Contrast and NowSecure Discuss Application Security Challenges and Best Practices
In a recent webinar, “Accelerating DevOps with Autonomous Security Observability,” Brian Reed, chief mobility officer of NowSecure, spoke with Jeff Williams, co-founder and CTO at Contrast Security, on how autonomous security can power DevOps teams and take continuous integration/continuous deployment (CI/CD) pipelines to the next level. I highly recommend listening to the full webinar—it has many insights both for developers and security teams. In the following, I will tease out the highlights of their conversation and extract some key takeaways.
While Contrast focuses on application security for web applications, NowSecure specializes in protecting apps that run on mobile devices. In this conversation, Brian and Jeff discuss the unique challenges of mobile apps and their web-based back ends.
Background: Mobile App Security Status Quo
Brian, who has been working with mobile apps for 15 years, spends a lot of time talking to customers about mobile technology’s role in their digital transformations. He laments what he sees as a mismatch between the huge investment in securing software and the less-than-stellar security outcomes. For example, organizations spent $3.2 billion on application security in 2020 and are projected to spend $4.5 billion in 2024 (according to this Gartner report) and yet …
Jeff echoes those sentiments when he talks about web applications. Scanning the data from the tens of thousands of applications monitored by the Contrast Security Platform, Jeff found that almost all of them (96%) have at least one vulnerability; the average is 35 per web application! Vulnerabilities come from both custom and open-source code. Some of the latest research from Contrast Labs confirms his assertion. A few highlights include:
Takeaway: Vulnerabilities put applications at risk; few are entirely safe.
The Challenge: Keeping Up With the Development Pipeline
Due to the adoption of DevOps and Agile development processes and a plethora of open-source libraries and application programming interfaces (APIs), development teams are “steamrolling” their applications through the pipeline, as Brian puts it. As a consequence, both the front end and the back end of applications are riddled with vulnerabilities that hackers readily exploit.
Security teams need to detect these vulnerabilities, but Jeff says security is still somewhat in the dark ages. Legacy application security tools suffer from a variety of challenges beyond the manual intervention required to run code scanners and to tune web application firewalls (WAFs), which is a significant problem in itself. Here are just a few:
Takeaway: Application security tools that take too long to work and require manual intervention thwart efforts to deliver secure, high-quality mobile/web applications.
Why Inside-Out Security Is a Better Approach
How Instrumentation Works
Takeaway: Making application security observable enables you to make informed decisions about risk, without incurring risk.
Takeaway: Empower developers to do security testing as part of their normal pipeline. This keeps security experts out of the critical path and gets clean code to production faster.
Observability in Runtime Is Essential for Mobile Apps
Reducing Friction and Improving Cost-Efficiencies
Takeaway: Removing the roadblocks to security best practices increases the chance that everyone will adopt them, creating a culture of security across the organization.