After working in the application security sector for more than 9 years, I see that most of the struggle is not in finding security vulnerabilities or in fixing them. The most common pain points are rather the ones below.
- Having a common enterprise vulnerability repository that aggregates all vulnerabilities and makes meaningful correlations between them.
- Business-aligned risk, where an XSS issue found in a business-critical app does not get the same priority as one found in a less critical intranet app.
- Innovation and automating manual tasks.
- Security metrics that tell the CISO office what the security posture is.
- The ability to keep issues from repeating, so that the fix you make today doesn’t break something and reintroduce an issue that was fixed last year.
- Arbitration – this is the most painful task: being stuck between the security group, who think that security is more important than functionality, and the business, who think that security is just a bottleneck.
There is not a single tool in the market that answers all six issues, but there are some tools that are at least attempting to find solutions to some of them. Some tools that I explored are:
- Tenable.io
- ThreadFix
- Code Dx
- Kenna Security
- Risk I/O
- Risk VM
Some common features of these tools:
- Vulnerability Aggregation – most of them accept vulnerability feeds from top SAST tools like Micro Focus Fortify, AppScan, Checkmarx and Veracode, DAST tools like WebInspect, Acunetix and Burp Suite, and threat intelligence tools.
- Vulnerability Tracking and Management – some of these tools integrate with defect trackers and ticketing tools like ServiceNow.
- Dashboard – the graphs of Kenna and Tenable.io are good when it comes to presenting meaningful information that can be processed further.
- Security Orchestration – Code Dx comes with built-in scan detection capability and bundled open source scanners, so that even if you don’t have a commercial scanner, you can still scan using the open source scanners without spending a single minute integrating the tools.
- Risk Scoring – some tools offer CVSS-based ranking that can be customized further.
- Automation – Code Dx provides options to add your own custom attack vectors, custom rules, etc.
Still, there is a long way to go, as most of these tools are either application security vulnerability aggregators or network security ones. There is not much meaningful correlation between different kinds of detection methods, and hence it is plain aggregation and consolidation of vulnerabilities.
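As an added illustration (not code from any of the tools above), here is a small Python sketch of three of the capabilities discussed in this post: aggregating findings from several scanners into one repository and correlating the same weakness reported by both SAST and DAST, weighting the CVSS score by business criticality so that an XSS in a payments app outranks the same XSS in an intranet wiki, and flagging regressions of issues that were marked fixed earlier. The scanner feeds, app names and criticality weights are all constructed for the example.

```python
from dataclasses import dataclass
# Assumed asset criticality weights (constructed): business-critical apps keep
# the full score, a less critical intranet app is discounted.
CRITICALITY_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.2}
ASSET_CRITICALITY = {"payments": "critical", "intranet-wiki": "low"}

@dataclass(frozen=True)
class Finding:
    tool: str      # scanner that reported it (sast / dast)
    app: str       # application the finding belongs to
    cwe: int       # weakness class, used to match findings across tools
    location: str  # URL path or file where it was found
    cvss: float    # CVSS base score as reported by the scanner

# Constructed sample feeds: a SAST and a DAST scanner reporting on two apps.
SAST_FEED = [
    Finding("sast", "payments", 79, "/checkout", 6.1),
    Finding("sast", "intranet-wiki", 79, "/search", 6.1),
]
DAST_FEED = [
    Finding("dast", "payments", 79, "/checkout", 6.1),  # same XSS as SAST
    Finding("dast", "payments", 89, "/api/orders", 9.8),
]

def correlate(*feeds):
    """One repository keyed by (app, cwe, location); each entry records every
    tool that saw the issue and the highest score any of them reported."""
    repo = {}
    for finding in (f for feed in feeds for f in feed):
        key = (finding.app, finding.cwe, finding.location)
        entry = repo.setdefault(key, {"cvss": finding.cvss, "tools": set()})
        entry["tools"].add(finding.tool)
        entry["cvss"] = max(entry["cvss"], finding.cvss)
    return repo

def business_risk(app, cvss):
    """CVSS score scaled by the asset's business criticality."""
    weight = CRITICALITY_WEIGHT[ASSET_CRITICALITY.get(app, "medium")]
    return round(cvss * weight, 1)

def prioritised(repo):
    """(key, business risk, tools) rows, highest business risk first."""
    rows = [(k, business_risk(k[0], e["cvss"]), sorted(e["tools"]))
            for k, e in repo.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def regressions(current_repo, previously_fixed):
    """Issues marked fixed in an earlier cycle that reappear in this scan."""
    return sorted(set(current_repo) & set(previously_fixed))
```

The same XSS reported by both scanners collapses into one entry seen by two tools, and the intranet copy of that XSS drops to the bottom of the list once business criticality is applied.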