In the News

Featured

06/13/2024

Microsoft’s Brad Smith acknowledges past security failures, outlines new initiatives

Not everyone was as harsh on Microsoft’s previous mistakes. Jeff Williams, co-founder and chief technology officer at application security software platform provider Contrast Security Inc., noted that “while it’s pretty obvious in hindsight that they made a mistake, I think commentators are judging them without seeing the whole picture.”
“The unfortunate reality is that software is far more complex than most people understand,” he said. “A single application is built from dozens of source code repos, hundreds of open-source libraries, multiple application frameworks, server software and often multiple language platforms. And Microsoft has tens of thousands of applications, each of which has vulnerabilities reported all the time by tools, penetration testers, customers and more.”


06/19/2024

Microsoft under fire for recent cybersecurity lapses

Some observers have downplayed the degree to which Microsoft acted negligently in its handling of Harris's vulnerability reports, including Jeff Williams, co-founder and CTO at cybersecurity firm Contrast Security. Williams said the "overwhelming majority of these reports turn out to be false, unexploitable, or low risk," making it a tall order to differentiate the severe reports from the mundane ones.
 "It may be a surprise to some that most large organizations, including your bank, your healthcare companies, and your government all carry huge application vulnerability backlogs," Williams said. "In most companies I talk with, the number is usually hundreds of thousands or millions of vulnerabilities that are waiting to be investigated."
 While he said that the huge pile of potentially meaningless vulnerabilities that Microsoft and its peers have likely accumulated is a problem that cannot be excused, they stem from a more fundamental issue.
 "We reward companies for new features, not security," Williams said. "Our governments have not mandated serious security transparency on companies or created a liability regime for software producers."

06/12/2024

Why malware matters most: 6 ways to foil software threats faster

Larry Maccherone, DevSecOps transformation architect at Contrast Security said the problem with find-and-fix is there isn't enough fixing being done. He cites the theory of constraints: "A big part of the intellectual foundation of DevOps, [it] tells us that improvements made anywhere besides the bottleneck in a process are waste." So you then must ask yourself, Where are the bottlenecks? "For all of cybersecurity, it’s in the application and API security domain compared to all the other cybersecurity domains, which actually get more investment."
Within the app and API security domain, the bottleneck is not in detecting vulnerabilities — it’s in resolving them, Maccherone said. "The way we do app and API security today is fundamentally broken in large part because it focuses on detection, leaving resolution to a later exercise that we don’t get to," he said.
"You are a thousand times better off if you found fewer things but you resolved everything you found within a day of detection. Take a depth-first approach, not a breadth-first approach."
—Larry Maccherone


06/04/2024

Hackers Claim They Breached Australian Logistics Company

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, said GhostR is intent on cyber extortion via doxing. "This type of cybercrime is growing in popularity. Organizations must invest in runtime security to prevent exploitation of their databases and invest in micro segmentation and modern DLPs to minimize the impact of these intrusions," Kellermann told Information Security Media Group.


05/31/2024

Experts Warn of Security Risks in Grid Modernization

"These technologies increase the attack surface of the grid," Tom Kellermann, senior vice president of cyber strategy for the application security software platform Contrast Security, told Information Security Media Group. "Segmentation, two-factor authentication, least privilege and runtime security are imperatives for the safety of the grid." ... "The expedited process will undermine the cybersecurity preparedness of the grid," Kellermann said. "Given the increase in destructive cyberattacks being launched by rogue nation-states, cybersecurity assessments must be performed prior to projects going live."


05/31/2024

Terrifying Cybersecurity Risks to U.S. Water Systems: ‘Mass Delusion We All Share’

Tom Kellermann, SVP of Cyber Strategy at Contrast Security, a security and development company helping organizations deploy secure code, spoke to Techopedia about the issue. “The safety of the U.S. water supply is in jeopardy. Rogue nation states are frequently targeting these critical infrastructures, and soon we will experience a life-threatening event.”


05/31/2024

Larry Maccherone Explores Several Advantages of Adding Security to DevOps

For many dev and security teams, a reset on culture and mindset is critical to begin integrating security into every phase of the software development lifecycle as a shared responsibility, as opposed to addressing security after development. In this archived keynote session, Larry Maccherone, DevSecOps transformation architect at Contrast Security, highlights ways to fundamentally transform AppSec and DevOps into a modern DevSecOps approach. This segment was part of the live webinar titled "How to Amplify DevOps with DevSecOps," presented by InformationWeek on May 22, 2024.


05/31/2024

First American reveals data breach hit 44,000 individuals

Cybercriminals are likely to use First American's infrastructure to "island hop" to other financial services players, said Tom Kellermann, senior vice president of cyber strategy at Contrast Security. He warned of the threat of home equity fraud, where a criminal could establish a line of credit against someone else's home. "Inevitably the owner of the home is the one that's penalized by the system for not paying their debt," he said. "And that is increasing. That is my biggest concern regarding this breach."


05/28/2024

The state of AppSec: Are we getting ahead of attackers — or falling behind?

Jeff Williams, CTO and co-founder of Contrast Security, said it took 30 years of programming to build the foundation of all computing in C/C++. "Replacing the foundation with safer languages will likely take much longer. Our C/C++ foundation has the benefit of 30 years of torture to make it strong. However, perhaps a few new projects will choose safer languages from the get-go. I suppose that's a bit of progress."


05/28/2024

Third-party software supply chain threats continue to plague CISOs

But let’s not just blame the third-party providers because the attackers leverage the increasing complexity of today’s software supply chains. “This is a problem that will take many years for the software industry to solve. The complexity of a pharmaceutical or manufacturing supply chain pales in comparison with a modern software supply chain. Literally, everything involved in creating software can introduce malware and vulnerabilities,” said Jeff Williams, co-founder and CTO of Contrast Security. He tells CSO, “Every piece of software you use depends on many hundreds of thousands of people, any of whom has a path to introducing malware into your code. That’s not even counting hackers that find and exploit vulnerabilities.”
