Route Intelligence™ Enables Transformation of Traditional Application Security Testing

Route Intelligence™ transforms AppSec testing by providing comprehensive visibility of the entire application attack surface while saving DevSecOps resources through automated vulnerability verification.

One out of every four network breaches last year was achieved by a hacker exploiting an application vulnerability. As long as these opportunities present themselves, cyber criminals will continue to use unsecured flaws in application code as easy access points for their nefarious plans.

SAST and DAST Are Failed AppSec Models

While it seems like an easy issue to fix, this problem has plagued development and security teams for the last 20 years. For example, despite unending efforts to solve the problem, the average number of vulnerabilities per application has remained unchanged since 2000 (26.7 vulnerabilities per application). And the reason for this is that existing approaches to application security (AppSec) testing are simply not getting the job done.

Static application security testing (SAST) and dynamic application security testing (DAST) tools lack robust discovery capabilities for what’s connected to an application. They build and scan hypothetical models of source code repositories. While they claim to completely check code line by line, these processes are both slow and ineffective because of the high volume of false positives that they find and their inability to trace data flows through bulk data structures (e.g., arrays, lists, collections). This creates noise that inhibits discovery of actual problems that cause risks when the code is running.

The average number of vulnerabilities per application is the same today as it was in 2000.

Ultimately, this means that static testing methods cannot provide a clear picture or complete visibility of the application attack surface. Security teams are uncertain of the actual risks that application vulnerabilities pose, and they expend valuable energy and time dealing with false positives. Developers are frustrated by elongated code development cycles and must become security experts—or add security specialists to their teams—to overcome them.

To compensate for these limitations, human security staff must then manually verify vulnerability remediation—a process that can tally hundreds of hours each year. These sorts of cumbersome, human-dependent workflows create an undue burden on organizations—especially considering the continuing worldwide shortage of skilled security employee resources. Manual verification also impacts developers by slowing down continuous integration/continuous deployment (CI/CD) life cycles—which impacts the time to market of delivering new products.

Route Intelligence™ Introduces Groundbreaking Capabilities

With today’s agile development processes, applications are becoming much more complex. They are dynamically loaded, and they use application programming interface (API) toolsets to accelerate DevOps cycles. As a result of these changes, line-by-line code checking becomes an even less effective and outdated method for AppSec testing.

An application route represents how a user literally interacts with the application. It’s made up of three distinct data points: the URL of the route, the HTTP verb associated with the request (e.g., GET or POST), and a unique signature based on that route's controller action. Unlike other AppSec models that simply analyze lines of code, Route Intelligence observes the nature of an application as it’s actually running. Rather than testing and re-testing lines of code, AppSec testing based on intelligent observation of routes exposes all of the different points of entry into the application. Consequently, no additional specialized testing needs to happen to capture vulnerability assessments.

Route Intelligence transforms traditional AppSec approaches, shifting from tedious, time-consuming, line-by-line code testing to using an application’s route to detect vulnerabilities in both custom code and libraries.

Contrast Assess combines SAST and DAST tools with interactive application security testing (IAST) for development and testing environments. The addition of Route Intelligence capabilities to Contrast Assess uses an application’s routes to detect application vulnerabilities in both custom code and libraries during normal use by gathering data from running code. Contrast Assess combines continuous and accurate assessment with instrumentation-based vulnerability assessment capabilities. Combining Route Intelligence with Contrast Assess changes the AppSec testing process in three ways:

  • Unwavering Confidence. Using an instrumentation-based approach to AppSec testing, Contrast Assess directly interrogates application frameworks to determine all possible routes of the application. This provides security and development teams with full visibility of the attack surface.
  • Better Visibility. As a result of its unique route-based discovery capabilities, Contrast Assess shows developers not only a comprehensive view of actual vulnerabilities but also how much of the attack surface has been tested and which areas require high-priority remediation. This essentially eliminates the risk of deploying compromised code. 
  • Complete Automation. By tracking an application’s runtime behavior, Route Intelligence enables Contrast Assess to compare successive security assessment results for each application route. This enables developers and security specialists to automatically confirm the remediation of a previously discovered vulnerability. The ability to verify vulnerability remediation can dramatically improve the risk posture of an application. At the same time, Route Intelligence eliminates manual verification workflows, which can save hundreds of security team hours each year. This approach seamlessly fits into existing CI/CD pipelines, which helps accelerate the process from development to production.
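The route model and the per-route comparison described above, as an added example that is not Contrast's code: a route is identified by the three data points the article names (URL, HTTP verb, controller-action signature), the inventory stands in for what an agent would read from the framework's route table, coverage is the share of that inventory a test run actually exercised, and remediation is confirmed only by comparing two successive runs route by route. The route table, the finding labels and the two assessment runs are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Route:
    """The three data points that identify an application route."""
    url: str        # route template, e.g. "/orders/{id}"
    verb: str       # HTTP method, e.g. "GET"
    signature: str  # unique id of the controller action behind the route


# Constructed stand-in for a framework's route table (what an instrumentation
# agent would obtain by interrogating the framework). Not a real application.
ROUTE_TABLE = [
    ("/login",        "POST", "AuthController#login"),
    ("/orders",       "GET",  "OrdersController#index"),
    ("/orders/{id}",  "GET",  "OrdersController#show"),
    ("/orders",       "POST", "OrdersController#create"),
    ("/admin/export", "GET",  "AdminController#export"),
]

# One assessment run: each exercised route mapped to the finding ids seen on it.
Assessment = Dict[Route, Set[str]]


def discover_routes(route_table) -> FrozenSet[Route]:
    """Build the route inventory: every entry point, whether or not it was ever hit."""
    return frozenset(Route(url, verb, sig) for url, verb, sig in route_table)


def coverage(inventory: FrozenSet[Route], run: Assessment) -> Tuple[float, FrozenSet[Route]]:
    """Fraction of the attack surface exercised by a run, plus the routes never reached."""
    exercised = frozenset(run)
    return len(inventory & exercised) / len(inventory), inventory - exercised


def auto_verify(previous: Assessment, current: Assessment) -> Dict[str, Set[Tuple[Route, str]]]:
    """Diff two successive assessments route by route.

    A finding counts as remediated only when its route was exercised again and
    the finding did not recur. If the route was not exercised in the current
    run, the absence of the finding is not evidence of a fix, so it stays
    unverified rather than being closed.
    """
    result: Dict[str, Set[Tuple[Route, str]]] = {
        "remediated": set(), "still_open": set(), "unverified": set(), "new": set(),
    }
    for route, old_findings in previous.items():
        if route not in current:
            result["unverified"].update((route, f) for f in old_findings)
            continue
        for f in old_findings:
            bucket = "still_open" if f in current[route] else "remediated"
            result[bucket].add((route, f))
    for route, findings in current.items():
        for f in findings - previous.get(route, set()):
            result["new"].add((route, f))
    return result


INVENTORY = discover_routes(ROUTE_TABLE)
BY_SIG = {r.signature: r for r in INVENTORY}

# Constructed results of two consecutive test runs; finding ids are labels only.
RUN_1: Assessment = {
    BY_SIG["AuthController#login"]:   {"sql-injection"},
    BY_SIG["OrdersController#index"]: set(),
    BY_SIG["OrdersController#show"]:  {"reflected-xss"},
    BY_SIG["AdminController#export"]: {"path-traversal"},
}
RUN_2: Assessment = {
    BY_SIG["AuthController#login"]:   set(),              # re-exercised, finding gone
    BY_SIG["OrdersController#index"]: {"reflected-xss"},  # new finding
    BY_SIG["OrdersController#show"]:  {"reflected-xss"},  # still open
    # AdminController#export was not exercised in this run -> cannot be verified
}


def report() -> Tuple[float, FrozenSet[Route], Dict[str, Set[Tuple[Route, str]]]]:
    """Coverage of the latest run and the per-route verification verdict."""
    pct, untested = coverage(INVENTORY, RUN_2)
    return pct, untested, auto_verify(RUN_1, RUN_2)


if __name__ == "__main__":
    pct, untested, verdict = report()
    print(f"attack surface exercised: {pct:.0%}")
    for r in sorted(untested, key=lambda r: (r.url, r.verb)):
        print(f"  untested: {r.verb} {r.url} ({r.signature})")
    for bucket, items in verdict.items():
        for route, finding in sorted(items, key=lambda x: x[0].signature):
            print(f"  {bucket:<11} {route.verb} {route.url}: {finding}")
```

The "unverified" bucket is the part worth copying: a route that was never reached in the second run cannot close a finding, which is exactly why the coverage figure and the verification verdict have to be read together.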

Benefits of Route Intelligence Cascade to Development and Security Teams

Development teams are measured in terms of code releases and time to delivery. But when using traditional AppSec models—where coding is regularly halted for manual, time-consuming application testing and subsequent vulnerability remediation—developers are unable to sustain a pace commensurate with business demands. At the same time, security teams lack full visibility of the application attack surface, which makes it difficult to prioritize vulnerability identification and to verify vulnerability remediation.

AppSec approaches that test lines of code do not have a complete picture of the application attack surface. An instrumentation-based AppSec platform such as Contrast provides real-time visibility into how much of an application has been tested, how many vulnerabilities have been found, and which vulnerabilities have been remediated. In addition, policy-based auto-verification capabilities in Contrast Assess are immensely more effective than static AppSec approaches as well as more efficient. Developers win because they are able to code and deploy code into production faster. Security teams win because they are able to manage risk more effectively. 

Subhash Arja

Subhash is the head of product for Contrast Assess and Open Source Security and has an extensive background in creating products with an emphasis on user experience and quality. He has managed the launch of industry-leading products at companies like Apple, Cisco, and Pearl Automation. He holds an MBA from the University of California at Berkeley’s Haas School of Business, a Master’s in Computer Science from Harvard University, and a Bachelor of Science in Electrical Engineering from UCLA.