Platform
Contrast Secure Code Platform

Contrast Scan (SAST)

Contrast Assess (IAST)

Contrast Protect (RASP)

Contrast Software Composition Analysis (SCA)

Contrast Serverless (Cloud Native)
Developer Central

Log4j Response

Pricing

How We Compare

Languages

Integrations
Solutions
BY USE CASE

Why IAST?

DevSecOps

Automated Penetration Testing

AppSec Monitoring

API Security

Software Supply Chain Security

Runtime Protection

Software Bills of Materials (SBOMs)

GitHub CI/CD

Compliance Testing

Services

BY DEPARTMENT

Dev and DevOps Teams

Security

DevSecOps

CISO

BY INDUSTRY

Government

Financial Services

Healthcare

Others
Partner
Technology Partners

Systems Integrators

Ecosystem Integrations

Managed Security Services Providers

Channel Partners Overview

Cloud Partners

GitHub
Partner Program Overview

Become a Partner

Find a Partner

Visit Partner Portal
GITHUB ACTIONS BLOG SERIES, PART 1: PIPELINE NATIVE CODE ANALYSIS

Read the Blog
Customers
Company
About Us

Leadership Team

Culture & Careers

Women of Contrast

Contact Us
Blog

Events & Webinars

Newsroom

Podcast

Awards
Contrast Security recognized as a Visionary by Gartner in Application Security Testing.

Learn More
Resources
Contrast for Developers

Contrast Secure Code Learn Hub

Contrast Community

Resource Center

OWASP Top 10

Accountability & Transparency

SBOMs

ContrastLive

Support

Services

Trust Center

Documentation

Product Release Notes

Blog

Podcast

Events

Glossary
Contrast Incident Response Hub

Spring4Shell Vulnerability

Log4j Vulnerability

Weekly CISO Update

Trust Center
Developers

Automating Application Security in Modern Software Projects

By Jeff Williams, Co-Founder, Chief Technology Officer

January 19, 2017

Today, it seems like every organization has become a software company.

The increasing dependence on automation demands that software survive and thrive despite an increasingly hostile environment.

Insecure code has become the leading security risk and, increasingly, the leading business risk as well. It’s irresponsible at every level to ignore this risk while doubling- down on anti-virus solutions and firewalls — neither of which protects applications.

Modern software development requires continuous application security to go along with continuous integration, continuous delivery, and continuous deployment. Unfortunately, even well-established application security programs often can’t operate at the speed and scale required.

The challenge in a nutshell is enabling an existing development pipeline to reliably produce secure software without creating roadblocks or even speedbumps.

The reality is that if security slows down innovation, it will be bypassed. Here are my 5 best practices for automating application security in modern software projects:

1. Choose application security tools for speed, ease-of-use, accuracy, and scalability.

Instant feedback and ease of use are critical. Application security tools need to be usable by people in development and operations without any security experience. Any inaccuracy will require an expert to resolve, and experts don’t scale.

2. Integrate security directly into your pipeline.

To shorten those feedback loops, look for tools that deliver results directly into tools you’re already using, like Slack, HipChat, JIRA, Maven, Jenkins, SIEM, and PagerDuty. Security issues should look and feel like any other kind of development or operations issues.

3. Detect vulnerabilities.

Modern software development demands high-speed feedback on vulnerabilities. Legacy static (SAST) and dynamic (DAST) scanners are difficult to automate and generate false alarms. Investigate the use of newer interactive (IAST) tools that assess your applications from within, using the latest instrumentation technology.

4. Protect against attacks.

Application attack protection isn’t just for defense against known attacks, it provides a fast and flexible way to block novel attacks that emerge. Legacy web application firewalls (WAF) create network architecture complexity and aren’t very accurate. Fortunately, runtime application self-protection (RASP) is gaining wide adoption for its flexible deployment and impressive accuracy.

5. Use threat intelligence and security research to improve your security architecture.

Using generic tools that search for “negative” coding patterns is a good start. But as you mature, you may want your tools to automatically enforce the security patterns you’ve chosen. This is a “positive” approach to security. Ultimately, you want to be able to automatically verify that all your applications have the right security defenses in place, that all the defenses are correct, and that they have been used in all the right places.

The good news is that it is possible to create a software pipeline that can enable you to reliably secure code and protect applications in operations. Modern application security tools can give you instant feedback on both vulnerabilities and attacks.

Application Security

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.

WOO HOO... Contrast Security a Finalist for RSA Innovation Sandbox 2017

An Executive Viewpoint in 2017: Fighting an Uphill Battle for Cybersecurity

BY USE CASE

BY DEPARTMENT

BY INDUSTRY

GITHUB ACTIONS BLOG SERIES, PART 1: PIPELINE NATIVE CODE ANALYSIS

Contrast Security recognized as a Visionary by Gartner in Application Security Testing.

Contrast Incident Response Hub