This is the third in a three-part series describing the thought process and functionality behind SaltMiner, the first true enterprise application security management tool and data warehouse. Read the first two installments: Delivering AppSec Program Visibility at Scale and Design Objectives.
First, we drew upon our application security program experience to define the pain enterprises have in managing their application security data and determining their true application security posture. Then, we defined the characteristics and requirements necessary to manage an application security program from a data management perspective. Now, we want to describe what we built and how it helps enterprises manage and report on their application security to a level that simply hasn’t been possible until now.
Functionally, SaltMiner helps enterprises:
- See all vulnerabilities across all applications in an entire organization in a single dashboard view
- Manage thousands of applications and scans, and all the testers who interact with them
- Aggregate and analyze application testing results no matter their technology of origin
- Prove compliance by ensuring applications are being tested with the right technology at the right time in the right order
To enable that functionality, we designed and built SaltMiner with three key architectural supports:
SaltMiner supports fast and scalable integration of your existing testing methodologies and results. SaltMiner gives an enterprise the ability to synchronize their testing results across their entire organization via REST APIs. So no matter the methodology, the results can be imported in a synchronized process.
Caption: SaltMiner’s aggregation technology, synchronizing data across the entire organization
SaltMiner’s ETL processes integrates the application security data from various security testing tools and techniques and stores it in one central database. Each process is customizable based on each unique customer needs and environment.
SaltMiner scales linearly so when needed servers can be added on the fly (aka the same process Google relies on for speed). SaltMiner leverages ElasticSearch and Kibana to manage results and reporting. This serves to make SaltMiner scalable for a large number of users while also being cost effective. SaltMiner also relies on the same integrated and standards-based authentication and authorization. And it means the data is open to your business needs with the appropriate level of security.