Gartner released its latest Magic Quadrant for application security testing (AST)—naming Contrast Security as a “Challenger” for 2021. In just six short years, Contrast has grown to the top half of the MQ—challenging revenue from long-established, much larger competitors. With almost 350 employees, Contrast’s customer base includes some of the largest brand-name companies in finance, insurance, healthcare, utilities, and government and defense. We firmly believe that the status quo of application security—and the industry leaders who haven’t effectively moved the needle in terms of preventing application-based attacks—need to be challenged right now.
The Old Boring “Vision” for AppSec
The traditional methods of assembling multiple, disconnected testing and protection tools to find application vulnerabilities and detect attacks are ineffective. They were simply not designed for the speed of modern development, nor for the complexity and sheer scale of today’s distributed applications and application programming interfaces (APIs). More than half of organizations report that they’ve reached a tipping point where the number of security tools in place adversely impacts their security posture and actually increases risk.
But “tool soup” is not a vision. Year after year, reports show that the “tool soup” approach of having numerous stand-alone techniques to application security isn’t getting the job done—even as the attack surface expands with upwards of 111 billion lines of new software code annually. According to Verizon’s 2021 Data Breach Investigations Report, web applications continue to be a major attack vector—representing 39% of all data breaches in the last year. Clearly, the old ways are not working. After years working side by side with enterprises that struggled under the limitations of traditional application security tools, we founded Contrast specifically to challenge this tired vision.
While the increasing volume and sophistication of threats is one factor, applications themselves present easy targets for attack—irresistible opportunity and ineffective resistance. 99+% of organizations report that the average application in production has 4 or more vulnerabilities. And it may be getting worse; our recent State of Application Security in Financial Services Report found that over three-quarters of respondents indicated applications have 20+ vulnerabilities in production, and almost half reported 10 or more that are serious.
When these numbers are multiplied across an entire portfolio, they add up to a massive quantity of unremediated vulnerabilities that either need to be fixed (which is expensive) or otherwise protected. Carrying all of this security debt isn’t an option. Specifically, businesses that carry high security debt tend to fall farther behind and experience even higher volumes of vulnerabilities—1.7x higher than for organizations with below-average security debt.
The well-worn truism about doing the same thing over and over again while expecting different results applies here: in this case, it really is insanity. The tailwinds of the market show us where software security is headed, and today’s problems are only going to get worse without significant course correction. The industry leaders have a vision of running so many different tools that organizations need additional orchestration tools just to manage them. This approach also generates so many false positives that it requires a massive vulnerability management system to track alerts, and a gigantic team of experts to work on them.
Our Bold New Vision for Application Security
Our vision is different. We believe you shouldn’t have to decide between security and speed. You shouldn’t need to hire an army of application security experts to triage the output from a scanner or tailor web application firewall rules. Our instrumentation-based approach is faster, more accurate, more scalable, and easier to use than traditional tools. This results in real-time feedback loops and dramatic improvements in mean time to remediate (MTTR). Most vulnerabilities are fixed in under a week (compared to four to five months for competitors). In our world, security debt gets paid off, and the rate of new vulnerabilities decreases—showing real learning and improvement.
We’ve designed the Contrast Application Security Platform to anticipate how modern applications are designed, developed, and deployed—both today and in the years to come. There are several clear industry trends that helped define our role as a disruptor and innovator in an industry where the so-called leaders are following the path of least resistance. Their approach to application security can’t meet these challenges—but the integrated solutions that make up the Contrast platform were designed for the evolving nature of modern applications.
Below are four trends in application and API development. If you think these are likely to continue and grow, then we share your vision. Contrast has significant advantages for each one of these trends. We challenge you to evaluate how well your tools are prepared for today’s code and tomorrow’s.
The rise of DevOps and the need for speed. Enterprises are looking to build, test, and release software faster and more reliably by embracing DevOps tools and practices. Speed is the dominant measure of success, with 79% of organizations reporting that their developers are under increasing pressure to shorten release cycles. But traditional application security wasn’t designed for the ever-accelerating pace of the latest Agile and DevOps environments. The vast majority of organizations (91%) say that vulnerability scans take at least three hours—and for 35%, they take eight or more hours.
Increased use of open-source libraries and third-party code in the software supply chain. The use of open-source libraries has exploded in recent years to accelerate delivery of new software via prebuilt blocks of code. The average application today contains 118 open-source libraries. At the same time, the number of open-source vulnerabilities logged in the Common Vulnerabilities and Exposures (CVE) database is skyrocketing. This introduces opportunities for widespread attacks via the software supply chain—similar to the recent SolarWinds cyberespionage campaign. Also, CVEs only represent a small portion of the total vulnerabilities likely included in open-source libraries. It takes an average of four years for a vulnerability to be logged as a CVE—and many never even get reported.
The Future Will Be Integrated and Embedded
Contrast’s targeted vision has been clear and consistent since our inception 7 years ago. Modern applications and APIs demand a modern platform for application security, not a 15-year-old “tool soup” of technologies designed for monolithic web apps. The significant expansions to our integrated platform of solutions come from not only research and analysis but also (and even more importantly) from listening to customers and translating their needs into products and services.
Over the last several years, we’ve significantly expanded the Contrast platform by adding novel approaches to software composition analysis (SCA), runtime observability and protection, and cloud-native/serverless application security. While application security clearly requires different tools and capabilities, these solutions need to work together in order to be truly effective across the software development life cycle (SDLC). The future of application security will be connected, coordinated, and platformed. Our customers are our validation and see the value of our vision:
Challenging the Establishment
Perhaps you think organizations should continue pursuing a waterfall-based, expert-driven, siloed approach to application security that’s slow and expensive and has never delivered much real value. If so, we wish you the best of luck.
At Contrast, we know there is a better way. We are all about empowering ordinary development teams to deliver awesome and secure software at high velocity. The Contrast platform enables development and security to work together in harmony—realizing the true potential of a DevSecOps approach. To learn more about how that can be achieved today, download our DevSecOps Buyer’s Guide for Application Security.
Contrast has been challenging the status quo of application security since day one. The numbers show that the industry leaders of the past 20 years have lost their way in the modern era. We will continue to challenge the old ways because we know they don’t work. And let’s be clear—we’re not a bunch of naysayers spreading fear and uncertainty about the establishment to muddy up the marketplace. We actually know that where we’re going will make a difference, and we’ll continue to blaze that path—for the benefit of our customers and everyone who uses their software. By the way, if you’re using apps from major financial institutions, insurance companies, healthcare companies, technology companies, or government agencies, then you’re already reaping the benefits of our vision.
And last, but not least, we’re just at the beginning of our journey. We will continue to challenge the AST market, challenge ourselves, and innovate, to force meaningful change to achieve the outcomes our customers expect.