Now, when you hear a phrase “application security monitoring”, what picture comes to mind? For me, nothing does…
As I said in February 2012, “the industry has not yet figured out what application security monitoring (ASM) is.” Hey, guess what? We still haven’t! And half a decade has passed.
This discussion starting point is obvious: there is no specific technology or a product type called “ASM.” Is ASM a practice? Is ASM merely a SIEM use case [many think so]? Is ASM another term for RASP, as implied here?
Frankly, I am not sure. And this makes me sad.
As we are working on our updated modern SOC paper, we are realizing that application security will again get the short stick, and be booted out into the cold, and then thrown out with the bath water….
But what can we do? Sure, we can get the application logs flowing into a SIEM and/or UEBA. And …ahem… some vendors ship some use case content, but not much. Unimpressive 🙁
We can focus on one type of application like web application (WAF –> SIEM), databases (DCAP/DAP –> SIEM) or ERP (some niche monitoring tech –> SIEM). But it would be narrowly focused on this type alone. Not great 🙁
We can go obsess about RASP, but seriously – have you even seen RASP (“Hey man, do you believe in Bible?” – Hell yeah! I’ve seen one!”… but RASP… not so much). Nope, not this one either 🙁
Perhaps you can help? How do you monitor applications for security issues? How do you detect application – level threats that bypassed your preventative controls? Does your SOC “do appsec?”
There you have it … this came out as a true #incompletethought …
Related blog posts (some half a decade old, but hey..):