Welcome to 2024! I hope that as you're picking out resolutions, you're not looking to start something brand new but instead are resolving to do something old in a new way. Those resolutions tend to be stickier, in my opinion: the resolution to start working out will almost always fail, but one that involves continuing to do existing active things according to schedule sees more success. In that case, I'd like to talk about a couple of big things I'm watching for in 2024. AI and Application Security Posture Management (ASPM) are the exciting new things from where I'm sitting, but instead of talking about how new and exciting they are, I'd like to point out how they let you do old things in new ways.

Before I dive in, I'd like to thank you all for sticking around (or at least not unsubscribing) during my absence while I worked to get BSIMM14 out the door this year. I have thoughts about frameworks that I'd like to share here soon, but this isn't that post.

Here at Secure Humans, I've been very mindful not to talk about how exciting AI can be, in favor of focusing on the human element in security. However, AI is coming to help humans be more secure if they're already doing that, or it's coming to help companies be more insecure if they pull secure humans out of the mix. Unsupervised AI use is insecure AI use. I tell people that the next wave of corporate breach headlines, in the vein of unsecured AWS storage buckets, will be from companies using AI-powered tooling and taking the results as-is.

However, AI is coming whether we security professionals want it to or not. The marketing jargon will be too strong, the tools too shiny, and the promise of automated development and security too alluring. The major players have already started unveiling ML models that developers can integrate into their applications, and tool developers have had a full year to start taking advantage.

AI and ASPM

AI might begin by writing subpar code and making questionable decisions, speeding up processes but not necessarily improving them. This raises the question: are you prepared to swiftly evaluate the effectiveness of these tools? Do you have the necessary visibility and control over your data and tools from a single interface, or does each new tool add complexity to your system? Can you pull all the levers and read the right dials from one place, or does each new tool mean another UI, another data source, and another dashboard to forget about?

That's where ASPM comes into play. Back when humans did all the work, centralizing control often meant using a single interface - Outlook's meeting invite. Now, automation-infused SDLCs mean that such gathering of functionality and metrics into one place needs more automation. You're probably already doing security posture management - gathering an inventory of assets to secure, doing risk analysis, making decisions about security, and reporting on all that - ASPM is all about doing that in a new way.

When I talk about metrics, I often talk about the need for a "Single Source of Truth" (SSoT from here), one spot that all security telemetry is loaded into and then displayed, which lets security teams know what's really happening. ASPM is taking that and turning an SSoT metrics dashboard into an orchestration suite that handles inventory, risk policy, and decision enforcement.

Some companies have attempted to move into the ASPM space by partnering to close gaps in that capability list, but while doing old things is good, this approach misses the spirit of Single Source of Truth 2.0 in favor of simply covering ground. Having the SSoT ethos in place is vital when wrangling AI-provided inputs, outputs, decisions, and policy into the SDLC, as the AI multiplies the amount of data security teams will have to consume and make decisions about.

Instead, if ASPM is on your 2024 security resolutions (do security posture management better), here are some questions you can ask while selecting or building a solution:

1. What do I care about today? Catalog the risks that are scariest and already on your radar. Review the application inventory and see if there are any patterns around the crown jewels. Patterns such as mobile or containerized architecture, cloud hosting, or microservice and API dependencies. Can your ASPM solution tell stories about those trends?

2. What data is feeding my decisions today? List out which tooling, process, and testing inputs are taken into account when allocating security budget and resources. Figure out what tools are providing that data and who is running them. The best ASPM solutions should work with existing tooling while being flexible enough to integrate new sources.

3. What policy is being enforced and when? There are various ways that bad software can be kept out of production. Understand what policy and standards are in place, when they can be applied, and who is approving their enforcement. ASPM will need to factor in cloud, IT, ops, change management, legal, and other sources to really hit that SSoT note.

4. Who needs data to make the right decision at the right time? There are more stakeholders than just developers and security. ASPM solutions will need to provide reports or alerts to other stakeholders who care about the business functions that in-scope software is supporting. Not every stakeholder cares about every metric, and they don't all need to receive it in the same way.

5. What will I care about in the future? The way things are today isn't how they'll be tomorrow. Once the basics are accomplished - find bugs in code, fix bugs in code, repeat until testers and tools are happy - security professionals should start caring about proactive measures that enable developers to develop securely. An ASPM solution shouldn't just care about finding and fixing defects in an endless loop; it should provide metadata that can feed risk decisions. It should look for the use of security features and libraries that enable developers to pull secure-by-design off the shelf. It should reward good actions taken by security champions, developers, and engineers to measure the culture that software is built and operated in.

Once all those questions are asked, an ASPM solution should be sourced that makes sense in the context of the answers.

As AI comes home, make sure that your security posture management is ready because for every problem solved by AI, another will be created. The only way to really be secure in the age of AI is through automation because for every development task that is automated, there needs to be an automated security check to make sure it's not adding risk.

There's always more words to spend on a topic like this one, but I've hit my budget for now. Stay secure, and never forget the humans.

Share Secure Humans