SECURITY INFLUENCERS BLOG

Security Influencers provides real-world insight and “in-the-trenches” experiences on topics ranging from software application security to DevOps and cloud security.


Application Security: Faster, Cleaner, Smarter.

Our release notes are always available, but I wanted to highlight the progress we've made since the end of last year on making a faster, cleaner, smarter vulnerability detection agent. Our goal is to be entirely invisible, continuously on, always passive, and, incidentally, the best security tool ever created.

Application Security Faster

The most important way to measure Contrast's effect on performance is the round-trip time difference. When we started building Contrast, people told us we'd never get below 500% performance impact. We were already a lot better than that, but I'm happy to announce we've recently gotten even better.

This graph shows the cost of running Contrast on a simple JSP page. You can also see the reduced effect that comes with running Contrast in sampling mode, which is sometimes needed in high performance situations.

[Figure: round-trip time (RTT) with and without Contrast, including sampling mode]

This test page doesn't issue any SQL queries or call any web services, things that typical pages do. This means that Contrast's penalty is exaggerated on this page, because the real-world cost of fetching a page is often dominated by talking to those external interfaces.

Our real-world data suggests that apps usually pay a 2.2x cost for Contrast without any optimizations, but with sampling and other features that cost can be reduced to 1.2x. The good news is that for most apps this penalty is completely in the noise anyway: a 2.2x penalty turns a 20ms response into 44ms, well within the "nobody cares" range. Aside from sampling, there are plenty of other knobs and switches to help you find what works best for your security and performance needs.

Application Security Cleaner

Contrast weaves security sensors into the bytecode loaded into the JVM. We keep a cache of the small number of classes we actually have to alter. Until this quarter, this cache was kept in-memory. While blazing fast, it tended to add ~20MB of heap space per application running on the container. There are some good performance reasons for running without a lot of extra, unnecessary heap, so it shouldn't be surprising that many users were running pretty close to the limit -- and Contrast pushed it over.

To make sure we stayed invisible, we moved this cache to disk. We traded a few more CPU cycles during classloading to save potentially hundreds of MB in heap utilization. This graph shows the idle heap utilization with and without Contrast. The numbers are really exciting.

Here's what a monitored app looks like before our changes:

[Figure: idle heap utilization of a monitored app before the changes]

After our changes, you can see Contrast adds practically zero memory overhead to what an idle server automatically accrues. So please, run with your normal memory settings!

[Figure: idle heap utilization of a monitored app after the changes]
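As an added illustration of the in-memory-to-disk trade-off described above (hypothetical agent code, not Contrast's), here is a JVM ClassFileTransformer that keeps woven class bytes on disk instead of in the heap; the weaving step itself is injected as a UnaryOperator<byte[]>, and the transformer is registered from the agent's premain with Instrumentation.addTransformer. It assumes Java 17 or later (for HexFormat).

```java
import java.io.IOException;
import java.lang.instrument.ClassFileTransformer;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.MessageDigest;
import java.security.ProtectionDomain;
import java.util.HexFormat;
import java.util.function.UnaryOperator;

/** Keeps woven class bytes on disk instead of in the heap (hypothetical agent code). */
public final class DiskCachedWeaver implements ClassFileTransformer {
    private final Path cacheDir;
    private final UnaryOperator<byte[]> weaver; // bytecode rewriter; returns null when no sensors are needed

    public DiskCachedWeaver(Path cacheDir, UnaryOperator<byte[]> weaver) throws IOException {
        // The cache directory must be private to the JVM user: anyone who can write here
        // can feed the JVM arbitrary bytecode on the next class load.
        this.cacheDir = Files.createDirectories(cacheDir);
        this.weaver = weaver;
    }

    @Override
    public byte[] transform(ClassLoader loader, String name, Class<?> redefined,
                            ProtectionDomain pd, byte[] original) {
        if (name == null || name.startsWith("java/") || name.startsWith("jdk/") || name.startsWith("sun/")) {
            return null; // leave platform classes alone; null tells the JVM "unchanged"
        }
        try {
            // Key on the content hash, not the class name: the same name can be loaded by
            // several loaders (or several deployed versions) with different bytes.
            Path entry = cacheDir.resolve(sha256Hex(original) + ".class");
            if (Files.isRegularFile(entry)) {
                return Files.readAllBytes(entry); // hit: a few CPU cycles, nothing retained in heap
            }
            byte[] woven = weaver.apply(original);
            if (woven != null) {
                store(entry, woven); // miss: weave once, then serve from disk
            }
            return woven;
        } catch (Exception e) {
            return null; // never break classloading; the class simply loads unwoven
        }
    }

    private void store(Path entry, byte[] woven) {
        try { // write to a temp file and rename so readers never see a partial class file
            Path tmp = Files.createTempFile(cacheDir, "weave-", ".tmp");
            Files.write(tmp, woven);
            Files.move(tmp, entry, StandardCopyOption.ATOMIC_MOVE);
        } catch (IOException ignored) { /* a failed cache write only costs a re-weave later */ }
    }

    private static String sha256Hex(byte[] data) throws Exception {
        return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(data));
    }
}
```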

Application Security Smarter

Our focus is on performance, stability, and integration -- everything it takes to be a seamless addition to your Continuous Integration. Keep an eye out for some blog posts from the engineering team on our new REST API -- another way to consume what Contrast has to offer.


Developing a robust application security program does not need to be a daunting task...

Perhaps all it takes is rethinking your existing program and moving to one that leverages a continuous application security (CAS) approach. Organizations practicing CAS quickly determine how a new risk affects them, design a defense strategy, and measure their progress to 100% coverage. By implementing eight functions within an enterprise you can assemble an effective application security program.


Arshan Dabirsiaghi, Co-Founder, Chief Scientist

Arshan is an accomplished security researcher with 10+ years of experience advising large organizations about application security. Arshan has released popular application security tools, including AntiSamy and JavaSnoop.
