You’ve learned that it takes more than one application security tool to secure your code. As you add software vulnerability testing tools to examine your application from every possible angle, the number of results you have to manage grows. It’s great that you can identify these threats, but the data alone won’t help you manage and fix the problems.

That’s what application vulnerability correlation (AVC) is for. AVC tools streamline software development application vulnerability testing and remediation. AVC tools help you tame the unruly mass of data created by growing numbers of testing tools, and provide one set of correlated results.

Consolidating the results from all of your testing tools dramatically improves communication and coordinates activity between your development, testing, and security teams. This greatly enhances the overall effectiveness and efficiency of your DevOps, and helps you get your product out the door faster.

The emergence of application vulnerability correlation

According to Gartner’s Hype Cycle for Application Security 2017, published July 2017, AVC products have “secured wider interest and are advancing to the peak phase of Gartner’s Hype Cycle.”

Gartner’s business impact of AVC is stated as:

The most important business impact is that application security testing programs can realize tangible operational efficiencies in their efforts to manage remediation workflows, and they can prioritize scarce resources for the most critical efforts. . . .  By increasing the visibility of the vulnerabilities contained within applications, senior management also gains perspective and an understanding of this critical source of risk — which is likely to enhance overall risk management efforts and potentially lead to increased funding of and prioritization for application security efforts.”

Gartner also named Code­ Dx as a Sample Vendor for Application Vulnerability Correlation and Application Security Testing Orchestration in the AVC market. The complete report is available to Gartner clients here.

So many tools, so much data

It’s now generally accepted in the industry that in order to thoroughly test for vulnerabilities, you need to use multiple testing techniques, such as static analysis, dynamic analysis, manual penetration testing, component testing, and threat modeling, to name a few. These are all elements of a good application security testing process. In addition, you have to use multiple tools within these techniques to improve your vulnerability coverage. No tool covers every language, and some are better at finding certain classes of vulnerabilities than others.

Unfortunately, most of the testing tools export their results to a document of some kind, usually a PDF, that you have to send back and forth between the development and security teams to resolve the problems. These lists generally have tons of false positives, and lots of duplicate reports, all with varying ways of expressing vulnerability identification and prioritization. PDFs also require lots of coordination to keep the lists up-to-date. Tracking who is working on what, and which vulnerabilities have been fixed and which haven’t, is difficult to do with PDFs. Not to mention the inevitable differences in versions, with countless copies with slightly different file names floating around your company’s network. This practice is not only time-consuming, but ineffective.

Communication between teams is critical to vulnerability management. PDFs don’t offer enough usability and interaction to really allow solid communication. Accurate, trackable data—in formats and terms familiar to the organization—allows for less back-and-forth communication between teams and quicker resolution, leading to a faster release. Any AVC tool worth the investment will provide that. No PDFs required.

What should application vulnerability correlation actually do?

AVC tools make all of your testing tools work together to provide one set of correlated results.  They can de-duplicate and normalize test results to a consistent, customizable definition and level of risk. Using your own vulnerability policies, the AVC tool should then prioritize and manage the mediation of the vulnerabilities, and even integrate them with your application lifecycle management tools. The Code Dx vulnerability correlation and management software suite does exactly that.

Code Dx lets you manage all of your tools right from its central console, correlates the results with one another, and gives your security team a concise list of issues that need attention. The normalizing feature adds common terminology, and displays all results in the same format. It also links the weaknesses with an issue tracker such as Jira so your development team can work with your security team to manage each vulnerability’s remediation progress, all from the same, highly readable, easily understood list. It can even automatically check your code to make sure it’s compliant with regulations and standards such as HIPAA, PCI, and the DISA-STIG. See the complete list of plugins and supported tools here.

Why application vulnerability correlation?

As application security testing becomes more widely accepted, companies will need to implement a vulnerability management and correlation system. It is the only way they will be able to reap the benefits of their tools, fix their vulnerabilities in a reasonable amount of time, and improve cohesion between the security and development teams.

AVC tools give management a single vantage point into the growing amount of data generated by a variety of AST tools, and increases your visibility into the vulnerabilities affecting your application. With this organized, easy-to-understand tool, you can stop wasting valuable time managing the tools, and begin focusing on managing the vulnerabilities in your application. Your teams can concentrate on fixing problems before they can be exploited.

Gartner Disclaimer

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.