
Contrast's MTTR is 37x faster than the competition

Security debt — the backlog of known and unresolved vulnerabilities in an organization’s applications — is a drag, literally. It creates a real burden on organizations when it gets too high. The founder of Contrast Security, Jeff Williams, has written in Forbes that “It is like a weight that DevOps and security teams carry around, limiting what other burdens they can carry at the same time.” 

He continues: 

When an organization has a large security debt, it must prioritize which vulnerabilities are most urgent to fix. But since most teams lack an automated way to do this, they find themselves spending significant time doing risk rating and managing the backlog. This leaves them with little time to actually remediate the vulnerabilities — which is the whole point of finding them. Vulnerabilities start to pile up — just like clothing in the closet or junk in the garage. —Contrast Security CTO Jeff Williams

The first step in reducing an organization’s security debt is to get to the point where new vulnerabilities are resolved in a timely manner, rather than adding further to the backlog. In this respect, Contrast burns the competition, getting a blistering Mean Time to Respond/Remediate (MTTR) of eight days, according to Contrast metrics — compared with Veracode’s published figure of 298 days MTTR. 

A quicker MTTR means that Contrast customers are shouldering a far lighter security load than those using other cybersecurity products, thus making them able to shorten time to remediation and to reduce security debt per application.

How we do it

Contrast’s superior MTTR rate boils down to our technology’s guts. 

Contrast Security blends the best of static code testing and instrumented Interactive Application Security Testing (IAST) to ensure quality code moves through your Software Development Life Cycle (SDLC) — a far superior approach to Dynamic Analysis Security Testing (DAST) or Static Analysis Security Testing (SAST). With Contrast Security, you’ll experience:

Scalability of your Application Security Testing (AST). Given that Contrast doesn’t have a heavy initial build, transferring to the platform isn’t a large lift. Instrumenting an application takes just a couple of minutes. Contrast can very easily and quickly scale, from just a few apps to thousands of apps. Proofs of Value (POVs) and initial onboardings can show immediate results, with more accuracy and efficacy.

Dramatically fewer false positives. Veracode’s platform and AST approach generate considerably more false positives, causing delays and slowing down innovation. Contrast Assess helps find actual vulnerabilities while actively testing the product. The vulnerabilities are coded according to severity and where they’re located — down to the exact line of code — along with remediation guidance.

Faster time to remediation. Veracode publishes its stat on MTTR as 298 days. Contrast’s average is eight days: vastly different due to the technologies Veracode uses. Contrast’s instrumentation with an IAST approach is far superior to DAST/SAST in that it replaces a lot of workflows, allowing development teams and QA teams to start working together. Veracode’s average scan times require days, and its Vera-inaccurate results bring in a lot of noise. Working through that noise takes a considerable amount of effort, which ultimately breaks the SDLC and bogs down MTTR.

Median time to remediate 37.25x faster 

The superiority of the Contrast platform is evident when looking at how long it takes the typical organization to resolve half of its custom code vulnerabilities — the MTTR. Among vulnerabilities that are ultimately fixed, Veracode reports that its customers take 298 days on average to reach this milestone — 37.25 times the eight days reported for the Contrast customer base. 

Traditional SAST scans are time-consuming, and the reports require triaging and analysis by the security team before they can be handed back to developers for remediation. Contrast research has found that for a clear majority of organizations, SAST scans take at least five hours. This means that it can be days or weeks after a vulnerability is created before developers have a chance to fix it with traditional approaches.

Veracode falls into that slowpoke category: Its scan speeds often frustrate customers, with scan times averaging 45 minutes or more and, in some cases, taking hours and days. That's Vera-slow. It leads to sticker shock. That’s just not what customers expect from a pricey platform such as Veracode’s, and the results often aren’t what the sales engagement has led them to anticipate. 

Namely, along with slow scan times and lengthy MTTR, the key areas where Veracode falls down are inability to scale and an immense number of false positives that slow things down. 

Contrast, on the other hand, does continuous scanning from within the application and provides immediate, detailed feedback as soon as a vulnerability is created. This enables a developer to fix the problem before many layers of new code are added to complicate things. It also keeps time-to-remediate metrics very low.

Get Contrast-fast

You don’t have to settle for Vera-inaccurate, Vera-slow code — you can get Contrast-fast, Contrast-accurate instead. Contrast is making it easier than ever to make the switch, and when we say “easier,” we mean “more affordable.” 

As it is, Contrast understands that a big reason for not switching from a platform revolves around cost — cost of change, cost of resources and cost of security.  

That’s why Contrast is offering three years of Contrast Assess, Contrast Scan and Contrast SCA at the price of two years of Veracode — a considerable cost savings that we’re offering in addition to all the professional services support needed to deploy. As a new customer, your billing cycle starts once you’re fully integrated on Assess and Scan.

We are Vera-confident that you’ll love this offer. Ready to make the switch? Get started today. 



David Lindner, Chief Information Security Officer

David is an experienced application security professional with over 20 years in cybersecurity. In addition to serving as the chief information security officer, David leads the Contrast Labs team that is focused on analyzing threat intelligence to help enterprise clients develop more proactive approaches to their application security programs. Throughout his career, David has worked within multiple disciplines in the security field—from application development, to network architecture design and support, to IT security and consulting, to security training, to application security. Over the past decade, David has specialized in all things related to mobile applications and securing them. He has worked with many clients across industry sectors, including financial, government, automobile, healthcare, and retail. David is an active participant in numerous bug bounty programs.