Contrast Assess rescues Snap Finance from drowning in vulnerability flood

    

It’s enough to make your eyes cross: Floods of vulnerabilities pour in from disparate sources and tools. 

Can’t there be one, single platform that helps you identify vulnerabilities and tells you what and how to remediate them? That’s what Snap Finance is looking for in a security tool, says Kiran Sharma, senior privacy program manager and security program manager. 

Well, praise the Lord and pass the ammunition: There is, in fact, one, single platform to do all that.

Sharma met up with Contrast Security at the April 2023 RSA Security Conference to chat about how he’s finally stopped the madness of tool proliferation with Contrast technology — specifically, with the use of Contrast Assess, Contrast SCA, Contrast Serverless and Contrast Scan. To hear what Snap loves about Contrast from Sharma himself, check out the video from RSA. For some of the highlights from our RSA chat, read on.

Finally, some security tool sanity

Sharma said that what Snap loves about Contrast technology is getting, all in one package, everything the company would otherwise have to stitch together from a bunch of disparate security tools. That means Contrast SCA, a tool that enables businesses to protect their software supply chain by identifying real threats from third-party components across the entire Software Development Life Cycle (SDLC) — from code, through test, to production. 

Then too, there’s Contrast Scan, a Static Application Security Testing (SAST) tool built from the ground up to make security testing as routine as a code commit while focusing on the most imperative vulnerabilities to deliver fast, accurate and actionable results. Assess, Contrast’s IAST tool, also provides Snap with the feature of a Dynamic Application Security Testing (DAST) tool, he said. 

He also sees value in Contrast Serverless: a serverless security tool that finds and fixes security issues across cloud-native environments in just three clicks, delivering comprehensive serverless application observability for AWS Lambda and Microsoft Azure Functions. Serverless uncovers security vulnerabilities in custom code, open-source code and overly permissive functions.

“We can completely [avoid having to buy] another tool,” Sharma said. “And at the same time, IAST also provides us with the [cloud] coverage and the flow map for that application, [from] which we can understand what are the other areas that that application is connecting to, and what we should concentrate on.”

A welcome respite from the deluge of legacy tools

Sharma noted that some of the legacy tools he’s used in the past were suitable for one, narrow area of Application Security (AppSec). It’s been a relief for Snap to move to Contrast, he said, where he and his team have been able to combine multiple areas of AppSec into a single platform, including source code analysis, static code analysis and dynamic AppSec testing. 

That includes Contrast Serverless, which gives Snap a unified platform to look at all the vulnerabilities “in one single pane of glass,” he said. 

“That provides us the ability to kind of concentrate on the highest, or the critical vulnerabilities that we need to work on,” he said. “That helps us a lot, because it becomes a single platform for our development teams to look at and work with.”

To check out the chat from RSA, you can watch the video here


Lisa Vaas, Senior Content Marketing Manager, Contrast Security


Lisa Vaas is a content machine, having spent years churning out reporting and analysis on information security and other flavors of technology. She’s now keeping the content engines revved to help keep secure code flowing at Contrast Security.