AppSec Santa

Application Security Orchestration and Correlation

Summary

Most AppSec teams are not yet aware of it, some are planning to take action this year, and some have tried to build it in-house. But what exactly is an ASOC tool?


[Image: Herbert von Karajan conducting in 1941]

What is Application Security Orchestration and Correlation?

Application Security Orchestration and Correlation (ASOC) is a technology that lets security teams manage their security testing tools and their vulnerability remediation processes from one place.

A modern ASOC tool should be able to integrate with all kinds of vulnerability scanning tools, issue trackers, notification tools and application lifecycle management tools.

ASOC Tools Integrations

How to choose your ASOC Tool?

ASOC tools are relatively new in the market, and according to Gartner, only 5-20% of application security teams are aware of application security orchestration and correlation tools.

As the rules of the game are still being set, it is essential to talk about what matters in practice:

1. Flexibility: There is no one-size-fits-all solution in the ASOC world. These tools need a flexible architecture that can be easily configured to meet the custom needs of each organization.

2. Scalability: As these tools manage all vulnerabilities coming from multiple security tools, they must perform well under heavy load.

3. Role-based views: ASOC intends to function as a single source of truth for multiple teams, so only the relevant data and permissions should be presented to each stakeholder.

4. Speed: You have another feature request for an alternative view or integration; how long will it take your ASOC partner to build it? If you hear "we update it quarterly", it is a clear red flag.

Main Benefits of Using an ASOC Tool

The famous saying goes, “Software will eat the world, in all sectors. So companies need to adapt, or they will become extinct. In the future, every company will become a software company.” 

While software development teams grow exponentially, security teams can hardly grow at all because of the shortage of security engineers in the market.

New security tools also keep popping up, which makes it even harder for understaffed security teams to keep up without orchestration and automation. This is exactly where ASOC tools come into play.

1️⃣ Save time from Integrations

As we know, any solution that doesn't take automation into account is incomplete. So you either integrate each of these individual tools into your CI/CD pipeline and then into your issue management system yourself, or, better, you use an ASOC tool to do all of this for you.

2️⃣ One Tool to rule them all

All tools are integrated, scans are being triggered, and you assign JIRA tickets to your developers. All great.

But with nine different tools, you have nine separate issue reports and nine severity standards to reconcile before anything reaches the development teams, which is far from ideal.

[Image: too many browser tabs]

With your ASOC tool, whether a finding comes from source code scanning or from container image scans, you have your whole vulnerability territory under control.

Dependabot SCA Scan Results

If you are the captain of an enterprise ship, you have to think about different teams, business units, locations, projects…

Each project's risk factors and SLAs are different; as you know, not all Criticals are created equal.

Kondukto Projects Dashboard

3️⃣ Security KPIs to monitor risks

Finally, cybersecurity is no longer deemed a luxury investment but a necessary one. Still, cybersecurity teams find it hard to quantify their success or to get recognition for it in board meetings.

Imagine it is your CISO's turn in the quarterly board meeting, and he says, "We've fixed 24 more XSS issues than last quarter". Who cares? Or what if the board asks, "Are we more secure than last quarter?"…

[Image: CISO in an ineffective meeting]

We can do better than this: gear up our teams to see where they need to put more effort, and feed our CISO meaningful data so that he understands where this ship is going.

All security trends, risk scores and vulnerability remediation metrics for each project or business unit should be within your ASOC tool's reach.

4️⃣ Communication is the Key

[Image: Corbis Historical via Getty Images]

You have the best security testing tools and processes and have uncovered all the issues: 44 critical, 121 high, 455 medium, 19 low. Then what?

There is a chain of questions waiting in line:

a. Who needs to see these issues?

b. What actions need to be taken now? (take down, pull back)

c. How fast do we have to fix them (SLAs)?

d. Who should be informed if an issue becomes overdue?

[Image: Who Watches the Watchmen?]
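The correlation and SLA side of those four questions, as an added example that is not code from the original post or from Kondukto: two constructed scanner feeds are merged into one record per finding (the same XSS reported by two tools collapses into one, keeping the earliest discovery date and the highest severity), and a per-severity SLA table, which is an assumption here, decides what is overdue and who has to be informed. The tool names, file paths and escalation contacts are all made up for the example.

```python
from datetime import date, timedelta
# Assumed SLA table (days to fix) and escalation contact per severity; not page data.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
ESCALATE_TO = {"critical": "ciso", "high": "appsec-manager"}  # others: team lead
RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}
# Constructed findings from two scanner feeds; feed B re-reports feed A's XSS.
FEED_A = [
    {"tool": "sast-a", "rule": "xss", "file": "app/views.py", "line": 42,
     "severity": "high", "found": date(2023, 1, 2)},
    {"tool": "sast-a", "rule": "sqli", "file": "app/db.py", "line": 17,
     "severity": "critical", "found": date(2023, 1, 10)},
]
FEED_B = [
    {"tool": "sast-b", "rule": "xss", "file": "app/views.py", "line": 42,
     "severity": "critical", "found": date(2023, 1, 5)},
    {"tool": "sca-b", "package": "lodash", "version": "4.17.15",
     "severity": "medium", "found": date(2023, 1, 12)},
]

def fingerprint(f):
    """Tool-independent identity: rule at a code location, or package@version."""
    if "rule" in f:
        return ("code", f["rule"], f["file"], f["line"])
    return ("dep", f["package"], f["version"])

def correlate(*feeds):
    """Merge per fingerprint: earliest found date (SLA clock), highest severity."""
    merged = {}
    for f in (f for feed in feeds for f in feed):
        key = fingerprint(f)
        if key not in merged:
            merged[key] = dict(f, tools=[f["tool"]])
            continue
        m = merged[key]
        m["tools"].append(f["tool"])
        m["found"] = min(m["found"], f["found"])
        if RANK[f["severity"]] > RANK[m["severity"]]:
            m["severity"] = f["severity"]
    return list(merged.values())

def sla_report(findings, today_iso):
    """Due date per finding and, once overdue, who has to be informed."""
    today = date.fromisoformat(today_iso)
    rows = []
    for f in findings:
        due = f["found"] + timedelta(days=SLA_DAYS[f["severity"]])
        late = today > due
        notify = ESCALATE_TO.get(f["severity"], "team-lead") if late else None
        rows.append({"key": fingerprint(f), "severity": f["severity"],
                     "due": due.isoformat(), "overdue": late, "notify": notify})
    return rows
```

Run `sla_report(correlate(FEED_A, FEED_B), "2023-01-20")` to get the escalation list for that day; the same structure feeds a role-based view, since each row carries the severity and contact that decide who sees it.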

5️⃣ Manage your teams and business units

This is an underrated problem: account management.

Did you remove the security testing tool access for the developer who left the company two months ago? Hmm…

Sure, nobody asked you to do it, but guess what? You don't want your issue tickets to become public record.

[Image: Kondukto Single Sign-On]

You can connect your Single Sign-On platform to the ASOC tool, so that it handles not just authentication but user provisioning as well.

User Types in Kondukto:

  • Admin
  • Manager
  • Team Lead
  • Developer
  • Pentester


[Image: Kondukto User Management]

6️⃣ Get Access to Kondukto

You can get a full-featured trial account on Kondukto here:

⁉️ Anything I missed?

Is there any other requirement you have of an ASOC tool that you didn't see in this article? Or maybe you have a question.

Either way, let me know by leaving a comment below right now.
