Platform
Contrast Secure Code Platform

Contrast Scan (SAST)

Contrast Assess (IAST)

Contrast Protect (RASP)

Contrast Software Composition Analysis (SCA)

Contrast Serverless (Cloud Native)
Developer Central

Log4j Response

Pricing

How We Compare

Languages

Integrations
Solutions
BY USE CASE

Why IAST?

DevSecOps

Automated Penetration Testing

AppSec Monitoring

API Security

Software Supply Chain Security

Runtime Protection

Software Bills of Materials (SBOMs)

GitHub CI/CD

Compliance Testing

Services

BY DEPARTMENT

Dev and DevOps Teams

Security

DevSecOps

CISO

BY INDUSTRY

Government

Financial Services

Healthcare

Others
Partner
Technology Partners

Systems Integrators

Ecosystem Integrations

Managed Security Services Providers

Channel Partners Overview

Cloud Partners

GitHub
Partner Program Overview

Become a Partner

Find a Partner

Visit Partner Portal
GITHUB ACTIONS BLOG SERIES, PART 1: PIPELINE NATIVE CODE ANALYSIS

Read the Blog
Customers
Company
About Us

Leadership Team

Culture & Careers

Women of Contrast

Contact Us
Blog

Events & Webinars

Newsroom

Podcast

Awards
Contrast Security recognized as a Visionary by Gartner in Application Security Testing.

Learn More
Resources
Contrast for Developers

Contrast Secure Code Learn Hub

Contrast Community

Resource Center

OWASP Top 10

Accountability & Transparency

SBOMs

ContrastLive

Support

Services

Trust Center

Documentation

Product Release Notes

Blog

Podcast

Events

Glossary
Contrast Incident Response Hub

Spring4Shell Vulnerability

Log4j Vulnerability

Weekly CISO Update

Trust Center
Developers

Failure to Lognch

By Arshan Dabirsiaghi, Co-Founder, Chief Scientist

November 9, 2016

I had to fight tooth and nail to get this blog title -- I hope it made you shoot air out of your nose with a little more thrust than usual.

Let’s spare a moment in solidarity with the VPs of Engineering out there. They have a crucial role to play in software security. Unfortunately, they are often asked by security to deliver a policy requirement X, such that:

X is not well-specified
X is not practically testable
X is not part of stakeholder functionality
X is not used by engineering
X is not reflected in KPIs for engineering
X does not come with budget

This is exactly the issue with security and audit logging. The requirement simply rolls downhill to the developers, where there’s lots of discretion applied. Thousands of policies don’t have the same effect as 1 line of code.

Obviously, there are huge gaps here. Many security-relevant events and actual attacks will be missed for the following reasons:

the developers don’t know about that type of attack
the attackers evaded the developers’ simple approach to attack detection
the developers didn’t think an event was important
the developers couldn’t possibly log it (e.g., it happens in library or runtime)

There are also more cynical reasons, like failure to care, or failure to prioritize. Developers aren’t incentivized on this in any way, so we’re really just hoping on goodwill.

Let’s talk solutions.

Automatic Log Enhancers

Instead of trying to teach developers about how to detect attacks and get logs regarding their security, Contrast Protect’s RASP technology just does it for you. Isn’t that better than arguing about it with security?

Contrast ships out of the box looking to instrument many core APIs with logging. Don’t you want to be alerted when a new .DLL or .so is loaded into your JVM process? How about when your end users authenticate with Spring library?

Here’s an example from the product. This Log Enhancer will automatically weave a message into your logs if the developer chooses to override how SSL hostnames are verified! Pretty cool!

As shown, you can control what the log message looks like and include the parameters, instance, return value, etc.

You can also add your own log enhancers to our product. You know what your APIs are -- and chances are, some of them don’t do enough logging. You can use this feature to enhance the logs without requiring a code deploy.

RASP: It’s More than XSS and SQL Injection

Our vision of RASP - Contrast Protect - is pretty different from how other vendors see it. It’s not just about SQL Injection. You have to nail that, of course, but there’s so much more to do.

We believe that a RASP product should be doing everything a team of application security consultants would do to make the software more secure. We’re going to be adding all the missing “security features” that the devs forgot about -- and some of that is the unsexy stuff, like logging.

Stay tuned for more!

DevOps

Arshan Dabirsiaghi, Co-Founder, Chief Scientist

Arshan is an accomplished security researcher with 10+ years of experience advising large organizations about application security. Arshan has released popular application security tools, including AntiSamy and JavaSnoop.

The DevOpsification of Security

The Impact of Fake Retail Apps Hitting the Apple App Store this Year

BY USE CASE

BY DEPARTMENT

BY INDUSTRY

GITHUB ACTIONS BLOG SERIES, PART 1: PIPELINE NATIVE CODE ANALYSIS

Contrast Security recognized as a Visionary by Gartner in Application Security Testing.

Contrast Incident Response Hub

Failure to Lognch

Automatic Log Enhancers

RASP: It’s More than XSS and SQL Injection

Arshan Dabirsiaghi, Co-Founder, Chief Scientist

Loving our content? Subscribe now!