Consolidate to simplify application security: Why this is a business imperative


Mounting pressure from a constantly evolving cyber security landscape has pushed business leaders to look for ways to optimize and streamline their application security strategies.

Consolidation has risen to the forefront of these initiatives as a practical means for achieving enhanced resource efficiency and improving the overall risk posture for an organization’s application portfolio.

A recent survey commissioned by Synopsys showed that 70% of organizations have more than 10 application security testing (AST) solutions. The pain associated with this tool proliferation is three-fold.

  • Poor AppSec ROI: Organizations are maintaining multiple, potentially overlapping solutions which increases costs and drains resources.
  • Increased complexity: Too many tools have led to friction in the development cycle, which slows teams down and leads to security steps being skipped.
  • Fragmented picture of risk: More tools lead to mountains of disconnected findings, making it easy to miss critical issues.

This can create strain on development and security teams, making consolidation initiatives more appealing. Research from Gartner supports this view, stating in its Top Trends in Cybersecurity—Survey Analysis: Cybersecurity Platform Consolidation report that 75% of organizations surveyed were actively pursuing vendor consolidation in 2022, a notable increase from the 29% reported in its 2020 survey.

What's leading AppSec consolidation?

If an organization has a complex or disjointed AppSec programme, several issues can arise including unwarranted complexity, unquantifiable or obscured levels of risk for the business, and inefficient resource allocation. 

This presents several challenges and paints an unclear picture of the overall risk landscape, making it almost impossible to make decisions or report on risk at any point in time. 

Digging deeper, there are three elements forcing many organizations down the consolidation route.

Poor AppSec ROI

The myriad security tools now acquired by organizations have resulted in a hike in operational costs covering maintenance, support, and licensing. Naturally, with more tools in use, more time and resources are required to ensure effective deployment and upkeep.

Development teams are then required to become familiar with multiple user interfaces, which often reduces productivity and increases the chance that security steps are skipped.

When these tools are evaluated side by side, most have similar or even overlapping capabilities, which increases the likelihood that critical findings are missed and hampers the testing and remediation process.

Increased complexity

When teams implement too many tools into the development cycle it can lead to friction which slows teams down at a time when everything needs to move faster. 


In addition, when tools are purchased and implemented by individual teams in silos, the overall application security programme runs the risk of being run inconsistently. If policies are being implemented and managed differently across tools and teams, there is no standard way to assess and report on risk. 

Moreover, there is the duplicated effort of implementing and enforcing policies multiple times across multiple tools and multiple development teams.

Fragmented picture of risk

Furthermore, due to the number of security tools, there will be a higher volume of tests which will produce an avalanche of results to analyze. Much of the time the test results remain confined within their respective point tools. 

Developers who try to take action on these issues end up with duplicates or inefficient remediation guidance and little understanding of what needs to be fixed first, wasting already constrained time and resources. 

And when results live within their respective point tools, there’s no single source of truth for reporting on overall business risk.

Consolidate tools and vendors to improve ROI

With organizations already using 10 or more AST tools, teams must find a way to optimize the tools they already own. Start by identifying the critical security testing your business requires and ensure you have it covered. 

Then you are in a position to reduce the number of vendors by finding a strong application security partner that can offer strong solutions across several of your critical testing needs. This will reduce the operational strain on your procurement, implementation, support, security, and development teams.

Sourcing multiple tools from one vendor can solve part of the problem, but isolated implementations can fall short of achieving the benefits consolidation offers. Seek solutions that offer strong integration points across tools to make the entire implementation more streamlined.

Consolidate effort to reduce complexity

Multiple implementations of point tools within single teams lead to duplicated effort and inconsistent AppSec programmes. By centralizing policy management, your organization can set security policies once and enforce them consistently across all applications and teams, regardless of the tools in use.

This streamlines policy enforcement, reduces duplicative effort, and ensures a standardized approach to security. 

By centralizing policy management, you also enable teams to automate testing and the enforcement of SLAs for issue remediation. This ensures security testing is performed when needed, reducing unnecessary scans and avoiding bottlenecks in the development process.

Consolidate insight to enhance risk management

With a consolidated approach to vendor selection and tool implementation and centralized policy management, you set your organization up for a consolidated and consistent picture of risk. 

This enhances visibility into your security posture by providing a single source of truth for what was tested, what was found, and what was fixed. 

Having this unified view empowers your decision-makers to mitigate potential threats, shorten time to audit, and resolve new threats quickly.
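The two preceding sections describe a single remediation policy applied across tools and a single source of truth that aggregates what each tool found. The following Python script is an added example, not code from the article or from Synopsys, that shows the mechanics in miniature: findings from three hypothetical scanners ("sast-a", "sast-b" and "sca", each with its own constructed output schema) are normalized into one record type, duplicates reported by more than one tool are merged by fingerprint, and one central SLA table (hypothetical day counts per severity) decides which merged findings are overdue. The tool names, schemas, category mapping and SLA values are all assumptions made for the example.

```python
"""Normalize findings from several AST tools into one view and apply one
central remediation-SLA policy. Added illustration; every tool, schema and
policy value below is constructed, not a real product's format."""
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# One central policy: maximum days a finding may stay open, by severity.
# Hypothetical values chosen for the example.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Each tool names the same weakness class differently; map to one vocabulary.
CATEGORY_MAP = {"sql-injection": "sqli", "SQLi": "sqli", "xss": "xss"}

# Constructed sample output from three hypothetical tools. Note the differing
# field names and severity scales; the dependency CVE id is a placeholder.
SAST_A = [
    {"rule": "sql-injection", "path": "app/db.py", "line": 42, "sev": "HIGH", "first_seen": "2024-01-02"},
    {"rule": "xss", "path": "app/views.py", "line": 10, "sev": "MEDIUM", "first_seen": "2024-01-20"},
]
SAST_B = [  # reports the same SQLi, three days later, on a P1..P4 scale
    {"checker": "SQLi", "file": "app/db.py", "line": 42, "priority": "P1", "date": "2024-01-05"},
]
SCA = [
    {"component": "lodash@4.17.15", "cve": "CVE-PLACEHOLDER", "severity": "critical", "found": "2024-01-15"},
]


@dataclass
class Finding:
    category: str      # normalized weakness class or "vulnerable-dependency"
    location: str      # "file:line" for code findings, component name for SCA
    severity: str      # critical / high / medium / low
    first_seen: date   # earliest date any tool reported it
    tools: set = field(default_factory=set)

    def fingerprint(self):
        # Two tools flagging the same class at the same place are one finding.
        return (self.category, self.location)


def normalize_sast_a(raw):
    return Finding(CATEGORY_MAP[raw["rule"]], f'{raw["path"]}:{raw["line"]}',
                   raw["sev"].lower(), date.fromisoformat(raw["first_seen"]), {"sast-a"})


def normalize_sast_b(raw):
    priority_to_sev = {"P1": "critical", "P2": "high", "P3": "medium", "P4": "low"}
    return Finding(CATEGORY_MAP[raw["checker"]], f'{raw["file"]}:{raw["line"]}',
                   priority_to_sev[raw["priority"]], date.fromisoformat(raw["date"]), {"sast-b"})


def normalize_sca(raw):
    return Finding("vulnerable-dependency", raw["component"],
                   raw["severity"].lower(), date.fromisoformat(raw["found"]), {"sca"})


def merge(findings):
    """Collapse duplicates: keep the highest severity any tool assigned, the
    earliest sighting, and the set of tools that reported it."""
    merged = {}
    for f in findings:
        key = f.fingerprint()
        if key not in merged:
            merged[key] = Finding(f.category, f.location, f.severity, f.first_seen, set(f.tools))
            continue
        m = merged[key]
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[m.severity]:
            m.severity = f.severity
        m.first_seen = min(m.first_seen, f.first_seen)
        m.tools |= f.tools
    # Single ordered view: most severe first, oldest first within a severity.
    return sorted(merged.values(), key=lambda m: (-SEVERITY_RANK[m.severity], m.first_seen))


def overdue(merged, today_iso):
    """Apply the central SLA table: findings open longer than allowed."""
    today = date.fromisoformat(today_iso)
    return [m for m in merged if (today - m.first_seen).days > SLA_DAYS[m.severity]]


def build_view():
    """Normalize all three tools' output into the single source of truth."""
    findings = ([normalize_sast_a(r) for r in SAST_A]
                + [normalize_sast_b(r) for r in SAST_B]
                + [normalize_sca(r) for r in SCA])
    return merge(findings)


if __name__ == "__main__":
    view = build_view()
    for m in view:
        print(f"{m.severity:8} {m.category:22} {m.location:20} since {m.first_seen} via {sorted(m.tools)}")
    for m in overdue(view, "2024-02-01"):
        print(f"OVERDUE ({SLA_DAYS[m.severity]}-day SLA): {m.category} at {m.location}")
```

Four raw findings become three merged ones: the SQL injection reported by both SAST tools is counted once, carries the stricter of the two severities, and keeps the earlier sighting date, which is what makes an SLA clock meaningful across tools. Evaluated on 2024-02-01, the two critical findings exceed the seven-day limit while the medium XSS does not, so a reviewer sees one prioritized list instead of three tool-specific ones.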

How to evaluate vendors for consolidation

Once an organization decides to pursue a consolidation initiative, the next logical step is to begin vetting and evaluating potential partners. The logical starting point is to look for a vendor whose portfolio can cover most or all of your AppSec needs. 

In addition, the ideal vendor should also display a few specific attributes.

  • Its vision should be continuous innovation to keep pace with the latest development techniques and threats in the cyber landscape.
  • The vendor should have a wide scope of coverage with its offering and be easily adoptable by the development teams. 
  • The portfolio of AST tools should be strong across the board and shouldn’t require any sacrifice in functionality. Can the vendor showcase its staying power (stability and longevity) so that the organization sees a return on investment? 
  • It should be flexible with its pricing and licensing options to meet the growth and timing of the organization. 
  • The vendor should display a degree of openness, in that it has the capability to aggregate test findings from multiple products to provide a clear view of software risk and to protect your existing AppSec investment.

To conclude, organizations should push towards AppSec consolidation as a means to reduce the complexity and inefficiencies within their current application security programme. 

This will enable resource optimisation and improve risk posture. In the end, decision-makers should seek out a vendor that maintains a comprehensive portfolio of best-of-breed solutions, to fully reap the benefits and ROI of their consolidation strategy.

Jason Schmitt
General Manager, Synopsys

Jason Schmitt brings more than 20 years of experience in security and enterprise product development and management. Jason most recently served as CEO of cloud security startup Aporeto, where he led the company from pre-revenue through a successful acquisition by Palo Alto Networks. He has a deep background in software development and application security – leading Enterprise Security Products at Hewlett Packard as Vice President and General Manager of Fortify and ArcSight. Jason is a Louisiana native, who completed his Bachelor’s in Mechanical Engineering and Master’s in Computer Science at the Georgia Institute of Technology, and his MBA at Georgia State University’s J. Mack Robinson College of Business.