Press Release

Contrast Security Provides Application Security Leadership And Direction For Software Supply Chain Risk In Support Of White House Executive Order

Application security is the most critical priority within the executive order, and Contrast leads the charge for software supply chain transparency via the generation of SBoM.

LOS ALTOS, Calif., September 1, 2021 - Contrast Security, a leader in modernizing application security, today announced it enables organizations to make the software bill of materials (SBoM) mandate a reality. By leveraging its influence in the market and relationship with the National Institute of Standards and Technology (NIST), Contrast — and its Application Security Platform — directly supports the majority of the goals of President Joe Biden's executive order to improve the nation's cybersecurity. Application security is the most critical priority in the executive order, and preparing for stricter guidelines and higher levels of security in applications and the broader software supply chain should begin today. 

In the fallout of a successful ransomware attack on a pipeline that supplies nearly half the East Coast's gasoline, the executive order places strict new standards on the cybersecurity of any software sold to federal agencies. It should be no surprise that improvements to application security are a recurring topic throughout the executive order's various sections. Specifically, President Biden calls for greater software supply chain transparency via SBoM, which removes the need to assess procured software source code.

Third-party software presents a variety of organizational risks that must be managed. For instance, some third-party libraries use risky licenses that could require an organization to open-source an entire application. In response, application security teams need an automated means to baseline their open-source security (OSS) posture while legal and compliance teams track licensing risk by building an SBoM that scales with their application portfolio. 

"Contrast invented an entirely new technology to analyze the security of libraries with the full context of the application that uses them," said Jeff Williams, CTO and co-founder at Contrast Security. "We built Contrast OSS, the first product to embed software composition analysis (SCA) and open-source security within an application. This approach makes Contrast the only product that delivers SCA in real time, continuously and accurately, across an entire application and API portfolio."

Contrast customers can generate an SBoM directly in a way that meets the specifications of the OWASP's CycloneDX SBoM standard and the Presidential Executive Order. The capability is available through a simple API or a command through the Contrast command-line interface (CLI). 

Contrast's history with open-source security began when its founders conducted the first large-scale study of insecure open-source use and later championed adding it to the OWASP Top 10. Currently, Williams serves on the board for OWASP's CycloneDX SBoM standard, an SBoM standard designed for use in application security contexts and software supply chain component analysis. CycloneDX enables developers, consumers, legal teams, and other stakeholders to quickly and accurately understand exactly what open-source libraries are in use in the applications and APIs they use.

Contrast has also been working closely with NIST on the implementation of the executive order on cybersecurity. The executive order directs NIST and the National Security Agency (NSA) to jointly publish guidelines covering the definition of critical software, software security testing, software labeling, and SBoM use. Contrast has been an active participant in the NIST workshops process and submitted six separate position papers on various issues. Currently, Contrast is working with NIST to help implement the software labeling program called for in the executive order. Contrast is thrilled to work with NIST to make its vision a reality.

To learn more about software supply chain transparency with Contrast, visit https://www.contrastsecurity.com/software-supply-chain-security.

About Contrast Security:

Contrast Security provides the industry's most modern and comprehensive Application Security Platform, removing security roadblock inefficiencies and empowering enterprises to write and release secure application code faster. Embedding code analysis and attack prevention directly into software with instrumentation, the Contrast platform automatically detects vulnerabilities while developers write code, eliminates false positives, and provides context-specific how-to-fix guidance for easy and fast vulnerability remediation. Doing so enables application and development teams to collaborate more effectively and to innovate faster while accelerating digital transformation initiatives. This is why a growing number of the world's largest private and public sector organizations rely on Contrast to secure their applications in development and extend protection in production.