This is the second in a three-part series describing the thought process and functionality behind SaltMiner, our enterprise dashboard for Application Security management. To read the first installment, see SaltMiner – Delivering AppSec Program Visibility at Scale.
From our years of experience in application security consulting with a vast array of organizations, we knew enterprises needed a better application security data management solution because we needed one. So, we decided to build the solution that we’ve needed to help enterprises reach their best possible security outcomes. But, we’ve done it from a user perspective.
To solve these problems, we knew we had to meet several key design objectives including:
Aggregation
Any enterprise-level application security management solution needs to be able to aggregate vulnerability data and performance metrics from all measurable areas of an AppSec program. Vulnerabilities can’t be filtered in the ways needed to answer different business questions unless they are correlated, analyzed, and ultimately searchable and query-able. Static results must be cross-referenced with dynamic results, manual pen-testing results have to be viewed in conjunction with both, and open source components must be included, among other things.
Figure: Instead of forcing users to check several databases to gain a full picture of their AppSec posture, SaltMiner displays all vulnerability data in one place.
On-Demand Focused Reporting
For a true picture of their risk, and of their progress in managing it, enterprises need to be able to ask “what if” questions of their application security data. For instance, imagine the strain of managing 5,000 applications and needing to find all the vulnerabilities across that range that have a specific compliance component, such as PCI. Now, imagine dealing with five different tools that each report meaningful results for this. By the time the information is gathered, correlated, and analyzed, it’s likely already out of date. So instead of a true picture of risk, these separate reports become a snapshot of a past state. We needed to change that and make the data accessible on demand, flexible enough to answer specific business questions.
Figure: SaltMiner can break down data to be as big-picture or as detailed as needed. See trends across time frames, business units, applications, and more.
Scalability
We knew that SaltMiner needed to rapidly ingest enterprise volumes of application security data from several different sources, and also provide that data to other applications and processes at scale. In addition, we realized that scalability is not just an architectural challenge for enterprises; it can also be a financial challenge because of how most security products handle licensing. Many reporting systems charge by the user or by the amount of data. For enterprises with a large number of developers and applications, that can quickly become financially prohibitive (unless you want to spend thousands of dollars to generate each report). We knew there had to be a better way to provide security data to the other tools and processes that require it.
Customizability
SaltMiner comes with integrated support for a wide range of web application security data, so it’s easy to import testing data from a variety of products, services, and initiatives. However, every enterprise AppSec program needs customization, both in how it represents its data and in the business questions it wants to ask. We knew that we needed a management tool capable of handling unique and proprietary scenarios with minimum complication.
Accessibility
Most products design their API for their own use, not to integrate with other processes. In other words, once you’ve committed to a tool, it’s very hard to break free from its reporting structure without significant effort and pain. Every tool wants to be the “one ring to rule them all.” We knew we were going to change that and free the data. Reducing data acquisition to a single query was a fundamental goal.
Figure (before and after): Vulnerability data, before and after Application Name filters are selected. Data is pulled from across several of the enterprise’s tools and services.
Next up: SaltMiner – True Enterprise AppSec Program Management