At first glance, application security posture management (ASPM) software platforms sound like enticing additions to your AppSec workflows: The vendors promise everything from an end to tool sprawl to the delivery of multiple code-scanning capabilities, broad software supply chain insights, and reductions in nagging security alerts. In other words, they’re the answer to some of IT’s biggest security management hassles.
But ASPM has glaring shortcomings. In particular: an inability to take on some of the most common, stealthy, and destructive modern threats — including hard-to-find malware like the recent Shai-hulud worm on npm.
Here’s what you need to know about the limitations of current ASPM platforms — and why modern software supply chain security controls are essential to making ASPM effective.
ASPM cannot find, isolate, and remove modern threats such as malware without help from binary analysis and reproducible build techniques, which are used to assure that code has not been targeted and changed by attackers. Being based on simpler, traditional code-scanning methods, ASPM does not offer adequate software supply chain security, said Jasmine Noel, senior product marketing manager at ReversingLabs (RL).
Jasmine Noel: Malware is a fundamentally different thing than a code vulnerability. Malware gets down into the software code. Code vulnerabilities are accidental, an overlooked thing, a mistake or something. With malware, attackers are attacking with their tools, and it is not just incorrect coding.
Noel said attack vectors have changed dramatically since 2020, when SolarWinds’ Orion IT monitoring and management source code was modified by attackers who injected malicious backdoor code allowing them to conduct surveillance and execute arbitrary commands on affected systems. Since then, people have realized that coding mistakes and vulnerabilities are not the only way malicious actors can attack software, Noel said.
Jasmine Noel: It is much broader than that. Another way attackers can attack software that does not involve vulnerabilities is that they break into the software development pipeline and they insert some malware in there, then they go their merry way. And then if nobody is testing for malware in the code in the binary or in the package that they have produced, they do not know that they are about to ship something that is dangerous.
She said that if all you are using to review your code is an ASPM platform built on traditional application security testing (AST) tools, such dangerous situations will be missed, because simple code scanners cannot find things like malware in binaries. “ASPM is looking for the wrong thing. It is actually hard to find malware,” Noel said, and classic application security tools do not even look for it.
To fill this significant protection gap, enterprises and development teams can bring in binary analysis tools, which can be integrated with ASPM platforms to provide broader security analysis, said Noel.
Binary analysis searches the binary code in software packages to look for dangerous and destructive components such as malware. As it analyzes the binary code, it validates its configuration and code provenance while seeking out hidden payloads, nefarious functions, and undocumented features such as backdoors that may have been secretly installed by attackers.
Because it allows developers to gain visibility into production code, binary analysis is especially useful when looking for potential hidden attacks in commercial applications.
By merging binary analysis capabilities with ASPM, developer teams can discover and fix code vulnerabilities and receive notifications when malware is detected in development pipelines, Noel said.
Jasmine Noel: We call it binary analysis to differentiate it from code-scanning tools. Binary analysis tools will connect with any sort of application and security testing tool, combine all the different vulnerabilities that are reported from these tools, de-dupe them, and then prioritize them so that developers know what to fix.
For developers, the presence of stealthy and dangerous malware that has been injected into an enterprise application by cyberattackers must be the focal point of efforts to find and remove it, said Noel. People have to broaden their perspective on what constitutes risk in software.
Jasmine Noel: What should my developer fix first? They should go hunt down this piece of malware that was found in there and kick that component out and replace it with something that is not tampered with. They should do that before they fix whatever other vulnerability that they have next on the list. Vulnerabilities that have malware built to take advantage of them should always be higher on your fix-it list.
Bob Shaker, chief product technology officer at ActiveState, said that many security tools, including code scanners, are insufficient for complete supply chain security.
Bob Shaker: We often say that partial solutions create partial security. Most security tools are great at detection, but they stop there. They hand your developers a long list of vulnerabilities, leaving them to manually sort through fixes, which is a critical gap we call ‘the last mile of remediation.’
Along with binary analysis, reproducible builds are considered a crucial component in software supply chain security, Noel said.
Reproducible build techniques allow developers to compare two versions of their code to be sure that both are identical and secure and that neither has hidden, destructive features that might have been injected by attackers. By being able to detect and flag any unauthorized changes, reproducible builds help developers to ensure that their production code is untainted, increasing its safety, trustworthiness, and reliability.
While noting that code scanning alone is not sufficient against modern supply chain threats, Katie Norton, research manager for DevSecOps and software supply chain security at IDC, said this reality is part of the reason why ASPM is gaining traction.
Katie Norton: It can bring in a wide range of signals — which could include binary analysis results, SBOMs, or even evidence of provenance — and correlate them into a single risk picture. Rather than replacing those controls, ASPM provides the context and prioritization layer that helps organizations make sense of them.
Norton said that her research of the ASPM tools market identifies them as a broader control plane that unifies signals from across the software development lifecycle — code, dependencies, pipelines, repositories, and even runtime telemetry.
Katie Norton: So I would not say that ASPM is flawed, but rather that it is only as strong as the sources of data it ingests.
Using ASPM that leverages binary analysis and reproducible builds, teams can create two build pipelines for the same software package, RL’s Noel said. “Once that package is built, they will compare them. And if they are the same, then they passed the reproducibility test, and we know that someone has not tampered with our infrastructure or interfered with the build process,” she said.
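The reproducibility test Noel describes, as an added illustration that is not code from the article or from any ReversingLabs product: two independently built packages are compared member by member, so a component swapped in by a pipeline intruder is named rather than hidden behind a single "hashes differ" verdict. The package layout, file contents and the tampered helper library are constructed sample data.

```python
import hashlib
import io
import tarfile


def _member_digests(archive_bytes: bytes) -> dict:
    """Map each regular file inside a tarball to the SHA-256 of its contents.

    Only names and contents are compared. mtime, uid/gid, member order and the
    gzip header timestamp are ignored, so benign metadata noise can neither
    mask nor mimic a real content change.
    """
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_builds(build_a: bytes, build_b: bytes) -> dict:
    """Reproducibility verdict plus the exact members that disagree."""
    a, b = _member_digests(build_a), _member_digests(build_b)
    report = {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }
    report["reproducible"] = not (report["only_in_a"] or report["only_in_b"] or report["changed"])
    return report


def make_package(files: dict, mtime: int) -> bytes:
    """Constructed sample package: a gzip tarball with the given files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample inputs: the second pipeline's output has one swapped library.
CLEAN_FILES = {"bin/app": b"\x7fELF clean application", "lib/helper.so": b"helper v1"}
TAMPERED_FILES = {**CLEAN_FILES, "lib/helper.so": b"helper v1 + injected loader"}

if __name__ == "__main__":
    print(compare_builds(make_package(CLEAN_FILES, 1700000000), make_package(TAMPERED_FILES, 1700000000)))
```

Comparing whole-archive hashes instead would fail even for honest builds, because the gzip header written by tarfile carries the build time; comparing members is what makes the test answer the question "was the content tampered with?".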
But she reiterated that using ASPM alone will not provide adequate software supply chain security for business-critical enterprise needs.
Jasmine Noel: And so developers are not seeing this full picture. You are blind to the fact that you are actually at risk.