Frankenstack is real. How do you get the monster back under control without compromising on cybersecurity?
Almost 80% of U.S. tech decision-makers report moderate-to-extensive levels of tech sprawl. It feels like a safe bet that security teams are leaning towards the “extensive” end of that spectrum: The average team now monitors 129 applications and over 119,000 alerts. Zoom into AppSec, and over 70% of organizations report using 11 or more individual application security tools.
To be fair, new threats and attack surfaces emerge all the time; when the goal posts keep moving, adding defenders to the pitch feels like the right thing to do, even if they don’t always fit in with the overall game plan. And many of these tools have been genuinely transformational.
So why are we still shipping code and applications with known vulnerabilities? Are we managing AppSec risks, or managing tools? And what are you supposed to do when the very tools designed to make life easier become a big part of the problem?
AppSec Complexity is Costly
For AppSec practitioners, tools like DAST, SAST, and SCA have enabled a holistic approach that integrates security into DevOps practices, helping to prevent silos. But they don’t often “talk” to each other. Reality check: Many current AppSec tools lack sufficient context to manage growing software supply chain risk, meaning that defenders are staring down the barrel of a coverage and visibility gap that is in no small part created by tech sprawl.
Before we look at where we’d like to be, it’s worth having a quick overview of where we currently are. It’s not pretty:
Infrastructure complexity creates opportunity – for attackers: Too many tools, often with overlapping functionality, create a perfect storm of alert volume, manageability, and data correlation challenges. The result is fragmented visibility, missed threats, and slower response times.
Loss of control: Loss of visibility feeds into loss of control. You can’t manage a blind spot, nor can you enforce policies consistently across highly fragmented estates.
Integration issues: Many security teams operate with a mix of legacy, acquired, and new technologies that can’t/won’t work together. Tools that can’t integrate with existing processes or critical technologies reduce overall effectiveness and create complexity.
Cybersecurity skill gaps: For every tool added, there’s a need for additional expertise, management, and maintenance. Security gaps emerge when end users lack the skills to maximize insights or correlate data. And that’s before we consider what happens when “The One Person who knew how to run X in conjunction with Y without breaking A” leaves the organization.
Increased costs: Operational inefficiency and security gaps are costly. Tool overlap and/or redundancy mean many organizations are paying multiple vendors for functionality they already have or don’t need. Similarly, buying new tech without retiring older tools can create costs around integration and compatibility.
Ultimately, the answer to the question “Can you have too many security tools?” is “Yes.” The challenge is determining how to trim the fat without undermining your overall strategy.
Here are some tips to help you get there.
1. Double Down on Asset Discovery
You can’t protect what you don’t detect. And you can’t retire or integrate software you don’t know you’re running. IDC research places discovery at the heart of fixing tool sprawl. Because missing even one tool can have serious implications for your overall security posture, IDC recommends doubling (or even tripling) the discovery part of your process.
Following the discovery process, periodic audits will help security teams identify under-used/overlapping tools, as well as gaps in coverage – and rationalize accordingly. This not only streamlines processes but frees up resources to invest in more impactful technologies or processes.
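The audit described above can be made repeatable once the discovery step has produced an inventory. The following script is an added example (not IDC's or OX Security's method) that runs over a constructed inventory; the field names, the required-capability set and the 90-day staleness threshold are assumptions to adapt to your own policy. It reports coverage gaps, capabilities covered by more than one tool, tools nobody has acted on recently, and which of those stale tools could be retired without opening a new gap.

```python
"""Tool-inventory audit over a constructed inventory: flags coverage gaps,
overlapping capabilities and stale tools, then separates stale tools that
are safe to retire from stale tools that are the sole provider of a
capability. Added illustration; field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import date

# Capabilities the programme is expected to cover (assumed policy; adjust to yours).
REQUIRED_CAPABILITIES = {"SAST", "DAST", "SCA", "SBOM", "SECRETS", "IAC"}

# Constructed inventory. In practice this is the output of the discovery step
# (procurement records, SSO application lists, CI configuration, agent inventories).
INVENTORY = [
    {"name": "sast-alpha", "capabilities": {"SAST"},
     "last_finding_triaged": date(2024, 5, 20), "annual_cost": 40000},
    {"name": "sast-beta", "capabilities": {"SAST"},
     "last_finding_triaged": date(2023, 11, 2), "annual_cost": 25000},
    {"name": "sca-one", "capabilities": {"SCA", "SBOM"},
     "last_finding_triaged": date(2024, 6, 1), "annual_cost": 30000},
    {"name": "dast-legacy", "capabilities": {"DAST"},
     "last_finding_triaged": date(2023, 1, 15), "annual_cost": 18000},
]
AUDIT_DATE = date(2024, 6, 30)  # constructed "today" so the result is reproducible


def audit_inventory(inventory, today, stale_days=90, required=REQUIRED_CAPABILITIES):
    """Return gaps (required capability with no tool), overlaps (capability
    covered by more than one tool), stale tools (no finding triaged within
    stale_days), the stale tools whose every capability is also covered by
    another tool (retire candidates) and the spend those candidates represent."""
    by_capability = defaultdict(list)
    for tool in inventory:
        for cap in tool["capabilities"]:
            by_capability[cap].append(tool["name"])
    by_name = {t["name"]: t for t in inventory}

    gaps = sorted(cap for cap in required if not by_capability.get(cap))
    overlaps = {cap: sorted(names) for cap, names in by_capability.items() if len(names) > 1}
    stale = sorted(t["name"] for t in inventory
                   if (today - t["last_finding_triaged"]).days > stale_days)

    # A stale tool is only a retirement candidate if nothing it covers would
    # become a gap; a stale sole provider (here: dast-legacy) is a process
    # problem to fix, not a tool to drop.
    def covered_elsewhere(tool):
        return all(len(by_capability[cap]) > 1 for cap in tool["capabilities"])

    retire_candidates = sorted(n for n in stale if covered_elsewhere(by_name[n]))
    candidate_savings = sum(by_name[n]["annual_cost"] for n in retire_candidates)
    return {
        "gaps": gaps,
        "overlaps": overlaps,
        "stale": stale,
        "retire_candidates": retire_candidates,
        "candidate_savings": candidate_savings,
    }


def run_audit():
    """Convenience wrapper that audits the constructed inventory as of AUDIT_DATE."""
    return audit_inventory(INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

On the sample data the audit finds no tool for IaC scanning or secrets detection, two SAST products covering the same ground, and one of them (sast-beta) stale and safe to retire; dast-legacy is stale too, but dropping it would open a DAST gap, which is exactly the kind of mistake a rationalization exercise run without a discovery step tends to make.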
2. Consolidate Tools to Reduce Complexity
Security practitioners looking to consolidate their tech stack essentially have two obvious choices: Use fewer tools or work with fewer vendors – a.k.a., “Best-of-breed vs platform strategy”. Many best-of-breed tools do a great job at one or two things, but at what cost? Team8 CISO-in-residence Ross Young’s recent comparison is revealing:
You can trim your stack to run only a select, small number of best-of-breed solutions – and still potentially face integration and correlation challenges. Or you can adopt a consolidated approach, such as Application Security Posture Management (ASPM), which mitigates many of the obstacles caused by tool sprawl, by unifying Application Security Testing (AST), software supply chain security, and security management tools into one management plane.
3. Centralize Visibility and Control
The logical extension of steps one and two above, this approach breaks down the silos between tools and data, giving defenders comprehensive visibility into their AppSec environment. A centralized plane or dashboard that aggregates data from all tools – including DAST, SAST, SCA, SBOM, and software supply chain security (SSCS) tools – enables more efficient risk-based threat identification, prioritization, and remediation. This approach helps AppSec teams focus on the 5% of threats that really matter to their organization.
4. Automate for Simplicity and Efficiency
Automation plays a crucial role in eliminating AppSec tech sprawl, supporting everything from visibility to resource allocation. As we saw earlier, the average application security team monitors over 100 applications, with over 119,000 security alerts generated annually. OX Security’s Katie Teitler-Santullo says the only way AppSec teams can cope with the volume is to use automation to correlate which alerts relate to the same core issue. “That level of contextual analysis reduces the volume of overall alerts by more than 97%,” she says.
It’s not just about gaining clarity; automation enables centralized policy enforcement and orchestration, helping reduce the need for multiple, overlapping tools. Automated workflows ensure consistent standards and configuration across developer and AppSec teams, while driving the kind of collaboration that underpins seamless workflows.
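The correlation step described above only works once alerts from different scanners are expressed in one schema. The script below is an added example, not OX Security's AppSec Data Fabric or any real vendor's output format: the scanner names, their field layouts, the advisory identifiers (ADV-xxxx) and the severity assigned to secrets findings are all constructed. It normalizes each raw alert into a common record and groups records by a root-cause key, on the assumption that the same weakness class in the same file, or the same advisory against the same package version, is one core issue however many tools or lines report it.

```python
"""Normalize alerts from several hypothetical scanners into one schema and
group them by root cause so that one issue, not N alerts, reaches the
triage queue. Added example; scanner formats and identifiers are constructed."""
from collections import defaultdict

SEVERITY_WORDS = {"CRITICAL": 9.5, "HIGH": 8.0, "MEDIUM": 5.0, "LOW": 2.0}

# Constructed raw alerts, each in its own scanner's shape (package name and
# advisory ids are made up for the example).
RAW_ALERTS = [
    {"source": "sast-alpha", "repo": "payments", "file": "src/db.py", "line": 40, "cwe": "CWE-89", "sev": "HIGH"},
    {"source": "sast-alpha", "repo": "payments", "file": "src/db.py", "line": 57, "cwe": "CWE-89", "sev": "HIGH"},
    {"source": "sast-beta", "repo": "payments", "path": "src/db.py", "rule": "sqli", "cwe_id": 89, "severity": 7.5},
    {"source": "sca-one", "repository": "payments", "pkg": "jsonutil-lite", "version": "2.3.1",
     "advisory": "ADV-0001", "cvss": 7.2, "manifest": "package-lock.json"},
    {"source": "sca-one", "repository": "payments", "pkg": "jsonutil-lite", "version": "2.3.1",
     "advisory": "ADV-0001", "cvss": 7.2, "manifest": "frontend/package-lock.json"},
    {"source": "sca-two", "repo": "payments", "component": "jsonutil-lite@2.3.1", "vuln": "ADV-0001", "rating": "HIGH"},
    {"source": "secrets-scan", "repo": "billing", "file": "config/.env", "kind": "cloud_access_key"},
    {"source": "sast-alpha", "repo": "billing", "file": "src/upload.py", "line": 12, "cwe": "CWE-22", "sev": "MEDIUM"},
]


def normalize(alert):
    """Map one raw alert into the common schema:
    repo, location, issue, severity (0-10 float), source."""
    src = alert["source"]
    if src == "sast-alpha":
        return {"repo": alert["repo"], "location": alert["file"], "issue": alert["cwe"],
                "severity": SEVERITY_WORDS[alert["sev"]], "source": src}
    if src == "sast-beta":
        return {"repo": alert["repo"], "location": alert["path"], "issue": f"CWE-{alert['cwe_id']}",
                "severity": float(alert["severity"]), "source": src}
    if src == "sca-one":
        return {"repo": alert["repository"], "location": f"{alert['pkg']}@{alert['version']}",
                "issue": alert["advisory"], "severity": float(alert["cvss"]), "source": src}
    if src == "sca-two":
        return {"repo": alert["repo"], "location": alert["component"], "issue": alert["vuln"],
                "severity": SEVERITY_WORDS[alert["rating"]], "source": src}
    if src == "secrets-scan":
        # Hard-coded credentials are CWE-798; the 9.0 severity is an assumed policy value.
        return {"repo": alert["repo"], "location": alert["file"], "issue": "CWE-798",
                "severity": 9.0, "source": src}
    raise ValueError(f"unknown scanner format: {src}")


def correlate(raw_alerts):
    """Group normalized alerts by (repo, location, issue): the root-cause key."""
    groups = defaultdict(list)
    for alert in raw_alerts:
        rec = normalize(alert)
        groups[(rec["repo"], rec["location"], rec["issue"])].append(rec)
    return groups


def summarize(raw_alerts):
    """Collapse raw alerts into ranked issues and report the volume reduction."""
    issues = []
    for (repo, location, issue), records in correlate(raw_alerts).items():
        issues.append({
            "repo": repo, "location": location, "issue": issue,
            "alerts": len(records),
            "sources": sorted({r["source"] for r in records}),
            "severity": max(r["severity"] for r in records),  # worst-case wins
        })
    # Highest severity first; among equals, the issue more tools agree on.
    issues.sort(key=lambda i: (-i["severity"], -i["alerts"]))
    reduction = 1 - len(issues) / len(raw_alerts)
    return {"raw": len(raw_alerts), "issues": len(issues), "reduction": reduction, "ranked": issues}


if __name__ == "__main__":
    result = summarize(RAW_ALERTS)
    print(f"{result['raw']} alerts -> {result['issues']} issues ({result['reduction']:.0%} reduction)")
    for issue in result["ranked"]:
        print(issue)
```

Eight raw alerts collapse to four issues here; on a real estate with many scanners hitting the same repositories the ratio is far steeper, which is where figures like the 97% quoted above come from. The choice of grouping key is the policy decision: group too coarsely and distinct bugs get hidden behind one ticket, too finely and the duplicates come back.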
5. Implement Application Security Posture Management (ASPM)
For AppSec teams, ASPM is the point around which wider tech sprawl reduction and consolidation converge. It removes the historical silos between application and vulnerability scanning tools, providing more context and giving AppSec practitioners the ability to prioritize, fix, and track issues throughout the software development lifecycle (SDLC). Because it integrates directly into CI/CD pipelines, ASPM significantly reduces the need for multiple standalone scanners at different stages of the SDLC, bridging the gap between developer and AppSec teams and converging around shared solutions.
With ASPM, AppSec and developer teams can evolve from simply finding CVEs to understanding and flagging libraries that are badly maintained, have poor hygiene, or are out of date. This adds the contextual component missing from siloed, traditional AppSec and DevOps processes – allowing teams to focus on the threats that have the most business impact, rather than trying to chase and fix everything.
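The hygiene signals mentioned above (maintenance activity, version currency, known advisories) can be scored from SBOM data and weighted by how exposed the consuming service is. The script below is an added example and not OX Security's prioritization logic; the dependency records, package names, advisory ids, the two-year "unmaintained" threshold and the flag weights are constructed assumptions. It goes slightly beyond the text by combining the hygiene flags with an exposure multiplier, so the ranking reflects business impact rather than CVE count alone.

```python
"""Score dependencies from a simplified, constructed SBOM on maintenance
hygiene and version currency, then rank them with an exposure multiplier.
Added example; records, thresholds and weights are assumptions."""
from datetime import date

# Constructed, CycloneDX-like records reduced to the fields the scoring uses.
# "latest" would normally come from the registry, "advisories" from an SCA feed.
SBOM = [
    {"name": "web-router", "version": "2.4.0", "latest": "2.4.1",
     "last_release": date(2024, 5, 10), "maintainers": 6, "advisories": [], "internet_facing": True},
    {"name": "yaml-lite", "version": "1.2.0", "latest": "3.0.0",
     "last_release": date(2024, 4, 1), "maintainers": 2, "advisories": ["ADV-0002"], "internet_facing": True},
    {"name": "legacy-xml", "version": "0.9.1", "latest": "0.9.1",
     "last_release": date(2019, 6, 1), "maintainers": 1, "advisories": [], "internet_facing": False},
    {"name": "crypto-shim", "version": "1.0.0", "latest": "1.0.0",
     "last_release": date(2024, 1, 15), "maintainers": 3, "advisories": [], "internet_facing": False},
]
REVIEW_DATE = date(2024, 6, 30)  # constructed "today" for a reproducible result

# Assumed weights: a known advisory outranks every hygiene signal on its own.
WEIGHTS = {"known-advisories": 5, "major-version-behind": 3, "unmaintained": 3,
           "out-of-date": 1, "single-maintainer": 1}


def version_tuple(version):
    """Turn a dotted numeric version string into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def hygiene_flags(dep, today, stale_years=2):
    """Return the list of hygiene problems observed for one dependency."""
    flags = []
    current, latest = version_tuple(dep["version"]), version_tuple(dep["latest"])
    if current < latest:
        flags.append("major-version-behind" if latest[0] > current[0] else "out-of-date")
    if (today - dep["last_release"]).days > stale_years * 365:
        flags.append("unmaintained")  # no release in stale_years: bus-factor and patch risk
    if dep["maintainers"] <= 1:
        flags.append("single-maintainer")
    if dep["advisories"]:
        flags.append("known-advisories")
    return flags


def prioritize(sbom, today):
    """Score every dependency and rank highest risk first. Internet-facing
    consumers double the score: the same weak library matters more there."""
    ranked = []
    for dep in sbom:
        flags = hygiene_flags(dep, today)
        score = sum(WEIGHTS[f] for f in flags)
        if dep["internet_facing"]:
            score *= 2
        ranked.append({"name": dep["name"], "flags": flags, "score": score,
                       "advisories": list(dep["advisories"])})
    ranked.sort(key=lambda d: -d["score"])
    return ranked


def run_prioritization():
    """Rank the constructed SBOM as of REVIEW_DATE."""
    return prioritize(SBOM, REVIEW_DATE)


if __name__ == "__main__":
    for entry in run_prioritization():
        print(f"{entry['score']:>3}  {entry['name']:<12} {', '.join(entry['flags']) or 'clean'}")
```

The ordering this produces is the point: legacy-xml has no CVE against it yet still ranks above web-router, because a five-year-old, single-maintainer library is a supply-chain risk whether or not anyone has filed an advisory, while a minor patch lag on a well-maintained router is noise.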
Cutting Through the Chaos: OX Security
OX Security’s ASPM Platform integrates with over 100 open-source and commercial security tools to give AppSec teams a single, comprehensive view of the software supply chain. Our AppSec Data Fabric normalizes data from multiple sources into a consistent format, overcoming the challenge of fragmented data from siloed tools, and enabling AppSec teams to correlate insights from across their application portfolio.
OX Security empowers organizations to eliminate tool sprawl, while confidently enabling scalable and secure development. It streamlines application security practices, mitigating risks across the software supply chain by providing end-to-end visibility, contextualized prioritization, and automated response and remediation.
Learn more about how OX automates your application security posture management.