
4 highlights from the 2023 Gartner® Innovation Insight for Application Security Posture Management (ASPM)

Educational | May 23 2023 | 4 min read

Over the past few decades, application security has seen dozens of market categories, hundreds of new approaches, and thousands of solutions, from legacy point solutions like SAST, DAST, and SCA to newer approaches like DevSecOps and software supply chain security. As per Gartner, “Application security tools invariably produce reams of data about potential vulnerabilities. Traditional, frequently manual, approaches to assessing and prioritizing these findings have failed to scale to accommodate either the amount of data or the speed associated with modern development processes.”

The latest solution to make its way through the noise – Application Security Posture Management (ASPM) – aims to solve that challenge. By integrating and analyzing security signals across software development, deployment, and operation, ASPM provides improved application visibility (which is the foundation for securing complex modern applications) and enables teams to more effectively identify and prioritize risks.

The new Gartner Innovation Insight for Application Security Posture Management, authored by Dale Gardner, Dionisio Zumerle, and Manjunath Bhat, details exactly how ASPM has evolved, its core capabilities, and recommendations for evaluating and adopting ASPM solutions. Keep reading for our take, or get a complimentary copy here.

ASPM unifies multiple point solutions into a comprehensive platform

As siloed application security testing (AST) tools have gone mainstream, the lines between application layers have blurred, and developers have become increasingly dependent on third-party tools and components, several solutions have cropped up.

To integrate signals from AST tools, application security orchestration and correlation (ASOC) emerged, but it wasn’t widely adopted because it lacked application context. To bridge the divide between security and DevOps, DevSecOps has become ubiquitous. Finally, and perhaps most notably, software supply chain security has rapidly gained momentum as version control systems, open source packages, and CI/CD pipelines have become the latest attack targets.

ASPM brings together all those functions, providing a comprehensive solution for risk assessment, remediation, and reporting through integration and instrumentation across the software development lifecycle.

At Apiiro, we believe that ASPM is a necessary complement to Cloud Security Posture Management (CSPM) solutions, Cloud Native Application Protection Platforms (CNAPP), and/or Cloud Workload Protection Platforms (CWPP). Just as you need a consolidated view of your runtime vulnerabilities and misconfigurations, you need that same visibility into your application components in design, development, build, and deploy time.

ASPM is solving nascent AppSec challenges

The rise of DevOps and continuous integration and continuous delivery (CI/CD), combined with the reliance on siloed AppSec tools and manual processes, overwhelms application security and development teams. Without a single pane of glass for security issues, it’s impossible to know which findings are real risks. Instead, security teams spend hours assessing risks manually, face endless backlogs to triage, and developers waste their time on false positives or risks that have no impact on the business.

Without contextual and centralized application policy enforcement, ensuring new code changes are always secure and compliant is nearly impossible, and blind spots left by disparate AST tools and manual processes are inevitable.

To combat those challenges, as per Gartner, ASPM:

  • Eliminates application security silos and provides a comprehensive view of an organization’s application security stance
  • Enables the creation and enforcement of application security policies
  • Improves prioritization and triage of application risks

All of these benefits ultimately help application security and development teams work together to improve the security posture of applications (hence the category name) and to do so more effectively.

The market has aligned on core ASPM capabilities

As mentioned in the report, the following capabilities are now common and are considered core capabilities for an ASPM product:

  • “Coverage: Originally focused on application security testing in development, offerings now include data from operational environments (e.g., cloud platforms, containers, physical infrastructure).
  • Testing orchestration: The ability to integrate security tools across the application life cycle and control their operation based on organizational policies is essential.
  • Remediation: Includes both integration into workflow tools, such as trouble ticketing systems, and the provision of specific guidance on possible fixes.
  • Correlation: While most tools perform one-to-one vulnerability correlation (of related findings across tools), they also increasingly group data related to application components in order to represent a complete application.
  • Prioritization and triage: Tools should offer the ability to prioritize those vulnerabilities that pose the greatest risk, based on risk factors provided by users or inferred from the application.
  • Root cause identification: By analyzing data from different application components, some tools can facilitate the identification of the root cause of a vulnerability.
  • Risk management: ASPM tools frequently attempt to provide an overall risk indicator for components or applications.”
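To make the “correlation”, “prioritization and triage” and “risk management” capabilities above concrete, here is an added illustrative example (not code from the report or from Apiiro’s platform) that merges duplicate findings reported by several tools for the same weakness and location, then ranks them using context an ASPM inventory would supply. Tool names, paths, components and weights are constructed assumptions.

```python
# Constructed sample findings as an ASPM platform might ingest them from
# separate AST tools (hypothetical tool names, components and locations).
FINDINGS = [
    {"tool": "sast-a", "cwe": "CWE-89", "component": "payments-api",
     "location": "src/orders.py:42", "severity": 7.5},
    {"tool": "sast-b", "cwe": "CWE-89", "component": "payments-api",
     "location": "src/orders.py:42", "severity": 8.0},
    {"tool": "sca", "cwe": "CWE-502", "component": "payments-api",
     "location": "pkg:pypi/somelib@1.2", "severity": 9.8},
    {"tool": "sast-a", "cwe": "CWE-79", "component": "internal-admin",
     "location": "web/views.py:10", "severity": 6.1},
]

# Application context the ASPM layer adds from its component inventory
# (constructed: which components are internet-facing or process PII).
CONTEXT = {
    "payments-api": {"internet_exposed": True, "handles_pii": True},
    "internal-admin": {"internet_exposed": False, "handles_pii": False},
}

def correlate(findings):
    """One-to-one correlation: merge findings that describe the same weakness
    at the same location, keeping the highest severity and every reporting tool."""
    merged = {}
    for f in findings:
        key = (f["component"], f["cwe"], f["location"])
        entry = merged.setdefault(key, {**f, "tools": set()})
        entry["tools"].add(f["tool"])
        entry["severity"] = max(entry["severity"], f["severity"])
    return list(merged.values())

def risk_score(finding, context):
    """Contextual prioritization: base severity boosted by exposure and data
    sensitivity inferred from the inventory (illustrative weights, not a standard)."""
    ctx = context.get(finding["component"], {})
    score = finding["severity"]
    if ctx.get("internet_exposed"):
        score *= 1.5
    if ctx.get("handles_pii"):
        score += 1.0
    return round(score, 2)

def prioritize(findings, context):
    """Return correlated findings ranked by contextual risk, highest first."""
    ranked = correlate(findings)
    for f in ranked:
        f["risk"] = risk_score(f, context)
    return sorted(ranked, key=lambda f: f["risk"], reverse=True)

def component_risk(ranked):
    """Overall risk indicator per component: its highest-risk open finding."""
    out = {}
    for f in ranked:
        out[f["component"]] = max(out.get(f["component"], 0.0), f["risk"])
    return out
```

Run on the constructed input, the two SAST reports of the same SQL injection collapse into one finding attributed to both tools, and the internet-exposed, PII-handling service outranks the internal one even where raw severities are close.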

But as this market evolves, there are ranges of sophistication and maturity that are important to take into consideration.

The future of ASPM is bright

Gartner estimates that “[a]bout 5% of organizations have adopted ASPM solutions or the ASOC products from which they evolved,” but that “[b]y 2026, over 40% of organizations developing proprietary applications will adopt ASPM to more rapidly identify and resolve application security issues.”

This rapid adoption signals important maturity in the market but comes with its own caveats. As you evaluate ASPM solutions, make sure your unique needs are met. Can it provide coverage for your specific technologies, languages, and use cases? Can it scale for your needs?

At Apiiro, we also believe it’s important to evaluate more than just the foundational ASPM capabilities. From working with our customers, we know that based on your existing AppSec maturity, it may be valuable to leverage an ASPM that has built-in testing tools. Additionally, ASPMs that provide software supply chain security, such as creating software bills of materials (SBOMs) and helping to secure development environments, are extremely valuable – especially if you don’t already have them.

Apiiro’s approach to ASPM

At Apiiro, we built one platform that unifies ASPM, AST, SBOM, and Software Supply Chain Security. By bringing together the best of ASPM along with key software supply chain security use cases, SBOM generation, and graph-based contextual inventory of your application components, Apiiro enables organizations to map their application attack surfaces, contextualize security alerts, correlate and prioritize risks, and remediate faster.

We are excited about Gartner’s recognition of the ASPM market and are extremely thrilled to be part of shaping its future. Get your copy of the Gartner Innovation Insight for Application Security Posture Management (ASPM), or get a demo to learn more about Apiiro’s unique, contextual approach to ASPM.


Gartner, Innovation Insight for Application Security Posture Management, Dale Gardner, Dionisio Zumerle, Manjunath Bhat, 4 May 2023
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Payton O'Neal