ITSPmagazine Podcasts

Enhancing Security Posture by Automating and Optimizing Application Security | A Brand Story Conversation From Black Hat USA 2024 | An ArmorCode Story with Mark Lambert | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Listen to this Brand Story to discover how ArmorCode is revolutionizing application security and vulnerability management through comprehensive tool integration and AI-driven remediation. Join host Sean Martin in this insightful episode as ArmorCode's Mark Lambert shares strategies to prioritize business-critical assets and streamline security operations for enterprises.

Episode Notes

In this Brand Story episode recorded during Black Hat USA 2024, host Sean Martin sat down with Mark Lambert of ArmorCode to discuss the evolving challenges and innovative strategies in application security and vulnerability management.

ArmorCode stands out in its field by not being just another scanner but by integrating with an organization's existing tool ecosystem. Lambert explains that their platform connects with over 250 different source tools, from threat modeling to endpoint security, to provide comprehensive visibility and risk scoring. This integration is crucial for automating remediation workflows downstream and supporting various use cases, including vulnerability management and software supply chain security.

One of the core strengths of ArmorCode's platform is its ability to ingest data from a multitude of sources, normalize it, and contextualize the risk for better prioritization. Lambert notes that understanding both the technical and business context of vulnerabilities is essential for effective risk management. This dual approach helps organizations avoid the 'fire drill' mentality, focusing instead on business-critical assets first.

The conversation also touches on the breadth of ArmorCode's integrations, which include not just technical tools but also commercial and open-source threat intelligence feeds. This variety allows for a robust and nuanced understanding of an organization’s security posture. By correlating data across different tools using AI, ArmorCode helps in identifying vulnerabilities and weaknesses that could otherwise remain hidden.

Lambert emphasizes the platform's ability to streamline interactions between security and development teams. By bringing together data from various sources and applying risk scoring, ArmorCode aids in engaging development teams effectively, often leveraging integrations with tools like Jira. This engagement is pivotal for timely remediation and reducing organizational risk.

One of the exciting developments Lambert shares is ArmorCode's recent launch of AI-driven remediation capabilities. These capabilities aim to provide not just immediate fixes but strategic insights for reducing future risks. He explains that while fully automated remediation may still involve human oversight, AI significantly reduces the time and effort required for resolving vulnerabilities. This makes the security process more efficient and less burdensome for teams.

The episode concludes with Lambert discussing the significant adoption of AI functionalities among ArmorCode's customer base. With over 90% adoption of their AI correlation features, it's clear that businesses are seeing real-world benefits from these advanced capabilities. Lambert believes that the integration of AI into security practices is moving past the hype phase into delivering meaningful outcomes.

This insightful episode underscores the importance of comprehensive, AI-driven solutions in today’s security landscape. With experts like Mark Lambert at the helm, ArmorCode is leading the charge in making application security more integrated, intelligent, and efficient.

Learn more about ArmorCode: https://itspm.ag/armorcode-n9t

Note: This story contains promotional content.

Guest: Mark Lambert, Chief Product Officer, ArmorCode [@code_armor]

On LinkedIn | https://www.linkedin.com/in/marklambertlinkedin/

Resources

Learn more and catch more stories from ArmorCode: https://www.itspmagazine.com/directory/armorcode

View all of our Black Hat USA 2024 coverage: https://www.itspmagazine.com/black-hat-usa-2024-hacker-summer-camp-2024-event-coverage-in-las-vegas

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Enhancing Security Posture by Automating and Optimizing Application Security | A Brand Story Conversation From Black Hat USA 2024 | An ArmorCode Story with Mark Lambert | On Location Coverage with Sean Martin and Marco Ciappelli

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00]

Sean Martin: Alright, here we are. You're very welcome to a new Brand Story here on ITSP Magazine, where we get to cover all kinds of cool topics and new findings and new launches here at, I'll say, Black Hat, because we are at Black Hat. And, uh, yeah, I'm thrilled to have Mark Lambert on from ArmorCode. Mark, thanks for joining me. 
 

Yeah, thank you very much. Pleasure. It's always a good time, and A lot of stuff going on. Yeah, a lot of stuff going on. And I want to maybe for folks who the small number that aren't familiar with armor code. Yeah, maybe kind of the the elevator pitch of what you do and who you do it for.  
 

Mark Lambert: Yeah, yeah. So so we're in the application security and vulnerability management space now. 
 

But we're not a scanner. Uh, there are literally hundreds of scanners out there and more and more, you know, vendors entering the market every day. Um, and that's the challenge that we focus on solving. So what we do is we connect [00:01:00] into an organization's existing tool ecosystem, ingest that data into our platform, we normalize it for visibility, we prioritize it with contextual risk scoring, and then we enable, uh, Organizations to automate their remediation workbooks downstream. 
 

So the ArmorCode Application Security Posture Management Platform provides all of these core capabilities across use cases such as application security, vulnerability management, risk based vulnerability management is a term that many organizations understand, um, and then also software supply chain as well. 
 

Sean Martin: So how, how broad vulnerability can be a broad topic as well? How broad does ArmorCode go with respect to that?  
 

Mark Lambert: Great, great question. So, um, we actually ingest data from over 250 different source tools. That's everything from threat modeling all the way through the application security stack, which is obviously software composition analysis. 
 

Static application security testing, DAST, penetration testing, all the way through cloud, container, [00:02:00] infrastructure, traditional vulnerability managements, like a Tenable or Qualys, even all the way to endpoint. Uh, we bring all of that data. We integrate with threat, uh, intel feeds. We have our own threat intel feed as well as implement integrating with open source, such as CISA KEV, bringing in EPSS data, as well as integrating with commercial feeds like Mandiant or VoltDB as well. 
 

Um, so you, uh, you, you asked me kind of like, what's the. It's pretty broad, and it's not just CVE. So when people think of vulnerabilities, they normally default to a CVE. Um, you know, that's obviously a published vulnerability. We can leverage threat intelligence there to further do additional risk scoring of that context. 
 

Um, we also support, um, You know, vulnerabilities that are found through red teaming or pen testing or bug bounty programs as well as ingesting of weaknesses. So once we've kind of gone from our reactive mode of reacting to a vulnerability that's been discovered, we can actually correlate that data to the actual underlying weakness, and then organizations can start being proactive with their software security [00:03:00] programs and focusing on the most prevalent weaknesses that they need to address within their organization. 
 

Sean Martin: So in terms of getting visibility, uh, so all those sources, um, the breadth up and down for the, the content that you're collecting and ingesting and, and I presume painting a picture of what that looks like. To me, that's one side of the coin. The other is what does the business look like? So what's the environment, what sector are they in, what tech kind of, what their threat intelligence. 
 

That other side of the coin, how, how do you work with that?  
 

Mark Lambert: Yeah. So, so really when we talk about risk and understanding the risk associated with a finding, it could be a vulnerability or a weakness, um, there's a context that goes along with that, which is your business context. So when we talk about risk scoring, there's the technical risk of the thing that's found, and then the contextual risk or the business impact or the business importance of where it is found. 
 

Those things, two things come together to give us our risk scoring [00:04:00] that we can then use to. Understand our posture across our organization, but then also prioritize tasks as well. So we're not doing a fire drill on every system with the next log4j jobs, for example. We're focused on business critical assets. 
 

And then maybe like the back end data sciences application that's not externally facing. It's a non business critical component that can, you know, wait 24 hours or 48 hours rather than all of the front end web apps that we're running our core businesses that need to be escalated. Right.  
 

Sean Martin: I presume, I don't want to assume, but I presume you are looking at commercial apps, bespoke apps, Uh, yeah, apps that are built together, pulled together with APIs and whatever else, right? 
 

I'm thinking of things like Zapier and whatever, where somebody's building a no code application, basically, using other pieces. Um, how do you, how do you help? Organizations not just prioritize where they're [00:05:00] exposed and how, yeah, how that might impact their business, but there's a lot of teams, even just that last example, it might be somebody in marketing building an automation workflow, right? 
 

It's using stuff. So how do you then work with the business and more specifically the I. T. ops and the security ops and the app dev and the dev ops to orchestrate?  
 

Mark Lambert: Yes. All of that. Yeah. Well, I mean, I think you touched upon, like, a key challenge. The first problem is visibility, right? Being able to get an understanding of what exists in my ecosystem. 
 

And we do that by connecting to sources of information. The vulnerability scanners, you know, the, the, the, the scanners, the tools themselves, provide one set of inventory information. You can also connect to, um, CMDBs, we can connect to things like your code repositories, identify where code exists there. 
 

Start, build out a very large map of what exists in the organization, and then you can start to operationalize that, by tying that back to the teams, giving the [00:06:00] teams visibility and engaging them in the conversation. So what normally happens with an organization is we'll connect to the sources of truth, right, where the data is, where the inventories are, we'll bring all of that data together into the platform, start applying the risk scoring, identifying the things that need to be prioritized, and then it gets handed over for remediation. 
 

To the development teams, and often this is where you start getting more engagement with the development teams through things like integrations with Jira, for example, and that further refines the process and increases the escalation, and we're very fortunate to be working with a fantastic community of enterprise class organizations. 
 

I mean, this is. An enterprise problem, not an individual team problem, and that's what drives up our volume of data that we've been working on. So we caught. We often talk about the three V's and these are the things that lay the foundation for AI functionality: volume. We've processed over 10 billion findings now within the platform. Variety. 
 

This is where we integrate with over 250 different source tools [00:07:00] again from threat modeling all the way through. Um, and then validation. Over 2,000 security professionals leveraging the platform to support over 75,000 developers. So, those three things together really help us, uh, or has helped us build a platform that helps organizations deploy at enterprise scale. 
 

And then further drive kind of like the advancements in the technology that we've AI capabilities. Yeah.  
 

Sean Martin: So, what I hear in there is Not only find value in what you do, but they're not pulling their hair out and losing sleep because you're there.  
 

Mark Lambert: Yeah, the whole point is to streamline that interaction, right? 
 

So, you know, we often see that, you know, organizations, you know, to address the challenge of the rising number of vulnerabilities. We just deploy another scanner. Um, and then the trouble is that's just more data and now it's more data in a siloed system and it ultimately ends up with lots of contextual [00:08:00] switching, lots of. 
 

Um, kind of like friction between the security team and development and also actually inside of the security team with the application security and the vulnerability management because you'll have to get on the same page. Um, so if we're able to bring that together, streamline the interactions, optimize triaging workflows as well as the remediation workflows. 
 

Then, ultimately, we're driving towards, you know, uh, shorter SLAs, reducing MTTR, ensure a mean time to remediation, making sure that our organizations are able to deliver in accordance with their internal mandates.  
 

Sean Martin: So what are some of the outcomes? I think anybody listening and clearly you and I can see that if you have better visibility, better context, connection to the business and the impact it might have. 
 

You can finally tune and run a program that's more efficient, more effective, and hopefully broader, [00:09:00] broader, uh, coverage as well. The other side of that though, is the benefit to the team, the benefit to the program, benefit to the business. Um, any nuggets you can share on how customers can speak to, The value that they get beyond just a mean time to detect and respond. 
 

Mark Lambert: Yeah, I mean, that usually is one of the biggest key areas, right? So, you know, um, it's not just the mean time to respond. So it's also kind of like, um, there's insecurity. We have this, uh, zero tolerance, right? It's like, hey, we have to fix everything. Um, so, but as we know, the volume of findings and vulnerabilities is just growing exponentially. 
 

So we're never going to fix it. But if we can burn down our debt, if we can proactively identify areas of opportunity for us to protect the business, we're fundamentally reducing our organizational risk. Now that's a, that's a soft benefit. It's difficult to quantify that. Um, but being able to demonstrate that progress, demonstrate the ability to, that you're burning through your backlog, [00:10:00] and that you have optimizations in place, and a lot of those optimizations are driven through the capabilities such as, you know, AI correlation and AI remediation within the platform to streamline that. 
 

Sean Martin: So this is a question I ask often, but only when I feel that the conversation lends itself well to it. And I think this one does. I have a personal belief, based on experience of stuff that I've done over decades, that security with the right information and the right mindset can actually change the business to reduce the impact on the business. 
 

The business has on security, if that makes sense. An example might be, we have these five systems that we're running. And they all, every month, they have five new patches, or ten new patches, or a hundred new, whatever the number is. And we're just spending a ton of time, over and over and over. If we could just change [00:11:00] that system, or if it might be a workflow, or a business process, or an application, or whatever. 
 

Thank you. If we can change that, we're going to reduce the number of findings, reduce the exposure, reduce the time to response, because we're going to eliminate it because we're not, we don't have this vulnerable application or system in place anymore. So your thoughts, well, do you believe that that's possible? 
 

And if so, have you experienced anything with customers that might lead to that? 
 

Mark Lambert: So, so I, I think it is, um, I think it's a goal. Okay. So, um, there are a number of things that need to be in place for us to be able to really kind of like respond in a, in almost a fully automated way. So, I mean, the, the first thing I would say is you are, we touched upon this a moment ago, right? 
 

Is. The business setting the priorities from the point of view of, Hey, this is, these are my crown jewels. And I see that in most enterprise class organizations, especially those in the financial services sector, they will have their set of crown jewels. These are the high value targets [00:12:00] that we have to protect at all costs. 
 

We're going to define our SLAs there, but everything else, we're going to like let you guys figure it out and do it in your own, in your own timeframe. That's one of the ways that business can help security without kind of like getting in, in, in the way, if you like. Um, one of the things ultimately that a lot of people talk to me about is, can you do fully automated remediation? 
 

So, can I just let the machine self heal itself? Um, and, and there's a really, you know, the short answer to that question is yes, if you had a fully functional validation, which nobody has. But what you can do is you can optimize the process to the point where the human's involved. So, you know, one of the things, for example, is, like, automated, you know, injection of, uh, you know, fixes to code, uh, which are application security centric. 
 

Not something we do at ArmorCode, but something that our partners do, like a mob security, for example. Um, you know, however, that code still needs to be reviewed by a human being. But if you can get it ultimately to the end, that review time is, is less.  
 

Sean Martin: Maybe, [00:13:00] maybe this is probably more connected to some of the stuff that you've recently released, uh, in your platform, so maybe, Yeah, highlight some of that work. 
 

Mark Lambert: Sure, sure. So I, I touched upon the three V's right? Uh, volume, variety, and validation. And that, you know, we're, as I said, we're very fortunate at ArmorCode. We've been working with some amazing enterprise class organizations, which has really kind of like set us up to have a great community. We're identifying real uses of AI that can be used to remove those bottlenecks in the process. 
 

So actually at RSA this year, we released our AI correlation, which gives us the ability to correlate findings across tools using data fusion. Um, we've done cross tool correlation in the industry for decades, you know, basically taking attributes. Find the same attribute with different tools. The problem, though, is if you're trying to cross a different scan type, so again, the variety, it's very difficult to correlate something like a DAST finding with a SAST finding. 
 

So, you know, dynamic testing and static testing. It's difficult to correlate runtime container with the underlying software [00:14:00] composition analysis data. What AI has done is it's unlocked the ability for us to understand the context of a finding and starts to do classification and labeling so that we can actually start to bridge that information together. 
 

Um, so that's what released RSA, what releasing here at Black Hat is our AI remediation, um, at a level above the individual scanner, really helping organizations with. A strategy for how to address not just this issue, but the other issues that are related to them as well. So, you know, a lot of times we talk about automated remediation. 
 

It's very tactical. It's, hey, give me the line of code that updates this thing. Um, and, you know, we give some of that information, our remediation guidance as well. But we're going beyond that to say, how can I prevent the impact of something similar to this in the future? So what's my priority two, three, and four strategies rather than just update a library? 
 

So it's a little bit. Kind of like reducing the risk of the whack, you know, playing whack a mole with the next, you know, log4j  
 

Sean Martin: Yeah. And I, I suspect if somebody or multiple really smart people sat [00:15:00] down, they might be able to do that. Mm hmm. Yeah. But it would take a heck of a long time. And, and resources are constrained. 
 

The findings are piling up. So, leveraging technology to, to do that is great. How, how involved does a human, uh, Get both on your side and customer side in this new world.  
 

Mark Lambert: Well, you know, what's really interesting is that, you know, when, when, when I first came on the scene on this lead on the most recent wave that we're having, um, you know, everybody's like, well, okay, you know, chat, um, you know, GPT is going to take my job, right? 
 

Well, it's not anybody that's used. It knows that you have to. It's a tool and it's a tool is going to make you more effective. It's also a tool that can elevate, uh, members of the team that maybe aren't as skilled, um, and really, you know, the way I view the capabilities we've introduced inside of ArmorCode, it really is like a security assistant or a virtual security champion, you know, elevating and identifying, kind of like, Hey, this finding is correlated with these other ones. 
 

Rather than [00:16:00] you having to sift through all the data, it's giving you the needles in the haystack rather than the whole haystack. The remediation is like, rather than having to do Google searches or building, you're going through trainings as to how to do a remediation strategy. It's right there in the platform and it's generated based on an LLM that's contextually trained upon what these vulnerabilities and weaknesses are and what the best practices are. 
 

Um, and then that gives you a tool that ultimately is If you're an expert, it reduces your time, and if you're, you're not an expert, but part of the team, you're able to start elevating.  
 

Sean Martin: I love that term, virtual security champion. Yeah. That's really cool. That's really cool. Well, Mark, it's been a pleasure chatting with you. 
 

I don't know, is there anything else that we didn't touch on that you want to highlight? I, you know what, I I think there was some, some findings. as well.  
 

Mark Lambert: Yeah, I mean, I think that the one thing that I'll kind of like highlight is, you know, the adoption of the AI capabilities have been significant within the customer base. 
 

We actually have over 90 percent adoption of the correlation functionality, over six models [00:17:00] have been now being deployed, correlating different types of things. I think we're really at the point now with AI that we're beginning to see real world business benefits. We're kind of beyond the hype phase. Um, and we're getting into that phase where we're actually able to leverage it for meaningful, uh, outcomes. 
 

Sean Martin: 90%. That's impressive. That's impressive. Well, Mark, thanks very much for, uh, taking this time and, uh, sharing this CodeArmor story with us. Yeah. And, uh, best of luck to you at the show. Uh, if you're listening to this while you're at Black Hat, be sure to visit, uh, Mark and team down at the CodeArmor, uh, booth. 
 

Uh, and if not Connect with Mark and team on LinkedIn. We'll, we'll of course include links to, uh, to connect with them on LinkedIn and, uh, on their website. And I know you have some campaigns running as well. So yes, all that stuff too. So thanks everybody. Thanks, Mark. Great. Thank you very much. Looking forward to the next time.