Scanning & Governance Only Work if They Stay Separate
With the increased adoption of DevSecOps and accelerating software release cycles, organizations are facing a problem: there are too many security alerts coming from too many scanners across too many software assets. This leaves security teams drowning in siloed and disconnected alerts that get passed to development teams without sufficient context, causing friction and impacting releases.
More and more, the industry as a whole is recognizing the impact of this problem. The rise of security management layers with different scopes and focus areas, like Application Security Orchestration and Correlation (ASOC), Application Security Posture Management (ASPM), and Application Security Operations (AppSecOps) is a testament to that. Security leaders are now faced with the decision of how best to incorporate governance, workflow management, and orchestration into their existing security programs.
Approaches to building an AppSec program
There are three primary ways to approach technology selection. One approach is to build it yourself. This makes sense for teams with an abundance of time and resources, as they can customize the solution to their heart's content. The downside is the size of the initial investment and the ongoing upkeep required. The second way is a portfolio approach, where you buy everything from one vendor. This can work for smaller organizations, or for ones where the quality of any individual tool is less important than simplicity of procurement. However, no one vendor can be great at every element of a security program, or even across every language for a single SAST product, for example. The third and most common approach is "best-of-breed": selecting, for each need, the tool that best fits your application security program.
For the majority of security leaders, the best-of-breed approach to technology selection is the preferred strategy for creating their AppSec program. In the 2022 State of AppSecOps survey, 52% of security leaders said they took a best-of-breed strategy for choosing their security tooling. In 2023, the number increased to 57%.
It makes sense, as best-of-breed allows organizations to use the best possible tool for every given use case. Different areas of security and the DevSecOps pipeline have different focuses and requirements, and no single vendor can be the best everywhere that matters. Even if a vendor is strong in the areas of most importance to your organization, security is a space of rapid evolution, and your needs may change quickly. Best-of-breed enables security leaders to put the strongest tool in place for every area of their ecosystem and avoid lock-in in any given area. The downside of best-of-breed is that it builds in some chaos. Tools from different vendors or open-source offerings aren’t built to talk to each other, creating silos and disconnected information. This creates a demand for a management layer, or glue, to bring everything together.
Governance & scanning are like oil & water
If you’ve taken a best-of-breed approach to security tooling, like most organizations, then your management layer has to be separate from your application security testing tools. A governance tool that also does its own scanning will naturally prioritize the results from its own scans and invest much less in integrations with competing tooling. Likewise, a CNAPP or AST tool that adds governance capabilities will put its own scanning results front and center and work far less well with scanners and testing tools it sees as competitive. Competing vendors may not even allow that CNAPP or AST tool to integrate with their products in the first place, leaving unavoidable gaps in coverage. It’s the natural order of business: it’s too tempting to play favorites with your own portfolio, from both a technical and a sales perspective, and competitive overlap causes friction. We’ve seen it happen time and time again in the industry. It would be like putting a car manufacturer in charge of transportation planning for a city. You’ll end up with lots of roads and very few trains, regardless of what may be best for the city.
The result of combining scanning with governance is that security teams can no longer do best-of-breed, because the scanners they choose won’t be treated equally with the ones offered by the governance tool. Even if their current tooling works with the scanning-plus-governance solution, what happens when they want to retire a scanner and replace it with a competing one? They will either have to accept sub-optimal governance of the new scanner’s findings, or be unable to switch at all and end up pushed toward a portfolio approach, where the choice of one vendor dictates their other tooling choices. Consolidation here is the enemy of best-of-breed. A truly vendor-neutral, or better still vendor-inclusive, management layer is a must for any organization that wants best-of-breed security tooling. The incentives just don’t align otherwise.
Design the right AppSec program for you
Security leaders must think holistically about their AppSec program. Make your choices with the end state in mind. If, like most security leaders, you want a best-of-breed program, then make sure that principle applies not only to the scanners and testing tools across your ecosystem but also to the governance tool that brings everything together.
At ArmorCode, we truly believe that scanners and governance cannot co-exist in one platform, which is why ArmorCode does not scan any part of your ecosystem directly. Many scanners are open source and would be easy to incorporate, but we believe that approach will only hurt customers and create a conflict of interest. A management layer must treat every source tool and integration equally because what matters is supporting the user’s tooling choices and ecosystem, not catering to the vendor’s preferences.