Historically, the IT Security team at the firm was focused on network security, and relied on perimeter security solutions to protect their applications and data. They tested pre-production applications with third-party application security scanning tools and network penetration tests, late in the software development lifecycle (SDLC). The application development team had little-to-no involvement in application security.
They received annual training on secure coding best practices, but the training didn’t keep pace with advances in application development and hacking. Code scanning tools and manual code reviews were difficult to work with and disrupted their development process. Application security reviews would occur only once the application had been fully written. The development team was left uninformed, only to be blindsided by issues uncovered in the pre-production environment. Weeks – or even months – would elapse
When it came to application security, the security team lacked the visibility needed to work efficiently and effectively. Their scanner tool reported many types of vulnerabilities in the application – mostly false positives – and the reports also lacked the information and guidance developers needed to find and fix errors. Developers needed insight into the numerous third-party libraries used in their applications, but existing tools provided very little information. Penetration tests also generated few relevant findings.
To close these gaps, the developers spent a tremendous amount of time going back and forth with the scanning tool vendor to help recreate issues – because their tool couldn’t locate vulnerabilities in the code. Once the team validated the real security issues, they then spent hours trying to research the vulnerabilities and identify fixes. They couldn’t be proactive or incorporate security into their standard operating processes, and this was frustrating.
The Security Director at the company was researching software security alternatives when he saw a Contrast Assess demo at a trade show. He and his team were impressed by the product’s unique approach to finding and presenting vulnerability data in a way that was understandable by both developers and the security team. Contrast Assess works from within the application, without requiring any configuration changes.
Its quick and easy installation, detailed dashboard, and real-time, continuous approach solved many of the application security challenges they were facing. To accelerate deployment and simplify ongoing operations, they decided to onboard the SaaS version of Contrast Assess.
Using Contrast’s continuous security testing, the application development team has improved the security of their applications and can provide predictable delivery – without adding headcount or expertise to the team. Real-time results allow developers to fix problems as they come up throughout the development process, rather than waiting until the end and hoping the scans don’t find anything. The application development manager, Garrett, now keeps the entire development team informed and in control of his applications’ security status by using the visibility provided by Contrast.
“I am not a deer in the headlights, like I used to be. Since deploying Contrast, I have been able to stay informed and keep my team on top of security.”
Application Development Manager
Access to detailed, actionable information – where vulnerabilities come from, why they are important, and how to fix them – keeps his team at the forefront of security. They are no longer consumers, but owners of their applications’ security.
The insight Contrast Assess provides into custom and third-party code helps the development team identify which libraries have vulnerabilities and whether their firm’s applications are using vulnerable code within those libraries; this had been a major blind spot with their old scanning tool.
Contrast’s code-level guidance has helped the development team nearly eliminate vulnerabilities introduced in the later stages of the SDLC. Contrast has also reduced vulnerability resolution time from weeks and months to hours.
“There is no more ‘Release. And wait. And hope,’” the Application Development Manager added.