
Is Your AppSec Tool Truly Scalable?

    

Many businesses are trapped in a dilemma, a Morton's Fork: rely on automated tools to cover the whole application portfolio and accept the false positives and missed vulnerabilities that come with them, or use expert consultants to get the level of assurance they require on a handful of applications? You can pick scale or quality, not both.

In most organizations, a small team of security experts is charged with securing a massive application portfolio. In many cases, their expertise is squandered on chasing down false positives and coordinating meetings with development teams. They spend more time learning how to operate application security tools than they do fixing application security bugs in code. And that's a problem, because until you actually fix your code, you're not more secure.

Scaling AppSec Automation 

The obvious solution to scaling application security is to automate. Unfortunately, the traditional application security tools simply don't scale. There are a variety of reasons, but the fundamental problem is that they require experts to drive them. There simply aren't enough application security experts, so these tools inevitably create bottlenecks. They appear to work when you use them on a single application, but fail dismally at portfolio scale.

In a recent report, the NSA's Center for Assured Software demonstrated the need for a new approach to automating application security. Its study found that the seven leading static analysis products, even combined, could not correctly discriminate 85% of the vulnerabilities in its test suite of more than 13,800 Java test cases. This result matches Aspect Security's extensive real-world experience with static analysis, as well as the findings of the SAMATE program at NIST.

Getting great results one application at a time isn't good enough. To help organizations meet application security challenges, technology has to scale to the entire application portfolio. Unless you have unlimited manpower or unlimited funding, you have to choose between trade-offs, and that's frustrating. Some organizations try to deal with scaling problems by limiting their efforts to just the critical applications (and many mistakenly equate "critical" with "externally facing"). Others dumb down the rulesets so that the tools don't false alarm as much. Unfortunately this is a case of throwing the baby out with the bathwater: you'll get System.out.println() findings, which never false alarm but are totally useless, and you'll miss many critical vulnerabilities. Crippling your appsec automation program isn't scaling.

Instrumentation Enables AppSec at Portfolio Scale

Consider Google Analytics, a powerful analysis tool used by millions of large websites. It works by instrumenting web applications as they are running in the browser, sending usage data to a server, and using that data to create useful reports and dashboards. Contrast provides application security analytics using a similar model.

Contrast leverages instrumentation to easily scale to hundreds or thousands of applications. When you install the Contrast security plugin into your application servers, it automatically and invisibly instruments them with sensors and a powerful rule engine. We recommend putting it on test servers and development machines. 

As you exercise your applications with your normal QA activities, Contrast silently reports vulnerabilities in your code to the Contrast Team Server in the cloud. At any time, you can log in to view an up-to-date dashboard of critical security information and vulnerabilities across your applications.
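To make the sensor model concrete, here is an added toy illustration in Python. It is not Contrast's agent (which instruments Java bytecode) and not code from this page: a source sensor tags request data as tainted, a sink sensor checks what actually reaches the database, and the runtime's connect function is patched so the application code itself stays untouched. It also shows the point made earlier about dumbed-down rulesets: a concatenation of an application constant produces no finding, because nothing tainted reaches the sink. The request parameters and the table are constructed sample data.

```python
import sqlite3

FINDINGS = []  # what the agent would send to the dashboard


class Tainted(str):
    """A str that remembers which untrusted source it came from.

    A real agent tracks taint per character inside the runtime; this toy
    only propagates it through string concatenation, which is enough to
    show the idea (f-strings and .format() would drop it here)."""

    def __new__(cls, value, source):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.source)

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.source)


def request_param(params, name):
    """Source sensor: anything read from the request is untrusted."""
    return Tainted(params[name], "request parameter '%s'" % name)


class SensorConnection(sqlite3.Connection):
    """Sink sensor: look at the SQL text that is about to run."""

    def execute(self, sql, parameters=()):
        if isinstance(sql, Tainted):
            # tainted data became part of the SQL text itself
            FINDINGS.append({"rule": "sql-injection",
                             "source": sql.source,
                             "sql": str(sql)})
        return super().execute(sql, parameters)


# "Install the plugin": patch the runtime's connect() so every connection
# the application opens is a SensorConnection. Application code is unchanged.
_real_connect = sqlite3.connect


def _instrumented_connect(*args, **kwargs):
    kwargs.setdefault("factory", SensorConnection)
    return _real_connect(*args, **kwargs)


sqlite3.connect = _instrumented_connect


# --- application code, as the developers wrote it (constructed sample) -------

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    return conn


def find_user_vulnerable(conn, params):
    name = request_param(params, "username")
    # concatenating request data into the query: the injection the agent reports
    return conn.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()


def find_user_safe(conn, params):
    name = request_param(params, "username")
    # bound parameter: tainted data never becomes part of the SQL text
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


def count_rows(conn, table):
    # concatenation of an application constant: a source-pattern rule would
    # flag this line, but nothing tainted reaches the sink, so no finding
    return conn.execute("SELECT count(*) FROM " + table).fetchone()[0]


# --- constructed stand-in for ordinary QA traffic ----------------------------

def run_qa_traffic():
    """Exercise the app the way a QA pass would; return what the agent found."""
    FINDINGS.clear()
    conn = setup_db()
    find_user_vulnerable(conn, {"username": "alice"})
    find_user_safe(conn, {"username": "alice"})
    count_rows(conn, "users")
    return list(FINDINGS)


if __name__ == "__main__":
    for finding in run_qa_traffic():
        print(finding["rule"], "from", finding["source"], "->", finding["sql"])
```

Two caveats carry over to any instrumentation-based tool. A vulnerability in a code path that QA never exercises never reaches the sink sensor, which is why analysis coverage has to be measured alongside the findings. And every place the toy would lose taint (an f-string, a StringBuilder in Java) is a place a real agent must also instrument, or it will report a false negative with exactly the same confidence it reports a true finding.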

 


Your Contrast account displays charts, trends, metrics, and full vulnerability traces for security, development, and test teams. Your developers get feedback much more quickly, and your security experts can focus on designing and building security controls instead of chasing vulnerabilities. Each application receives an easy-to-read letter grade for security, based on both the vulnerabilities found and the analysis coverage achieved. Having access to this information shouldn't require a security specialist, and it certainly shouldn't be confined to an "expert" at a managed solution.

Contrast represents a reinvention of how applications are secured. It doesn't require extensive security expertise, a lot of time to set up, or, frankly, a lot of money. Contrast provides all of these services:

  • Continuous and accurate vulnerability detection. We find more real vulnerabilities with far fewer false positives. And because Contrast is a passive plugin to your server, it continuously monitors your Java EE applications. This means you always get an accurate, up-to-the-minute snapshot of your vulnerabilities.

  • Expert guidance...without the experts. Contrast's experts have been doing code review and penetration testing for over 10 years, and we've built that expertise into the Contrast engine. That means you get expert guidance without hiring expensive outside consultants or time-intensive training for you and your staff. 

  • Speed and Scalability. Because Contrast analyzes your applications passively in minutes and can be deployed with complete automation, it can scale to your entire application portfolio with little effort. Just drop the plugin onto an application server, and Contrast automatically analyzes every application on that server. Contrast can analyze even a portfolio of thousands of apps automatically.

  • Library Analysis. Contrast examines third-party libraries, potentially hundreds of .jar files downloaded when you run a build. Contrast tells you which libraries have known security problems, which are out of date, and why you may want to upgrade.

  • Run-Time Architectural Analysis. Want to make sure your off-the-shelf app isn't phoning home? Want to see which databases, web services and directories your app connects to at runtime? Run-time analysis gives you that clear picture.
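As an added illustration of the library analysis bullet above (not Contrast's own implementation, and not code from this page), the following Python reads the Maven coordinates that most build-published jars carry in META-INF/maven/<groupId>/<artifactId>/pom.properties, then checks the version against an advisory list. The jars, the org.example coordinates and the advisory entries are constructed sample data, not real artifacts or CVEs.

```python
import io
import re
import zipfile

# Constructed sample advisory feed (fictional artifacts, not real CVE data):
# coordinates -> latest known release and the first release that fixed a
# known issue (None when there is no known issue).
ADVISORIES = {
    "org.example:widget-core": {"latest": "2.4.0", "fixed_in": "2.3.1"},
    "org.example:widget-util": {"latest": "1.9.0", "fixed_in": None},
}


def parse_version(version):
    """'3.2.1-SNAPSHOT' -> (3, 2, 1); padded to three parts so '1.0' == '1.0.0'.

    Good enough for x.y.z Maven versions; qualifiers such as -rc1 are
    ignored here, which a production comparator must not do."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))
    return (parts + (0, 0, 0))[:3]


def jar_coordinates(jar_bytes):
    """Maven coordinates from META-INF/maven/<g>/<a>/pom.properties, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/")
                    and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8").splitlines():
                if "=" in line and not line.lstrip().startswith("#"):
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if all(k in props for k in ("groupId", "artifactId", "version")):
                return props["groupId"], props["artifactId"], props["version"]
    return None


def assess_jar(jar_bytes, advisories=ADVISORIES):
    """Classify one jar: vulnerable / outdated / ok / unknown / unidentified."""
    coords = jar_coordinates(jar_bytes)
    if coords is None:
        # shaded or hand-built jars carry no pom.properties; a real tool falls
        # back to the manifest or to hashing the jar against a central index
        return {"status": "unidentified", "issues": []}
    group, artifact, version = coords
    key = group + ":" + artifact
    result = {"artifact": key, "version": version, "status": "ok", "issues": []}
    info = advisories.get(key)
    if info is None:
        result["status"] = "unknown"  # identified, but nothing known about it
        return result
    if info["fixed_in"] and parse_version(version) < parse_version(info["fixed_in"]):
        result["status"] = "vulnerable"
        result["issues"].append("known issue, fixed in " + info["fixed_in"])
    if parse_version(version) < parse_version(info["latest"]):
        result["issues"].append("out of date, latest is " + info["latest"])
        if result["status"] == "ok":
            result["status"] = "outdated"
    return result


def make_jar(group, artifact, version):
    """Construct a minimal jar in memory, shaped like one Maven would publish."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/maven/%s/%s/pom.properties" % (group, artifact),
                    "#Generated by Maven\nversion=%s\ngroupId=%s\nartifactId=%s\n"
                    % (version, group, artifact))
    return buf.getvalue()


def scan_build_output(jars):
    """Assess every jar a build pulled in; this is what a dashboard would summarise."""
    return [assess_jar(jar) for jar in jars]


if __name__ == "__main__":
    build = [make_jar("org.example", "widget-core", "2.2.0"),
             make_jar("org.example", "widget-util", "1.9.0"),
             make_jar("com.example", "unlisted", "0.1")]
    for report in scan_build_output(build):
        print(report)
```

The "unknown" and "unidentified" outcomes matter as much as "vulnerable": a jar the tool cannot map to coordinates is a jar whose advisories it cannot check, and a portfolio-wide report should count those rather than silently treating them as clean.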

You've read this far, so take a moment to learn more about Contrast, the web application security tool that increases scalability AND quality. 


Developing a robust application security program does not need to be a daunting task.

Perhaps all it takes is rethinking your existing program and moving to one that leverages a continuous application security (CAS) approach. Organizations practicing CAS quickly determine how a new risk affects them, design a defense strategy, and measure their progress toward 100% coverage. By implementing eight functions within an enterprise, you can assemble an effective application security program.


Jeff Williams, Co-Founder, Chief Technology Officer


Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.