Educational, Event

Webinar Recap: Reimagining Application Security Posture Management

Timothy Jung
Marketing
Published April 18 2025 · 2 min. read

In a timely discussion hosted by S&P Global Market Intelligence, Principal Research Analyst Daniel Kennedy sat down with Idan Plotnik (Founder of Apiiro) and Jason Espone (Global Head of Application Security Engineering at C.H. Robinson) to explore the evolution of Application Security Posture Management (ASPM). With application environments growing increasingly complex, the panel addressed how ASPM is emerging as a core solution for managing fragmented toolsets, surfacing real risks, and helping security and development teams scale effectively.

Why ASPM Is Emerging as the Core of AppSec Strategy

Daniel Kennedy opened the session by noting that ASPM is poised to become the “center of gravity” for application security platforms. Rather than relying on disjointed tools that overwhelm teams with alerts and lack meaningful prioritization, ASPM offers a framework for correlation, context, and clarity.

ASPM has roots in application security orchestration and software supply chain risk management, but it has matured into a broader, more intelligent platform that consolidates risk across the entire SDLC.

Practitioner Pain Points: Too Many Tools, Not Enough Insight

Both Idan and Jason shared war stories from years of building AppSec programs in large-scale environments. Common challenges included:

  • Manual, performative reviews that slow down release velocity
  • Overload of false positives from AST tools like SAST, DAST, and SCA
  • Lack of actionable correlation between scan results and actual code risk
  • Friction between security teams and developers due to noise and misaligned priorities

Jason noted, “We had three AppSec folks and 800 developers. Peer review was just not scalable.”

The Shift: From Scan Results to Material Code Changes

We’re now seeing a shift from managing vulnerability scans to understanding material code changes. Findings can be categorized into four types: known vulnerabilities, unknown threats (like malware), misconfigurations, and material changes. The last category—such as introducing a GenAI framework or changing authentication logic—can carry significant risk even if no CVE is present.

Apiiro’s deep code analysis (DCA) is a foundational capability that allows teams to map software architecture, flag risky changes, and triage issues earlier in the development lifecycle.
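The four finding types above, and the idea that a code change can be risky without any CVE attached, are easiest to see in code. The following is an added example written for this recap, not Apiiro's deep code analysis or any code from the webinar: it sorts constructed scanner findings into the first three categories and scans a constructed unified diff for the fourth, treating edits to authentication-related files and newly added GenAI framework dependencies as material changes. The file-path pattern, the package list, and all sample data are assumptions made for the illustration.

```python
"""Sort AppSec signals into the four finding types discussed above.

Hypothetical example (not Apiiro's code): scanner findings become known
vulnerabilities, unknown threats or misconfigurations; a unified diff is
scanned for material changes. All input data here is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

KNOWN_VULNERABILITY = "known_vulnerability"
UNKNOWN_THREAT = "unknown_threat"
MISCONFIGURATION = "misconfiguration"
MATERIAL_CHANGE = "material_change"

# Assumed signals of a material change (illustrative, not an official list):
# a file or directory named like authentication logic ...
AUTH_PATH_RE = re.compile(r"(^|/)(auth|login|session|oauth|sso)(_\w+)?(/|\.\w+$)", re.I)
# ... or a GenAI framework added to a dependency manifest.
GENAI_PACKAGES = {"openai", "langchain", "anthropic", "transformers", "llama-index"}
DEP_FILES = {"requirements.txt", "package.json", "go.mod", "pom.xml"}


@dataclass
class Finding:
    tool: str            # which scanner produced it
    kind: str            # "sca", "sast", "iac", "config", "malware", ...
    cve: Optional[str]   # None when no public identifier exists
    path: str
    detail: str


def classify_finding(f: Finding) -> str:
    """Map a scanner finding to one of the three non-diff categories."""
    if f.cve:
        return KNOWN_VULNERABILITY
    if f.kind == "malware":
        return UNKNOWN_THREAT
    if f.kind in ("iac", "config"):
        return MISCONFIGURATION
    return UNKNOWN_THREAT  # no identifier and not a config issue: unknown


def parse_diff(diff_text: str) -> dict:
    """Return {path: [added lines]} from a unified diff."""
    files, current = {}, None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current = line[4:].strip()
            current = current[2:] if current.startswith("b/") else current
            files[current] = []
        elif current is not None and line.startswith("+") and not line.startswith("+++"):
            files[current].append(line[1:])
    return files


def material_changes(diff_text: str) -> list:
    """Flag edits to auth logic and newly added GenAI dependencies."""
    out = []
    for path, added in parse_diff(diff_text).items():
        if AUTH_PATH_RE.search(path):
            out.append({"path": path, "category": MATERIAL_CHANGE,
                        "reason": "authentication logic changed"})
        if path.rsplit("/", 1)[-1] in DEP_FILES:
            for line in added:
                # first token of "pkg==1.0", '"pkg": "^1.0"' or "pkg>=2"
                name = re.split(r"[=<>~!\[ \"':@]", line.strip().lstrip("\"'"), maxsplit=1)[0].lower()
                if name in GENAI_PACKAGES:
                    out.append({"path": path, "category": MATERIAL_CHANGE,
                                "reason": f"GenAI framework added: {name}"})
    return out


def triage(findings: list, diff_text: str) -> dict:
    """Group everything into the four buckets for prioritisation."""
    buckets = {KNOWN_VULNERABILITY: [], UNKNOWN_THREAT: [], MISCONFIGURATION: [], MATERIAL_CHANGE: []}
    for f in findings:
        buckets[classify_finding(f)].append({"path": f.path, "source": f.tool, "detail": f.detail})
    buckets[MATERIAL_CHANGE].extend(material_changes(diff_text))
    return buckets


# Constructed sample input: three scanner findings and one pull-request diff.
SAMPLE_FINDINGS = [
    Finding("sca-scanner", "sca", "CVE-XXXX-XXXXX", "requirements.txt", "outdated library (placeholder CVE id)"),
    Finding("iac-scanner", "iac", None, "terraform/storage.tf", "bucket policy allows public read"),
    Finding("dep-scanner", "malware", None, "vendor/unknown-pkg", "install script behaviour flagged"),
]
SAMPLE_DIFF = """\
diff --git a/src/auth/handlers.py b/src/auth/handlers.py
--- a/src/auth/handlers.py
+++ b/src/auth/handlers.py
@@ -10,2 +10,4 @@
 def login(request):
+    if token := request.headers.get("X-SSO"):
+        return sso_login(token)
     return password_login(request)
diff --git a/requirements.txt b/requirements.txt
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,3 @@
 requests==2.31.0
+langchain==0.1.0
 flask==3.0.0
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # demo
+Updated docs.
"""

if __name__ == "__main__":
    for category, items in triage(SAMPLE_FINDINGS, SAMPLE_DIFF).items():
        print(category, items)
```

On the sample input the diff produces two material changes (the new SSO branch in the auth handler and the added `langchain` dependency) while the README edit is ignored; neither would appear in a CVE-driven scan, which is the point the panel made.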

ASPM as the SDLC System of Record

In a surprising but intuitive new use case, large enterprises are beginning to adopt ASPM as their SDLC system of record, consolidating evidence from code reviews, bug bounties, runtime tools, and more into one platform. This reduces manual overhead and enables better compliance and audit readiness, particularly for second- and third-line defense functions.

In the webinar, Jason echoed this trend, highlighting how ASPM can unify signals across the SDLC and offer a “single pane of glass” for executive-level risk reporting.

Final Thoughts: ASPM Is Not One-Size-Fits-All—And That’s the Point

ASPM is still an evolving category, and for good reason. Every enterprise has different tech stacks, architectures, and risk tolerances. As Jason noted, “Security isn’t just about the CVSS score anymore. It’s about context, ownership, and what’s truly critical.”

Idan emphasized that Apiiro’s approach isn’t just about aggregation. It’s really about building on a foundation of real software understanding, supporting over 2,000 frameworks across 17+ languages.

Want to dive deeper?

You can watch the full webinar to hear more about how organizations like C.H. Robinson are using ASPM to scale their security efforts without slowing down development.