What’s a basketball got to do with Application Security instrumentation?

It's not just any basketball — it’s a sensor-packed basketball. 

We have an Instrumentation Glossary entry dedicated to instrumentation via sensors, but we can also turn to a nifty basketball — there are a bunch of them on the market at this point, such as this one or this one — to help explain how security instrumentation works. 

So hi, hoopheads, and a happy March Madness to you all!

Some questions: How’s your cross-over? How’s your dribble? If you’re a player looking to refine your game, you’re probably aware of sensor-packed basketballs that critique your every move and give you contextual feedback on what needs improving. The instrumented basketballs are fairly standard balls, but they’re stuffed with sensors that send data to your smartphone vis-a-vis the arc of your shot, your shot speed and your number of dribbles. 

The sensors tell you how the ball spins and how it leaves your hand. Then, calculations compare your motion with that of anybody who uses the ball, including the amount of force needed to get past another player or how much hand speed you need for a cross-over. 

As one manufacturer stressed, the key innovation of these instrumented balls wasn’t just to pack in powerful processors, with enough memory and perfect sensors, into a ball that’s sealed up tight to use indoors or outdoors, wherever and however you’d use a normal basketball.

Real-time security: Detecting fast, acting faster with security instrumentation

No, the insertion of sensors wasn’t the most important breakthrough. Rather, the real breakthrough was that the information is processed in real time. 

Similarly, security instrumentation embeds sensors within applications so they can protect themselves from the most sophisticated attacks — in real time. 

This is radically reimagined security. Security instrumentation sensors that actively reside inside applications can uncover vulnerabilities in real time, prevent data breaches and secure web-based applications and application programming interfaces (APIs)  throughout development and testing, deployment, and maintenance, largely without human intervention. 

As it is, these days, we’re already surrounded by instrumentation. To name just a few examples, there are digital sensors in your HVAC system that measure ambient temperature, sensors in your digital camera that measure light, and motion detection sensors in your security and home automation systems. 

Putting sensors in your code to give an instant readout of real-time security issues is a no-brainer, and it’s what instrumentation is all about. 

How application instrumentation works

The easiest way to think about our way of application instrumentation is to think of it as a watcher. We observe the runtime behavior of the application/API and look for anomalous activity that indicates a vulnerability or an attack. Besides watching data flow, many other rules also  deal with headers, configuration, encryption, hashing and more.  

Our Contrast sensors are absorbed by the application and in return are able to continually and automatically observe all the faulty code in that application that could be exploited. By instrumenting all layers across the entire application, Contrast Runtime Security can trace data and execution through custom code, libraries, frameworks and even the runtime platform, all without requiring any changes to the build-test-deploy cycle. We have a sensor for each of the languages we support, which removes language as a barrier. 

“We just tag data that's coming into your application,” according to Bryan Beverly, Contrast’s VP of Engineering Runtime Security. 

Our sensors run within a running application, meaning that they load and instrument — i.e., they add sensors — when the application we're protecting starts up. We tag data that comes into the web application, and we flow through the application until it reaches a final destination (a "sink") such as being put into a database, written to a log file or being sent to another application.

Sensors are the watchers

Every time new data comes in, instrumentation flags it, then the software sensors follow that data — on through the entire application, all the way until it's finished, wherever it goes. We follow data as it enters a database, for example, or we watch data if it goes into a log file, or we watch as data gets sent off to another application. 

When it comes to our data-flow rule, “All we're doing is following it and watching,” Beverly explains. We watch it, and then we wait. 

Is the data integrity being verified? If so, great. 

If the data’s not being verified, that’s not so great. At that point, “We’re looking for bad things that could be happening,” Beverly says. “If someone is allowing data to come straight through an application and go straight into a database without being validated, that strikes us as concerning; that's a vulnerability waiting to happen.”

Unlike other tools, Contrast doesn’t have to see an attack. It doesn’t have to see malicious data. Contrast can tell, just by following the data through the code, whether it has a vulnerability or not.

This is the kind of instant feedback that changes the security game, just like it changes your b-ball game. You’re shooting flat? OK, that’s good to know. You’re shooting flat precisely by an angle of 38 degrees? Now that’s feedback you can use — immediately. 

Similarly: You’re dealing with potentially vulnerable applications? Fine. That’s nothing new. But how about if you’re dealing with application vulnerabilities that get stopped dead in their tracks because instrumentation flagged the bugs in development or bugs that cropped up later in production only to hit a brick wall of instrumented protection?

… in real time. 

As in, don’t worry about zero days like Log4j. We blocked that one and a gallery full of other zero days before they even bounced onto the scene. 

Security instrumentation crushes, kills & destroys zero days

You want to up your basketball game? Go buy an instrumented basketball. You want to avoid this gallery of zero-day horrors? 

Zero Days Blocked Before Discovery Hall of Fame

Contrast detects & prevents exploitation against entire classes of
vulnerabilities via embedded detection rules.

Examples of zero days that Contrast mitigated before
they were discovered (before CVEs were issued):

• Atlassian Confluence — Server Site Template Injection opens risk to Remote Code Execution - CVE-2023-22527
• Spring/Kafka — Deserialization opens risk to Remote Code Execution - CVE-2023-34040
• Spring4Shell — Command Injection/ClassLoader manipulation - CVE-2023-22965 
• Log4Shell — Expression Language Injection - CVE-2021-44228
• Confluence OGNL Injection — CVE-2021-26084 
• Apache Struts2 — CVE-2020-17530
• Python Salt CVEs — CVE-2020-11651 & CVE-2020-11652
• Tomcat Server — CVE-2020-9484
• WebLogic Remote Code Execution (RCE) — CVE-2019-2725
• Apache Struts2 — CVE-2019-0230
• Apache Struts2 — CVE-2018-11776
• Jenkins XStream — CVE-2016-0792

This is the power of Runtime Security: Runtime Security automatically blocks attacks in production and prevents insecure programming early in development.  Runtime easily scales to continuously protect your entire software portfolio, including applications, APIs, and even third-party applications.  And it covers the whole stack at once, instead of scanning pieces separately and overlooking major components. The result is a highly effective Application Security operating model that delivers a high level of security without compromising innovation.

Runtime Security changes everything

“It’s not just about better detection,” says Contrast Co-founder and Chief Technology Officer Jeff Williams. “It changes the whole operating model. Now players can teach themselves. And one coach can handle more players and give them more individualized instruction.  

“The whole economics of coaches and players is disrupted for the better. It’s the same for healthcare. The relationship between doctors and patients is different when patients get real-time telemetry and can do things for themselves. Doctors can continuously monitor patients and get alerts, instead of seeing them for five minutes once a year. And we can track pandemics and public health to enable better response to disease.

“For security, it’s about developers and security teams. With instrumentation they aren’t spending their time with manual scans and analysis. Instead, developers are empowered to write secure code themselves. And in addition to accelerating development teams’ ability to deliver innovation, security experts can focus on more strategic issues, like security architecture, threat modeling, and threat intelligence.”

Use the power of Contrast’s Runtime Security to improve the security and efficiency of your application operating mode.

We can show you why instrumentation is a slam dunk for security: Join us on a no-pressure, no-commitment demo call. 

Read more:

• Instrumentation | Contrast Security Glossary
• Changing the AppSec Game with Security Instrumentation | Contrast Security blog
• Using Security Instrumentation to Analyze and Protect Software | Contrast Security eBook
• Contrast extends instrumentation expertise to serverless applications | Contrast Security blog
• AppSec Instrumentation Addresses AppSec Skills Shortage | Contrast Security blog
• Using Instrumentation to Find Web Application Vulnerabilities | Contrast Security blog
• 4 Reasons to Automate Security Testing with AppSec Instrumentation | Contrast Security blog
• How to Build Awesome Security Instrumentation to Automate AppSec Testing and Protection | OWASP whitepaper (PDF)