ASPM has evolved over the past year, per Omdia, “to help both security teams and developers make the application code their organization is producing more secure, which entails identifying any of a number of potential security issues, prioritizing them according to their criticality, and suggesting ways of remediating them.”
Behind such a seemingly straightforward definition, however, lies a more complex backstory and even more nuanced capabilities—all of which are outlined in Omdia’s Market Landscape: Application Security Posture Management (ASPM) authored by Senior Principal Analyst, Cybersecurity at Omdia, Rik Turner.
Keep reading for our take on the market landscape—distilled into 4 key ASPM questions answered—or get a copy of the full guide here.
Although application security posture management (ASPM) shares three words with other security posture management (SPM) variants (e.g., CSPM, DSPM), the major difference, which Omdia points out, is that ASPM wasn’t born in a vacuum. ASPM emerged as a layer on top of an already burgeoning application security testing (AST) market and a software supply chain security (SSCS) market that’s now gaining traction.
Because most enterprises have already “solved” the detection problem across different types of application security risks with various tools, ASPM is more focused on “the ability to aggregate, normalize, deduplicate, and correlate the findings of a multitude of other tools, then analyze the data, prioritizing the issues found and recommending remedial actions.”
Some ASPMs evolved from software supply chain security and application security testing. Some (like Apiiro) evolved from deep code analysis, and still others evolved from application security orchestration and correlation (ASOC).
Although ASOC has been around for the better part of a decade, it never gained much traction—likely because it didn’t provide enough value as an aggregator. ASPM takes ASOC’s goal of aggregating disparate security findings into a single view and ups the ante. Like the other security posture management (SPM) variants, ASPM requires “inventory, analysis, prioritization, and recommendations for remedial action as core elements,” leading us to our next takeaway.
Most enterprises seeking out an ASPM share the goal of focusing on the risks that matter most—in other words, prioritization. On the surface, that’s a simple goal, but in reality, it’s much more complicated, due in large part to the “‘big data’ challenge that is alert noise and the ensuing fatigue among security professionals.”
As Omdia points out, risk-based prioritization of security findings is only as effective as the underlying analysis and context powering said prioritization. This is where many ASPMs differ. Some offer little more than aggregating and grouping by CVE, while others (such as Apiiro) pull in various context sources—from deep code analysis to runtime connections to 3rd-party databases—to determine how risky a security finding really is. The key is to provide as much relevant context as possible so that each organization can define what risk means to their organization—and then, of course, take action. That means fixing business-critical risks and enforcing policies through automation workflows and developer guardrails.
Although by no means a “new” concept, shifting security checks as early into the SDLC as possible is core to ASPM’s proactive approach. ASPMs should be able to deliver on that promise with integrations into development tools and workflows, or even earlier, helping to assess potential risks before code is even written.
But because of the complexity and layers of abstraction within cloud-native applications, understanding code isn’t enough to adequately achieve the goal to (say it with us) prioritize based on real risk. ASPMs need to rely on runtime context to understand factors (e.g., is it deployed or internet-facing?) that may increase the likelihood of a risk actualizing. Only then will end users (both developers and AppSec teams) get reliable and useful data that helps them focus their efforts on the highest priority risks. This is the only way to truly move the needle in a market landscape chock-full of testing tools, under-staffed teams, and ever-growing lists of regulatory and compliance requirements to fulfill.
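To make the aggregate/normalize/deduplicate/prioritize pipeline described above concrete, here is a small added example (not code from Omdia's report or from Apiiro's product) that ingests constructed output from two hypothetical scanners with different schemas, collapses duplicate findings, and ranks them using constructed runtime context; the tool schemas, service names, `RUNTIME` context and the doubling weights for "deployed" and "internet-facing" are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Finding:
    tool: str
    cve: str
    component: str  # service or repo the finding belongs to
    severity: str   # normalized to low / medium / high / critical
# Constructed sample reports from two hypothetical tools with different schemas;
# the CVE ids are placeholders, not real identifiers.
SCA_REPORT = [
    {"vuln_id": "CVE-0000-0001", "pkg": "libexample", "repo": "payments-api", "sev": "HIGH"},
    {"vuln_id": "CVE-0000-0002", "pkg": "libother", "repo": "batch-reporter", "sev": "CRITICAL"},
]
CONTAINER_REPORT = [
    {"id": "CVE-0000-0001", "image": "payments-api:1.4", "score": 8.1},  # same issue as the SCA hit
]
# Constructed runtime context an ASPM would pull from deployment/runtime integrations.
RUNTIME = {
    "payments-api": {"deployed": True, "internet_facing": True},
    "batch-reporter": {"deployed": False, "internet_facing": False},
}
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def cvss_to_severity(score):
    # CVSS v3 qualitative bands
    return "critical" if score >= 9.0 else "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"

def normalize(sca, container):
    """Translate each tool's native schema into the common Finding shape."""
    out = [Finding("sca", f["vuln_id"], f["repo"], f["sev"].lower()) for f in sca]
    out += [Finding("container", f["id"], f["image"].split(":")[0], cvss_to_severity(f["score"]))
            for f in container]
    return out

def deduplicate(findings):
    """One CVE on one component is one issue however many tools report it; keep the worst rating."""
    best = {}
    for f in findings:
        key = (f.cve, f.component)
        if key not in best or SEVERITY_WEIGHT[f.severity] > SEVERITY_WEIGHT[best[key].severity]:
            best[key] = f
    return list(best.values())

def risk_score(f, runtime):
    """Severity is the scanner's opinion; deployment and exposure decide how likely it is to matter."""
    ctx = runtime.get(f.component, {})
    return SEVERITY_WEIGHT[f.severity] * (2 if ctx.get("deployed") else 1) * (2 if ctx.get("internet_facing") else 1)

def prioritize(sca, container, runtime):
    return sorted(deduplicate(normalize(sca, container)), key=lambda f: risk_score(f, runtime), reverse=True)
```

Note that the "critical" finding on the undeployed batch job ranks below the "high" finding on the internet-facing service once context is applied, which is exactly the reordering the text argues for.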
⬩⬩⬩
While the ASPM market is relatively new to the AppSec scene, it’s by no means lonely. Many vendors have joined the ASPM party to solve the very real challenges facing application security and development teams. Omdia’s observations and outlook on the ASPM market paint a picture of an exciting road ahead.
If you are looking for an ASPM, we highly recommend you take a look at Omdia’s market guide. It provides a solid outlook on the market, key vendor evaluation recommendations, and a full rundown of Apiiro’s strengths as a fully integrated and deep ASPM augmented by native AppSec solutions.