clear definition of what constitutes an ASPM solution. As a result we’ve seen different approaches emerge. The first category of solutions, aggregators, arose out of the original problem ASPM tried to solve: consolidating alerts from SCA, SAST, DAST, and other application security tools. This is where we most often see organizations building their own solution. Subsequent categories have emerged from vendors seeking to monetize ASPM.

Aggregators

These are the original ASPM solutions. Aggregators consolidate alerts from multiple tools into a single dashboard. Thus their primary value comes from correlating and prioritizing issues by ingesting input from third-party scanners, and then helping teams prioritize the results and set policies. Compared to other solutions, they are less disruptive and allow teams to leave their existing scanners in place. But as we’ve discussed, they do nothing to improve the quality of data. It should also be noted that there are tools on the market that accomplish the goal of aggregating alerts without identifying themselves as ASPM, usually because they include value beyond just a dashboard of alerts

Aggregators with scanners

The next group of competitors largely started as aggregation solutions, and then later launched built-in scanners to help customers close gaps in their coverage. Scanning is treated as an interchangeable commodity in these platforms, and users can bring-their-own solutions or use the vendor’s provided tools. Most vendor tools in this category are repackaged open source solutions with some workflow and UI optimizations added.

Consolidated platforms

On the other end, we’ve seen some application security platforms position themselves as ASPM solutions. In contrast to aggregators, consolidated platforms start with proprietary scanners (e.g. SAST, SCA, containers, secrets) and later introduce integrations for third-party scanners. In other examples, they simply rebranded their proprietary scanners as ASPM solutions.

Does my company need ASPM (or can my problem be solved another way)?

As we saw earlier, ASPM emerged out of a need to triage the number of alerts being surfaced by application security scanners being operated by different teams. Before you make an investment — whether it's your time or your money — you owe it to yourself to figure out if you're treating a symptom or the disease.

I need to consolidate alerts for reporting purposes or risk-based scoring.

Very few application security vendors offer every single kind of scanner (or do each one really well), so consolidated visibility can be a compelling reason to consider building or buying an aggregator-style ASPM. In many large enterprises, each acquisition brings in its own tool stack, and it can take months or years (or an eternity) to get everyone on the same tools.

I need to improve the quality of the alerts so we waste less time.

If this is your reason to consider ASPM, know that it’s unlikely to give desired results unless you already have best-in-class scanners that provide accurate, prioritized results and the context developers need to apply fixes. If your underlying scanners provide poor quality data or generate excessive noise, investing in an ASPM is simply an additional cost that you’re paying to fix the shortcomings of your existing SCA and SAST solutions. ASPMs with built-in scanners may not solve this problem either if their built-in solutions are not sufficiently advanced. This can be true of platforms that have largely wrapped open-source scanners without significant additional tuning and optimization to produce higher-quality results.

In our opinion ASPM tools told a story that resonated with customers, but haven’t been able to deliver on it without addressing the underlying issue with data quality. As a result, ASPM tools added first-party scanners to try and compete with legacy application security platforms. And legacy application security platforms tried to re-brand as ASPM to capitalize on the attention ASPM was receiving. But neither category of solutions is solving the underlying issue.

How can I reduce noise and prioritize faster?

A new generation of application security platforms are addressing the problems of excessive noise and a lack of context by building fully-integrated SCA, SAST, Container, and Secrets solutions that reduce false positives while providing the context needed by engineering teams to fix risks. The industry has gone through several waves of technological innovation over the last few years. Even industry leaders from 5-10 years ago have fallen behind the pace of change. Leveraging this new generation of security platforms can help you get accurate results, correlate findings, provide context, and integrate into your existing workflows.

Get accurate results

Focus on function-level reachability for SCA

Function-level reachability is the gold-standard for software composition analysis (SCA) tools. Tools in this category go beyond reading manifest files to determine which dependencies are called in an application. Instead they use program analysis to determine direct dependencies, transitive dependencies (those are the dependencies of your dependencies), and can even identify so-called phantom dependencies directly called in your code. Because they understand how your application functions, not just what’s in it, they can identify if a vulnerability is reachable, exploitable, and can recommend specific remediations that won’t break your application.

Use advanced rules and workflows for SAST

Similarly, SAST tools often produce excessive noise when first deployed, but proper tuning and workflow optimizations can significantly reduce false positives. The best SAST vendors provide their own custom  rules that should further reduce false positives, and also provide workflow improvements like auto-remediation that provide suggested code fixes to developers. The latest generation of SAST solutions is combining rule-based workflows with LLMs to detect business logic risks, security design changes, and other risks that exclusively rule-based SAST solutions miss.

Correlate findings

Deduplication of alerts across different tools—such as your SCA and container scanners—also helps streamline remediation by preventing redundant notifications. A unified platform that consolidates first-party code, third-party dependencies, container security, and secrets management can further simplify the security process.

You should also consider how your application security tools can help contextualize findings from runtime solutions. For example, you should be able to trace attack paths surfaced in your CNAPP back to code-level findings for true code-to-cloud visibility.

Provide context to developers

Beyond improving data quality, security teams should also focus on making it easier for developers to act on security findings. Providing developers with relevant context, such as insights into how an upgrade might impact the broader application, helps them remediate vulnerabilities faster. Automated remediation suggestions for code-based vulnerabilities can further reduce friction, enabling developers to fix issues quickly without extensive security expertise.

Deliver insights where people work

Once you’ve improved the quality of your data, you can start triaging and routing findings to the appropriate groups. But it’s important to do that where each group already works. For developers, that typically involves integration with source code management tools like GitHub or GitLab, or directly in the IDE through CLI integrations. You also may need to consider dashboards for security and compliance stakeholders. Tools like Nucleaus can help you build risk scores and other dashboards. While these are not ASPM solutions, they do help with the reporting aspect provided by ASPM solutions.

Conclusion

ASPM has a clear purpose: to offer consolidated visibility for security teams operating tools from multiple vendors. However, it’s important to remember that the value of ASPM is directly tied to the quality of the underlying data. Starting with consolidated application security platforms that provide accurate data and context about your risks is the best way to get started, and then you can develop reporting workflows.

Additional Resources

• The Rise of Application Security Posture Management (Software Analyst Cyber Research, 2024)
• Innovation Insight: Application Security Posture Management (Gartner, 2023)