Significant Advances in Continuous Application Security

It seems impossible to explain Contrast Security without first talking about the company’s Co-Founder and CTO, Jeff Williams. When we met recently to discuss application security, I asked Jeff to share a bit about himself. He casually mentioned having helped to co-found OWASP, creating its foundation and then serving as its chair for nine years. He also mentioned having chaired the group that created the SSE-CMM, which you might know as ISO 21867.

These are not insignificant achievements, and they provide an awesome experience base on which to create cyber security technology solutions. After an hour with Jeff, it became obvious that this was indeed what he had done: Contrast Security has developed a unique and effective approach to protecting your applications dynamically. Their software runs alongside your application, actively searching for vulnerabilities, and taking commensurate mitigation action.

Let me try to briefly summarize what I learned: Jeff first helped me better understand the power of continuous application security in contrast to traditional static application security testing (SAST), which offers little more than anecdotal evidence of problems at some given time. Providing continuous security instead requires that special software instrumentation be integrated with your application so that proper visibility is provided in real time.

Jeff emphasized that when application security testing is done periodically – as is true in most of the environments I am aware of – the findings are inconsistent with the speed and scale of modern software environments. Furthermore, such testing usually relies on the availability of trained, skilled human beings, which significantly reduces the scale of coverage. “Modern software organizations don’t employ enough experts to protect their entire application portfolio,” Jeff explained. “This results in only a subset of applications being secured.”

The Contrast technical solution involves an exciting concept known as “security as code,” where security policy is enforced through a collection of distributed agents that are embedded into the full range of applications in an enterprise. These agents automate continuous application security by integrating directly with applications, meaning that the software development and operations teams can provide security assurance without the need for separate testing.

The first functional control Jeff discussed is best described as Interactive Application Security Testing or IAST. This active detection method is all about quickly identifying both well-known and zero-day vulnerabilities in code during all phases of the software development lifecycle. “With the community moving to Agile dev/ops models,” Jeff said, “the potential for instantly finding vulnerabilities is consistent with the speed of software development processes.”

The second functional control in the Contrast platform involves Runtime Application Self-Protection or RASP. This method is all about stopping cyber attacks in real-time through active mitigation capabilities. As you would expect, this standard defensive approach to stopping cyber attacks requires all the familiar threat research, information feeds, and response orchestration that one finds in any modern attack detection platform.
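To make the two controls concrete, here is a small added example (not Contrast's code, and not from the original post) of how an in-process agent can instrument an application: untrusted input is marked as tainted, a query sink is wrapped, and the same agent either records a finding when ordinary test traffic reaches the sink (the IAST case) or blocks the call in production (the RASP case). The `Agent`, `Tainted` and `run_query` names are hypothetical, and the schema and the "1" request parameter are constructed.

```python
import sqlite3

class Tainted(str):
    """Marks data that came from an untrusted source; concatenation keeps the mark."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))
    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

class Blocked(Exception):
    """Raised by the agent in protect mode when tainted data reaches a sink."""

class Agent:
    """Hypothetical embedded agent: 'detect' records findings (IAST-style),
    'protect' additionally stops the call (RASP-style)."""
    def __init__(self, mode="detect"):
        self.mode = mode
        self.findings = []

    def guard(self, sink_name, func):
        def wrapped(conn, sql, *args):
            if isinstance(sql, Tainted):  # untrusted bytes became part of the SQL text
                self.findings.append(f"SQL injection: tainted input reached {sink_name}")
                if self.mode == "protect":
                    raise Blocked(sink_name)
            return func(conn, sql, *args)
        return wrapped

def run_query(conn, sql, params=()):
    return conn.execute(sql, params).fetchall()

def http_param(value):
    """Stand-in for reading a request parameter: everything from the wire is tainted."""
    return Tainted(value)

def lookup_user(conn, query_fn, user_id):
    # Vulnerable pattern: an untrusted value is concatenated into the SQL text.
    return query_fn(conn, "SELECT name FROM users WHERE id = " + user_id)

def lookup_user_safe(conn, query_fn, user_id):
    # Parameterised query: the SQL text is a constant, so it never carries taint.
    return query_fn(conn, "SELECT name FROM users WHERE id = ?", (user_id,))

def demo(mode):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")  # constructed sample data
    agent = Agent(mode)
    query = agent.guard("run_query", run_query)  # the agent instruments the sink
    user_id = http_param("1")  # plain test traffic: no attack payload is needed to find the flaw
    safe = lookup_user_safe(conn, query, user_id)
    try:
        unsafe = lookup_user(conn, query, user_id)
    except Blocked:
        unsafe = None
    return {"findings": list(agent.findings), "safe": safe, "unsafe": unsafe}
```

Note that the finding in detect mode is produced by a benign request, which is the point of instrumentation-based testing: the flaw is observed as data flows, not inferred from a malicious probe.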

One of the truly unique aspects of the Contrast offering is the easy-to-deploy methodology developed by the team for enterprise CISOs to establish a world-class application security program. Contrast recommends that eight continuous activities be put in place to properly protect applications: Threat intelligence, security architecture, security research, security integration, standard defenses, attack protection, security orchestration, and security training.

I will be the first to admit that application security still has a long way to go before we can declare full victory against advanced persistent threats, layer-seven denial of service attacks, nation-state destructive malware, and the like. Furthermore, software engineering remains an immature discipline that continues to confound both users and experts with its ability to continue creating an unlimited supply of coding mistakes, bugs, and errors.

But the advances in the Contrast Security offering and supporting methodology look to me like significant contributions. This claim is not made lightly, but if you take the time to consider the background of Jeff Williams and the highly experienced executive team at the company, it all seems to make sense. I recommend you have a look at their solution, if only to understand the possibilities of continuous security and what such protection will look like in the future.

Let me know what you think.