EASM: What AppSec and ProdSec Teams Need to Know

Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Rickard Carlsson of Detectify offers a primer on External Attack Surface Management (EASM) and what AppSec and ProdSec teams need to know.

Managing security risks across a complex, evolving external attack surface is becoming increasingly more difficult. While organizations accelerate the pace of digitalization to meet their business goals, they’re inevitably bringing more Internet-facing assets online. Increasing the rate of development to keep up with digitalization expands the attack surface, creating further opportunities for attackers. Unsurprisingly, Gartner identified the expanded attack surface as the top security risk of 2022.

AppSec and ProdSec teams have historically dealt with this in various ways. DevSecOps, for example, is a popular solution – many organizations feel that the best way to defend their vulnerable assets is to bring security into the development process early on (so-called ‘Shifting Left’), theoretically catching vulnerabilities before they make it into production.

The trouble here is that not every vulnerability that makes it into production is present in staging or development. Additionally, application security is not static – a software component may have been considered secure at the time of development, but that may simply have been because the vulnerability hadn’t yet been discovered. No matter how much your organization prioritizes Shifting Left, you won’t catch everything, and you’ll need a plan to prioritize and address the vulnerabilities you miss.

Furthermore, not every aspect of an organization’s attack surface results from a linear development process. Even if an organization somehow meets the unrealistic goal of zero vulnerabilities in production (hint: they won’t), some assets are acquired through M&A activity, and others may be brought online by certain stakeholders (the marketing team, for example) without alerting the security team. Long story short, it’s highly likely that your organization has unknown online assets that your security team isn’t aware of. And if they don’t know about it, they can’t defend it.

External Attack Surface Management: What to Know

What is EASM?

Rather than handling everything granularly, trying to discover assets manually, and catching vulnerabilities in development, External Attack Surface Management (EASM) takes an outside-in approach. EASM encompasses both the discovery and assessment of an organization’s publicly facing IT assets. A good EASM solution not only identifies every asset but continuously monitors them for any changes. It is in the exposed environment that Initial Access Brokers (IBS) gain the first foothold.

The intelligent adoption of EASM enables AppSec and ProdSec teams to see their entire external attack surface environment and identify the risk hotspots. Prioritization and fast remediation of the issues that mean the most to the organization are also key components of best-in-class EASM solutions. EASM helps AppSec and ProdSec teams overwhelmed with vulnerability management information transition away from fighting a never-ending fire to holistically managing their organizations’ risks.

What to Look for in an EASM Solution

Many EASM products have primarily focused on discovery capabilities, but their testing capabilities amount to little more than vulnerability scanning. EASM tools that use vulnerability management as their base and CPE/CVE matching often yield high false positive rates. On the other hand, EASM solutions that go beyond CVE matching by leveraging information about the context of assets (for example, a CVE may be present but doesn’t have an associated attack path) effectively reduce noise for security teams and have much higher vulnerability assessment accuracy rates.

The best EASM solutions do more than just discover assets and scan for vulnerabilities – they continuously test the attack surface with real payloads. A vulnerability scan might uncover a few gaps in the perimeter, but that is not necessarily indicative of how a malicious actor would actually attack you. On the other hand, a real payload-based test, which not only identifies a vulnerability but outlines how an attacker could exploit it, can help you identify and prioritize the issues that actually put your business at risk.

Continuously Probe Your Attack Surface with EASM

Chasing vulnerabilities in development and scanning for them in production is all well and good. But to actually manage your external attack surface, you need a solution that tests your entire environment and yields an accurate summary of how and where a malicious actor could exploit the organization.

Doing this granularly is costly and time-consuming. You’ll never find every single vuln, and you’ll burn through valuable time and resources doing it, which are in short supply today given the economic climate. The best way to protect the business efficiently and cost-effectively is with solutions that not only monitor your entire environment but also help you prioritize so that you aren’t wasting company resources on things that don’t matter. With tight resources and limited resources, you want your security team focused on issues that could actually matter to your organization.

Suppose you know where all your assets are, which vulnerabilities can actually be exploited, and how to prioritize those that matter most to you. In that case, you’re well on your way to reducing your risk level and effectively managing your attack surface. Continuously testing the entire attack surface with real payloads that identify active vulnerabilities and highlight those that represent the most risk has to be part of the equation. That’s where EASM comes in.