ASOC solutions were among the first to combine and correlate vulnerability information from AST tools. ASPM takes the concept of ASOC one step further, collecting data from even more sources, such as production monitoring tools, to provide a more comprehensive and actionable approach to application security management.
While ASOC typically focuses on preproduction use cases, ASPM can be used for both preproduction and production, making it a more versatile and useful solution for a wider range of DevOps teams. For example, line-of-business managers need to understand the effectiveness of their AppSec tools and procedures, and ASPM can provide them with complete visibility into process and performance across development, operations, and security teams. DevOps teams, for their part, want a centralized view of issues so they can identify the activities that will have the most impact. And those whose focus is on security need to cut through the noise to prioritize critical issues quickly.
ASOC tools typically focus on identifying and reporting software vulnerabilities. ASPM tools, on the other hand, can help teams prioritize vulnerabilities based on their risk, and can help monitor and track the remediation of those vulnerabilities. By providing visibility into production environments, ASPM also helps shorten lengthy remediation times for deployed applications. This is particularly important given that most exploits appear within days after a vulnerability is disclosed.
In the Synopsys DevSecOps report survey, respondents were asked how long it takes their organization to patch or resolve critical security risks and vulnerabilities for applications that are already deployed or in use. As shown below, nearly three-quarters noted that their organizations can take anywhere from two weeks to a month to patch known critical vulnerabilities.