The Contrast platform secures the world’s largest organizations against applications using Log4j without patching while protecting against future vulnerabilities.
LOS ALTOS, Calif., Dec. 17, 2021 — Contrast Security, the leader in next-gen code security, today shared information on how global organizations are successfully using the Contrast Secure Code Platform to protect against attacks targeting applications using Log4j.
Sándor Incze, CISO at CM.com said, “We were able to analyze whether our own built software would be vulnerable to the Log4j zero-day, using the Contrast Secure Code Platform, and got the answer within 30 seconds by just looking at the Libraries menu! How fast is that!”
Contrast has demonstrated that its unique, in-app, runtime protection has been stopping Log4j attacks in their tracks since Day-Zero. The Contrast Code Security Platform:
Stops attacks against the Log4j vulnerability immediately, without updating or patching.
Lets developers quickly target applications that are vulnerable to the Log4j vulnerability to allow them to quickly update vulnerable code.
Detects and defends against other “injection” vulnerabilities that may occur in the future – either in custom-developed, or open-source code.
“We can expect more attacks similar to Log4j because attackers will continue to target commonly used open source code. Many organizations are struggling to respond to Log4j because it can be difficult to identify all of the instances where Log4j is running, and they may also be taking steps to isolate possible instances until they can determine where it is running and apply the needed patches. Contrast Security has been able to help customers immediately respond with attack detection and blocking, making it a valuable tool in protecting against these types of attacks and helping security scale with the speed of modern development,” said Melinda Marks, senior analyst at ESG.
The advantage of a platform like Contrast, which integrates Application Security Testing (AST), Software Composition Analysis (SCA) and RASP, is that it allows organizations not only to respond instantly to zero-day vulnerabilities like Log4j, but also to future-proof their stack against the many emerging threats to come.
The Contrast Platform provides three layers of defense:
Contrast Protect defends applications against the underlying vulnerability with sandboxes that separate exploitable operations from exploiting targets. This immediate protection allows customers to schedule permanent fixes without being exposed.
Contrast SCA is able to establish which of a company’s many applications are using Log4j in a manner that makes them vulnerable to attack, so that teams can fix the most urgent issues first.
Finally, Contrast Assess detects the underlying vulnerability in applications. This means Contrast will find the next vulnerability like Log4j, before it becomes a disclosed CVE or major incident.
“This kind of thing happened before and will happen again,” said Steve Wilson, Chief Product Officer at Contrast Security. “In 2017, Equifax announced a data breach that exposed personal, confidential information and was very similar to this situation in many ways. It was based on a similar attack technique in a common open source, free software library called Apache Struts. However, today Log4j is far more common than Apache Struts was at the time of the 2017 incident. This means that the exposure is far, far broader. Organizations will struggle to find all the instances of Log4j in their environments, as many organizations do not have effective, automated tracking on data like this. The best strategy is to use Runtime Protection, like Contrast Protect, to defend immediately without patching.”
To learn more about how Contrast can protect your Java applications against exploits like Log4j, please visit our website or register for our Log4j webinar on December 21st with guest speaker Melinda Marks from ESG.
About Contrast Security:
Contrast Security secures the code that the world economy relies on. It is the industry’s most modern and comprehensive Code Security Platform, removing security roadblock inefficiencies and empowering enterprises to write and release secure application code faster. Embedding code analysis and attack prevention directly into software with instrumentation, the Contrast platform automatically detects vulnerabilities while developers write code, eliminates false positives, and provides context-specific how-to-fix guidance for easy and fast vulnerability remediation. Doing so enables application and development teams to collaborate more effectively and to innovate faster while accelerating digital transformation initiatives. This is why a growing number of the world’s largest private and public sector organizations rely on Contrast to secure their applications in development and extend protection to cloud and on-premise applications in production.