“Contrast Scan revolutionizes static application security testing”
Contrast Security announced Contrast Scan, a new tool intended to help teams improve their security by quickly finding and identifying vulnerabilities and insecure code. We spoke with Steve Wilson, Chief Product Officer at Contrast Security, about the release and security best practices.
JAXenter: Contrast Security announced the newest release of Contrast Scan. Can you give us a brief introduction to what Contrast Scan is?
Steve Wilson: Contrast Scan is a new tool designed to help teams improve the security posture of their applications by quickly identifying security vulnerabilities and insecure coding practices.
This kind of static analysis testing harmonizes the objectives of development and security teams to enable both faster development cycles and higher quality code. Contrast uniquely offers a pipeline-native approach to scanning that integrates into DevOps/Agile workflows, tooling, and systems.
Contrast Scan revolutionizes static application security testing (SAST) with pipeline-native static analysis to analyze code and detect vulnerabilities early on in the software development life cycle (SDLC). The release of Contrast Scan extends the DevSecOps capabilities of the Contrast Application Security Platform to the entire SDLC, empowering security teams to run scans up to 10x faster and remediate vulnerabilities up to 45x faster while meeting compliance requirements of an organization’s security policy.
JAXenter: How will Contrast Scan help increase security?
Steve Wilson: Incumbent legacy static scanning approaches employ outdated, noisy rule sets to look for code quality issues. This outside-in approach generates immense volumes of security findings that increasingly create new technical debt, but often don’t lead to improved application security. This is exacerbated due to the number of distracting false-positive alerts that kill productivity—upwards of 85% in many instances. Some other code scanning tools aimed at the developer persona can exacerbate the problem of false positives and leave developers with no context on prioritization or how-to-fix guidance. In response, two-thirds of practitioners who rely on legacy static scanning indicate they are looking for a different approach to application security.
Contrast Scan aims to solve these challenges with a pipeline-native approach that achieves dramatic improvements in speed, accuracy, and developer experience, accelerating digital transformation by removing inefficiencies and roadblocks that slow release cycles. Onboarding with Contrast Scan is quick and easy—requiring zero configuration and literally three clicks to get findings. Further, as Contrast Scan is integrated as part of the Contrast Application Security Platform, organizations have a unified, developer-friendly view of vulnerabilities and attacks with harmonized security profiles across SAST, interactive application security testing (IAST), runtime protection and observability, and software composition analysis (SCA), all in one DevSecOps platform.
By integrating pipeline-native static analysis security testing into the Contrast Application Security Platform, application security teams can improve scan, triage, and remediation efficiencies by up to 30%. Contrast’s comprehensive DevSecOps approach bakes security into rapid-release cycles that are typical of modern application development and deployment environments. It also offers complete coverage of the DevSecOps life cycle with application tools optimized from build to production. This streamlines compliance reporting—often shrinking the time to demonstrate security policy compliance from days to minutes.
JAXenter: How can developers deliver results faster, while also maintaining good code quality throughout?
Steve Wilson: Most of the old static analysis testing solutions don’t offer friendly guidance geared to help developers quickly find and fix vulnerabilities without involving security experts. This directly contributes to a growing backlog of unremediated vulnerabilities; it takes the average organization 121 days to fix only 50% of issues. Businesses with higher security debt tend to fall even further behind with progressively higher volumes of vulnerabilities—1.7x higher than for organizations with below-average security debt. And because these tools predate modern environments, they also usually don’t integrate with today’s DevOps-native tooling such as ticketing systems, chat tools, and continuous integration/continuous deployment (CI/CD) pipeline systems.
A breakthrough demand-driven algorithm powers the static analysis engine in Contrast Scan, enabling teams to pinpoint exploitable vulnerabilities while ignoring those that pose no risk. As a result, based on real-world scan results, Contrast Scan can shrink the amount of time to run scans by 10x. Faster scans remove DevOps security roadblocks that slow innovation, improve the efficiencies of security and development teams, and reduce the operating expenses (OpEx) of scanning.
When used in concert with the broader set of capabilities in the Contrast platform, Contrast Scan accelerates remediation times by an astounding 45x. This is achieved by enabling developers to focus on exploitable flows, prioritize routes with entry points based on runtime and production traffic analysis, and leverage actionable remediation guidance. All of this pays down security debt, which results in reduced application security risks.
JAXenter: It often feels like there is a tradeoff between speed and security. What are some of the best practices to help ensure both?
Steve Wilson: Today’s organizations should not be forced to choose between speed and security. With the addition of Contrast Scan, the Contrast Application Security Platform now offers a path to DevSecOps that allows organizations to secure any application anywhere—from a developer’s desktop, at a release gate, or in instances of production. The Contrast platform was purpose-built to deliver true DevSecOps with SCA, application security testing (AST), and exploit prevention capabilities using instrumentation across the entire SDLC.
JAXenter: How important is observability with regard to application security?
Steve Wilson: Observability is critical to security. Unfortunately, particularly at the application layer, organizations have almost no visibility into where they are vulnerable, what attackers are doing, or even the operation of their own defenses.
Organizations need to prioritize the vulnerabilities that matter most. This enables them to efficiently manage their limited application security staff resources. To support this objective, pipeline-native scanning provides highly accurate results that focus on critical vulnerabilities that can lead to exploitation. This provides high confidence in risk-prioritized findings that focus on remediation. It also supports a single set of harmonized results across all facets of application security and across the software development life cycle (SDLC), including application security testing (AST), software composition analysis (SCA), and runtime application protection and observability.
At Contrast, we believe that enhancing this visibility is the key to both creating more secure software as well as protecting it against attacks. If organizations focus on this then they are taking a step in the right direction.
JAXenter: What is the most common security roadblock you see and how can we avoid common pitfalls in our organizations?
Steve Wilson: Legacy scanning tools cannot be retrofitted into the modern development pipeline. The underlying scanning technology must be built from the ground up to adapt to modern pipeline configurations, have an experience that is familiar to those using and supporting the development pipeline, and not “break the process.”
To help eliminate the security analyst bottleneck, pipeline-native scanning should also provide developer-friendly “how-to-fix” guidance. Accurate results that include contextual information enable development teams to quickly find and fix vulnerabilities without waiting on security experts. This not only accelerates remediation times, but it also educates developers and helps them avoid similar issues in the future.
The poor accuracy seen with traditional scanning tools comes from the fact that they attempt to build a model of the application in order to project its behavior at runtime (and subsequently its vulnerabilities). As much as 85% of the alerts in each scan are false positives—and noisy results quickly lead to alert fatigue among staff. These traditional scan results also inhibit an organization’s ability to correlate, prioritize, and remediate potential application risks. As a result, developers often waste time on things that pose no risk at all. Critical vulnerabilities may not get fixed in a timely manner—or they may be missed entirely and make their way into production.
Pipeline-native scanning also provides a step function improvement in scan time. Focusing only on exploitable flows in the application runtime is not only faster, but it also improves overall security performance. It allows organizations to fix issues earlier in the development pipeline, which reduces remediation costs—fixing a vulnerability gets more expensive the further from where the error was introduced in the development process.