Contrast Security was named a “Visionary” in the 2020 Gartner “Magic Quadrant for Application Security Testing.” Vendors are evaluated based on their completeness of vision and ability to execute.
Differentiation is an important criterion for anyone in business—and “vision” is something that rings true especially in the technology space when innovation and vision are key factors to consider. Leading technology companies that are able to transform traditional legacy-based business processes are typically the ones that earn industry recognition and create sustainable business value for customers.
Founding AppSec Principles and Vision
Contrast Security was founded on these principles and based on the belief that traditional manual approaches to application security (AppSec) are broken and a new automated approach is needed. Of course, like most digital innovation, we did not start from scratch but leveraged a proven model in an adjacent space—in this case software instrumentation, which had been used for application performance monitoring (APM). Our DevOps-Native AppSec Platform shifts AppSec from an outside-in exercise to one that is inside-out by using security instrumentation to embed security testing inside software in development. And when the conversation shifts to “right,” it means the same AppSec approach follows the application into runtime production.
It is with this in mind that we are pleased to be named a “Visionary” in Gartner’s 2020 “Magic Quadrant for Application Security Testing.” Gartner evaluates vendors based on their completeness of vision and ability to execute.
Reasons an AppSec Paradigm Shift Is Needed
In our view, there are a number of reasons why traditional AppSec testing models require a transformational approach to deliver modern software. At the heart of the problem is the fact that AppSec functions that reside outside of the application are replete with inefficiencies, inaccuracies, and ineffectiveness. Static application security testing (SAST) and dynamic application security testing (DAST) employ an outside-in security approach that simply lacks the contextual intelligence that is needed.
Because Contrast Security embeds instrumentation in the form of sensors and telemetry within the software and employs application routes to identify vulnerabilities and verify their remediation, this contextual intelligence serves as the basis for what vulnerabilities are flagged during the software development life cycle (SDLC)—namely, inside-out security. Further, unlike legacy-based SAST and DAST solutions that provide point-in-time views of security status, Contrast Security enables continuous real-time security status that mirrors the continuous integration/continuous deployment (CI/CD) process.
In the case of applications in production runtime, continuous observability of the application routes being executed enables Contrast Security to identify and block attacks—both known and unknown threats—in real time based on contextual information about how an application is configured and how transactions and flows move inside the runtime environment. Once again, this inside-out AppSec approach—also known as runtime application self-protection (RASP)—stands in stark contrast with outside-in perimeter defense security models based on web application firewalls (WAFs) that must guess at whether a requested transaction or data query is malicious or not.
Digital transformation initiatives are pushing DevOps teams to code more and to release code faster. Release cycles are no longer measured in months or weeks but in days and even hours. Traditional AppSec approaches are not able to keep pace with the new digital paradigm and rapid pace of change. Many require constant code halts for testing, which becomes a bottleneck for development teams. Additionally, false positives generated by SAST and DAST models become a huge burden that leads to alert fatigue—which, in turn, ratchets up risk. Finally, complexities associated with using third-party code via open-source software (OSS), such as intertwined library dependencies, make it difficult to use OSS with full assurance, as legacy software composition analysis (SCA) tools fail to disclose a full view of the interdependencies.
Understanding the Contrast AppSec Vision
So, what are the key attributes of this paradigm shift that Contrast Security is instigating?
- Software instrumentation. Accurate and efficient AppSec cannot be achieved without security instrumentation. AppSec must be embedded within the software and enable developers to identify and remediate vulnerabilities as they are coding. Instrumentation achieves a level of contextual awareness and accuracy that traditional outside-in AppSec approaches cannot achieve.
- Continuous security. Due to the velocity, volume, and sophistication of the threat landscape, continuous and real-time AppSec is a requisite. Legacy AppSec simply provides a point-in-time confirmation of security and compliance that becomes outdated as soon as it is completed. CI/CD processes are done continuously and in real time. AppSec must do the same to keep pace—from dependencies, to vulnerabilities, to project security status.
- From development to runtime. Piecemeal AppSec approaches and what can be called the AppSec “tool swamp” incur significant inefficiencies and introduce risk. Rather, AppSec must span the entire life cycle using a platform approach by following the application from development into runtime.
Reconciling the DevOps and AppSec Differences
Digital transformation initiatives will continue to be hampered by security issues and processes until an AppSec paradigm shift occurs. The C-suite and board of directors demand greater speed when it comes to DevOps. And development and security leaders are on the “firing line” to ensure AppSec enables rather than inhibits digital transformation. Development leaders, on the one hand, are measured in terms of speed and agility. Security leaders, on the other, are evaluated based on risk mitigation. The friction and strife between their two teams today can be resolved, but this requires a shift to inside-out AppSec—which Contrast Security is pleased to be leading by offering the industry’s only DevOps-Native AppSec Platform.
To read the full 2020 Gartner “Magic Quadrant for Application Security Testing,” download a copy today.
Also, check out the Inside AppSec Podcast, “A Look at the AppSec Marketplace and Contrast Security in 2020.”
Gartner, “Magic Quadrant for Application Security Testing,” Mark Horvath, Dionisio Zumerle, and Dale Gardner, April 29, 2020.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.