APPSEC OBSERVER

The latest trends and tips in DevSecOps through instrumentation and Security Observability.


Contrast Challenges the AST Status Quo in the Gartner 2021 AST Magic Quadrant

Gartner released its latest Magic Quadrant for application security testing (AST), naming Contrast Security a “Challenger” for 2021. In just six years, Contrast has grown into the top half of the MQ, taking revenue from long-established, much larger competitors. With almost 350 employees, Contrast counts some of the largest brand-name companies in finance, insurance, healthcare, utilities, and government and defense among its customers. We firmly believe that the status quo of application security, and the industry leaders who have not effectively moved the needle on preventing application-based attacks, need to be challenged right now.

The Old Boring “Vision” for AppSec 

The traditional methods of assembling multiple, disconnected testing and protection tools to find application vulnerabilities and detect attacks are ineffective. They were simply not designed for the speed of modern development nor the complexity and sheer scale of today’s distributed applications and application programming interfaces (APIs). More than half of organizations report that they’ve reached a tipping point where the number of security tools in place adversely impacts their security posture and actually increases risk.

But “tool soup” is not a vision. Year after year, reports show that the “tool soup” approach of stacking numerous stand-alone techniques is not getting the job done, even as the attack surface expands with upwards of 111 billion lines of new software code written annually. According to Verizon’s 2021 Data Breach Investigations Report, web applications continue to be a major attack vector, representing 39% of all data breaches in the last year. Clearly, the old ways are not working. After years working side by side with enterprises that struggled under the limitations of traditional application security tools, we founded Contrast specifically to challenge this tired vision.

While the increasing volume and sophistication of threats is one factor, applications themselves present easy targets for attack—irresistible opportunity and ineffective resistance. 99+% of organizations report that the average application in production has 4 or more vulnerabilities. And it may be getting worse; our recent State of Application Security in Financial Services Report found that over three-quarters of respondents indicated applications have 20+ vulnerabilities in production, and almost half reported 10 or more that are serious.

When these numbers are multiplied across an entire portfolio, they add up to a massive quantity of unremediated vulnerabilities that either need to be fixed (which is expensive) or otherwise protected. Carrying all of this security debt isn’t an option. Specifically, businesses that carry high security debt tend to fall farther behind and experience even higher volumes of vulnerabilities—1.7x higher than for organizations with below-average security debt.

The well-worn definition of insanity, doing the same thing over and over while expecting different results, fits this situation exactly. The tailwinds of the market show where software security is headed, and today’s problems will only get worse without a significant course correction. The industry leaders’ vision amounts to running so many different tools that organizations need additional orchestration tools just to manage them. That approach also generates so many false positives that it requires a massive vulnerability management system to track alerts and a large team of experts to work through them.

Our Bold New Vision for Application Security

Our vision is different. We believe you shouldn’t have to decide between security and speed. You shouldn’t need to hire an army of application security experts to triage the output from a scanner or tailor web application firewall rules. Our instrumentation-based approach is faster, more accurate, more scalable, and easier to use than traditional tools. This results in real-time feedback loops and dramatic improvements in mean time to remediate (MTTR). Most vulnerabilities are fixed in under a week (compared to four to five months for competitors). In our world, security debt gets paid off, and the rate of new vulnerabilities decreases—showing real learning and improvement.

We’ve designed the Contrast Application Security Platform to anticipate how modern applications are designed, developed, and deployed—both today and in the years to come. There are several clear industry trends that helped define our role as a disruptor and innovator in an industry where the so-called leaders are following the path of least resistance. Their approach to application security can’t meet these challenges—but the integrated solutions that make up the Contrast platform were designed for the evolving nature of modern applications.

Below are four trends in application and API development. If you think these are likely to continue and grow, then we share your vision. Contrast has significant advantages for each one of these trends. We challenge you to evaluate how well your tools are prepared for today’s code and tomorrow’s.

The rise of DevOps and the need for speed. Enterprises are looking to build, test, and release software faster and more reliably by embracing DevOps tools and practices. Speed is the dominant measure of success, with 79% of organizations reporting that their developers are under increasing pressure to shorten release cycles. But traditional application security wasn’t designed for the ever-accelerating pace of the latest Agile and DevOps environments. The vast majority of organizations (91%) say that vulnerability scans take at least three hours—and for 35%, they take eight or more hours.

Contrast Assess and Contrast Protect approach application security from inside the application to support both development and operations in a single integrated platform. Contrast is ideal for DevOps as it works in real time and allows fully automated operation without experts.
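To make the “from inside the application” idea concrete, here is an added toy example; it is not Contrast’s agent and not code from this post. It shows what an in-process hook can observe that an external scanner cannot: it wraps the SQL sink of a small Python app, remembers which strings entered as request input, flags a query when that input was concatenated into the SQL text rather than bound as a parameter, and counts requests per route so unexercised routes are visible. In “protect” mode the same hook blocks the query instead of only reporting it. The routes, table, payload and handler names are all constructed for illustration.

```python
"""Toy IAST-style instrumentation. Constructed example, not Contrast's agent:
hooks one sink (sqlite3 execute), tracks untrusted request strings, reports
when such a string is spliced into SQL text, counts route hits, and in
"protect" mode blocks the offending query."""
from __future__ import annotations
import sqlite3
from typing import Any

_tainted: set[str] = set()              # values taken from untrusted input
_current_route: list[str] = ["<none>"]  # route handling the current request
_protect = False                        # False = assess (report), True = block
findings: list[dict[str, Any]] = []     # reports emitted by the sink hook
route_hits: dict[str, int] = {}         # route -> requests observed


def taint(value: str) -> str:
    """Mark a string as untrusted (called where request data enters the app)."""
    if value:
        _tainted.add(value)
    return value


def _sql_sink_hook(sql: str) -> None:
    """Untrusted input present verbatim in the SQL text was concatenated in;
    input passed as a bound parameter never appears in the text."""
    for value in _tainted:
        if value in sql:
            findings.append({"rule": "sql-injection", "route": _current_route[0],
                             "evidence": value, "sql": sql})
            if _protect:
                raise PermissionError(f"blocked SQL injection on {_current_route[0]}")


class InstrumentedConnection(sqlite3.Connection):
    """Connection whose execute() shortcut passes through the sink hook."""

    def execute(self, sql, parameters=(), /):
        _sql_sink_hook(sql)
        return super().execute(sql, parameters)


def route(path: str):
    """Stand-in for the framework hook that tells the agent which route a
    request is on; registering the path lets unexercised routes show up."""
    route_hits.setdefault(path, 0)

    def wrap(handler):
        def wrapper(*args, **kwargs):
            _current_route[0] = path
            route_hits[path] += 1
            try:
                return handler(*args, **kwargs)
            finally:
                _current_route[0] = "<none>"
        return wrapper
    return wrap


@route("/users/search")
def search_unsafe(db: sqlite3.Connection, name: str) -> list[str]:
    """Vulnerable on purpose: request input concatenated into the query."""
    sql = "SELECT role FROM users WHERE name = '" + taint(name) + "'"
    return [row[0] for row in db.execute(sql).fetchall()]


@route("/users/lookup")
def lookup_safe(db: sqlite3.Connection, name: str) -> list[str]:
    """Same query with a bound parameter; the hook sees no untrusted text."""
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (taint(name),)).fetchall()]


@route("/admin/export")
def export_all(db: sqlite3.Connection) -> list[tuple]:
    """Registered but never called in the demo, so it shows as unexercised."""
    return db.execute("SELECT name, role FROM users").fetchall()


def run_demo(protect: bool = False) -> dict[str, Any]:
    """Drive the app with constructed requests and return what the agent saw."""
    global _protect
    _protect = protect
    _tainted.clear()
    findings.clear()
    for path in route_hits:
        route_hits[path] = 0
    db = sqlite3.connect(":memory:", factory=InstrumentedConnection)
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user')")
    lookup_safe(db, "bob")                        # parameterized: no finding
    try:
        rows = search_unsafe(db, "x' OR '1'='1")  # classic injection payload
        blocked = False
    except PermissionError:
        rows, blocked = [], True
    return {"rows": rows, "blocked": blocked, "findings": list(findings),
            "hits": dict(route_hits),
            "unexercised": sorted(p for p, n in route_hits.items() if n == 0)}


if __name__ == "__main__":
    for mode in (False, True):
        print("protect" if mode else "assess", run_demo(protect=mode))
```

In assess mode the injected query runs and returns every role, and the hook reports it with the route and the offending input; in protect mode the same request is refused before the query executes, and the unused `/admin/export` route is listed as never exercised. The substring match stands in for real taint propagation: a production agent follows the data through string operations rather than searching for the raw input, so it is not defeated by encoding and does not trip on very short inputs that happen to appear in innocent queries.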

Increased use of open-source libraries and third-party code in the software supply chain. The use of open-source libraries has exploded in recent years to accelerate delivery of new software via prebuilt blocks of code. The average application today contains 118 open-source libraries. At the same time, the number of open-source vulnerabilities logged in the Common Vulnerabilities and Exposures (CVE) database is skyrocketing. This introduces opportunities for widespread attacks via the software supply chain—similar to the recent SolarWinds cyberespionage campaign. Also, CVEs only represent a small portion of the total vulnerabilities likely included in open-source libraries. It takes an average of four years for a vulnerability to be logged as a CVE—and many never even get reported.

Contrast OSS checks the open-source libraries an application ships with for known vulnerabilities (CVEs), outdated versions, and critical licensing issues. Unlike tools that report many false positives, Contrast knows exactly how each library is used by the running application, which is what separates a library that is merely present in the build from one that sits on a live code path.
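As an added illustration of what a composition check has to combine, and not Contrast OSS or any code from this post, the Python below joins a dependency inventory, an advisory feed with affected version ranges, a latest-version table, a license allow-list, and the set of modules the process has actually imported, then ranks findings so that a vulnerable library the application really loads comes first. Every package name, version and advisory identifier is invented for the example (they are not real CVEs), version comparison is limited to plain dotted numeric versions, and `LOADED_AT_RUNTIME` is a constructed stand-in for what an in-process agent would read from `sys.modules`.

```python
"""Minimal software-composition check, constructed for illustration (not
Contrast OSS): known-vulnerable ranges, outdated versions, disallowed
licenses, and whether the library is actually loaded by the process."""
from __future__ import annotations
import sys
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Dependency:
    name: str     # distribution name as in the lockfile
    version: str
    license: str
    module: str   # import name (assumed known from the build; often differs)


@dataclass(frozen=True)
class Advisory:
    id: str          # made-up identifiers below, not real CVEs
    package: str
    introduced: str  # first affected version, inclusive
    fixed: str       # first fixed version, exclusive
    severity: str


def parse_version(v: str) -> tuple[int, ...]:
    """Plain dotted numeric versions only (an assumption of this example;
    real tools need a full version-spec parser)."""
    return tuple(int(part) for part in v.split("."))


def is_affected(dep: Dependency, adv: Advisory) -> bool:
    if dep.name != adv.package:
        return False
    v = parse_version(dep.version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def loaded_modules_now() -> set[str]:
    """What an in-process agent would use: the interpreter's import table."""
    return set(sys.modules)


def analyze(deps, advisories, latest, allowed_licenses, loaded) -> list[dict[str, Any]]:
    """One row per dependency with at least one issue, highest priority first."""
    rows = []
    for dep in deps:
        hits = [a for a in advisories if is_affected(dep, a)]
        issues = [f"{a.id} ({a.severity})" for a in hits]
        newest = latest.get(dep.name)
        if newest and parse_version(dep.version) < parse_version(newest):
            issues.append(f"outdated: {dep.version} < {newest}")
        if dep.license not in allowed_licenses:
            issues.append(f"license: {dep.license} not allowed")
        if not issues:
            continue
        in_use = dep.module in loaded
        if hits and in_use:
            priority = "P1 vulnerable and loaded"
        elif hits:
            priority = "P2 vulnerable, not loaded"
        else:
            priority = "P3 hygiene"
        rows.append({"package": dep.name, "version": dep.version, "loaded": in_use,
                     "issues": issues, "priority": priority})
    rows.sort(key=lambda r: r["priority"])
    return rows


# Constructed sample data: fictitious packages, versions and advisories.
INVENTORY = [
    Dependency("acme-json", "2.4.1", "MIT", "acme_json"),
    Dependency("widgetlib", "0.9.0", "Apache-2.0", "widgetlib"),
    Dependency("fastparse", "1.2.0", "GPL-3.0-only", "fastparse"),
    Dependency("loggerx", "3.1.0", "BSD-3-Clause", "loggerx"),
]
ADVISORIES = [
    Advisory("ADV-0001", "acme-json", "2.0.0", "2.4.2", "high"),
    Advisory("ADV-0002", "widgetlib", "0.1.0", "1.0.0", "critical"),
    Advisory("ADV-0003", "loggerx", "3.0.0", "3.0.5", "high"),  # 3.1.0 is past the fix
]
LATEST = {"acme-json": "2.4.2", "widgetlib": "1.0.0", "fastparse": "1.2.0", "loggerx": "3.1.0"}
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
LOADED_AT_RUNTIME = {"acme_json", "loggerx"}  # constructed; see loaded_modules_now()


def run_demo(loaded: set[str] | None = None) -> list[dict[str, Any]]:
    """Run the check over the sample data (or a caller-supplied module set)."""
    if loaded is None:
        loaded = LOADED_AT_RUNTIME
    return analyze(INVENTORY, ADVISORIES, LATEST, ALLOWED_LICENSES, loaded)


if __name__ == "__main__":
    for row in run_demo():
        print(row["priority"], row["package"], row["version"], row["issues"])
```

On the sample data the affected-and-loaded library ranks first, the affected-but-unloaded one second, the license problem last, and the library whose version is already past the fixed release produces no row at all. Swapping `LOADED_AT_RUNTIME` for `loaded_modules_now()` inside a real process is the runtime half of this check; the rest is the same range matching any advisory-driven tool performs.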

APIs. Vulnerabilities in application programming interfaces (APIs) have become an exceptionally popular target for attackers, due to the limitations of traditional security solutions. By nature, APIs expose application logic and sensitive data such as personally identifiable information (PII). Rapid application innovation depends on secure APIs. But organizations currently struggle to assemble a complete and accurate inventory of all APIs in use—let alone ensure that they are free of vulnerabilities. Only 3% of organizations have full visibility across all APIs, and only 34% have visibility across most APIs. API abuse is an ongoing problem and is expected to escalate in the coming years, as the number of API implementations continues to grow.

The entire Contrast Application Security Platform fully supports APIs with highly accurate application security testing as well as runtime protection to prevent exploits. Our instrumentation-based approach is ideal for APIs and their complex frameworks and protocols.

Cloud-native and serverless. Serverless computing serves the dual purpose of providing technological advancements and reducing infrastructure costs—obviating the need for a server room or a roomful of infrastructure engineers. Forrester predicts that cloud-native technologies will spike, with 25% of developers using serverless technologies by the end of 2021 to help accelerate pandemic recovery. But as organizations rush to embrace serverless/cloud-native application development, legacy AST tools are failing. Specifically, because traditional AST solutions weren’t built for serverless, they don’t have sufficient visibility of all the contextual parts of these applications. This results in blind spots that greatly diminish traditional AST accuracy.

Because the Contrast Application Security Platform is embedded in the application itself rather than bolted on around it, all our solution capabilities scale with an application wherever it resides, including the cloud.

The Future Will Be Integrated and Embedded

Contrast’s targeted vision has been clear and consistent since our inception 7 years ago. Modern applications and APIs demand a modern platform for application security, not a 15-year-old “tool soup” of technologies designed for monolithic web apps. The significant expansions to our integrated platform of solutions come from not only research and analysis but also (and even more importantly) from listening to customers and translating their needs into products and services.

Over the last several years, we’ve significantly expanded the Contrast platform by adding novel approaches to software composition analysis (SCA), runtime observability and protection, and cloud-native/serverless application security. While application security clearly requires different tools and capabilities, these solutions need to work together in order to be truly effective across the software development life cycle (SDLC). The future of application security will be connected, coordinated, and platformed. Our customers are our validation and see the value of our vision:

  • Director, Application Security: "If I had to pick one application security tool, it would be Contrast Assess... The platform is mature, developer friendly, easy to deploy, [and] easy to integrate. The customer service has consistently been top notch as well."
  • Senior Principal Software Engineer: “Amazing service, great product, easy to use… The product is really easy to install and has tons of integrations with other CI/CD tools. The UI is very clean and the reporting features are very helpful. It's been more than a year now and we have also integrated Slack, and our developers are very happy with the integration as they get instant notifications about the vulnerabilities.”
  • Senior Architect: “Contrast Security gives the power to developers to improve [the] security of applications... Another great advantage is giving visibility into route coverage, which helps to identify the routes that are not exercised or that have a high number of vulnerabilities. Ease of implementation works great for both SDLC/DevOps models.”

Challenging the Establishment

Perhaps you think organizations should continue pursuing a waterfall-based, expert-driven, siloed approach to application security that's slow and expensive and has never delivered much real value. If so, we wish you the best of luck.

At Contrast, we know there is a better way. We are all about empowering ordinary development teams to deliver awesome and secure software at high velocity. The Contrast platform enables development and security to work together in harmony—realizing the true potential of a DevSecOps approach. To learn more about how that can be achieved today, download our DevSecOps Buyer’s Guide for Application Security.

Contrast has been challenging the status quo of application security since day one. The numbers show that the industry leaders of the past 20 years have lost their way in the modern era. We will continue to challenge the old ways because we know they don’t work. And let’s be clear—we’re not a bunch of naysayers spreading fear and uncertainty about the establishment to muddy up the marketplace. We actually know that where we’re going will make a difference, and we’ll continue to blaze that path—for the benefit of our customers and everyone who uses their software. By the way, if you’re using apps from major financial institutions, insurance companies, healthcare companies, technology companies, or government agencies, then you’re already reaping the benefits of our vision.

And last, but not least, we’re just at the beginning of our journey. We will continue to challenge the AST market, challenge ourselves, and innovate, to force meaningful change to achieve the outcomes our customers expect.

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.
