APPSEC OBSERVER

The latest trends and tips in DevSecOps through instrumentation and Security Observability.

Subscribe To Blog

A Single Security Platform That Actualizes DevSecOps

ByMahesh Babu May 4, 2021
Security and Development Are Out of Synch

When bringing new applications to market, speed has become a top priority. Nearly 80% of organizations say their development team is under growing pressure to shorten release cycles. Companies are increasingly adopting DevOps tools, open-source components, and cloud-native/serverless approaches to achieve more aggressive delivery cycles.

 But in many cases, faster time to market is coming at a cost of application security. And the reason for this is simple: Traditional application security tools bog down development workflows without offering sufficient and efficient risk reduction. In a recent survey, more than half of developers admit to sometimes skipping security scans to meet deadlines. Further, while investments in application security tools continue to increase, the number of vulnerabilities in applications remains steady.

 As one might expect, cyber criminals haven’t missed the expanding application attack surface. Over the last year, the average application endured more than 13,000 attacks per month searching for unremediated vulnerabilities. And while the vast majority of those attacks are simply probes that don’t find an actual vulnerability to exploit, the success rate is significant enough—nearly half of all successful data breaches can be traced back to an unsecured application.

The market demand for new and updated applications isn’t going away. Neither is the increasing frequency and sophistication of cyberattacks seeking open vulnerabilities. So the only way to address this problem is to eliminate the application security bottlenecks that often put development and security teams at cross purposes.

DevSecOps Means Security at the Speed of Development

Modern tools that build security into development processes can actually accelerate operations while improving the quality of innovations. Organizations need a different approach to application security—one that synchronizes the workflows and objectives of developers, operations managers, and security experts within the organization (better known as DevSecOps).

 Application security that supports DevSecOps must automatically see how all parts of an application perform when it’s actually running—comprehensive observability of the application runtime that can instantly spot both vulnerabilities and potential exploits.

 To gain this interior view of the code in action, organizations can add a security agent to the application code to provide continuous, complete, and accurate security without scanning. An agent is deployed once and operates throughout the entire life cycle of the application—from development through production. In addition, a single solution can replace the entire “tool soup” of legacy security solutions by providing a complete platform of integrated capabilities. These include:

  • Real-time detection of vulnerabilities and attacks. Organizations need accurate vulnerability testing results to empower developers to fix vulnerabilities in real time as they code—without waiting for security team input, subsequent context switching, and snowballing remediation backlogs. This simultaneously allows security teams to focus on strategic tasks such as vulnerability research and threat hunting.
  • Simplified security across the SDLC. An effective solution must cover the entire software development life cycle (SDLC)—from development through production. The application security platform must therefore include capabilities such as software composition analysis (SCA) and interactive application security testing (IAST). It should also include exploit prevention, such as runtime application protection and observability. And while traditional security tools typically specialize on either custom code or open-source components, a modern approach to application security should encompass both capabilities. 
  • Runtime visibility and easy-to-fix remediation guidance. An effective solution must use runtime-informed vulnerability analysis. Testing and protection through the same platform tooling allows organizations to leverage context from each phase to inform earlier phases. The platform should also use this contextual information to help development teams make fixes without dependence on security teams, workflow delays, and subsequent context switching to make repairs at a later date.
  • Measuring the volume and speed of remediation. Security teams must be able to measure the number of vulnerabilities remediated as well as mean time to remediate (MTTR). These metrics are the true way to evaluate application security effectiveness. They convey a strong indicator of the maturity of an application security program; faster remediation time translates into both lower risk and lower security debt for the organization.
  • Zero-day protection in production. The platform must offer the ability to discover and defend against zero-day exploits that do not have a patch or fix in place. Zero-day attacks are dangerous to all organizations after discovery, due to the fact that it takes an average of 59 days for vendors to roll out patches.

The Contrast Application Security Platform

To address the aforementioned challenges and requirements, the Contrast Application Security Platform uses instrumentation to embed security within the application runtime. It’s comprised of three main solutions:

  • Contrast Assess automatically identifies software vulnerabilities in real time while developers write code. It monitors code and reports from inside the application—enabling developers to find and fix vulnerabilities without involving security experts.
  • Contrast OSS detects which open-source software components are called in the application runtime and provides the ability to prioritize remediation based on which libraries are actively being used. Contrast OSS also helps organizations identify if any components expose an organization to unnecessary security risks or legal problems due to licensing complications.
  • Contrast Protect uses real-time analysis of application runtime events to confirm exploitability before taking action to block an attack. It accommodates modern application release velocity with immediate protection via built-in application sensors. That means that Contrast Protect is ready for an attack from the first line of code onward.

As these three product solutions are wrapped into one integrated DevSecOps platform, Contrast delivers customers a unique set of capabilities not available in other application security models:

  • A comprehensive application risk score that comprises every aspect of an application—from libraries, to custom code, to runtime environment, to production traffic. This enables enterprisewide reporting, assurance, and benchmarking of application security risk posture.
  • Policy orchestration allows security teams to enforce consistent, cross-SDLC software security policies across the enterprise or at the level of a business unit, specific team, or portfolio of applications.

Because of these and other capabilities, the Contrast platform provides deep observability across the entire application stack—including custom code and open-source components. It delivers accurate vulnerability testing in development and powerful protection in production through the same embedded security agent. Most of all, it helps DevOps evolve into DevSecOps by removing security roadblocks, reducing alert noise caused by false positives, and scaling security without additional staff or training.

To learn more about the drivers behind modern, platform-based application security and the specific capabilities to look for, check out the following resources:

Inside AppSec Podcast: Right and Wrong DevSecOps Metrics: Measuring What Counts

Webinar: What True DevSecOps Controls and Metrics Look Like

DevSecOps Buyer’s Guide: Application Security

 

Mahesh Babu

Mahesh Babu

Mahesh leads Product Marketing for Contrast's Application Security Platform at Contrast Security. He takes every opportunity to tell everyone how Contrast has fundamentally changed application security for the first time since he started working in security 10+ years ago. Mahesh has seen the industry evolve as a researcher, consultant, and practitioner within a large bank. He began his career as a security researcher at the CERIAS center at Purdue University. He then went on to build and scale large security & privacy programs a Senior Manager & architect for HSBC Information Security & Risk. He also spent time as a consultant at Deloitte and Booz & Company. Mahesh has a BS in Computer Science and MS in Information Security from Purdue University and an MBA from Duke University.

SUBSCRIBE TO THE BLOG