It’s no stretch to say that at Saltworks Security, we’ve been involved with application security since its earliest days. One thing that has remained a constant over the years- enterprises still struggle to answer a fundamental question: how many application vulnerabilities do we have? While this is a simple question, finding the answer has not been easy, especially at scale or as part of repeatable and reliable processes. We’ve decided to change that with SaltMiner.
SaltMiner is an enterprise dashboard for Application Security Management. Regardless of origin, it aggregates, standardizes, and reports assessment results into a single pane of glass.
SaltMiner provides clarity across the enterprise, which enables you to manage your Application Security program effectively.
With SaltMiner, enterprises have an automated way to aggregate, analyze, and report on results from scans conducted using different technologies, and to do it at scale. To paraphrase Peter Drucker, you can only manage what you can measure. With SaltMiner, that now includes application security program success.
But we don’t want to just introduce SaltMiner and its components without first describing the enterprise application security challenges it solves and the design objectives behind it. We’ll be doing that in a series of blog posts. This first installment describes the problems we’ve encountered while helping enterprises secure their applications, and the opportunity we saw to help enterprises improve how they manage their application security.
Enterprise AppSec problems and opportunity
A big reason why enterprises struggle to capture a holistic picture of their application security risk is because there hasn't been a single package that can collate and manage results across different testing tools and methodologies. SAST, DAST, OSS and Pen Testing produce different results- not only in which vulnerabilities they find, but also in how they report on those vulnerabilities. While enterprises can generally measure the effectiveness of one tool in their arsenal, manually combining the results of these tools into a holistic picture is a much more complicated, labor-intensive, and inherently error-prone process.
Part of the problem is that vendors have more than a slight interest in keeping you loyal to their platform and using their reporting mechanisms. Intended or not, this approach has the consequence of making it more difficult to share and collate results across different products. What that really means for enterprises, though, are additional costs in time, money, and manual labor requirements. Manual correlation takes a significant investment in resources and time. And it also makes it harder to answer not only the initial question of how many vulnerabilities you have, but also other basic, but fundamental questions that must be answered to create the best possible security outcomes. Am I scanning the things I should scan? Am I testing them properly? And finally, am I fixing them? All of the answers to these questions need to be tracked over time, to measure progress and the overall success of the program.
Those are all enterprise-level problems. However, the lack of answers for these questions also makes it incredibly challenging for enterprises to filter down and answer key business questions around specific divisions or compliance standards. Showing trends over time is complicated, but showing progress over time is more akin to painful. Framed another way, it’s not automated, and makes the enterprise-level scaling necessary to do it very hard to accomplish successfully.
For the best possible security outcomes, Business Units need to be able to see how they are trending over time. This helps them to prioritize which vulnerabilities to address. They also need the ability to drill down into their application security results to answer specific business questions around compliance and other initiatives.
Next up: SaltMiner – Design Objectives