“High-profile application attacks have continued and perhaps ramped up”
Jeff Williams, CTO and Co-founder at Contrast Security, answered our questions about application security, the newest executive order in the US, where vulnerabilities are most likely to occur, and more. Learn more about the Contrast platform and how it works to ensure software security.
JAXenter: Application security is critical and with the new executive order in the United States, improving application security is the first priority for many organizations. Can you tell us a little more about the executive order, application security transparency, and how this will benefit security?
Jeff Williams: High-profile application attacks have continued and perhaps ramped up over the past year. The SolarWinds attack—revealed last December—impacted 17,000 networks, including those of federal agencies that handle top-secret material. That attack compromised the code in a scheduled software update that went out to customers. I think that event in particular convinced the incoming administration that something needs to be done quickly to make software—and every organization’s software supply chain—more secure.
The executive order (EO), issued in May, directed NIST (the National Institute of Standards and Technology) to publish guidelines on things like the definition of critical software, a minimum standard for software security testing, software security labels, and software bill of materials (SBOM) use for organizations that do business with the federal government. The Contrast Security team has been working closely with NIST, and most of their standards have now been released. Although I think the EO was quite well done, I am disappointed in the NIST response. I appreciate the aggressive schedule with which they held workshops and issued new standards. Unfortunately, I believe their initial releases missed the mark pretty badly and they haven’t shown any interest in updating them.
JAXenter: How can the Contrast platform help ensure software security? What are its use cases?
Jeff Williams: Contrast believes in a platform approach to application security, where custom code, open-source components, frameworks, application server, and language platform are analyzed and protected when fully integrated together (not separate pieces), across the software development life cycle (SDLC). Understanding security requires full observability of the state of application security across the entire application—and across an organization’s application inventory. This observability is extended even further through Route Intelligence, which understands the full attack surface of the application and helps organizations prioritize repairing the vulnerabilities in the code that are actually invoked.
JAXenter: How does the Contrast platform work under the hood?
Jeff Williams: We use instrumentation to embed both security testing and runtime protection in the application code to enable continuous scanning, exploit prevention, and immediate feedback on both vulnerabilities and attacks. This feedback provides specific guidance to developers and operations on how to fix a problem right away, before adding further layers of code that complicate future remediation.
JAXenter: What happens in the case of a zero-day threat that doesn’t match any known malware signatures? How do we detect it and what’s the next step?
Jeff Williams: Contrast’s Application Security Platform is an application layer behavioral security solution. So Contrast can identify vulnerabilities that have been catalogued (CVEs) as well as vulnerabilities that have not previously been identified in both custom and open-source code. This is accomplished by the sophisticated behavioral rules we have in place to detect different kinds of vulnerabilities. If a CVE is published at a later date—after the impacted library was added to an application, or even after the application has gone into production—the continuous scanning enabled by Contrast agents will pick those up as well. For customers taking advantage of the runtime protection in Contrast Protect, even novel examples of vulnerability classes will be detected and blocked. For example, Contrast fully protected customers against the recent Confluence OGNL injection vulnerability.
JAXenter: Where are vulnerabilities most likely to occur in the supply chain?
Jeff Williams: The answer to that question is “anywhere.” Most people do not even have a complete idea of what the software supply chain is. It includes four broad areas:
- What you write: Software created by your DevOps team with both custom code and open-source libraries, and customizations to third-party software packages
- What you build with: The myriad tools that developers use to do their jobs
- What you run: Commercial off-the-shelf (COTS) software used by an organization and/or by connected partners and suppliers
- What you import: Third-party libraries contained in internally developed software
All four of these areas have a shocking level of vulnerability whenever you examine them closely. Attackers are opportunistic, and are likely to focus on flaws that are easiest to find and exploit and that have the most devastating consequences.
JAXenter: Is it enough to simply meet the “minimum standard” for security testing?
Jeff Williams: It depends on how stringent that standard turns out to be in practice. Organizations using instrumentation for their application security efforts will not be burdened by any standard, because testing is automated and continuous. The testing itself does not slow development cycles, and remediation is much more efficient because it can occur in real time—rather than days, weeks, or months after the fact.
JAXenter: Can you share any future plans for the Contrast platform? What is currently being worked on that we can look forward to?
Jeff Williams: Contrast is the only fully integrated application security platform on the market that can analyze and protect the entire application instead of separate pieces. Recently, we’ve expanded our platform to include a highly innovative “pipeline-native” static analysis tool to help development teams start early and go fast. We are also in the process of releasing a new cloud-native security product for our customers using serverless functions.
Contrast will certainly help you meet these new standards and guidelines. But our platform is laser-focused on helping organizations get past simply servicing the technical debt on years of rapid application building. We’ve helped huge organizations achieve what we call “trusted flow”—where development teams can build and deploy innovative solutions at high velocity, without compromising continuous, real-time, high-assurance security testing and protection.
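As an added illustration of the instrumentation approach described above (the answers on how the platform works under the hood and on zero-day detection), here is a toy in-process agent in plain Python. It is example code written for this page, not Contrast's agent or any of its APIs; the route names, payloads and the tiny SQLite schema are constructed for the demo. It shows the data-flow idea behind signature-less detection: untrusted input is tagged at the source, the tag follows the data through string concatenation, and a hook on the SQL sink decides from that data flow whether the code is vulnerable and whether the current request is an attack, without consulting a list of known payloads.

```python
"""Toy IAST/RASP agent: taint tracking from source to SQL sink.
Example code for this page only; the Agent, Tainted, routes and
payloads are hypothetical and not taken from any real product."""
import re
import sqlite3
from dataclasses import dataclass

# Crude SQL tokenizer: string literals, identifiers/numbers, single punctuation.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\w+|[^\s\w]")


class Tainted(str):
    """A str that remembers which character spans came from untrusted input."""

    def __new__(cls, value, spans=None):
        obj = super().__new__(cls, value)
        obj.spans = list(spans) if spans is not None else [(0, len(value))]
        return obj

    # Taint propagates through concatenation in either direction.
    # (A real agent also hooks format(), %, join() and f-string building.)
    def __add__(self, other):
        shifted = [(a + len(self), b + len(self)) for a, b in getattr(other, "spans", [])]
        return Tainted(str(self) + str(other), self.spans + shifted)

    def __radd__(self, other):
        shifted = [(a + len(other), b + len(other)) for a, b in self.spans]
        return Tainted(str(other) + str(self), list(getattr(other, "spans", [])) + shifted)


@dataclass
class Finding:
    route: str
    kind: str  # "vulnerability" (a property of the code) or "attack" (this request)
    sql: str


class Agent:
    """Sink hook. mode="assess" only reports; mode="protect" also blocks attacks."""

    def __init__(self, mode="protect"):
        self.mode = mode
        self.findings = []

    def on_sql(self, route, sql):
        spans = getattr(sql, "spans", [])
        if not spans:
            return  # query text built only from trusted strings: nothing to report
        # Untrusted data inside the query *text* is the vulnerability, whatever the
        # payload looks like; report it once per route like an IAST finding.
        if not any(f.route == route and f.kind == "vulnerability" for f in self.findings):
            self.findings.append(Finding(route, "vulnerability", str(sql)))
        if self.mode == "protect" and self._changes_structure(sql, spans):
            self.findings.append(Finding(route, "attack", str(sql)))
            raise PermissionError(f"blocked SQL injection on {route}")

    @staticmethod
    def _changes_structure(sql, spans):
        """Replace each tainted span with inert characters; if the token stream
        changes length, the input added SQL syntax instead of acting as a value."""
        neutral = str(sql)
        for a, b in sorted(spans, reverse=True):
            neutral = neutral[:a] + "x" * (b - a) + neutral[b:]
        return len(TOKEN_RE.findall(str(sql))) != len(TOKEN_RE.findall(neutral))


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def instrumented_execute(agent, route, conn, sql, params=()):
    """Stand-in for the agent's hook on the database driver."""
    agent.on_sql(route, sql)
    return conn.execute(sql, params).fetchall()


def vulnerable_lookup(agent, conn, name):
    name = Tainted(name)  # tagged at the source (a request parameter)
    sql = "SELECT id FROM users WHERE name = '" + name + "'"  # the bug
    return instrumented_execute(agent, "/vuln/lookup", conn, sql)


def safe_lookup(agent, conn, name):
    name = Tainted(name)
    # Parameterized: the untrusted value never becomes query text.
    return instrumented_execute(agent, "/safe/lookup", conn,
                                "SELECT id FROM users WHERE name = ?", (name,))


def demo(mode="protect"):
    conn, agent, out = make_db(), Agent(mode), {}
    out["vuln_benign"] = vulnerable_lookup(agent, conn, "alice")  # works, but flagged
    try:
        vulnerable_lookup(agent, conn, "' OR 1=1 --")
        out["vuln_attack"] = "allowed"
    except PermissionError:
        out["vuln_attack"] = "blocked"
    out["safe_attack"] = safe_lookup(agent, conn, "' OR 1=1 --")  # no finding, no rows
    out["kinds"] = [(f.route, f.kind) for f in agent.findings]
    return out


if __name__ == "__main__":
    print(demo())
```

Note what drives each decision: the benign input "alice" is enough to report the vulnerable route, because the agent sees untrusted data inside the query text rather than matching the payload against anything; the attack is blocked because the tainted span changed the query's token structure, so an input that merely breaks the syntax (an unescaped apostrophe) is treated the same way. In "assess" mode the agent only records findings and never raises.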