Most AppSec teams are not yet aware of it; some plan to take action this year, and some have tried to build one internally. But what is an ASOC tool?
Application Security Orchestration and Correlation (ASOC) is a technology for security teams to manage security testing tools and vulnerability remediation processes.
A modern ASOC Tool should be able to integrate with all kinds of vulnerability scanning tools, issue managers, notification tools and application lifecycle management tools.
ASOC tools are relatively new in the market, and according to Gartner, only 5-20% of application security teams are aware of application security orchestration and correlation tools.
As the rules of the game are still being set, it is essential to talk about what matters in practice:
1- Flexibility: There is no one-size-fits-all solution in the ASOC world. These tools need a flexible architecture that can be easily configured to meet the custom needs of each organization.
2- Scalability: As these tools manage all vulnerabilities coming from multiple security tools, they must perform well under heavy load.
3- Role-based views: ASOC is meant to function as a single source of truth for multiple teams; only the relevant data and permissions should be presented to each stakeholder.
4- Speed: You have another feature request for an alternative view or integration; how long will it take your ASOC partner to build it?
If you hear “we update it quarterly”, it is a clear red flag.
The famous saying goes, “Software will eat the world, in all sectors. So companies need to adapt, or they will become extinct. In the future, every company will become a software company.”
While software development teams grow exponentially, security teams can hardly grow due to a shortage of security engineers in the market.
New security tools also keep popping up, which makes it even harder for understaffed security teams to keep up without orchestration and automation. This is exactly where ASOC tools come into play.
As we know, any solution that doesn't take automation into account is incomplete. So you need to integrate all these individual tools into your CI/CD pipeline and then into your issue management system, or, better, use an ASOC tool for all of this.
All tools are integrated, scans are being triggered, and you assign JIRA tickets to your developers; all great.
But then you have nine different tools producing vulnerability findings before anything reaches the development teams, which means nine different issue reports and nine different security standards. That is far from ideal.
With your ASOC Tool, whether it comes from source code scanning results or container image scans, you have your vulnerability territory under control.
If you are the captain of an enterprise ship, you have to think about different teams, business units, locations, projects…
Each project's risk factors and SLAs are different; not all Criticals are created equal, as you know.
Finally, cybersecurity is no longer seen as a luxury investment but as a necessary one. Still, it remains hard for cybersecurity teams to quantify their success or get recognition in board meetings.
Imagine it is your CISO's turn in the quarterly board meeting, and he says, “We've fixed 24 more XSS issues than last quarter”. Who cares? Or what if they ask, “Are we more secure than last quarter?”…
We can do better than this: gear up our teams to see where they need to focus, and feed our CISO meaningful data to understand where this ship is going.
All security trends, risk scores and vulnerability remediation metrics for each project/business unit should be within your ASOC tool's reach.
You have the best security testing tools and processes and have uncovered all the issues: 44 critical, 121 high, 455 medium, 19 low. Then what?
There is a chain of questions waiting in line:
a- Who needs to see these issues?
b- What actions need to be taken now? (take down, pullback)
c- How fast do we have to fix it (SLAs)?
d- Who should be informed if it gets overdue?
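As an added illustration (not part of the original article or of any product's code), a small Python sketch of what an ASOC tool does behind those questions: it correlates the same weakness reported by several tools, applies a per-project SLA, and decides who gets notified when a fix is overdue. The findings, project policies and role names are constructed assumptions.

```python
from datetime import date, timedelta
# Constructed sample findings: two SAST tools report the same weakness at the
# same location in the "payments" project, plus one container-scan finding.
RAW_FINDINGS = [
    {"tool": "sast-a", "project": "payments", "cwe": "CWE-89",
     "location": "src/db.py:42", "severity": "critical", "found": "2022-05-01"},
    {"tool": "sast-b", "project": "payments", "cwe": "CWE-89",
     "location": "src/db.py:42", "severity": "high", "found": "2022-05-03"},
    {"tool": "image-scan", "project": "marketing-site", "cwe": "CWE-79",
     "location": "web/form.js:17", "severity": "critical", "found": "2022-04-01"},
]

# Hypothetical per-project policy: days allowed per severity, and who is told
# when a fix is overdue. A Critical in payments is not a Critical on the website.
PROJECT_POLICY = {
    "payments": {"critical": 7, "high": 14, "medium": 30, "low": 90,
                 "escalate_to": "ciso"},
    "marketing-site": {"critical": 30, "high": 60, "medium": 90, "low": 180,
                       "escalate_to": "team-lead"},
}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def correlate(findings):
    """Merge findings that point at the same weakness at the same location,
    keeping the highest reported severity and the earliest discovery date."""
    merged = {}
    for f in findings:
        key = (f["project"], f["cwe"], f["location"])
        cur = merged.get(key)
        if cur is None:
            merged[key] = {**f, "tools": {f["tool"]}}
            continue
        cur["tools"].add(f["tool"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[cur["severity"]]:
            cur["severity"] = f["severity"]
        cur["found"] = min(cur["found"], f["found"])  # ISO dates sort as text
    return list(merged.values())


def assign_sla(finding, today_iso):
    """Compute the due date from the project policy and decide who to notify."""
    policy = PROJECT_POLICY[finding["project"]]
    due = date.fromisoformat(finding["found"]) + timedelta(days=policy[finding["severity"]])
    finding["due"] = due.isoformat()
    finding["overdue"] = date.fromisoformat(today_iso) > due
    finding["notify"] = policy["escalate_to"] if finding["overdue"] else "developer"
    return finding


def triage(findings, today_iso):
    return [assign_sla(f, today_iso) for f in correlate(findings)]
```

Running `triage(RAW_FINDINGS, "2022-05-05")` collapses the two SAST reports into one critical finding owned by the developer, while the older website finding is already past its 30-day SLA and is routed to the team lead.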
Who Watches the Watchmen?
This is an underrated problem: Account Management.
Did you remove the security testing tool access for the developer who left the company two months ago? Hmm…
Sure, nobody asked you to do it, but guess what? You don't want your issue tickets to be in public records.
You can connect your single sign-on platform to the ASOC tool, and it will manage not just authentication but also user provisioning.
User Types in Kondukto:
Is there any other requirement from an ASOC that you have… but didn’t see in this article? Or maybe you have a question.
Either way, let me know by leaving a comment below right now.
appsecsanta.com is part of CNT Friends Oy registered in Finland. Company No: 2993839-3 | © 2019-2022. All rights reserved.