
Cybersecurity Awareness Month: How Contrast & the threat landscape have evolved


This year marks the 20th anniversary of Cybersecurity Awareness Month (CSAM), and the National Cybersecurity Alliance (NCA) marked it by extending its typically month-long digital-security awareness campaign to a full year, with a new, year-round awareness campaign and an evergreen theme devised by the Cybersecurity and Infrastructure Security Agency (CISA): Secure Our World.

New threats emerge constantly, but the main themes of cybersecurity practice have remained largely the same over the past several years. Namely, CSAM — a collaboration between government and private industry that seeks to teach us all how to stay safe online — has been educating people about four core security practices:

  1. Understanding the benefits of using a password manager and dispelling existing myths around password manager security and ease of use.
  2. Turning on multifactor authentication (MFA) on personal devices and business networks.
  3. Recognizing and reporting phishing — still one of the primary threats used by cybercriminals today.
  4. Installing updates on a regular basis and turning on automated updates.

At Contrast, we say “Bravo” to these steps, which are the basics of protecting consumers. But we believe that the NCA should go beyond educating consumers and encourage companies to produce secure software in the first place: Secure applications protect consumers even when those consumers make mistakes. That’s what Contrast is all about: We work to get secure code flowing at companies so that consumers face less danger.

Keeping people safe online is exactly why Contrast Security was founded nine years ago, in 2014. So to mirror the NCA’s 20-year milestone, we thought we’d ask Founder and Chief Technology Officer Jeff Williams to discuss how Contrast, the threat landscape and the market have evolved since the company was founded. Here’s what he had to say:

Q: Why was Contrast originally founded?

A: I started the company after running an Application Security (AppSec) consultancy for 12 years, working with big companies to secure some of the most critical applications in the world. Over and over I saw organizations failing at AppSec.  They would use all the traditional tools, but they would end up with huge backlogs of unfixed vulnerabilities and minimal protection. In some companies, those backlogs would be hundreds of thousands — or millions — of unfixed, untriaged security issues. That’s expensive, and it’s dangerous. It was the same pattern over and over. In response, we did a lot of manual pen testing and manual code reviews, but ultimately, those processes require a lot of experts and don’t scale well. 

From an automation perspective, there are really two kinds of tools people use for AppSec: scanners to find vulnerabilities and web app firewalls to surround applications and application programming interfaces (APIs) and try to protect them. Neither of them is particularly accurate. Neither of them has enough context to be accurate. Static scanners just look at the source code, while dynamic scanners only sort of pepper apps from the outside. Neither of them really understands how the application works, how it processes data, what it talks to. 

AppSec still isn’t working effectively in many companies. The traditional AppSec tools are just too slow and hard to configure, and they generate far too many false positives. We invented new techniques to assess and protect software better, and Contrast was founded to bring these technologies to market.

Q: How is Contrast’s approach different?

A: Contrast offers a new and better approach to app/API security called “Runtime Security.”  Rather than scan and firewall from the outside, Contrast works from the inside out to tackle the root cause of insecurity: dangerous and unprotected methods.

Here’s how it works: The app/API stack is composed of hundreds of thousands of powerful methods. Many of these methods do potentially dangerous things, like parse XML documents, execute queries, make connections, etc.  The problem is that these dangerous methods are completely unprotected. There are no compiler warnings, no documentation, no attack detection, no exploit prevention. I think of these methods like a chainsaw with no labels, no chain brake, no kickback protection, no documentation and no training. Actually, imagine an entire workshop full of thousands of tools and parts with no way to find out how to use them safely. 

Given this environment, it’s inevitable  that developers will use these methods unsafely and inadvertently create vulnerabilities.  It’s not their fault — there are over 1,000 classes of vulnerabilities, and each one is difficult to understand. Even worse, they’re different in every language, platform and framework. We can solve this problem by automatically enhancing these methods with the protections they need.

So Contrast automatically instruments these methods with protections that we call “trust boundaries.” These protections do two things that are really two sides of the same coin.  First, they check to see if the developer has used the method safely.  If not, they instantly get a detailed alert that shows them what happened and how to use the method safely.  In production, the trust boundary detects attempts to exploit the method and prevents the exploit from succeeding.  

This approach solves many of the problems that legacy tools introduce, and everyone can practice it themselves. You don't need an expert like me messing up your development process. Really, most of the work of AppSec ought to be done as part of the normal development process. And so we're trying to bring application, security and development together. And I think we've been pretty successful at that.
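To make the “trust boundary” idea concrete, here is an added illustration in Python that is not Contrast’s agent code and not part of the original interview. It wraps one dangerous method, sqlite3’s execute(), with a check that runs in two modes: assess mode reports any query assembled from untrusted data (an unsafe use of the method), while protect mode lets benign untrusted values through and blocks only input that would change the SQL structure. The Tainted type, GuardedCursor, the breakout regex and the sample users table are all invented for the example; a real agent tracks taint through far more operations and parses the SQL rather than pattern-matching it.

```python
"""Toy trust boundary around sqlite3's execute() (added example, not Contrast code)."""
import re
import sqlite3
from dataclasses import dataclass


class Tainted(str):
    """A str that remembers the untrusted fragments it was built from.

    Taint survives '+' concatenation only; f-strings and .format() return a
    plain str and would lose it (a real agent instruments those paths too).
    """

    def __new__(cls, value, fragments=None):
        obj = super().__new__(cls, value)
        obj.fragments = tuple(fragments) if fragments is not None else (str(value),)
        return obj

    def __add__(self, other):
        frags = self.fragments + (other.fragments if isinstance(other, Tainted) else ())
        return Tainted(str.__add__(self, other), frags)

    def __radd__(self, other):
        frags = (other.fragments if isinstance(other, Tainted) else ()) + self.fragments
        return Tainted(str.__add__(other, self), frags)


# Crude structural check: can the fragment close a quoted literal or append a
# second statement?  Stands in for real SQL parsing in this example.
_BREAKOUT = re.compile(r"['\";]|--|/\*")


@dataclass
class Finding:
    sink: str       # the dangerous method that was reached
    fragment: str   # the untrusted data that reached it
    attack: bool    # would this fragment alter the query structure?


class ExploitBlocked(RuntimeError):
    """Raised in protect mode when untrusted data would alter the SQL."""


class GuardedCursor:
    """sqlite3 cursor whose execute() sits behind a trust boundary.

    mode="assess":  record every query built from untrusted data (the
                    vulnerability) but let it run, so development continues.
    mode="protect": run benign untrusted values; raise before executing
                    anything whose untrusted part breaks out of a literal.
    """

    def __init__(self, conn, mode="assess"):
        self._cur = conn.cursor()
        self.mode = mode
        self.findings = []

    def execute(self, sql, params=()):
        if isinstance(sql, Tainted):          # query text itself came from input
            for frag in sql.fragments:
                attack = bool(_BREAKOUT.search(frag))
                self.findings.append(Finding("sqlite3.Cursor.execute", frag, attack))
                if self.mode == "protect" and attack:
                    raise ExploitBlocked(f"untrusted fragment {frag!r} alters SQL structure")
        # Bound parameters never reach the SQL grammar, so they need no check.
        return self._cur.execute(str(sql), params)


def lookup(cur, name):
    """Deliberately vulnerable: untrusted 'name' is concatenated into the SQL."""
    return cur.execute("SELECT name, role FROM users WHERE name = '" + name + "'").fetchall()


def demo():
    """Run the sink in both modes against constructed data; returns the results."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])   # constructed sample rows

    assess = GuardedCursor(conn, mode="assess")
    lookup(assess, Tainted("alice"))          # runs, but is reported as unsafe usage

    protect = GuardedCursor(conn, mode="protect")
    benign_rows = lookup(protect, Tainted("alice"))   # legitimate input still works
    blocked = False
    try:
        lookup(protect, Tainted("x' OR '1'='1"))      # classic injection attempt
    except ExploitBlocked:
        blocked = True

    # The safe way to use the method: parameterize, so the input is never SQL.
    safe_rows = protect.execute("SELECT name, role FROM users WHERE name = ?",
                                (Tainted("x' OR '1'='1"),)).fetchall()
    return assess.findings, protect.findings, benign_rows, blocked, safe_rows


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Note the asymmetry the two modes encode: in assess mode the finding fires on “alice” too, because concatenating any untrusted value into the query is the bug, whereas protect mode reports that same call but does not block it, and raises only for the input that would escape the literal. The parameterized call at the end produces no finding at all, which is the outcome a developer should be steered toward.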

Q: How has the company’s relevance evolved?

A: Our mission has always been to democratize software security — empowering creators to innovate with confidence and safeguard the most important things in life. We believe the only way forward is to ensure developers can create secure code on their own.

However, AppSec itself has steadily become more important. Every single day, we trust everything important in our lives to software applications and APIs — our finances, healthcare, governments, utilities, social life, defense, etc.  At the same time, all the danger factors for software security have increased: complexity, connections, criticality, cadence and components. This is a perfect storm for very serious consequences.

The World Economic Forum rates a cybersecurity disaster #4 on the list of existential dangers to the world, right after health epidemic and climate disaster.  And application security is the leading cause of breaches by a wide margin.  So the relevance of what we do at Contrast has never been more important.  We’re not interested in simple security check marks.  We protect hundreds of thousands of critical applications and APIs for some of the world’s biggest companies, and we take this responsibility very seriously.

Q: How has the market evolved?

A: The most interesting thing is that the government has finally caught on. They started asking questions, like, ‘What's in that software? What libraries are in there? What ingredients are in there?’ Some of this was the result of a long push by me and many others to help fix the software market. Breaches like SolarWinds and Log4Shell forced them into action.

President Biden’s Executive Cybersecurity Order directed a handful of U.S. government agencies to create new standards, including:

The bottom line of all this is that you’re going to have to be much more transparent about security. You’re going to have to disclose your dependencies, your security processes, vulnerabilities and breaches — in days, not years.  And if you’re the CEO, you’re going to have to attest that you’ve done the basic stuff in the NIST Secure Software Development Framework (SSDF).  If this sounds like Sarbanes-Oxley (SOX), you’re on the right track.

To find out more about how Contrast can help you meet OMB 22-18 and NIST SSDF requirements, read our advisory.


The goal of this is to fix the software market so that producers and consumers have the same information about security and market forces can encourage better security.  If you’re producing software, you should clean up and prepare to be transparent — immediately.

Q: How has the threat landscape evolved? 

A: When we started Contrast, the threat landscape was simpler. The focus of application security was on custom code of web applications and web APIs.  Since that time, attackers have evolved.  They still attack apps and APIs directly.  But they’ve identified new routes into organizations’ software.

The entire software supply chain has become a target.  Attackers might compromise an open-source library to get a lot of companies at once.  Or they might target a development pipeline to compromise a product and get to that company’s customers.  Really, almost any software that is used to build, test or deploy software has become an interesting vector for attackers.

That’s the wonderful thing about the application layer: It’s always where the most innovation happens and where new and interesting application security challenges emerge.  I’m fascinated by the novel threats that Large Language Models (LLMs) and other AI technologies are exposing. The key is to be proactive about understanding new threats.  That’s why Contrast has already deployed new policies and rules for helping developers use these technologies safely. 

Q: What does the future hold for Contrast?

A: I feel like Contrast has created the solution that we set out to create and that we’ve successfully transformed AppSec in a number of large organizations. The more complex software gets, the more important it is to base security on “runtime reality” and not just static views of software ingredients. You have to see it run.

It’s been a great journey. We started with using instrumentation to discover vulnerabilities. A few years later, we leveraged our amazing instrumentation platform to provide excellent runtime protection for apps/APIs. We also added support for runtime library analysis, so we can detect not only whether vulnerable libraries are present, but exactly how those libraries are used by the application.

We just added the final piece of the puzzle, which we call Runtime Security Observability, which creates a digital security blueprint for how the security in your application works. That's different than just finding problems: These blueprints make everything in AppSec better, including threat modeling, penetration testing, risk management, intrusion response and so on.

Of course, we will continue to innovate.  We have only scratched the surface of what can be done with security instrumentation.  And we will continue to help companies transform their AppSec programs from a hamster-wheel of pain into a cost-effective partnership with software development. Companies are discovering a new, healthy “lifestyle” where they can enjoy just innovating and creating great software and not having to wrestle with security all the time. 

The future for us is to continue making that platform great, enabling companies to use it effectively and helping companies to make that transition from the old way of doing AppSec with hand tools, and on to a modern, instrumentation-based runtime security program.

Lisa Vaas, Senior Content Marketing Manager, Contrast Security

Lisa Vaas is a content machine, having spent years churning out reporting and analysis on information security and other flavors of technology. She’s now keeping the content engines revved to help keep secure code flowing at Contrast Security.