Redefining CyberSecurity

Application Security Posture Management | Beyond the Hamster Wheel: Innovations in App Security | A Brand Story Conversation from Black Hat USA 2023 | A Brinqa Story with Alex Babar

Episode Summary

Alex Babar and Sean Martin dive into the evolving landscape of application security, vulnerability management, and the emergence of Application Security Posture Management (ASPM). Join them as they unravel the intricacies and significance of ASPM in modern cybersecurity frameworks.

Episode Notes

In this Brand Story podcast episode, as part of our Black Hat USA conference coverage, host Sean Martin connects with Alex Babar. Alex introduces listeners to Brinqa, a platform that centralizes vulnerability and security findings across various domains, such as infrastructure and cloud security, emphasizing the relevance of application security.

The conversation includes Sean's observations on how much harder it has become to keep an application separate from the system it runs on, compared with the past, and on the complexities of modern cloud and API-driven environments. Sean emphasizes the importance of understanding the dynamics of application risk management, bringing up the distinction between security posture in general and application security posture management (ASPM).

As the discussion progresses, Alex highlights the increasing visibility of the term 'ASPM' within the security domain. Drawing from his experience at Black Hat, he underscores the saturation of detection tools and the challenge of streamlining vast amounts of data from different sources. Alex notes the prominence of terms like 'application security posture', suggesting a clear industry trend. He elucidates the role of ASPM, which not only centralizes data but also correlates it with business contexts, thereby aiding in risk prioritization.

The podcast takes a deeper dive as Sean probes the challenges that security professionals might face in integrating this new space into their existing frameworks and programs. Alex offers valuable advice, urging organizations to self-reflect on their risk reduction strategies and to maintain a healthy balance between detecting and fixing vulnerabilities.

Note: This story contains promotional content. Learn more: https://www.itspmagazine.com/their-infosec-story

Guest: Alex Babar, VP, Solutions at Brinqa [@brinqa]

On LinkedIn | https://www.linkedin.com/in/alexbabar/

On Twitter | https://x.com/alxbbr

Resources

Learn more about Brinqa and their offering: https://itspm.ag/brinqa-pmdp

Hear more stories from Brinqa: www.itspmagazine.com/directory/brinqa

For more Black Hat USA 2023 coverage: https://itspmagazine.com/black-hat-usa-2023-cybersecurity-event-coverage-in-las-vegas

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________

Application Security Posture Management with Alex Babar Brinqa Story

[00:00:00] Sean Martin: And here we are, this is Sean Martin, host of the Redefining Cybersecurity Podcast on ITSPmagazine. And, uh, I get to chat with all kinds of cool people, uh, who are at Black Hat, uh, as we cover many topics, uh, from the event and the surrounding activities all at Hacker Summer Camp 2023. And we get to hear some brand stories from some organizations, some new, some old, uh, this is a relatively new company. We've spoken to a few times, good friends work there and, uh, we get to meet and chat with Alex this time from Brinqa. Alex, how are you?

[00:00:39] Alex Babar: I'm doing well, Sean. Thanks.

[00:00:41] Sean Martin: And, uh, you, you're melting away, but not as much as, uh, as you would be in your hometown.

So you're in Vegas, kind of melting, but not, not nearly as much, right?

[00:00:51] Alex Babar: It's, uh, that's exactly right. Very good choice of words.

[00:00:57] Sean Martin: That's right. An opportunity, a chance to, uh, to un-melt later, I think. Yeah. Let's, before we get into what you're hearing and, uh, the topic of, uh, application security posture management, let's, uh, let's find out a little bit about who Alex is and your role at Brinqa and what's going on.

[00:01:19] Alex Babar: Yeah. Well, so, so thanks. So, so for those listening, so I'm, I'm Alex Babar, I lead, I lead product marketing at, at Brinqa. Um, joined relatively recently is, you know, Brinqa recently took a large round of funding in late 2021 to, to solve some big fun problems. We'll get to that later though. Um, before that, I like, I like to joke that I'm a 5 to 10 year old in cybersecurity.

Um, that's predominantly on the vendor side, kind of spanning product marketing, product management, kind of like solution management type roles. Um, and it's been more on like kind of the startup scale up side of the world, just cause like my kind of, you know, personal, personal passion is like, how do you bring cool technologies to market, you know, that actually solve real world problems.

And so that spanned across, you know, I started identity and access management when, uh, for those of you that are in that space, like when customer identity was kind of becoming more trendy, um, moved over to, to software supply chain security, application security. And then, then Brinqa found me and I heard their story and really bought in.

And we'll get to some of this later, but based on my experiences so far on the AppSec side, just how, how noisy it really was. Um, but yeah, like I think maybe, um, Sean, if you don't mind, like just very quick, like 30 seconds on, on Brinqa for those unfamiliar. Sure. So, yeah, so, you know, the short version is that Brinqa is a SaaS.

For those of you who don't know, Brinqa is a SaaS platform that centralizes all your vulnerability and security findings into essentially a unified graph database. And kind of the claim to fame is that this actually spans across infrastructure, cloud and application security. Um, the application security piece, I think, is the reason we're actually here chatting today, Sean, so I'll save, I'll save some of that for later, but just I think that'll give everyone a good sense of kind of who I am, where I'm coming from, and what Brinqa does as well.

[00:03:02] Sean Martin: Yeah, and it's harder, and continues to get harder, to keep things separate. Uh, you, in the old days, perhaps you could keep an application separate from a system, and uh, systems comprised of hardware and software and, uh, other elements that, that make it run.

Of course, everything's together now, especially when, when things are running in the cloud and API driven and data's all over the place and it's being, uh, generated with artificial intelligence, the scenarios and use cases are intertwined. So taking a single view is tough, but sometimes necessary to get into the nuts and bolts of it for that particular area, which I think is what we're going to do today.

So we're going to look at app risk management and application, application and security posture management. And let's, uh, let's start there because I think folks probably know what security posture is and, and have spent decades trying to figure out how to increase and improve that. Uh, I would imagine application security posture management is a similar objective, uh, with a special slice and view of, of the app stack.

So maybe describe this space. Uh, so, so we have a baseline understanding of what we're talking about here.

[00:04:25] Alex Babar: Yeah. Yeah. I think, I think you put it well in like, like my, my running kind of joke, not joke in the space right now. ASPM are four letters that now, uh, my, my predictions for a variety of reasons we'll get into, you're going to become very commonly seen and heard.

Um, but the concept isn't really new. So, so like Sean, like you said, so application security posture management is exactly what it sounds like. But I think the details also, also matter of like, well, why, why is it showing up so much? Like, like no joke. I was walking the floor yesterday at Black Hat. And besides the fact that it took me three hours to, to look at all the booths, like the, the amount of times I saw someone either say, you know, application security posture, prioritize, correlate, like, um, it was literally over 20 different vendors. And so Brinqa is obviously included in that, but, you know, um, as far as like why, so you used a term earlier, app risk management.

So really at the end of the day, there was, you know, um, application security testing tools are detecting, you know, vulnerabilities and weaknesses in your applications. Um, but as you know, there's more and more different asset types, more and more different technologies, you have more and more different scanners testing for more and more different results, and it's kind of created its own problem of just, if I even only siloed application security, forget kind of the infrastructure and the cloud side of the world, I've got too much stuff coming from too many different places.

So it's really just as simple as like, where do I put all that stuff? Um, kind of practically, but then for the security postures, I want to put it on the same spot, um, so to speak so that I can then, uh, essentially correlate that to my actual business, my actual applications, my actual software products to then understand the kind of that simple concept of what is the security posture of my application?

Um, that's, that's probably enough for right now, but the reason I think it's, it's trending is so for those that haven't heard the term, but maybe the concept resonates. So, so Gartner, um, in early May kind of, you know, placed their flag in the ground with, uh, they have a piece they do called Innovation Insight, um, that they start off at a, when emerging technologies, when they think there's a big enough market there that they need to support, right? So they came out with a, this is their new official term, you know, for that concept. So if you've heard of, you know, app risk management, vulnerability management for applications, it's all kind of the same thing.

It's just now there's some specialness to the phrase ASPM and application security posture management. Because now it's going, that's what kind of gained traction. So like the, the good of it is that there's now this term to, to use to communicate a concept. Um, in the same way, you know, like that's great.

The, the bad of it is it's just, you know, it's right for now buzz and jargon. And, you know, it's like going to be the next zero trust, you know, before, you know, it.

[00:07:12] Sean Martin: Oh, no, that's not, let's not do that. So typically if, if there's enough excitement, uh, and, and momentum behind some activity and some conversations, uh, Gartner, in fairness, um, they do talk to a lot of organizations and CSOs and security leaders in these organizations to kind of get a view of what they're struggling with, uh, what they think they need in terms of solutions to these problems. So there must be something in there that warrants, uh, the, the new term, the new category, and kind of collapsing perhaps multiple things into one, one phrase that we can sling around.

Um, so what, perhaps what makes this unique, what, what are the, what are the pieces, parts that come together that, that give it a little extra oomph and all the individual pieces on their own?

[00:08:12] Alex Babar: Yeah. So I'd say like, if you think about it in like the, the opposite direction of, of what, what's going on right now. It's, it's essentially like security backlogs are just impossible, right? So it seems like kind of just the world, the security world in general is realizing like, it's, it's not a get to zero, it's a, what's posing the most risk, right? And so, um, when you kind of flip that question over, okay, if I, if I have X number of vulnerabilities and I know I'm going to essentially accept the risk of kind of the least risky, you start having a lot of, you know, more serious questions on them, like what, you know, what product line are they associated with?

Do we have any compensating controls in place? You know, are there any kind of, um, compliance regulations tied to it, like PII or PCI or any of that sort of stuff? So, so one of kind of the key elements of ASPM is, so when you think of like, hey, a detection tool finding the, the actual vulnerability on the ASPM side, so, so this category of software is built to not only unify it, but then correlate that data with business context, threat intelligence, um, to essentially just score risk, but that's really just a prioritization mechanism.

Right? So you can now have a, let's put it this way, a documented approach to how you're, um, planning to remediate the backlog, right? And the interesting part too, I think the documented piece is, is pretty important these days ever since, you know, um, you know, for better, for worse. The legal force too.

Exactly. You know, when, when I chat with CISOs starting new roles and they're worried about the legal language on being held personally liable for, you know, the risk the business is facing, like it kind of changes that conversation, like, the level of depth I want to be able to prove and understand to make sure that I, I'm doing what I can and we have capacity for here, but then even more than that piece, I think that's where one of the reasons like the time right now, um, I was speaking to someone else, a literal quote they gave me.

We were on a tear buying and then, you know, the macro headwind is coming in his eyes, all that, and kind of prove the value of what we're doing. Um, and when it's too, um, detached from this itself, the business units. So, so I think these are all kind of like the sort of, if you will, that are kind of giving some, uh, for, for ASPM to rise up, but for, um, you know, it, it, it seems like in some analysis on this Gartner has as well, it seems like it's pretty clear it's, you know, we're talking about like current 5 or 10% of the market currently using this at this level of maturity, right? Um, most folks by this time had to have their tools in place, their SCA detection tools, and the next iteration on that mature of, Hey, now that we know all this stuff is here, get more sophisticated and that's, that's where the ASPM is offering you the tool set to be more how you're actually handling and reducing the risk. It's not just particular vulnerability.

[00:11:22] Sean Martin: Yeah, so I, I want to maybe ask this because I think to your point, I think organizations have matured over time and have processes and teams and tools looking at a lot of these things. Um, how, how would you advise security professionals, be it practitioners or leaders, uh, trying to navigate this new space?

Um, how, how do they figure out, well, where does this fit in? What changes do I need to make? What, what, what impact does it have on my program across those three things? People, process, technology.

[00:12:03] Alex Babar: Yeah. So I think some, some really good questions to ask is just, uh, you know, uh, at Brinqa, we did a customer webinar, uh, with, with Asurion, they used the phrase. And they're, they're a security leadership team of self identification. Um, and as there is the story, the story really resonated with me. Cause essentially they're saying, you know, there's, there's going, they called it the hamster wheel. There's the hamster wheel of vulnerabilities. They were just continuing to kind of make progress on the backlog versus asking the question, do we truly believe and know that we're actually reducing risk to the organization?

Um, and I think, you know, thinking of those two is two different things. So, so one is kind of like, I'd say internal, like before the buzz or anything kind of catches your attention, just stepping back and asking yourself, you know, if, you know, and it's getting more topical now, like if the board or the CEO or some, some non-security executive asked me some simple questions, but hard to answer ones of which of my product lines are, are most, you know, uh, have the most risk associated with them from a security perspective. Right. Um, I think that's the opening and then the rest is, I think there is a maturity, right? So, um, there's steps if you're not finding anything, uh, you know, if, if, if you're still investing in detecting, you know, that, that's fair.

Um, but, uh, the, the way I liked this put to me from, uh, and he's a CISO at a, at a startup, kind of former Brinqa customer, was, you always had to be mindful of the finding and fixing ratio. Um, so like, there's no point in from his perspective. Right. And then I think that every company is gonna have a different appetite of finding more and more stuff that I can't actually do anything with or do anything about.

And that's also where I think in the last year, it's felt like, you know, before folks have wanted to know about it, even if they couldn't act on it, and now it's almost becoming a liability for better or for worse to know about something and have no plan in place to do anything about it. Right. So I think that's where, where the, the kind of places that I would encourage someone to look, you know, introspectively into their own organizations of just, you know, like, like how much are we dealing with? How much progress are we making? How much risk is it actually reducing, um, to the business? And if, if you end up with more questions than answers, and I think like the ASPM space, like that's a tool set, um, that would start getting interesting for them. If you can see how like products were built to solve those problems.

And, and then, you know, at that point, it's off to, off to the races on like technology, you know, there's a big integration play, like, does it fit, you know, but we won't go into those weeds today, but I think like, you know, conceptually folks will be able to appreciate that.

[00:14:31] Sean Martin: Yeah. So, so talk to me, I mean, cause we, we, we have sliced off a silo here to, to dig in a little bit, but as I think we've both touched on, there's so much to the infrastructure that it's hard to keep things separate and broader beyond just the infra is the operations as well. And when we start talking about apps and app security and security posture management, uh, this isn't just, just like system security isn't just security's responsibilities, IT Ops, um, when we look at apps, we have DevOps and, uh, chances are they're running in the clouds. You have cloud ops. So how, how do you build an ASPM that takes those different ops parts to, uh, to heart and actually promotes collaboration and the process that can help you actually close the gap on some of this stuff and raise that posture, raise that bar.

[00:15:38] Alex Babar: That's the goal. Yeah, I see what you're saying. So I love that you brought the keeping things separate concept back up. Cause I heard you say in the beginning, I took a note cause I wanted to circle back on it. But, um, that's actually how Brinqa got into, um, the space like ASPM. So, so traditionally we, we helped folks, you know, prioritize and, you know, automate remediation and report on risks on their infrastructure. So think like, you know, your, your Qualys, Rapid7, Tenable findings, right?

Um, cause so conceptually, um, well, tangibly from our customer, we started being asked, can we also do that for their, you know, Checkmarx findings, their Snyk findings, their Veracode findings, like that sort of thing. Right. And essentially it turned into, Hey, now fast forward, you said DevOps, but into like cloud native software development, the line between infrastructure and cloud and applications getting awfully blurry.

Right. Um, the, the one thing I kinda, I want to say though, to, to, to your question is it does feel like there's a, um, an underlying challenge because there are so many, uh, risks in the business. And there's no shortage of like, I mean, if, you know, you're at Black Hat, you go through the, anyone has gone through kind of that startup alley of new ways to just detect all this stuff, right? You know, the hard coded secrets in code, the misconfigurations in your CI/CD pipeline tool, like all this different stuff. Um, but it's almost like, Hey, if you go and implement that process in addition to what you already have, you're really just now creating more silos of more data, right?

So I'd say like, I kind of encourage like the ASPM thought to almost be like, Hey, yes, there's a lot to be done, but, you know, everyone take a step back for a second and think, Hey, would it be a good time to think about architecturally? Should I think about kind of putting that all in one place so that I can get that macro level view, right? So I can see, Hey, this is coming from the findings, see the picture of, Hey, this is, you know, um, coming from like, like operations is coming from the cloud, but also tying it back to the business to kind of stay out of the weeds.

Um, and what I mean by that is just so, you know, it's easy to think in terms of assets and vulnerabilities, but, you know, there, there's a difference between, you know, the infrastructure as code script that's being used to, you know, deploy my flagship product and one that's being used to kind of deploy something in sandbox, right. Just from a prioritization perspective, because those are kind of like the, the, the foundational elements that, that we're seeing it's, uh, there, there wasn't such a technology and there wasn't enough findings to, to need the technology, you know, five years ago, that's where it seems like, like we are now, it's almost like a, I think the question is like, when do you pause real quick on kind of finding more things and interject yourself into, Hey, let's kind of create a little bit of a foundation and put all those things into that we can scale up on. If that makes sense.

[00:18:24] Sean Martin: Yeah. And, and sets the stage for, uh, handling scope as it continues to grow over time. Cause chances are you're going to add more apps and, and do hybrid multi cloud and some on, on some public. I mean, it's just, it gets really nuts. So yeah, I think taking a moment to prepare yourself and to prepare your team and the flow of how you deal with this stuff, I think it's super important. I want to touch on the said painting a picture and getting into the weeds. So to me, that's the executive view and the, and the practitioner view of this, which are both important, but they have to come together and, and, uh, support each other in both directions.

So how, let's maybe look at some of the conversations you've had at Black Hat as you're talking to folks. What are some of those executive level conversations like and what are some of the practitioner conversations like? And do you see that connection between the two in a, in a meaningful way?

[00:19:32] Alex Babar: Yeah. So, so, so yes and no. And so, so I think I want to kind of like put the caution out there on, you know, ASPM because of being the, the kind of hyped up term that it is for better, for worse. And I do believe that there's, there's something there, um, as you could hear from me, it's, uh, you know, not all tools are created equal. And so some of that has to do with scope, right?

So you're talking about all things. Um, and just, just for context setting for, for the audience. So, so Brinqa, Brinqa primarily serves like larger enterprises, right? So, so folks that already have a bunch of kind of tooling in place and looking to get that macro picture, um, the conversation we're having between the executive and practitioner level though, is, um, it's kind of twofold.

So one, no matter how you slice all this stuff, inevitably it ends up in some report, you know, that the CISO is presenting to, you know, often like non-security stakeholders, right? So as we know, that trend is getting, that report is going out to more senior now. It's getting to board level organizations, right? So we think about the report, and so, so maybe that's the problem, but you have to unpack that quite a bit, and this is where kind of that practitioner element goes into, is how are those reports actually constructed today? It's like, well, I got to export snapshots of data from a dozen different tools, and kind of like piecemeal stuff together via Excel pivot tables or Power BI.

And, and so there's like the practical challenges of that, just how inefficient it is. But then also there's like the practical challenges of that from like a time lag perspective, because now you're reporting on snapshots of data and not kind of like continuous, you know, um, slices of that data. Um, and then it was interesting from a security perspective, we hear a lot, um, there's maybe some concern that, you know, what's the source of truth?

You know, once you've exported it and you have it in, you know, now it's in Excel, it's like, well, what's actually the truth? And when you go up to... I say like what you're really trying to do is get more maybe resources or emphasis on remediating, uh, issues in an application. Um, but when the development team is working in like, you know, JIRA, for example, and the security team's working in a different tool, like keeping those tools in sync creates its own problem.

So if I'm the CSO and go to report and say, Hey, you know, I'm like banging my fist on the table. What aren't we doing about this? I lose a lot of credibility very instantly when it says, well, we already did something about it. Your tool's out of date, right? So there has been a lot of value in getting all this in one tool where you can go, I call it up and down.

So you're building the reports, the executive level reports, but you can also think like click through the executive level reports to get down into the details. Because the problem with those executive level reports is they're not actionable for anyone that needs to actually remediate the issues, right? It's like, well, what specific asset, what specific vulnerability, like you have to get down to that level. Um, so I think that's where it's coming together is having all that in one place, right? As opposed to just like, it's, it's, it's spread across. Right.

[00:22:22] Sean Martin: Yeah. Cause let's not forget that the, uh, the R&D team's having their moment at the, uh, the executive leadership team meetings telling their story. And, uh, if they're talking about how, how, uh, crappy the security process is and the impact it has on the CI/CD and, uh, delivery pipeline. That's not a good, not a good thing, even if your security posture presentation is perfect.

[00:22:49] Alex Babar: It was really cool about this. And then this is again, like I've been on the vendor side, but, you know, listening to our customers, kind of practitioners, what I, what I hear, things like I hear, it's, you know, also on the security side, it's, it's, why would I make a big fuss about this new thing that popped out when I have, and I'm going to that meeting of, look, I have a lot of known critical vulnerabilities tied to an important application that are now out of SLA. Right? So it's, it's not just, what do I need to remediate? Where's my risk? But literally today, where do we focus our energy? Where do we focus the conversation? Um, it's like, you know, what's most urgent for the business. Uh, I've heard it phrased as kind of like next, next best action. You know, um, so, so as I've seen it used kind of both ways, kind of strategically, you know, are we doing something wrong?

Um, but also like more, more tactically, like, Hey, I just, I need to escalate this, um, and helping. And as I said, it helps the, like usually routes to a GM, you know, of a business line. That's who maybe I need to appeal to, to a development resource to answer the question of what's the SLA if it's a critical thing.

[00:23:54] Sean Martin: Yeah, so on that note, I think the next best action here, I think we touched on it earlier, is kind of preparing yourself for what's to come. And so having a platform in place that, that has access to all this information and can pull it together in a meaningful way so that you can actually take multiple next best actions, uh, that not just keeps the team busy, but actually improves the application security posture as well as your overall security posture.

I think that's the, that's the main goal. So, uh, next best action is to, uh, connect with you, Alex. And if folks are still in Vegas and they want to, want to catch up, uh, they should do that. Meet the team. Of course, uh, beyond Hacker Summer Camp, uh, there's always a way to connect with the Brinqa team and we'll include links in the, in the show notes for that.

Um, Alex, it's been a great chat. Thanks for, uh, enlightening me, enlightening me on the new, the new term and the new category and, and what it means. Uh, sounds like a good, good path forward to me, uh, to, to kind of set the stage and be prepared for what's coming.

[00:25:09] Alex Babar: Yeah, thanks, and thanks for having me, Sean. Really appreciate it. And yeah, we do have a Brinqa booth at the Black Hat hall. If, if anyone's here, um, I'll be there this afternoon if anyone can, anyone wants to come say hi. Uh, please do. I'll be staying in the AC.

[00:25:23] Sean Martin: Yes. Stay cool. Stay cool. And thanks everybody for listening.

Uh, tons of great conversations here from, uh, Black Hat USA 2023, including, uh, this one here with our good friends from Brinqa and, uh, stay tuned. There's lots more, I think at least a couple more conversations, uh, heading your way from Hacker Summer Camp. So stay tuned, subscribe, share with your friends and, uh, comment if you have some ideas on the topics we're covering.

Take care, everyone.