What is ASOC?
Stands for Application Security Orchestration and Correlation.
Eases software vulnerability testing and remediation by automating workflows and processing findings.
Automates security testing within and across the development life cycle while ingesting data from multiple sources.
Correlates and analyzes findings to centralize efforts for easier interpretation, triage, and remediation.
Acts as a management and orchestration layer between application development and security testing.
Enables greater control over, and visibility into, security testing.
Supports better coordination of security testing.
Enables more effective prioritization of resources toward resolving the most critical vulnerabilities.
Enables DevSecOps implementation.
Is a catalyst for consistent testing and smoother operations.
What Challenges ASOC solves
Too Many Findings. The volume of information produced by application security testing tools makes it hard to prioritize vulnerabilities and to plan remediation and mitigation across the SDLC. ASOC ingests information from multiple testing sources, correlates results, and supports the automation of prioritization and triage tasks.
Too many tools
Running multiple testing tools at different points in the SDLC produces duplicate results that need to be correlated and deduplicated later. Correlating and prioritizing findings across multiple AST tools is challenging and time-consuming, requiring involvement by both security and development leaders. Most teams fail to effectively stitch together related findings, further increasing the backlog of remediation activities.
Lengthy Scan Cycles
As application development velocity continues to accelerate, traditional approaches to application security are failing to scale. Build pipelines are often intended to run in seconds to a few minutes, while AppSec tool scans can take several minutes or even hours. The problem is compounded because multiple forms of analysis (e.g., SAST, SCA) must often be performed. As a result, teams find that integrating AppSec into their pipelines disrupts velocity goals.
Poorly Aligned Risk Models
When organizations lack clear policies on what assessment tools are needed for different risk scenarios, broad-brush approaches are employed, resulting in inadequate testing for high-risk applications, while wasting time and resources on low-risk application changes. While AST tools often include policy enforcement and vulnerability reporting capabilities, they are generally siloed implementations, typically applied at different points in the SDLC. This siloed approach makes it difficult for teams to implement policies, identify the highest priority software security risks, and aggregate reporting across the multiple AST tools in use. Teams that integrate and automate full AST scans in their CI pipelines often find that the sheer volume and duplication of results from tests performed at different stages of the SDLC is a problem.
Identifying and prioritizing high-priority vulnerabilities is a significant burden. Development and security leaders are forced to triage and prioritize issues for remediation, often requiring difficult decisions about whether to prioritize delivery schedules over application security.
Too Many Exploits. Despite the use of multiple application security tools, 81% of organizations still report that they have had applications exploited, with 60% reporting that they have had applications exploited through OWASP Top 10 vulnerabilities within the previous 12 months.
Disconnected Security Activities. To find larger, architectural issues that cause security problems, most organizations employ one or more manual security testing practices, including threat modelling, code reviews, and penetration testing.
These activities are often initiated by development and security leaders without alignment with risk policies. This makes it difficult for security teams to implement consistent and timely application security governance aligned with development activities, and equally difficult to harmonize findings from manual activities with those produced by automated tools.
What Value ASOC provides
Ensures the right tests are run at the right time. ASOC connects to DevOps pipelines with a couple of simple API calls, eliminating the need to reimplement build and release pipelines to add security testing. A rich and extensible set of AppSec and DevOps integrations enables further integration with the development, security, and issue-tracking tools already in use.
Delivers the right information to the right teams. ASOC policies specify rules for security evaluation, response, and notification; ASOC applies those rules to code changes and other SDLC events to trigger the relevant security tests. This approach preserves velocity by performing only the tests that are needed, at the time they are needed.
ASOC provides optimized and standardized reporting of application risk insights across multiple AppSec tools. Findings are automatically correlated, filtered, and prioritized based on risk and delivered to developers directly within development and defect-tracking tools, avoiding vulnerability overload and enabling teams to achieve the maximum risk impact at minimal cost.
Automates manual AppSec activity workflows. ASOC triggers manual AppSec activities, such as penetration tests, through existing defect-tracking systems and communication channels, based on policy. This enables security teams to coordinate security compliance workflows with development workflows and SDLC events.
Aggregates and correlates findings from testing tools. ASOC aggregates and correlates findings from application security tools, reducing noise, highlighting findings that present real business risk, and providing insight into the efficacy of the tools in use. ASOC automates resource- and time-intensive triage and prioritization, helping security and development teams focus on the highest areas of risk.
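To make the policy idea concrete, here is an added example (not code from this page or from any ASOC product) of a small rule engine that maps an SDLC event to the scans it should trigger. The rule table, scan names, durations and pipeline time budgets are assumptions chosen for the illustration; the budget rule shows one way to keep slow scans from blocking the build by deferring them to a separate pipeline, and the "pentest_ticket" rule shows a manual activity being raised as a ticket instead of a scanner run.

```python
"""Policy-driven scan selection for an SDLC event.

Added illustration, not any ASOC product's policy engine. Rules, scan names,
durations and pipeline time budgets are assumptions for the example.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str             # "commit", "pull_request" or "release"
    app_tier: str         # application risk tier from the org's risk model
    changed_paths: tuple  # paths touched by the change


TIER_RANK = {"low": 0, "medium": 1, "high": 2}

# Assumed time budget (minutes) a scan may consume inline before it is deferred
# to a separate pipeline; None means no limit.
BUDGET_MINUTES = {"commit": 5, "pull_request": 15, "release": None}

# (scan, event kinds, minimum app tier, relevant path globs or None for any
#  change, assumed typical duration in minutes)
RULES = [
    ("secrets", {"commit", "pull_request", "release"}, "low", None, 1),
    ("sast", {"commit", "pull_request", "release"}, "low",
     ("*.py", "*.java", "*.js", "*.go"), 8),
    ("sca", {"commit", "pull_request", "release"}, "low",
     ("requirements*.txt", "package*.json", "go.mod", "pom.xml"), 2),
    ("iac", {"commit", "pull_request", "release"}, "medium",
     ("*.tf", "Dockerfile", "k8s/*.yaml"), 3),
    ("dast", {"release"}, "medium", None, 40),
    # manual activity: opens a ticket instead of running a scanner
    ("pentest_ticket", {"release"}, "high", None, 0),
]


def _touches(paths, globs):
    """True when any changed path matches any glob (None matches everything)."""
    if globs is None:
        return True
    return any(fnmatch.fnmatch(p, g) for p in paths for g in globs)


def select_scans(event):
    """Return (inline, deferred): scans to run in the pipeline now, and scans
    the policy wants but which exceed the event's time budget and so run out
    of band in a separate pipeline."""
    inline, deferred = [], []
    budget = BUDGET_MINUTES[event.kind]
    for scan, kinds, min_tier, globs, minutes in RULES:
        if event.kind not in kinds:
            continue
        if TIER_RANK[event.app_tier] < TIER_RANK[min_tier]:
            continue
        if not _touches(event.changed_paths, globs):
            continue
        if budget is not None and minutes > budget:
            deferred.append(scan)
        else:
            inline.append(scan)
    return inline, deferred


if __name__ == "__main__":
    for ev in (
        Event("commit", "low", ("README.md",)),
        Event("commit", "high", ("src/app.py",)),
        Event("pull_request", "high", ("src/app.py", "requirements.txt")),
        Event("release", "high", ("src/app.py", "k8s/deploy.yaml")),
    ):
        print(ev.kind, ev.app_tier, select_scans(ev))
```

A documentation-only commit triggers only the cheap secrets scan; a commit to a high-tier application still gets SAST, but deferred to a separate pipeline because it would exceed the commit budget; a release of a high-tier application triggers DAST and raises the manual penetration-test ticket.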
What are Adoption Patterns & Solved issues?
Challenge
Difficulty in reporting the risk posture of applications.
No meaningful business metrics and threat intelligence
Adoption Pattern & Outcome
Helps to identify the vulnerabilities posing the greatest risk to applications and streamlines remediation efforts.
Challenge
Gap between security and development teams
Adoption Pattern & Outcome
Translates raw vulnerability data into relevant outputs to executives and application owners
Developers' acceptance of application security testing programs and results.
Remediation efforts are focused on areas which will deliver the greatest return on effort
What are ASOC Adoption Stoppers?
ASOC is not well known in the market, despite being positioned by Gartner as sliding into the trough in the Hype Cycle for Application Security, with incumbent maturity. However, ASOC is expected to reach a 5% to 20% adoption rate in the industry, with a high assessed added value.
ASOC requires high maturity. Security testing automation requires a high degree of customer maturity: a good understanding of the risk posture of each application, and of the selection of testing types and threat modelling. Without this maturity, defining the underlying policies on which prioritization and triage rely becomes difficult, and not all customers have reached this level.
Takeaways
ASOC alleviates the integration and DevSecOps management burden
Automating security testing within a CI/CD pipeline requires effort to integrate disparate native capabilities across multiple toolsets, via bidirectional APIs or command-line scripting.
ASOC triggers dynamic threat modelling in a DevSecOps program
Threat modelling is not easily integrated into a DevSecOps toolchain. It is largely a manual process, and dedicated tooling does not yet exist to programmatically analyse an application design and all its interactions, end to end, with accuracy.
ASOC integrates SAST tooling into development systems and the CI/CD build
SAST tools are often marketed as one of the easier fits for development environments and a CI/CD build pipeline because of where they integrate: with code commit processes and build tools. While SAST may be relatively easy to integrate and quick to run, it has earned a reputation for generating too many findings or too many false positives.
ASOC handles the issue of duplicate findings
ASOC prioritizes high volumes of AST results and orchestrates AST tooling in the build pipeline.
ASOC feeds aggregated results into application development life cycle management or bug-tracking systems to drive remediation.
ASOC consolidates and correlates scan data across scans. Correlation addresses some of the issues that arise from performing AST at scale, including: correlation of output from the same AST tool across runs, correlation of output from disparate AST tools, centralized metrics, and vulnerability regrading.
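The correlation steps listed above (same-tool correlation across runs, cross-tool correlation, centralized metrics, regrading), and the deduplication problem described under "Too many tools", in working form. This is an added example and not code from any ASOC product. The three tool output formats are constructed for the illustration (tool A is loosely SARIF-shaped, tool B is a flat row export, and there is a DAST alert list); the severity scores and regrading multipliers stand in for an organization's policy and are assumptions.

```python
"""Normalize, deduplicate, correlate and prioritize AST findings from several tools.

Added illustration, not code from any ASOC product. The three input formats are
constructed for the example (tool A is loosely SARIF-shaped); the severity scores
and regrading multipliers are assumptions standing in for an organization's policy.
"""
from collections import Counter
from dataclasses import dataclass, field

SEVERITY_SCORE = {"critical": 9.0, "high": 7.0, "medium": 4.0, "low": 1.0}
SARIF_LEVEL = {"error": "high", "warning": "medium", "note": "low"}


@dataclass
class Finding:
    cwe: str
    location: str           # "path:line" for code findings, "METHOD /path" for DAST
    severity: str
    tools: set = field(default_factory=set)
    observations: int = 0   # raw results collapsed into this finding


def _path(p):
    return p[2:] if p.startswith("./") else p


def normalize_tool_a(report):
    """Tool A (SAST, SARIF-like): ruleId carries the CWE, level is error/warning/note."""
    for r in report["results"]:
        loc = r["locations"][0]["physicalLocation"]
        where = f"{_path(loc['artifactLocation']['uri'])}:{loc['region']['startLine']}"
        yield Finding(r["ruleId"], where, SARIF_LEVEL[r["level"]], {"toolA"}, 1)


def normalize_tool_b(rows):
    """Tool B (SAST, flat rows): numeric CWE, path, line, capitalized severity."""
    for row in rows:
        where = f"{_path(row['path'])}:{row['line']}"
        yield Finding(f"CWE-{row['cwe']}", where, row["severity"].lower(), {"toolB"}, 1)


def normalize_dast(report):
    """DAST alerts: CWE, HTTP method and path, risk string."""
    for a in report["alerts"]:
        yield Finding(a["cwe"], f"{a['method']} {a['path']}", a["risk"].lower(), {"dast"}, 1)


def correlate(findings):
    """Collapse results with the same CWE at the same location, whether they come
    from repeated runs of one tool or from different tools."""
    merged = {}
    for f in findings:
        key = f"{f.cwe}@{f.location}"
        m = merged.get(key)
        if m is None:
            merged[key] = Finding(f.cwe, f.location, f.severity, set(f.tools), f.observations)
            continue
        m.tools |= f.tools
        m.observations += f.observations
        if SEVERITY_SCORE[f.severity] > SEVERITY_SCORE[m.severity]:
            m.severity = f.severity   # keep the highest severity any tool assigned
    return list(merged.values())


def risk_score(f, internet_facing):
    """Regrade a finding: scanner severity adjusted by context and by independent
    confirmation from more than one tool (multipliers are assumed policy values)."""
    score = SEVERITY_SCORE[f.severity]
    if f.location.startswith("tests/"):
        score *= 0.25                    # test code is not shipped
    if internet_facing:
        score *= 1.5
    score += 2.0 * (len(f.tools) - 1)    # each extra tool agreeing adds confidence
    return round(score, 2)


def prioritize(findings, internet_facing):
    return sorted(findings, key=lambda f: risk_score(f, internet_facing), reverse=True)


def metrics(findings):
    """Centralized counts across all tools after correlation."""
    return {"by_severity": dict(Counter(f.severity for f in findings)),
            "by_tool": dict(Counter(t for f in findings for t in f.tools))}


# Constructed sample outputs: tool A runs twice in the pipeline (duplicate results),
# tool B agrees on the SQL injection and adds a hard-coded credential in test code.
TOOL_A_RUN = {"results": [
    {"ruleId": "CWE-89", "level": "error", "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "./src/db.py"}, "region": {"startLine": 42}}}]},
    {"ruleId": "CWE-79", "level": "warning", "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "./src/views.py"}, "region": {"startLine": 17}}}]},
]}
TOOL_B_ROWS = [
    {"cwe": 89, "path": "src/db.py", "line": 42, "severity": "High"},
    {"cwe": 798, "path": "tests/fixtures.py", "line": 3, "severity": "Critical"},
]
DAST_REPORT = {"alerts": [{"cwe": "CWE-79", "method": "GET", "path": "/search", "risk": "Medium"}]}


def run_pipeline(internet_facing=True):
    raw = [*normalize_tool_a(TOOL_A_RUN), *normalize_tool_a(TOOL_A_RUN),
           *normalize_tool_b(TOOL_B_ROWS), *normalize_dast(DAST_REPORT)]
    ranked = prioritize(correlate(raw), internet_facing)
    return ranked, metrics(ranked)


if __name__ == "__main__":
    ranked, stats = run_pipeline()
    for f in ranked:
        print(risk_score(f, True), f.cwe, f.location, sorted(f.tools), f.observations)
    print(stats)
```

Seven raw results collapse into four findings. The SQL injection seen by two tools across three runs comes out on top, while the "Critical" hard-coded credential drops to the bottom because it lives under tests/: this is the regrading step, and it is the step that depends on the organization having a defined risk model rather than on the scanners.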
What are ASOC types?
Integrated ASOC. Often bundled with AST tool suites, may only support correlation of output for the vendor’s own AST tools. Correlation may also be more basic, or it may not provide sufficient, granular control over scan output to aggregate results from high volumes of scans.
Dedicated ASOC. Vendors use more advanced techniques to correlate data, and their products also provide integrations with disparate AST tools from multiple vendors. However, this results in more point solutions and higher complexity.
ASOC assessment from Gartner
Gartner Hype Cycle™ for Application Security 2021
“DevSecOps is the transformational technology that enables security teams to keep pace with development and operations teams in modern development, and to deliver deep integration and automation of security tooling. Lessons learned in implementing DevSecOps processes can also be applied to more traditional development models — boosting the security of those applications as well. The range of tools and services profiled in this research should be used to deliver and operate secure software for the organization and its clients.”
Gartner assesses ASOC, in the context of DevSecOps adoption, as having high, transformational impact, with a 2 to 5 year time to adoption.
What are ASOC major vendors?
Synopsys Intelligent Orchestration
Synopsys Intelligent Orchestration provides customized AppSec pipelines that automate security testing not just for a few stages but throughout the entire software development life cycle (SDLC).
Includes native Synopsys static application security testing (SAST), software composition analysis (SCA), dynamic application security testing (DAST), and interactive application security testing (IAST) tools.
Converts reports extracted from security tools into a uniform schema. Dashboarding tools display the risk calculation, scores for different application risk factors, and the security activities selected for the latest pipeline run.
Uses separate pipelines that do not get in the way of the main development pipelines.
Delivers vulnerability information prioritized by the organization's security policies.
Knows when to run a specific scan and when not to, based on actual code changes, a dynamically calculated total risk score, and predetermined security policies.
Enables post-scan feedback so that designated development, security, and DevOps leads are immediately notified of paused or failed builds, or of critical security vulnerabilities or failures.
Identified critical issues are then pushed automatically to issue-tracking systems.
CoalFire ThreadFix
ThreadFix enables the security team to spend less time manually correlating results and more time addressing security risks and vulnerabilities. And because you can quickly identify risk areas that are most important to your organization, this can reduce the time vulnerabilities live in the applications by up to 40%.
Organize, prioritize, and speed up your security processes.
Quickly spot vulnerability trends to prioritize security efforts.
Streamline workflows among teams to fix vulnerabilities faster.
Track vulnerabilities identified by scanners, manual testing, and other assurance activities.
Automatically combine and deduplicate results from multiple scanners for easy management.
Apply DevOps concepts for continuous vulnerability resolution to reduce mean-time-to-fix.
Kenna.AppSec (Kenna Security was acquired by Cisco in 2021)
Collecting application security data from a wide range of sources, including SAST, DAST, SCA, penetration testing, and bug bounty programs, Kenna.AppSec is a vendor-neutral risk management solution that lets you leverage the volumetric data from application scanners you already own to maximize value from your existing technology investments.
Gives a quick view to assess the risk posture across your infrastructure assets and applications.
Allows viewing the risk associated with risk groups. Risk scores for each risk group and application group within a Stack are presented side by side in an easy-to-read card, with additional detail available on click-through.
Enable developer/DevOps self-service. Security, development, and DevOps teams can finally align around the common goal of reducing risk in a practical and efficient way. Kenna.AppSec eliminates guesswork and ensures that development and DevOps teams have a powerful solution to aggregate, correlate, and triage findings, and provides actionable information on why application findings and vulnerability issues should be remediated.
Gain comprehensive application security context. Integrate application security data from a wide range of sources, including scanners, penetration testing, bug bounty programs, and static and dynamic application security testing tools to get comprehensive insights regarding the specific level of risk posed by each finding or vulnerability.
Determine risk and prioritize remediation efforts across a multi-vendor environment. Kenna.AppSec provides organizations with full visibility and accurate, real-time risk-based vulnerability prioritization.
RiskSense Application Security (acquired by Ivanti in 2021)
RiskSense Application Security normalizes all of your application vulnerability and scan findings and then continuously correlates them to active threats trending in-the-wild. You’ll immediately know which ones are the greatest risk to your organization and have the ability to drill-down to the exact code locations where they reside within the application stack.
Automate Application & Security Risk Tracking. Make application scan findings more meaningful by consolidating them into one risk-based vulnerability management program. Keep vendor-neutral and allow DevOps to select the various scanning tools needed across the different parts of the development lifecycle. View rate of vulnerabilities opened, closed, and at what development point.
Helps to prioritize and predict actions. Take highly effective vulnerability remediation actions, because every CVE and CWE is assessed against active threat context. Gain the exposure insight and prioritization needed to quickly address what matters most.
Explore all perspectives of application security: CVE and CWE NVD details, exposure to the CWE Top 25 Software Errors, and exposure to the OWASP Top 10.
Filter to find what is immediately needed, by application and scanner type: patch recommendations, weaponized exploits and malware, associated exploits trending in the wild, and ties to ransomware variants. Use tags to identify full-stack development environments and view their collective risk.
Orchestron
Orchestron is an Application Vulnerability Correlation and Test Orchestration platform that allows engineering and security teams to manage security vulnerabilities effectively.
Provides a correlated list of security vulnerabilities that is free from duplication and flags potential false positives.
Ranks vulnerabilities according to their severity, facilitating risk-based vulnerability remediation.
Provides vulnerability remediation assistance through snippets of good code and bad code.
Harness STO (Harness.io)
Automatically runs the right security scanners at the right stages of the pipeline (shift-left security) to deliver secure applications faster and minimize business risk. Harness performs the time-intensive scanner output analysis for the engineering team, saving time and producing: unified and prioritized vulnerability fix lists, automated remediation verification, and tracked exemption lists.
Uses Open Policy Agent (OPA) policies, built into Harness, to ensure all desired application security scans are performed and achieve acceptable results. Consistent application security processes reduce the risk to the business.
Uses application security scanner results to decide whether a deployment should proceed. Application security scans are performed across all stages of CI/CD to promote secure code and deployments.
Harness STO normalizes, deduplicates, and correlates all scanner results, applying intelligence to create a prioritized list of vulnerabilities to fix, with remediation recommendations.
Provides comprehensive audit logs that can be used to pass audit and compliance activities quickly and painlessly.
Incorporates and enforces security guardrails in CI/CD pipelines, achieving high velocity while improving application security.
Vulcan Cyber® supports across the full cyber risk management lifecycle so you can go beyond vulnerability scanning, understand your risk – and actually reduce it.
Vulcan takes your unique risk tolerance into account, prioritizing vulnerabilities based on severity, threat intelligence, and actual business risk. Vulcan remediation intelligence delivers the exact patch, config script, workaround or compensating control for the vulnerabilities you need to fix. Vulcan risk analytics shows efficacy over time so you’re always shrinking risk for good. Automate the cyber risk management effort – from ticket routing to patch identification – so you’re free to focus on risk reduction outcomes, at scale.
Nopsec ASOC enables companies to design and manage vulnerability processes from identification through remediation. Automatically track SLA compliance and generate alerts when required remediation dates are missed. Manage exceptions and false positives with periodic reviews to ensure that temporary exceptions don't fall through the cracks.
Security/IT/DevOps Workflow and Collaboration. Communicating remediation tasks, SLAs and priorities across functional teams is one of the core business challenges when implementing a closed-loop vulnerability management program. Relying on emailed lists or tickets created manually in your ITSM is inefficient and error-prone, giving attackers additional opportunities to exploit existing vulnerabilities. Automating remediation assignment via integration with existing ticketing and orchestration platforms is the best way to ensure that teams stay in sync.
Integrate with EDR/Policy Management platforms to validate the existence and effectiveness of compensating controls for a true picture of vulnerability risk.
Prioritize, track, and push automated remediation actions to your EDR, Policy Management, or orchestration platform to resolve threats caused by misconfigurations.
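The SLA tracking and exception handling described above, as an added example rather than NopSec's code. It buckets open and closed findings against a remediation SLA, and reports open findings whose temporary exception has lapsed as their own alert category so they do not fall through the cracks. SLA days per severity, the due-soon window, and the sample findings and exemptions are assumptions constructed for the example.

```python
"""Remediation SLA and exception tracking over correlated findings.

Added illustration, not code from any vendor. SLA days per severity, the
due-soon window and the sample findings are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}   # assumed policy
DUE_SOON_DAYS = 7                                                   # assumed warning window


@dataclass
class Tracked:
    id: str
    severity: str
    first_seen: date
    fixed: Optional[date] = None   # None while the finding is still open


@dataclass
class Exemption:
    finding_id: str
    reason: str
    expires: date                  # temporary by design: re-reviewed when it lapses


def due_date(f):
    return f.first_seen + timedelta(days=SLA_DAYS[f.severity])


def sla_report(findings, exemptions, today):
    """Bucket findings for alerting and metrics. Open findings whose exemption has
    lapsed are reported separately instead of silently counting as exempted."""
    exempt = {e.finding_id: e for e in exemptions}
    buckets = {k: [] for k in ("overdue", "due_soon", "exempted",
                               "exemption_expired", "closed_in_sla", "closed_late")}
    for f in findings:
        due = due_date(f)
        if f.fixed is not None:
            buckets["closed_in_sla" if f.fixed <= due else "closed_late"].append(f.id)
            continue
        e = exempt.get(f.id)
        if e is not None:
            buckets["exempted" if e.expires >= today else "exemption_expired"].append(f.id)
        elif today > due:
            buckets["overdue"].append(f.id)
        elif (due - today).days <= DUE_SOON_DAYS:
            buckets["due_soon"].append(f.id)
    return buckets


# Constructed sample data evaluated as of 2024-03-01.
SAMPLE_FINDINGS = [
    Tracked("F1", "critical", date(2024, 2, 10)),                        # open, past due
    Tracked("F2", "high", date(2024, 2, 5)),                             # open, exempted
    Tracked("F3", "high", date(2024, 1, 20)),                            # open, exemption lapsed
    Tracked("F4", "medium", date(2023, 12, 5)),                          # open, due in 3 days
    Tracked("F5", "low", date(2023, 9, 1), fixed=date(2024, 2, 20)),     # fixed inside SLA
    Tracked("F6", "critical", date(2024, 1, 1), fixed=date(2024, 1, 20)),  # fixed late
]
SAMPLE_EXEMPTIONS = [
    Exemption("F2", "compensating WAF rule in place", date(2024, 4, 1)),
    Exemption("F3", "vendor fix pending", date(2024, 2, 20)),
]


def report_for(today=date(2024, 3, 1)):
    return sla_report(SAMPLE_FINDINGS, SAMPLE_EXEMPTIONS, today)


if __name__ == "__main__":
    for bucket, ids in report_for().items():
        print(f"{bucket:>18}: {ids}")
```

Passing `today` explicitly keeps the report reproducible for audits; in a real integration the "overdue" and "exemption_expired" buckets are what would be pushed to the ticketing system as alerts.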
Mozilla Minion
Minion is an open source Security Automation platform. The 0.3 release of Minion allows Development, QA, and Security team members to perform automated web security scans with a set of tools, and re-execute those scans as needed.
The 0.3 release incorporates significant changes, including a migration away from Django and Bootstrap to a Flask and Angular.js based application. It also involves significant improvements in back-end performance and scaling, and an updated plugin architecture.
This is the first Minion release that is ready for large scale adoption with access management features to constrain which users can access scan results, and an invitation system to actively engage new users.
Salesforce Vulnreport is a “penetration test management and automation platform”. That’s a bit of a mouthful; what it means is that this software takes the tedious work out of running and reporting on security penetration testing. It doesn’t replace security testers; it just augments their abilities, and makes them more efficient.
Other open Source ASOCs
Salesforce Chimera, for Salesforce independent software vendors
Offensive Web Testing Framework: https://owtf.github.io/
Further reading and details.
Please consult the presentation below or reach out to us for a focused discussion on how you can secure your DevSecOps.