Unpacking ASPM, Demystifying Buzzwords: A Guide to Application Security for Product Security Engineers in the Digital Age

You’ve heard terms like ASPM (Application Security Posture Management), surface management, code to cloud, reachability analysis, attack path, traceability, lineage, attribution and more terms related to vulnerability management and surface management. I’m here with Phoenix Security to demystify them. It’s easy to get lost in this jargon, yet these concepts remain at the heart of our cybersecurity strategies. As someone deeply entrenched in the ASPM category, I’ve witnessed its rise to prominence.

In an era where application security is more crucial than ever, demystifying the jargon—ASPM, traceability, reachability analysis, and lineage—is key to strengthening our cyber defences. Application Security Posture Management (ASPM) has emerged as a critical strategy, transitioning from the reactive stances of yesteryears to proactive, full-spectrum defence mechanisms. This article aims to clarify these concepts and elucidate how ASPM is pivotal in navigating the complexities of modern software security, stripping back the layers and returning to the core of securing assets throughout their lifecycle. Let’s delve deeper.

We covered ASPM, and the intricacies of runtime environment and application security, in a previous article:

ASPM Demystified – remove buzzwords and act on what matters most

The concepts we will unpack:

  • ASPM – Application Security Posture Management
  • Traceability analysis
  • Reachability analysis from a code perspective
  • Attribution of vulnerabilities and code
  • Contextual reachability 
  • Code to cloud and traceability analysis 
  • Asset lineage and tracing where the assets have been formed and come from

The Core of ASPM in Cybersecurity Strategy

ASPM is the fulcrum in today’s application security, providing a panoramic view that extends beyond code vulnerabilities to include the infrastructure and data flow. The essence of ASPM lies in its capacity to offer traceability from code to cloud, enabling a robust reachability analysis that ensures vulnerabilities are not only identified but also contextualized within the application’s operational environment.

Traceability and Reachability in Code Analysis

Traceability in ASPM is the ability to follow the journey of a vulnerability from its origin in the code to its manifestation in a library or dependency. Reachability analysis complements this by evaluating if and how a vulnerability can be exploited, providing a clear view of potential attack paths. This dual analysis is crucial for security teams to prioritize vulnerabilities based on actionable intelligence, such as evidence of active exploits in the wild.


Keywords to evidence if a vulnerability is going to be exploited

  • Reachability analysis in code is the ability to trace a particular set of calls from code all the way to the library where an issue is. The analysis enables application security professionals to determine if a particular vulnerability is going to be exploitable.
  • Traceability describes the journey an application makes from the time it is written (code), to when it is built (built file) and deployed.
  • Attribution describes the association of the right team with the right repository, the piece of software being built and the right bill of materials (BOM, CBOM, etc.).
  • The lineage of assets expresses the concept of deployed artefacts (like container images, cloud assets) and how those artefacts were created (container build file, cloud build file/terraformation file).

A great reference for the complexity of the process and the threat modelling is the post from Jonathan Meadows.

Exploitability of vulnerabilities in software and forecasting what’s the next vulnerability to be exploited 

Distinguishing between actual and potential exploitability is crucial for prioritizing responses to vulnerabilities. Actual exploitability refers to vulnerabilities for which an exploit exists in the wild, confirmed by evidence of active use by attackers. This scenario signifies a higher risk, as the means to exploit the vulnerability are not only developed but are actively being utilized, posing an immediate threat to systems. For comprehensive insights into the dynamics of exploitability, including the nuances of actual exploits being utilized by attackers, a valuable resource can be found at Phoenix Security’s exploration of exploitability.

To demystify the terms

  • Exploitability – the verified presence of an exploit in the wild, with evidence of the exploit being used in the wild
  • Potential exploitability – it is less likely that a vulnerability is exploitable, as the exploits are not used in the wild; also referred to as proof of concept
  • Network reachability analysis – the ability to reach the particular host where the application is deployed. Usually, this is called attack path mapping, an interesting approach to the subject (check this interesting article from neo4j)

On the other hand, potential exploitability deals with vulnerabilities that, while theoretically exploitable, haven’t been observed being exploited in real-world attacks. These are often referred to as Proof of Concept (PoC) exploits. A PoC exploit demonstrates the feasibility of an attack but doesn’t necessarily indicate that it’s being used maliciously. This distinction is critical because it helps security professionals assess the immediacy and likelihood of a threat materializing. While actual exploits demand immediate action, potential exploits require monitoring and assessment to determine if they evolve into more significant threats. For a deeper understanding of Proof of Concept exploits and their role in cybersecurity, this definition by TechTarget offers detailed insights.

By understanding the difference between actual and potential exploitability, organizations can prioritize their security efforts more effectively, focusing on neutralizing immediate threats while preparing for possible future vulnerabilities. This approach ensures that resources are allocated efficiently, bolstering defenses where they are most needed and maintaining a robust security posture against both current and emerging threats.
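The reachability and exploitability definitions above can be combined into a single triage pass. The following is an added example, not Phoenix Security's code or algorithm: it traces call paths through a constructed call graph and orders findings by reachability and then by exploit evidence. The function names, finding IDs and the ordering rule are assumptions made for illustration.

```python
from collections import deque

# Constructed call graph (caller -> callees); all names are hypothetical.
CALL_GRAPH = {
    "app.main": ["app.handle_upload", "app.render_report"],
    "app.handle_upload": ["libparse.parse_archive"],
    "app.render_report": ["libtemplate.render"],
    "libparse.parse_archive": ["libparse.read_header"],
    "libparse.read_header": [],
    "libtemplate.render": [],
    "libimage.decode_legacy": [],  # shipped in a dependency, never called
}

# Constructed findings: vulnerable library function plus exploit evidence.
# "in_the_wild" = actual exploitability, "poc" = potential exploitability.
FINDINGS = [
    {"id": "FINDING-A", "function": "libparse.read_header", "exploit": "poc"},
    {"id": "FINDING-B", "function": "libimage.decode_legacy", "exploit": "in_the_wild"},
    {"id": "FINDING-C", "function": "libtemplate.render", "exploit": "in_the_wild"},
    {"id": "FINDING-D", "function": "libparse.parse_archive", "exploit": "none"},
]

EXPLOIT_RANK = {"in_the_wild": 0, "poc": 1, "none": 2}


def call_path(graph, entry, target):
    """Breadth-first search; return the shortest call chain or None."""
    parents = {entry: None}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for callee in graph.get(node, []):
            if callee not in parents:  # also guards against call cycles
                parents[callee] = node
                queue.append(callee)
    return None


def prioritise(findings, graph, entry="app.main"):
    """Assumed ordering: reachable findings first, then by exploit evidence."""
    ranked = []
    for finding in findings:
        path = call_path(graph, entry, finding["function"])
        ranked.append({**finding, "reachable": path is not None, "path": path})
    ranked.sort(key=lambda f: (not f["reachable"], EXPLOIT_RANK[f["exploit"]]))
    return ranked


if __name__ == "__main__":
    for f in prioritise(FINDINGS, CALL_GRAPH):
        chain = " -> ".join(f["path"]) if f["path"] else "no call path from entry point"
        print(f'{f["id"]:10} {f["exploit"]:12} {chain}')
```

The unreachable finding with an exploit in the wild lands last under this rule, but it stays in the list: a later code change that adds a call to that function would make it reachable.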

We at Phoenix have compiled a list of sources as part of the threat intelligence work that powers the Phoenix Security cloud platform.

The Significance of Attribution and Lineage


Understanding who is responsible for what and where within an application’s lifecycle is the cornerstone of effective ASPM. Attribution ensures that vulnerabilities are assigned to the right teams, facilitating a quicker resolution. The lineage of an asset, on the other hand, provides a historical record of its evolution, from development through deployment, enabling better governance and control over the application ecosystem.


Application security ASPM and the engine light 


In application security nowadays, understanding the myriad threats and vulnerabilities can feel as daunting as a driver deciphering the inner workings of their automobile. Just like a driver relies on their vehicle’s performance without a detailed knowledge of every nut and bolt, individuals and organizations expect their digital systems to function securely without needing to understand each underlying detail. When the ominous glow of the check engine light—or in cybersecurity terms, an alert—illuminates the dashboard, it offers little more than a vague indication that something is amiss, lacking the specificity needed to address the issue directly. Typically, this scenario would necessitate a visit to a mechanic, where the car undergoes a thorough examination to pinpoint the problem, much like the detailed analysis required when a generic security alert is triggered.

Imagine, however, a scenario where your car’s diagnostics go beyond the ambiguous warning of the check engine light. Instead, a sophisticated alert system precisely identifies problematic components, such as specific bolts—bolt 123 and bolt 221—critical to the engine’s performance. This level of detail would not only expedite the repair process by directing attention to the exact issues but also alleviate the uncertainty and stress associated with vague warnings. Furthermore, if the diagnostic tool indicated that the issue with the bolts wouldn’t immediately compromise the vehicle’s operation, allowing for an additional 20-40 miles of safe driving, the driver could make an informed, risk-based decision on how to proceed—whether to address the repair immediately or plan for a visit to the garage at a more convenient time.

This analogy beautifully illustrates the value of precision and context in cybersecurity, especially within the realm of Application Security Posture Management (ASPM). By providing detailed, actionable insights into specific vulnerabilities and their potential impact, ASPM empowers organizations to make informed decisions on prioritizing and addressing security threats. This not only streamlines the remediation process but also enhances the overall security posture by focusing efforts on the most critical issues, thereby making the management of cybersecurity as straightforward and efficient as maintaining a well-running car.

Addressing the Complexity of Application Security

The complexity of securing applications in diverse environments can be likened to the intricacies of automotive engineering. Just as a driver relies on clear signals to understand their vehicle’s health, businesses require detailed and context-rich indicators to navigate the security landscape. ASPM serves as this sophisticated dashboard, offering precise alerts that enable swift and targeted interventions.

Phoenix Security’s ASPM: The Holistic Solution

Phoenix Security’s ASPM solution embodies this integrated approach by correlating applications with their deployment environments and establishing a risk-based framework for security management. It empowers application owners and developers to connect the dots between where applications are built and where they reside, streamlining the decision-making process regarding security interventions.


In conclusion, ASPM is not just another buzzword; it is a transformative approach that addresses the intricacies of modern application security. With its emphasis on traceability, reachability, attribution, and lineage, ASPM enables organizations to make informed, risk-based decisions that are crucial for maintaining a robust security posture in today’s complex digital ecosystems. Phoenix Security’s ASPM solution stands as a testament to the power of this comprehensive approach, providing the tools necessary for businesses to navigate the cybersecurity challenges of the digital age effectively.

How Phoenix Security Can Help


Phoenix Security helps organizations identify and trace which systems have vulnerabilities, understanding the relation between code and cloud. One of the significant challenges in securing applications is knowing where and how frameworks like Struts are used. ASPM tools can scan the application portfolio to identify instances of Struts, mapping out where it is deployed across the organization. This information is crucial for targeted security measures and efficient patch management. Phoenix Security’s robust Application Security Posture Management (ASPM) system is adept at not just managing, but preempting the exploitation of vulnerabilities through its automated identification system. This system prioritises critical vulnerabilities, ensuring that teams can address the most pressing threats first, optimising resource allocation and remediation efforts.


The Role of Application Security Posture Management (ASPM):

ASPM plays a vital role in managing and securing applications like those built with Apache Struts, Log4j and other vulnerabilities. It involves continuous assessment, monitoring, and improvement of the security posture of applications. ASPM tools can:

  1. Identify and Track Struts Components: Locate where Struts is implemented within the application infrastructure.
  2. Vulnerability Management: Detect known vulnerabilities in Struts and prioritize them for remediation.
  3. Configuration Monitoring: Ensure Struts configurations adhere to best security practices.
  4. Compliance: Check if the usage of Struts aligns with relevant cybersecurity regulations and standards.

By leveraging Phoenix Security, you not only unravel the potential threats but also take a significant stride in vulnerability management, ensuring your application security remains current and focuses on the key vulnerabilities.

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.
