Skip to content

Waiter… there’s a fly in my appsec tool soup!!!

Waiter… there’s a fly in my appsec tool soup!!!

fly-in-my-appsec-soup.jpgBrace yourself. Recent advances in application security are about to spawn an onslaught of application security tool vendors who think you absolutely must have their "complete" solution to protect your applications.

They want to sell you the old stuff... static analysis (SAST), dynamic analysis (DAST), and web application firewall (WAF).  They might include a library analysis tool. And they're going to want to sell you the new stuff... interactive analysis (IAST) and runtime self-protection (RASP).  And they're going to tell you that you need all of this stuff in order to meet the needs of DevOps!

They're basically saying that "tool soup" is the best approach.  I couldn't disagree more. Tool soup not only doesn't address the key speed, scalability, and process fit problems in appsec, it won't solve critical false positive and, even more importantly, false negative problems. It's a monster all right.

What security tooling does DevOps need?

Let's just step back from the madness and think for a second about what DevOps projects actually need. These projects are relying on automation to move code from development to production very quickly, so security has to work at DevOps speed and portfolio scale.

  1. Non-Disruptive - Maybe this is obvious, but security tools shouldn't require tailoring, tuning, or customization to produce great results. You shouldn't need an expert to install, run, or interpret the results. And they shouldn't add steps or disrupt modern software development. Or wreck environments with scan load or hacking attempts.
  2. Instant - DevOps projects need security feedback to be essentially instant. Anything else (hours, days, weeks, months...) creates delays in getting that code to production. And instant feedback is the most cost-effective way to deal with vulnerabilities because they get fixed even before code gets checked in -- no downstream vulnerability management costs. 
  3. Accurate - DevOps projects don't have time to deal with false positives and even more dangerous false negatives (real vulnerabilities that are missed by the tool). And DevOps absolutely need tools that work with REST APIs... but that's a different post. So ask your vendor to show you their results against the OWASP Benchmark.
  4. Scalable - What's the biggest problem scaling application security? <spoiler alert> Like Soylent Green....  it's people. Using a warehouse full of people to clean up results from inaccurate tools just moves the problem. And adding more tools to the soup exacerbates the problem. You don't want six (or more) different tools to manage, each with its own configuration and experts.  DevOps demands a solution that can scale to hundreds or thousands of applications and still provide instant, accurate results.
  5. Unified - For 15 years, people have attempted to create "hybrid" application security solutions that merge the results of different tools. DAST + WAF.  SAST + DAST. And so on. None of them have worked. You end up taking two small piles of noisy results and smashing them together into one big pile of noisy results. Instead of running separate analyses and attempting to merge the results, DevOps needs a unified tool that leverages multiple different forms of analysis as one.

My advice?  Don't order the "Tool Soup" -- it will just make your application security problems worse.

A better approach...

Ditch the old stuff that doesn't really do the job. Contrast is the world's first and only unified IAST and RASP platform. Just add a single application-layer agent to your application stack... that's it.  From that point forward, Contrast continuously protects your apps from both vulnerabilities and attacks.

Using deep security instrumentation, Contrast takes advantage of the elements of static and dynamic analysis that actually work well, and adds the power of configuration analysis, library analysis, runtime analysis, attack protection, log enhancement, CVE shields, and bot blocking. That's all in the single easily deployed agent.

This unified analysis has access to the "context" (code, HTTP traffic, libraries, data flow, architecture, etc...) needed to produce amazingly accurate results in real time. And Contrast is a distributed solution that scales to hundreds or thousands of applications in parallel. Imagine controlling application security policy across your entire portfolio from the first line of code all the way through production.

This isn't just what DevOps needs... it's what every enterprise that's betting their future on software needs.




Jeff Williams, Co-Founder, Chief Technology Officer

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.