Failure to Lognch
Loving our content? Subscribe now!
Get the latest content from Contrast directly to your mailbox. By subscribing, you will stay up to date with all the latest and greatest from Contrast.
I had to fight tooth and nail to get this blog title -- I hope it made you shoot air out of your nose with a little more thrust than usual.
Let’s spare a moment in solidarity with the VPs of Engineering out there. They have a crucial role to play in software security. Unfortunately, they are often asked by security to deliver a policy requirement X, such that:
This is exactly the issue with security and audit logging. The requirement simply rolls downhill to the developers, where there’s lots of discretion applied. Thousands of policies don’t have the same effect as 1 line of code.
Obviously, there are huge gaps here. Many security-relevant events and actual attacks will be missed for the following reasons:
There are also more cynical reasons, like failure to care, or failure to prioritize. Developers aren’t incentivized on this in any way, so we’re really just hoping on goodwill.
Let’s talk solutions.
Instead of trying to teach developers about how to detect attacks and get logs regarding their security, Contrast Protect’s RASP technology just does it for you. Isn’t that better than arguing about it with security?
Contrast ships out of the box looking to instrument many core APIs with logging. Don’t you want to be alerted when a new .DLL or .so is loaded into your JVM process? How about when your end users authenticate with Spring library?
Here’s an example from the product. This Log Enhancer will automatically weave a message into your logs if the developer chooses to override how SSL hostnames are verified! Pretty cool!
As shown, you can control what the log message looks like and include the parameters, instance, return value, etc.
You can also add your own log enhancers to our product. You know what your APIs are -- and chances are, some of them don’t do enough logging. You can use this feature to enhance the logs without requiring a code deploy.
Our vision of RASP - Contrast Protect - is pretty different from how other vendors see it. It’s not just about SQL Injection. You have to nail that, of course, but there’s so much more to do.
We believe that a RASP product should be doing everything a team of application security consultants would do to make the software more secure. We’re going to be adding all the missing “security features” that the devs forgot about -- and some of that is the unsexy stuff, like logging.
Stay tuned for more!
Get the latest content from Contrast directly to your mailbox. By subscribing, you will stay up to date with all the latest and greatest from Contrast.