
Application Security Posture Management (ASPM)

The ASPM domain within Kscope KDefend secures your software supply chain — from code repositories and dependencies to container images and CI/CD pipelines. It aggregates findings from SAST, DAST, SCA, secrets scanning, and IaC analysis through the context graph to deliver prioritized, business-aware vulnerability management.


How It Works

Application Blueprints

  • GitHub / Bitbucket
  • Snyk / Checkmarx
  • SBOM
  • DAST / AI-DAST

Context Graph

  • Repo, Package & App Topology
  • Vulnerability Correlation

ASPM Analyzers

  • Application Risk
  • Code & SCA
  • Secrets & IaC
  • Artifacts

Insight Feeds

  1. Application Blueprints ingest repository metadata, dependency trees, scan results, container manifests, and CI/CD configurations
  2. Context Graph maps relationships between repos, packages, applications, environments, and owners
  3. ASPM Analyzers correlate findings across code, dependencies, containers, and infrastructure-as-code
  4. Insight Feeds surface prioritized findings scored by business criticality and exploitability

Analyzers

Analyzer | What it covers | Blueprints
Application | Application-level risk scoring, security profile tracking, API vulnerability detection, DAST findings | GitHub, DAST, AI-DAST
Repository | Repository configurations, branch protection, 2FA enforcement, admin permissions, visibility settings | GitHub, Bitbucket
Code | Code-level vulnerability scanning (SAST), risk scoring per repository, production risk assessment | GitHub, Snyk, Checkmarx
Software Composition Analysis | Package dependencies, vulnerable packages, license compliance, SBOM analysis | SBOM, Snyk
Secrets and PII | Exposed API keys, passwords, tokens, and personally identifiable information in code and containers | GitHub
IaC | Infrastructure-as-code misconfigurations in Terraform, CloudFormation, and Kubernetes manifests | GitHub
Artifact | Container image vulnerabilities, base image risks, OS-level CVEs, container misconfigurations | GitHub
Engineering Operations | Pull request activity, commit patterns, repository throughput, net code changes | GitHub, Bitbucket
GCP DevOps | GCP Cloud Build, Artifact Registry, deployment pipelines, and DevOps security | GCP

What It Detects

Code Vulnerabilities

  • SAST findings across repositories, scored by production risk
  • Repositories with high/critical vulnerabilities deployed to ECS, EKS, or container apps
  • Top 10 riskiest repositories by production risk score

Dependency & Supply Chain Risks

  • Vulnerable third-party packages with exploitability context
  • Package version analysis and dependency impact mapping
  • License policy violations across the software supply chain
  • SBOM completeness and accuracy
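The SBOM checks listed above, as an added example (not Kscope/KDefend code): it reads a CycloneDX-shaped SBOM, reports components that lack the fields SCA needs to identify them, and matches the rest against an advisory feed by purl and an OSV-style [introduced, fixed) version range. The SBOM, package names, hashes, advisory IDs and the required-field list are all constructed for illustration.

```python
"""Added example (not Kscope/KDefend code): SBOM completeness check plus
purl/version-range matching against a constructed advisory feed."""
import json
import re

# Constructed CycloneDX-shaped SBOM; package names and hashes are fictional.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-widget", "version": "1.4.2",
         "purl": "pkg:npm/example-widget@1.4.2",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        {"type": "library", "name": "acme-http", "version": "2.31.0",
         "purl": "pkg:pypi/acme-http@2.31.0",
         "hashes": [{"alg": "SHA-256", "content": "cd" * 32}]},
        # Deliberately incomplete: no purl and no hashes, so SCA cannot match it.
        {"type": "library", "name": "legacy-pad", "version": "1.3.0"},
    ],
})

# Constructed advisory feed: version-less purl -> affected ranges [introduced, fixed).
ADVISORIES = {
    "pkg:npm/example-widget": [{"id": "ADV-0001", "introduced": "0", "fixed": "1.5.0"}],
    "pkg:pypi/acme-http": [{"id": "ADV-0002", "introduced": "0", "fixed": "2.20.0"}],
}

# Assumed minimum for a component to be identifiable and verifiable.
REQUIRED_FIELDS = ("name", "version", "purl", "hashes")


def parse_version(v):
    """Numeric dotted versions only ("1.4.2" -> (1, 4, 2)); pre-release tags are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def purl_base(purl):
    """Drop qualifiers and the version: pkg:npm/@scope/name@1.0.0 -> pkg:npm/@scope/name.
    rsplit keeps the '@' of scoped npm names; a version suffix is assumed present."""
    return purl.split("?")[0].rsplit("@", 1)[0]


def check_completeness(sbom):
    """Map each component name to the required fields it lacks."""
    gaps = {}
    for c in sbom["components"]:
        missing = [f for f in REQUIRED_FIELDS if not c.get(f)]
        if missing:
            gaps[c["name"]] = missing
    return gaps


def is_affected(version, adv):
    """Affected range is [introduced, fixed); a missing 'fixed' means no fix exists yet."""
    v = parse_version(version)
    if v < parse_version(adv["introduced"]):
        return False
    return adv.get("fixed") is None or v < parse_version(adv["fixed"])


def find_vulnerable(sbom, advisories):
    """Return (name, version, advisory id) for every component inside an affected range."""
    hits = []
    for c in sbom["components"]:
        purl = c.get("purl")
        if not purl:
            continue  # no identity to match on; check_completeness reports it instead
        for adv in advisories.get(purl_base(purl), []):
            if is_affected(c["version"], adv):
                hits.append((c["name"], c["version"], adv["id"]))
    return hits


def analyze(sbom_json, advisories):
    sbom = json.loads(sbom_json)
    return {"gaps": check_completeness(sbom), "vulnerable": find_vulnerable(sbom, advisories)}


if __name__ == "__main__":
    print(json.dumps(analyze(SBOM_JSON, ADVISORIES), indent=2))
```

The two checks are deliberately separate: a component with no purl is not "clean", it is unmatchable, and the completeness gap is the finding. Real feeds also carry ecosystem-specific version semantics (semver pre-releases, Debian epochs); the numeric parser here is the simplification to replace first.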

Secrets & Sensitive Data

  • Hardcoded API keys, passwords, and tokens in source code
  • PII exposed in code repositories and container images
  • Secret types distribution and remediation tracking
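The secrets checks above, as an added example (not Kscope/KDefend code): a small scanner that combines fixed-format patterns for well-known key shapes with an entropy test on values assigned to sensitive-looking names, redacts what it finds, and produces the secret-type distribution. The sample source is constructed; the AWS-shaped key is the AKIAIOSFODNN7EXAMPLE placeholder AWS uses in its own documentation, and the entropy threshold is an assumed starting value.

```python
"""Added example (not Kscope/KDefend code): pattern + entropy secrets scanner
over constructed source lines, with redaction and type distribution."""
import math
import re
from collections import Counter

# Format-based patterns: fixed prefixes and lengths of well-known credential shapes.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_token": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Assignment-based rule: a name containing password/secret/token/api_key bound to a
# quoted literal of 8+ characters. Entropy decides whether the literal looks generated.
ASSIGN = re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key)\w*\s*[=:]\s*['\"]([^'\"]{8,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cutoff, tune per codebase

# Constructed sample. Line 5 reads the key from the environment, which is the fix.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "hunter2hunter2"
API_KEY = "q7Zp2xVt9LmB4kRwY8sN"
api_key = os.environ["API_KEY"]
DEBUG = True
"""


def shannon_entropy(s):
    """Bits per character; a 20-character string of distinct characters gives log2(20)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep enough of the value to locate it, never enough to reuse it."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def scan(source):
    """Return findings as {line, type, value(redacted)} dicts in source order."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append({"line": no, "type": kind, "value": redact(m.group(0))})
        for m in ASSIGN.finditer(line):
            value = m.group(2)
            # Low-entropy literals (dictionary words, repeated fragments) are skipped here;
            # a wordlist check would be the next layer for those.
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append({"line": no,
                                 "type": "high_entropy_" + m.group(1).lower(),
                                 "value": redact(value)})
    return findings


def type_distribution(findings):
    """Counts per secret type, the shape of the 'secret types distribution' view."""
    return dict(Counter(f["type"] for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f)
    print(type_distribution(scan(SAMPLE_SOURCE)))
```

Line 5 of the sample is the remediated form and produces no finding because the rule requires a quoted literal; line 3 shows why the entropy gate exists, a weak but non-random password is a different problem from a leaked generated credential. Findings are redacted at the point of detection so the scanner's own output does not become a second place the secret lives.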

Infrastructure-as-Code

  • Terraform, CloudFormation, and Kubernetes manifest misconfigurations
  • IaC vulnerabilities by provider and severity
  • Repositories with the highest IaC risk exposure

Container Security

  • Container image vulnerabilities from OS packages, user code, and base images
  • Container misconfigurations and security posture
  • Top 10 riskiest containers by package vulnerability count

Repository Posture

  • Repositories without default branch protection
  • Organizations missing 2FA enforcement
  • Repositories allowing unsigned commits
  • Shell injection risks in GitHub Actions
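The last item, shell injection in GitHub Actions, as an added example (not Kscope/KDefend code): a checker that walks a workflow's `run:` steps, including `|` and `>` block scalars, and flags any `${{ ... }}` expression drawn from contexts an outside contributor controls. The two workflows are constructed; the untrusted-context list is an assumed starting set, and the YAML handling is a deliberately small line-based parser rather than a full YAML library.

```python
"""Added example (not Kscope/KDefend code): flags GitHub Actions run: steps that
interpolate attacker-influenced event data straight into the shell."""
import re

# Expression contexts an outside contributor can set (titles, bodies, branch names,
# commit messages). Anything at or under these prefixes is treated as untrusted.
UNTRUSTED_PREFIXES = (
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.pull_request.head.label",
    "github.event.comment.body", "github.event.review.body",
    "github.event.head_commit.message", "github.event.commits",
    "github.head_ref",
)
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_LINE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")

# Constructed: the issue title is pasted into bash before the shell ever runs, so a
# title that closes the quote and appends a command executes on the runner.
VULNERABLE_WORKFLOW = """\
name: triage
on: issues
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - run: echo "New issue: ${{ github.event.issue.title }}"
      - name: log
        run: |
          echo "${{ github.event.issue.body }}" >> log.txt
          echo "actor=${{ github.actor }}"
"""

# Constructed: same steps hardened. The value enters through an environment variable
# and is expanded by the shell as data, never re-parsed as code.
SAFE_WORKFLOW = """\
name: triage
on: issues
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - name: log
        env:
          TITLE: ${{ github.event.issue.title }}
          BODY: ${{ github.event.issue.body }}
        run: |
          echo "New issue: $TITLE" >> log.txt
          printf '%s\\n' "$BODY" >> log.txt
"""


def run_blocks(workflow_text):
    """Yield (line_no, script) for each run: step, including | and > block scalars."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        indent, value = len(m.group(1)), m.group(2).strip()
        line_no = i + 1
        if value in ("|", "|-", ">", ">-"):
            body, j = [], i + 1
            # A block scalar continues while lines are blank or indented deeper than the step.
            while j < len(lines) and (not lines[j].strip()
                                      or len(lines[j]) - len(lines[j].lstrip()) > indent):
                body.append(lines[j])
                j += 1
            yield line_no, "\n".join(body)
            i = j
        else:
            yield line_no, value
            i += 1


def is_untrusted(expr):
    """True for an exact untrusted context or any property/index beneath one."""
    expr = expr.strip()
    return any(expr == p or expr.startswith(p + ".") or expr.startswith(p + "[")
               for p in UNTRUSTED_PREFIXES)


def find_shell_injection(workflow_text):
    """Return (line_no, expression) for every untrusted expression inside a run: script."""
    return [(line_no, expr)
            for line_no, script in run_blocks(workflow_text)
            for expr in EXPR.findall(script)
            if is_untrusted(expr)]


if __name__ == "__main__":
    print("vulnerable:", find_shell_injection(VULNERABLE_WORKFLOW))
    print("hardened:  ", find_shell_injection(SAFE_WORKFLOW))
```

The hardened workflow still references `github.event.issue.title`, but under `env:`; the checker only inspects `run:` scripts, which is the whole point of the fix: the expression is substituted into an environment variable by the runner and `$TITLE` is then expanded by the shell, with no second parse of its contents as shell syntax. Note that `github.actor` is not flagged; it is an identity, not free-form text, though a stricter policy could treat it as untrusted too.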

Key Metrics

Metric | Description
Apps Protecting | Total applications monitored across all environments
Vulnerable Repos | Repositories with unresolved high/critical vulnerabilities
Total Vulnerabilities | Aggregate count across code, dependencies, containers, and IaC
MTTR | Mean time to remediate across vulnerability categories
Pipeline Coverage | Percentage of pipelines with active security scanning
ASPM Security Risk Score | Composite 0–100 score, dynamically weighted across all active ASPM analyzers. Only analyzers with a configured blueprint contribute to the score.

Cross-Domain Correlation

ASPM findings are correlated with the other KDefend domains through the context graph:

  • CSPM — Cloud misconfigurations affect the runtime environment where applications are deployed. A vulnerable app on a misconfigured EC2 instance compounds risk.
  • DSPM — Secrets detected in code (ASPM) may correspond to database credentials monitored by DSPM, creating a correlated risk path.