Contrast Security just won the highly competitive 2024 PwC Luxembourg Award for Cybersecurity & Privacy Solution of the Year with a simple premise:
We trust software with everything important in our lives. That trust is, all too often, misplaced, as evidenced by constant news about massive data breaches that should scare our phones and networks right out of our hands.
If you ask “what software,” the answer would be “all of it.” As in, the applications that run our military; the country’s water, gas and electricity utility grids; the ones that your bank uses to handle your money; the apps that you trust with your actual, physical health and well-being.
Take the ‘How big is your vulnerability backlog?’ challenge
“I dare you to ask your organization about the size of your application vulnerability backlog. In most companies I talk with, it's hundreds of thousands or millions of vulnerabilities that aren't getting fixed,” Contrast Security Founder and Chief Technology Officer Jeff Williams proposed during his 9-minute presentation at PwC’s Cybersecurity & Privacy Day 2024, where companies pitched their solutions to an executive audience and distinguished jury.
What, exactly, is the problem? From whence comes the Miracle-Goo sprinkled onto the vulnerability backlogs to turn them into festering compost heaps? One word: complexity.
“Modern software is so complex, every application now is spread across dozens of repos, hundreds of libraries, lots of [application programming interfaces, or APIs], back-end connections, containers, cloud, etc.,” he explained.
Williams has been talking about software complexity for a very, very long time. He spent decades as a professional hacker, breaking into software at some of the world’s largest companies and helping them to set up programs to improve security. In 2002, he took what he had learned and helped to start OWASP. He wrote the OWASP Top 10, all to help raise awareness of Application Security (AppSec). Unfortunately, after 20 years, “the situation's gotten worse,” he said, due to this software complexity.
The complexity is simply too much for old-school tools to handle. As it is, traditional tools such as scanners and firewalls only see one piece of that complex puzzle at a time. Meanwhile, “we're really focused on the symptoms of vulnerabilities and attacks, not the root cause,” Williams said, that being dangerous functions (see below). “That leaves us in the dark.”
The old security way, the old security tools
This is how software pipelines should work, he said: They should quickly deliver fast, reliable innovation so that customers see value quickly. Instead, when security enters the mix, traditional tools — such as web application firewalls (WAFs), static or dynamic scanners (SAST/DAST), or Software Composition Analysis (SCA) — make mistakes. They spew highly inaccurate results that include false positives and, even worse, false negatives: real vulnerabilities that go unreported.
The only way to clean up this mess is by hiring expensive experts, which in turn leads to bottlenecks, delays and silos — all the elements that cause massive vulnerability backlogs.
The root cause: A minefield of dangerous functions
Focusing on vulnerabilities and attacks means focusing on symptoms, and that is what leaves us in the dark. The root cause is dangerous functions: a term covering the functions that make up the typical software stack’s runtime platform, libraries, frameworks, custom code, open-source libraries, etc.
Really, that stack is “just a huge pile of functions” that do dangerous things such as querying databases, parsing XML, and starting native processes and deserializing objects, Williams explained.
“Every stack has thousands of these functions. So developers are facing this minefield that's laced with thousands of dangerous functions, and they get zero guidance on how to use them securely. This makes insecure software basically inevitable,” he continued.
How do we cut through software complexity?
We can't just rewrite all the millions of libraries, frameworks and applications out there, Williams said — that would amount to trillions of lines of code. Fortunately, there's a better way: to inject security checks directly into these dangerous functions using runtime instrumentation.
“This is exactly the way [Application performance monitoring (APM)] tools inject performance checks just for security,” he pointed out. “That's how we can solve the root cause of application security problems.”
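The paragraphs above describe the idea in the abstract: rather than scanning code or filtering traffic from the outside, put a security check inside the dangerous function itself, the way an APM agent puts a timer there, so every caller is covered. The following is an added illustration of that idea, written for this page; it is not Contrast Security's code and does not show how its product is implemented. It uses only Python's standard-library `sqlite3`, treats `Cursor.execute` as the dangerous function, and stands in for an agent's automatic input tracking with an explicit `track()` call; the `RuntimeMonitor`, `Finding` and `instrumented_cursor` names are all invented here.

```python
"""Miniature runtime instrumentation of one dangerous function.

Added example, not Contrast Security's code. The check fires on the
root cause (untrusted text concatenated into the SQL statement instead
of being bound as a parameter), not on any particular attack string.
"""
import sqlite3
from dataclasses import dataclass, field


@dataclass
class Finding:
    rule: str
    sql: str
    untrusted_fragment: str


@dataclass
class RuntimeMonitor:
    """Remembers values that crossed the trust boundary and records a
    finding when one of them reaches a dangerous function unbound."""
    block: bool = False                       # False: report only; True: also stop the call
    untrusted: set = field(default_factory=set)
    findings: list = field(default_factory=list)

    def track(self, value: str) -> str:
        # A real agent would do this automatically where input enters the
        # application (HTTP parameters, headers, etc.); here it is explicit.
        self.untrusted.add(value)
        return value

    def check_sql(self, sql: str) -> None:
        for value in self.untrusted:
            # Untrusted text appearing verbatim inside the statement means it
            # was concatenated into the query rather than passed as a parameter.
            # The length floor is a crude heuristic to avoid one-character noise.
            if len(value) >= 2 and value in sql:
                self.findings.append(Finding("sql-injection", sql, value))
                if self.block:
                    raise PermissionError(f"blocked unsafe SQL: {sql!r}")


def instrumented_cursor(conn: sqlite3.Connection, monitor: RuntimeMonitor):
    """Return a cursor whose execute() runs the security check first.
    Callers keep using the normal sqlite3 API; nothing in the pipeline changes."""
    class MonitoredCursor(sqlite3.Cursor):
        def execute(self, sql, parameters=()):
            monitor.check_sql(sql)
            return super().execute(sql, parameters)
    return conn.cursor(factory=MonitoredCursor)


def demo(block: bool = False):
    """Run one safe and one unsafe query through the instrumented cursor.
    Returns (monitor, rows_of_last_query)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    mon = RuntimeMonitor(block=block)
    cur = instrumented_cursor(conn, mon)

    name = mon.track("alice")  # constructed input, stands in for a request parameter
    cur.execute("SELECT role FROM users WHERE name = ?", (name,))   # safe: bound
    cur.execute("SELECT role FROM users WHERE name = '" + name + "'")  # unsafe: concatenated
    return mon, cur.fetchall()


def demo_blocking() -> bool:
    """True if block mode stopped the unsafe query before it ran."""
    try:
        demo(block=True)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    monitor, rows = demo()
    for f in monitor.findings:
        print(f"{f.rule}: untrusted {f.untrusted_fragment!r} reached {f.sql!r}")
    print("blocked in block mode:", demo_blocking())
```

Two things are worth noticing. The benign input "alice" is enough to produce a finding, because the check looks at how the dangerous function was used, not at whether the input looks like an attack; that is the difference between treating the root cause and chasing symptoms. And because the check lives in `execute()`, every code path that reaches it is covered at once, including libraries and framework code the application author never scanned.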
Contrast Security invented this technique and holds multiple patents in the technology.
Watch the video to see how it works
You can view Williams’ full, award-winning presentation, along with his slides, at the top of this post. There you’ll hear:
- How Contrast Security handles SQL injection: a perennial OWASP Top 10 topper that’s plagued us for 20 years.
- How Contrast Security Runtime Platform can be installed on servers without changes to your pipeline.
- How the distributed technology enables you to secure all applications and APIs in parallel instead of scanning them one by one.
- Results from an IDC report on Floor and Décor’s use of Contrast Security, including:
  - A 92% reduction in the retailer’s AppSec backlog
  - $776,000 in savings
  - A 12% productivity increase from development
- Contrast Security’s roadmap:
  - Security Observability: A newly invented Contrast Security technology that extracts a security blueprint directly from running software, automatically creating architectural blueprints that reveal an application's attack surface.
  - Security Observability enables organizations to easily start activities such as security architecture and threat modeling and to achieve the tenets put forth in the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Secure by Design pledge.
Contrast Security: Dragging AppSec out of the Dark Ages
In closing, Williams summed up security instrumentation this way: “Industrial factories instrument their machines for everything, like vibrations, sound, temperature, smoke, and so on.”
They do so because instrumentation allows them to predict problems in a machine just by a change in the sound it makes. “Instrumentation is how we prevent problems before they become disasters,” he continued.
“Contrast is using the science of runtime security to drag AppSec out of the dark ages,” he said. “By focusing on the root cause of all AppSec issues, we can consolidate tools and achieve the speed, accuracy and scalability required for modern software. With Contrast, you really can recognize the benefits of DevSecOps at a massive scale.”