Skip to content

Contrast Incident
Response Hub

The latest news, solutions and best practices for vulnerability management and incident response.

Leverage modern-day solutions to defend against modern-day attacks and deliver cyber-resilient applications across your business. 

blog-icon-01

our blog

lab-icon-01

contrast labs

podcast-icon-01

code patrol podcast

ciso-icon-01

Weekly CISO Update

Incident Response

OPEN ssl

CVE-2022-3602 AND CVE-2022-3786

Nov 4, 2022

On Nov. 1, 2022, OpenSSL released OpenSSL 3.0.7, which patches the high-severity vulnerability CVE-2022-3786. Exploitation of the vulnerability results in a crash (denial of service) and can also lead to remote code execution. For a few days prior to Nov. 1, a number of security news outlets and security researchers warned about the potential high impact of the vulnerability to OpenSSLv3, whose details had not yet been publicly released. Upon learning about the potentially high impact of the vulnerability, Contrast Labs took immediate steps to investigate our susceptibility. After a thorough internal investigation, it was determined that Contrast is not susceptible to CVE-2022-3786 and CVE-2022-3602 at this time. The Contrast team continues to actively monitor the situation regarding the OpenSSL vulnerability.For additional inquiries, please contact support@contrastsecurity.com.

Screen Shot 2022-11-04 at 1.37.29 PM

DHS Warning - Imminent National Cyberthreats

Contrast Labs has been monitoring the new CVE, Apache Commons Text interpolation CVE-2022-42889. While there was some initial concern from the industry that it is at the caliber of log4shell, the reality is that it is not nearly as widespread or exploitable. The class/method involved in this vulnerability is rarely used and a quick GitHub search shows very few open source programs using the vulnerable method. From what we’ve seen so far, this CVE seems more like a developer adding a backdoor, more than anything. I’m not as concerned that this will amount to much, as it's not like log4j where an application is gathering user controlled input and logging it, which could result in exploiting the log4shell vulnerability. - David Lindner, CISO at Contrast.

spring4shell-logo-(1)

Spring4Shell
Zero-Day Vulnerability

On March 29, 2022, a Chinese cybersecurity research firm leaked an attack that could impact most enterprise Java applications, globally.

Ukraine

Heightened
Cyber Risk

Contrast Security Works with Global Businesses to Strengthen Security Controls and Increase Transparency Amidst Heightened Cyber Risk ...

critical-infra-act-

Cyber Incident Reporting For Critical Infrastructure Act of 2022

Share on Email Cyber Incident Reporting For Critical Infrastructure Act of 2022On March 15, 2022...

Apache_Log4j_Logo

Log4J Vulnerability
Resource Center

Log4j is a programming library (ie. pre-written code) that appears in millions of computer applications globally. It is free, open-source, and has been widely-used since 2001.

dhs-logo

DHS Warning - Imminent National Cyberthreats

Due to the ongoing degradation in Ukrainian and Russian relations, today, intelligence agencies from major NATO member nations have issued a warning against imminent...

2021 AppSec Observability Report

A "Can't Miss" report based on real-world data from thousands of applications that highlights vulnerability and attack trends, security debt, benchmarks on the vulnerability escape rate, and much more.

Get Report
Screen Shot 2022-02-15 at 12-59-26 PM

Contrast Labs

Contrast Labs provides analysis of real-world application security data. This section highlights the reports interpreted from various months of researching application vulnerability and attack trends. Every Application Security Intelligence Report highlights investigations on these two datasets to compile the Contrast RiskScore for each vulnerability type.

Screen Shot 2022-02-15 at 1.04.39 PM

March - April 2021: Contrast Labs' Application Security Intelligence Report

This report is based on aggregate vulnerability and attack telemetry for custom code from customers whose applications are covered by Contrast Assess and Contrast Protect

Labs_Aug 2020_Reband-1

July - August 2020: Contrast Labs' Application Security Intelligence Report

This report analyzes composite data from Contrast Labs to update readers on vulnerability and attack trends as observed with applications covered by Contrast Assess and Contrast Protect.

Screen Shot 2022-02-15 at 1.05.29 PM

May - June 2020: Contrast Labs' Application Security Intelligence Report

This report leverages aggregate data from Contrast Security customers to provide insights about the vulnerabilities in software that we protect—and attacks on those applications.

Screen Shot 2022-02-15 at 1.06.24 PM

March - April 2020: Contrast Labs' Application Security Intelligence Report

This report leverages aggregate data collected by Contrast Assess and Contrast Protect for insights around both application vulnerabilities and targeted attacks.

Screen Shot 2022-02-15 at 1.03.10 PM

January - February 2020: Contrast Labs' Application Security Intelligence Report

This report analyzes composite data from Contrast Labs to update readers on vulnerability and attack trends as observed with applications covered by Contrast Assess and Contrast Protect.

Screen Shot 2022-02-15 at 1.03.10 PM

May - June 2021: Contrast Labs' Application Security Intelligence Report

This report analyzes composite data from Contrast Labs to update readers on vulnerability and attack trends as observed with applications covered by Contrast Assess and Contrast Protect.

Incident Response Solutions from Contrast

contrast-protect

Contrast Protect

Always-on application and API protection from targeted attacks with no code changes required.

contrast-sca-02

Contrast SCA

Automatically catalogue your third-party software risk across the software lifecycle - from build, to test, through production.

contrast-assess

Contrast Assess

Flag underlying vulnerabilities in applications before it becomes a disclosed CVE or major incident - all without having to launch a single scan.

contrast-scan

Contrast Scan

Code analysis that’s tailor-made for modern CI pipelines that delivers 10x faster scans, and actionable findings to ensure rapid fixes.

contrast-serverless

Contrast Serverless

Identify custom and open-source vulnerabilities embedded in serverless applications in just three clicks.

Code Patrol Podcast

Code Patrol scrutinizes the month’s tech scene with code-colored glasses. Computer security industry veteran Lisa Vaas chats with guests about all things security — be it cybercrime, hacking, DevSecOps and beyond — that collide with the code that runs the world. Follow us wherever you find podcasts.

Listen Now
code-patrol-logo-1