In a Nutshell

Business Impact

• Increase awareness among developers about application security risk and safe-coding practices
• Enable discovery and remediation of vulnerabilities with minimal delays to the development process
• Reduce the backlog of unaddressed high-risk vulnerabilities (i.e., security debt)
• Roll out a global solution to all internal business units and groups

Solutions

• Shifted application security further left in development with Contrast Assess
• Contrast Customer Success team aided onboarding and provides ongoing support
• Contrast Professional Services helped with implementation and rollout of the solution

Results

• Improved developer productivity by shifting security left in development and reducing amount of time needed to trace source of vulnerabilities and remediate each one
• Enhanced productivity of application security team by virtually eliminating false positives
• Improved trust and engagement between development and security teams
• Augmented security risk posture of applications by reducing mean time to remediate (MTTR)
• Reduced the number of software vulnerabilities and risk and hence reduced overall security debt

Awareness Helps, but Requires Automated Action

One early priority in the effort to advance application security was to generate greater awareness among developers. “We have hundreds of developers, and we found that many of them did not know that our policy requires vulnerability scanning before every release,” recalls the information security director at the insurance provider. “In other cases, developers found that the policy resulted in release delays. As a result, compliance with this policy was sporadic at best.”

These awareness efforts helped somewhat, as the percentage of required scans that were actually completed increased. But the team realized that application security would not move to the next level with their current suite of manual application security tools. “Our developers face constant deadlines—feature requests, enhancements, upgrades, and patching,” the information security leader describes. “Developers were reluctant to stop software releases for the sake of application security.”

Moving Beyond Unsustainable Application Security Practices

Unfortunately, too many of the organization’s application security processes did just that. Vulnerability scanning with the legacy static application security testing (SAST) tool often took hours at a time—meaning they were out of date from the minute they were printed out. Once the results came back, application security professionals spent hours analyzing the complex reports and trying to trace reported vulnerabilities back to their source, before sending the results of that work back to the development team for remediation. And many of the alerts in each report turned out to be false positives, wasting precious time and potentially delaying release cycles.

Fortunately, the global organization made Contrast Assess available to all the regions, and the North America team began using the product on a pilot basis two years ago. Over time, they installed the Contrast agent within dozens of external-facing applications, and are now embarking on a project to deploy Contrast Assess on a group of applications used internally. “As we deployed the Contrast agent on specific applications, we discovered new high-risk vulnerabilities that were not detected with our legacy tools, and we’re finding new vulnerabilities much more quickly,” the information security director relates. “Having accurate and timely results is helping our security and development teams to collaborate more closely, and this bolsters our application security posture.”

Contrast Assess uses instrumentation to embed continuous security scanning within each application, with real-time feedback for developers that gives them guidance on how to remediate problems as they occur. The company also leverages the Contrast platform’s built-in integration with Microsoft Teams to manage vulnerability notifications within the company’s primary collaboration tool.

Achieving Tangible Business Value

The business benefits of Contrast became apparent early on. “We found that getting a tool into the hands of developers that they like to use makes a huge difference,” the information security director relates. “Results now come in real time, and easy-to-understand recommendations for how to fix the problem are clearly delineated in the user interface. As a result, developers can now analyze, debug, and verify the fixes before they cause further problems. And they no longer need to spend time scanning and waiting for those results and then getting a huge data dump all at once.” Application security team members save significant time each week by catching vulnerabilities in real time and reducing the number of SAST scans required.

Another way that Contrast saves staff time is by virtually eliminating false positives. “We have noted only three false positives in the two years we have been using Contrast,” the information security director reports. “In talking with developers, they saw multiple false positives every time they ran a scan with our SAST solution. This really improves developer productivity.”

Another expected benefit is the reduction in the time it takes to remediate vulnerabilities. “We are quickly paying down our security debt—the backlog of vulnerabilities that need to be addressed—and have now reached a plateau in new vulnerabilities,” the information security leader says. “As a result, we expect our mean time to remediate (MTTR) to decline quickly in the coming months.”

Another benefit is Contrast Security’s customer support. “It is one of the best support experiences I have had,” the information security director contends. “Every issue I have called about has been addressed quickly. With other vendors, you open a ticket and often wait days for a resolution. The support team has been instrumental in helping us optimize the platform.”

Building a Culture of Application Security

The deployment of Contrast Assess is a big step in the maturation of the company’s application security technology, but it has also been a catalyst for cultural change at the organization. “Security scans used to be perceived as an annoying checkbox that had to be checked, rather than an opportunity to make our software safer,” the information security director says. “Now developers are able to participate actively in the delivery of secure applications, and many of them are excited about it.”

In fact, developers are so excited that they have formed an internal application security community that meets online regularly to discuss ways to write more secure code. “Having a developer community that focuses on avoiding vulnerabilities in the first place will improve our results even more,” the information security leader remarks.

The security and development teams are also getting better at prioritizing vulnerabilities. “We now categorize applications in Contrast according to their importance within the organization, along with the severity scores for each vulnerability,” the information security director explains. “Because Contrast is context-aware, continuous, and accurate, we can prioritize vulnerability remediation to focus on those that pose the greatest risk.”

“Our developers face constant deadlines—feature requests, enhancements, upgrades, patching. Developers were reluctant to stop software releases for the sake of application security.”

– Information Security Leader

Looking Toward Investment and Innovation in the Future

While most applications at the company are currently managed on-premises, the development teams are now embarking on a project to deploy a cloud-first strategy for application development, including the use of application containers. Application security will naturally be a big part of that initiative. “We are looking to extend our Contrast Assess deployment to the cloud to support the new infrastructure,” the information security leader says.

The information security director sees Contrast as an essential element of the new cloud strategy. “Contrast takes an innovative approach to application security that enables our developers to work smarter and focus on threats that pose the greatest risk,” he concludes.