ASPM buyer’s guide: 7 products to help secure your applications


Protecting enterprise applications requires constant vigilance and the right collection of defensive tools. Just as cyberthreats have become more complex and difficult to discover, so too have the applications that fuel your enterprise, living as they do in an assortment of domains, including the cloud, containers, and on premises. This presents all sorts of challenges for traditional security tools, which have struggled to keep pace.

Enter application security posture management (ASPM). ASPM offers a comprehensive approach to securing applications across their lifecycles. It joins a range of other security posture management tools, including data-, cloud-, and AI-focused ones, in aiding security teams in shoring up enterprise defense.

“ASPM has evolved and expanded in the past few years,” Katie Norton, research manager of DevSecOps and software supply chain security at IDC, tells CSO. “You need a lot more context about your applications. Organizations are buried in backlogs of vulnerabilities that no dev team could possibly remediate and need these tools to help prioritize and fix the most important ones.”

This has made the category more important as the application environment continues to evolve and as security challenges grow.

ASPMs are a natural complement to other security tools, and indeed there are vendors who offer platforms that combine two or more “postures.” Various sources agree that any ASPM should focus on three critical areas:

Protect the software development lifecycle (SDLC) and supply chain pipelines

Automate software testing

Integrate with various applications to mitigate and remove various risks

Features offered by ASPMs vary widely. As a result, tools can prove difficult to evaluate in terms of exactly what is being protected, what data and metadata is being collected to inform security judgments, and how issues, threats, and vulnerabilities are being managed, discovered, and remediated.

This wide scope makes for a messy demarcation between ASPM and other security tool categories, further complicating the buying decision process. Caleb Sima wrote about this problem in 2024, stating that figuring out the risk of a particular asset isn’t simple: “To properly answer this, you’d need to gather information from various tools such as CSPM [cloud security posture management], DSPM [data security posture management], ASPM, and IAM [identity and access management]. You’d have to generate reports from each of these products because they don’t communicate with each other. An asset can be an application, contain data, reside in the cloud, and have associated privileges. It’s a painful process to collect data from separate products, mash it up, and present it to someone for review.”

IDC’s Norton offers a more succinct way of looking at ASPMs: “They should do three things: data ingestion, prioritization, and remediation of the necessary applications.”

Two approaches to ASPM

Part of the problem in understanding the scope of any ASPM is that vendors approach the task from two different directions: code-first or cloud-first. The former reflects a more DevOps-oriented environment, beginning with an emphasis on software development and code pipeline testing. The latter starts with the cloud estate — and any on-premises applications — and works back to the specific applications. In either case, a massive amount of data is collected to document and fix potential security violations, set up policies for compliance, ensure that digital secrets are managed properly, and support other tasks. Cycode is an example of the former approach; Wiz of the latter.

There is another way to look at this market, as Norton tells CSO: “You can either be a vendor that delivers ‘AppSec in a box,’ meaning an integrated platform, or become more of an ‘AppSec Switzerland,’ having the connectors to a variety of third-party vendors.” CrowdStrike is an example of AppSec in a box; ArmorCode of AppSec Switzerland.

Leading ASPM vendors

ArmorCode offers a complete solution including software lifecycle and vulnerability management. Its strength is more than 250 integrations including application scanners and cloud workload security tools. It has an AI assistant called Anya and is expanding to cover more security postures and to automate more remediations.

CrowdStrike Falcon ASPM covers the complete application stack, including open source and custom code, APIs, secrets and code pipelines, both in the cloud and on premises. This capability stems from a 2023 acquisition of Bionic. It provides an automated dependency map at runtime and adds metadata and risk scores to guide remediation priorities. ASPM is just one part of the Falcon platform, which also protects clouds, endpoints and data.

Cycode ASPM uses an AI-native platform to identify risks and automate remediations. It has more than 100 integrations with source-code lifecycle tools, seven dynamic application testing tools and another seven cloud security tools, covering functionality that its own product lacks.

Ivanti Neurons for ASPM extends the company’s vulnerability management suite into this market. It uses its own risk scoring algorithms, which can provide business-level visibility into overall SDLC risk elements by evaluating multiple scans and exploit sources. It supports more than 80 integrations, including 19 different app scanning tools, but does not yet cover GCP or containers. Unlike many of the other vendors listed here, its ASPM module is its sole entry into posture management tools.

Legit Security ASPM can find applications across a wide spectrum, including cloud and on premises, with a unified collection of policies. It has deepened its integration with its AI posture management tool since 2024 and offers AI-driven automated remediation. It has more than 100 integrations, including Okta, Jira, Aqua, Orca, Wiz, ServiceNow and GitHub. It has several software scanning tools and will add dynamic application testing and API scanning later this year.

Nucleus Security started out in the vulnerability management space, and its single platform has evolved into a full-featured ASPM. Each user can customize their own risk ratings to prioritize their remediations. Nucleus has a large collection of integrations, including numerous application scanning tools, and connects to Oracle and Alibaba clouds in addition to the big three providers. There are several different data dashboards, including one that summarizes operational information. Future enhancements include better coverage of the CI/CD software pipeline.

Wiz.io has three separate but related products that make up a full-featured ASPM solution: Code, Cloud, and Defend. The company acquired Dazz and incorporated it into the Code module. Each delivers a part of application protection, but despite being three products, they work closely together to provide a consistent set of policies, threat detection profiles, and remediations. Wiz is a very visually oriented product, with multiple dashboards and more granular displays such as its Attack Path visualization, which maps how data flows through infrastructure and applications. It has more than 250 integrations and connectors to a wide variety of third-party security tools.

There are many other ASPM vendors that either refused or didn’t respond to our requests, including Apiiro, Brinqa, Checkmarx, Kondukto, Ox Security, Phoenix Security, Saltworks and Snyk.

Why enterprises need ASPM

As we wrote in our CNAPP buyer’s guide, this product category is also about how closely a tool integrates with other security products, how it collects application data, and how it acts on the various security signals it receives.

Gartner divides ASPM into four tasks:

Vulnerability event correlation

Prioritization and triage

Code scanning orchestration

Risk management

“With the proper configuration of the ASPM tool, you can obtain meaningful ratings to effectively triage and prioritize security vulnerabilities identified by application security testing tools and other monitoring assets throughout the application life cycle,” Gartner writes. This means that at the heart of any software pipeline the ASPM should be calling the shots and directing the overall security response.
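The four tasks above are easier to picture as a pipeline over scanner output. The following is an added example, not code from any of the vendors in this guide: a toy ASPM that ingests constructed findings from three hypothetical tools (a SAST, an SCA and a DAST scanner, each with its own field names), correlates duplicates by asset and issue, weights the merged findings by constructed asset context (internet exposure, regulated data, known exploitation, confirmation by more than one scanner), decides which scanner should re-run to confirm a fix, and rolls the scores up per application. Every tool, asset, rule id and CVE-style id is a placeholder made up for the example; the scoring multipliers are an assumed policy, not any product's algorithm.

```python
"""Toy ASPM correlation and prioritization pipeline (added example, not any vendor's code).

Walks the four Gartner tasks over constructed scanner output: correlation (normalize and merge
duplicates), prioritization and triage (context-weighted score), scanning orchestration (which
scanner re-runs to confirm a fix) and risk management (per-application rollup).
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed raw output from three hypothetical tools, each using its own field names.
SAST_FINDINGS = [
    {"tool": "sast", "repo": "payments-api", "rule": "sql-injection", "sev": "high"},
    {"tool": "sast", "repo": "payments-api", "rule": "sql-injection", "sev": "high"},  # repeated run
    {"tool": "sast", "repo": "intranet-wiki", "rule": "xss", "sev": "medium"},
]
SCA_FINDINGS = [  # CVE ids below are placeholders, not real advisories
    {"tool": "sca", "project": "payments-api", "cve": "CVE-0000-0001", "severity": 9.8, "exploited": True},
    {"tool": "sca", "project": "intranet-wiki", "cve": "CVE-0000-0002", "severity": 7.5, "exploited": False},
]
DAST_FINDINGS = [
    {"tool": "dast", "app": "payments-api", "check": "sql-injection", "risk": "High"},
]
# Constructed asset context of the kind an ASPM pulls from cloud and CMDB integrations.
ASSET_CONTEXT = {
    "payments-api": {"internet_facing": True, "handles_pci": True, "owner": "team-payments"},
    "intranet-wiki": {"internet_facing": False, "handles_pci": False, "owner": "team-it"},
}
SEVERITY_WORDS = {"critical": 9.5, "high": 8.0, "medium": 5.0, "low": 2.0}


@dataclass
class Finding:
    app: str
    issue: str            # rule id or CVE id; together with app, the correlation key
    base_severity: float  # 0-10, CVSS-like
    sources: set = field(default_factory=set)
    exploited: bool = False


def normalize(raw):
    """Ingestion: map each tool's schema onto the common Finding model."""
    if raw["tool"] == "sast":
        return Finding(raw["repo"], raw["rule"], SEVERITY_WORDS[raw["sev"]], {"sast"})
    if raw["tool"] == "sca":
        return Finding(raw["project"], raw["cve"], float(raw["severity"]), {"sca"}, raw["exploited"])
    if raw["tool"] == "dast":
        return Finding(raw["app"], raw["check"], SEVERITY_WORDS[raw["risk"].lower()], {"dast"})
    raise ValueError(f"unknown tool {raw['tool']}")


def correlate(raw_findings):
    """Correlation: merge findings that report the same issue on the same asset."""
    merged = {}
    for raw in raw_findings:
        f = normalize(raw)
        key = (f.app, f.issue)
        if key in merged:
            m = merged[key]
            m.sources |= f.sources
            m.base_severity = max(m.base_severity, f.base_severity)
            m.exploited = m.exploited or f.exploited
        else:
            merged[key] = f
    return merged


def risk_score(f, ctx):
    """Prioritization: weight base severity by exposure, data sensitivity, exploitation, confirmation.
    The multipliers are an assumed policy for this example."""
    score = f.base_severity
    if ctx["internet_facing"]:
        score *= 1.5
    if ctx["handles_pci"]:
        score *= 1.2
    if f.exploited:
        score *= 2.0
    if {"sast", "dast"} <= f.sources:
        score *= 1.3  # seen in code and confirmed at runtime: unlikely to be a false positive
    return round(min(score, 100.0), 1)


def triage(raw_findings, context):
    """Return (score, finding) pairs, highest risk first."""
    merged = correlate(raw_findings)
    ranked = [(risk_score(f, context[f.app]), f) for f in merged.values()]
    return sorted(ranked, key=lambda pair: pair[0], reverse=True)


def rescan_plan(ranked):
    """Orchestration: choose the scanner that re-runs to verify each fix (constructed policy)."""
    return {(f.app, f.issue): "dast" if "dast" in f.sources else min(f.sources) for _, f in ranked}


def app_risk_rollup(ranked):
    """Risk management: aggregate scores per application for the owner-level view."""
    totals = defaultdict(float)
    for score, f in ranked:
        totals[f.app] += score
    return dict(totals)


if __name__ == "__main__":
    results = triage(SAST_FINDINGS + SCA_FINDINGS + DAST_FINDINGS, ASSET_CONTEXT)
    for score, f in results:
        print(f"{score:5.1f}  {f.app:14} {f.issue:16} via {sorted(f.sources)}")
    print("rollup:", app_risk_rollup(results))
```

The interesting behaviour is in `correlate` and `risk_score`: the duplicated SAST result collapses into one finding, the SAST and DAST reports of the same injection issue merge into a single confirmed item, and the exploited dependency on the internet-facing PCI application outranks everything else even though its raw severity is only marginally higher. That is the prioritization backlog reduction Norton describes, in miniature.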

That may or may not be what a typical enterprise wants or needs. On the plus side, if you have purchased numerous security products that operate independently, your defenders might be tired of manually tying these together to weed out false positives and prioritize remediation. On the other hand, if you already deploy a workable orchestration tool that is your go-to central hub, you may not want to disturb it with an ASPM and have to rework some or all of the working integrations and automations.

Questions to ask when considering ASPM

How many and what kind of integrations are offered? As mentioned earlier, ASPM touches a lot of different bases that range from cloud storage to code scanning to identity management and development environments. One way to evaluate a tool's effectiveness is how it connects to different security products. Each of the tools mentioned here has at least 100 different integrations, with ArmorCode and Wiz offering more than 250. All the vendors reviewed are busy adding new ones, an indication of the importance of this attribute.

Many vendors that don’t have a fully featured cloud posture product integrate with Wiz or other CNAPP or CSPM software. A few vendors (most notably ArmorCode, Ivanti and Nucleus) give dynamic software testing short shrift and instead integrate with third-party dynamic scanning tools.

What is discovered with a built-in application scan? Second only to integrations is the kinds of metadata discovered with the built-in scanning tools provided by the ASPM itself. How the product classifies, visualizes and searches this data collection is also important. Typically, vendors lean on various AI enhancements to extract meaningful data patterns from these scans.

How many clouds and container repositories are covered? Most of the tools reviewed cover the three cloud leaders (Google, Microsoft and AWS), with some, such as Nucleus, taking deeper dives into other cloud services. Others — most notably ArmorCode — add support for containers and serverless environments. Ivanti doesn’t yet support Google Cloud and uses integrations with third parties to scan containers.

Does the vendor have its own vulnerability/threat analysis team? Many of the ASPM vendors have teams that enrich and correlate the metadata collected from their tools. The key points here are how this information is incorporated and how actionable it is when this data is mingled with details from your own infrastructure and applications.

How is the ASPM packaged and priced? As with many other posture management tools, getting an exact price is a tedious exercise, with many potential customers required to request a custom quote. Some vendors, such as ArmorCode, offer a single platform that includes application and other posture management tools in one place and for one price. Others (such as CrowdStrike and Wiz) have multiple modules or different tools that are priced separately, with bundled discounts. One piece of advice comes from Vikram Phatak, CEO of CyberRatings.org, an independent tester: “Vendors offering high-performance products are generally eager to ensure transparency regarding their products. Purchasers should be cautious of vendors that do not promote this transparency.”

ASPM pricing

Vendors are making it harder to evaluate overall product costs: many of them have no public pricing and instead use complex formulas to arrive at a quote. Sadly, this trend continues in the ASPM space.

At the low end are two vendors whose pricing reflects their AppSec heritage: Legit Security charges $50 per month per developer instance, and Cycode sells on AWS Marketplace for $30 per month per developer. Both offer quantity discounts.

CrowdStrike’s ASPM can be purchased separately or as part of a number of other posture and CNAPP software bundles. Pricing is based on factors such as the size and number of cloud assets and is quoted specifically per customer. On the AWS Marketplace, it is priced at $1,500 per asset annually.

Wiz prices its products based on two schemas: either by workloads covered or by active developer users, along with how many individual modules (Cloud, Code, and Defend) are required.

ArmorCode prices its product based on the number of infrastructure assets (applications, containers, and hosts, for example) and developer users, with a typical starting price below $100,000 annually. Ivanti has a similar and perhaps more complex pricing strategy. Nucleus Security has a starter price of $20,000 annually and sells its platform on AWS Marketplace for an annual subscription of $100,000. The price is based on the number and type of assets.
