Contrast Security Announces Breakthrough Solution for Serverless Application Security

By Contrast Security, Oct 19, 2021 12:16:27 PM

Contrast extends its application security platform with Contrast Serverless Application Security that will initially support AWS Lambda as survey finds two-thirds of respondents say security is critical or very important to their serverless application strategy.

LOS ALTOS, Calif., Oct. 19, 2021 — Contrast Security, the leader in next-gen software security, today announced the upcoming release of Contrast Serverless Application Security, a breakthrough application security solution designed specifically for serverless application development that will initially support AWS Lambda. The new purpose-built security solution taps a global serverless architecture market that will reach a reported $25.49 billion by 2026.

The breakthrough addition to the Contrast Application Security Platform empowers developers to automatically detect security vulnerabilities directly within serverless environments and validate and prioritize alert test results for remediation. Using context-based static and dynamic engines, Contrast can improve the operational efficiencies of serverless security by 50% while accelerating development release cycles.

Rapid Growth of Cloud-native and Serverless

According to Contrast's new State of Serverless Application Security Report, serverless computing is the next step in the two-decade-long process of removing friction from the software development life cycle (SDLC) to improve the speed, scalability, and cost efficiency of software development. With serverless computing becoming mainstream during the COVID-19 pandemic, the survey found that more than 70% of respondents report that 6 or more of their development teams now work on serverless applications.

The survey results also show that organizations are concerned about application security, specifically for the security of their serverless applications, with two-thirds of respondents saying serverless security is critical or very important to their cloud-native strategy. However, 54% said they failed an audit indicating they do not have full observability into their organization's serverless security. Additionally, nearly 60% of respondents admit the lack of purpose-built security tools is a major problem.

The primary reason is that serverless security issues are fundamentally different from those of web applications. Specifically, serverless risks go beyond code-level vulnerabilities because every serverless function is self-contained with its own perimeter and permissions. Combined with the high number of functions typically used in applications, the attack surface is broad. Traditional application security tools were built for web applications and miss these key risks unique to serverless applications.

"We've seen a few startups that focus on protecting serverless environments at runtime, but Contrast appears to be the first vendor offering to secure serverless in the development pipeline, a requirement that is just as important, but that has so far gone largely unaddressed," said Rik Turner, Principal Analyst for Cybersecurity at Omdia. "The fact that it also tracks least privilege usage is another key feature."

Contrast's Serverless Application Security Approach

The Contrast State of Serverless Application Security Report also found that almost every organization makes some use of the four major cloud container services, although those offered by Amazon rank highest in importance at most organizations. On that note, half of the respondents report that the typical application has more than 10 AWS Lambda functions. Customers need solutions and tools to help them secure their code when using serverless technologies. Recognizing that many developers are embracing AWS Lambda for application deployments, the new Contrast Serverless Application Security solution initially supports AWS Lambda deployments and takes just minutes to get up and running.

The complimentary, purpose-built solution for serverless application security ensures that security and development teams get the testing and protection capabilities they need without legacy inefficiencies that delay release cycles. Contrast's solution harnesses the power and data of serverless architectures to map all the resources within the environment, execute static code scans, and simulate tailored dynamic attacks. It automatically validates and prioritizes test results with accuracy that eliminates false positives and alert fatigue that plague traditional application security approaches—with upwards of 85% of alerts turning out to be false positives.

Three-click installation, zero configuration, and automated operations all support developer-friendly deployment. Solution features include:

  • Dynamic Environment Scanning. Automatically initiates tailored, dynamic security assessments based on any specific updates introduced to the testing environment in real time. This greatly improves the ease of pentesting versus manual approaches. Dynamic scans are based on the interpretation of OWASP Top Ten benchmarks, including SQL injection, code injection, command injection, and local file inclusion.
  • Resource Mapping. Automatically discovers all resources (e.g., S3 bucket, API Gateway, DynamoDB) and their relationships within tested environments in a few short minutes per session.
  • Code Scanning. Automatically executes assessments of relevant code and configuration to discover new vulnerabilities in near real time with recommended context-rich remediation guidance. Vulnerability types covered include:
    • Least privilege: Identity and access management (IAM) vulnerabilities (over-permissive functions) within serverless workloads, identified prior to deployment
    • Software composition analysis (SCA): Analysis of open-source libraries using Contrast's unique open-source security engine

"Traditional application security approaches were not built for serverless applications," said Steve Wilson, Chief Product Officer at Contrast Security. "Our new serverless security capabilities empower developers to detect and remediate serious security vulnerabilities easily and quickly. This unleashes the full potential of the cloud and serverless while dramatically reducing the risk of vulnerabilities in these environments."

Related details can be found on the Contrast Serverless Application Security webpage and in the following resources:

REPORT: State of Serverless Application Security Report

PODCASTS: Key Takeaways From a New Serverless Application Security Report; New Serverless Application Security Solution Is a Transformative Breakthrough

WHITE PAPER: Contrast Serverless Application Security White Paper

About Contrast Security:
Contrast Security provides the industry's most modern and comprehensive Application Security Platform, removing security roadblock inefficiencies and empowering enterprises to write and release secure application code faster. Embedding code analysis and attack prevention directly into software with instrumentation, the Contrast platform automatically detects vulnerabilities while developers write code, eliminates false positives, and provides context-specific how-to-fix guidance for easy and fast vulnerability remediation. Doing so enables application and development teams to collaborate more effectively and to innovate faster while accelerating digital transformation initiatives. This is why a growing number of the world's largest private and public sector organizations rely on Contrast to secure their applications in development and extend protection in production.

Jacklyn Kellick
Public Relations Manager
Contrast Security
