
Trust ‘zero trust’ for Application Security


The perimeter cybersecurity model is like the defensive walls that surround ancient cities. For thousands of years, these walls provided stout defense against invaders arriving by horse and on foot. 

Those defenses are obsolete. Ancient cities have sprawled far beyond the confines of their walls, and people and commerce need to move freely through the old perimeters. Threats have changed, too — they’re arriving by motorized transport, or by air, or by terrorist attack. 

Similarly, perimeter security is nearly useless for cyberdefense today, because the perimeter has disappeared. Modern enterprises use technologies distributed across cloud providers, application programming interfaces (APIs), microservices, containers, multiple data centers, software as a service (SaaS) and more. It’s impossible to wrap all those assets in perimeters. 

There are no insiders anymore. Or outsiders. Because there’s no perimeter. 

Instead of perimeter defense, organizations need to implement a “zero-trust” security posture.  

Zero trust replaces the old model of perimeters and firewall boundaries that attempt to detect and block incoming bad behavior. Under the zero-trust model you no longer reason about where a workload is running. Instead, everything is assumed to be reachable from the public internet, including your internal applications, so every request must be authenticated and authorized on its own merits rather than trusted because of the network it arrived from.

Forrester Research defines zero trust as an information security model that denies access to applications and data by default. Access to applications and data has to be earned.
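The difference between the two models is easiest to see in a request-authorization check. The following is an added example (not code from the original post, and not Contrast's product) that contrasts a perimeter-style check, which trusts any caller inside a private address range, with a deny-by-default zero-trust check that verifies the caller's identity and the policy on every request and ignores the source network entirely. The signing key, the policy entries, the `Request` shape and all helper names are constructed for illustration.

```python
"""Deny-by-default authorization versus perimeter trust (constructed example)."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed demo key shared by the token issuer and this service; not a real secret.
SIGNING_KEY = b"constructed-demo-key-do-not-use"

# The "inside the walls" range a perimeter model trusts implicitly.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed policy: (subject, action, resource) tuples that are explicitly allowed.
# Anything not listed here is denied; that is the "access has to be earned" rule.
POLICY: Set[Tuple[str, str, str]] = {
    ("alice", "read", "/api/reports"),
    ("alice", "write", "/api/reports"),
    ("bob", "read", "/api/reports"),
}


@dataclass(frozen=True)
class Request:
    source_ip: str            # where the packet came from
    token: Optional[str]      # "subject.hexsignature", or None when unauthenticated
    action: str               # e.g. "read" or "write"
    resource: str             # e.g. "/api/reports"


def mint_token(subject: str) -> str:
    """Issue a bearer token binding a subject name to an HMAC over it."""
    sig = hmac.new(SIGNING_KEY, subject.encode(), hashlib.sha256).hexdigest()
    return f"{subject}.{sig}"


def verify_token(token: Optional[str]) -> Optional[str]:
    """Return the subject if the token's signature checks out, else None."""
    if not token or "." not in token:
        return None
    subject, sig = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, subject.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    return subject if hmac.compare_digest(sig, expected) else None


def perimeter_authorize(req: Request) -> bool:
    """Old model: anyone already inside the internal network is trusted."""
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NET


def zero_trust_authorize(req: Request) -> bool:
    """Zero-trust model: deny unless identity is proven AND policy grants the action.

    The source address is deliberately never consulted: an attacker who lands on
    an internal host gets no more access than one arriving from the internet.
    """
    subject = verify_token(req.token)
    if subject is None:
        return False
    return (subject, req.action, req.resource) in POLICY


if __name__ == "__main__":
    # An unauthenticated caller on the internal LAN: allowed by the wall, denied by policy.
    lan_stranger = Request("10.2.3.4", None, "read", "/api/reports")
    print("perimeter :", perimeter_authorize(lan_stranger))    # True
    print("zero trust:", zero_trust_authorize(lan_stranger))   # False

    # A properly authenticated user on the public internet: the reverse.
    alice_remote = Request("203.0.113.5", mint_token("alice"), "write", "/api/reports")
    print("perimeter :", perimeter_authorize(alice_remote))    # False
    print("zero trust:", zero_trust_authorize(alice_remote))   # True
```

The point the example makes is the one in the Forrester definition: the zero-trust path starts from "denied" and only flips to "allowed" when a verifiable identity matches an explicit policy entry, so a compromised internal host, a forged token, or an authenticated user asking for more than they were granted all fall through to the same default.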

Zero trust is a powerful security model for defending enterprise assets. It is also required of U.S. federal agencies by mandates designed to vastly improve cybersecurity and agility, notably Executive Order 14028 and OMB Memorandum M-22-09.

Still, it’s a heavy lift for organizations accustomed to traditional, perimeter-based security.

Data is the gold

Data is the goal of hackers today, as noted by John Kindervag, the father of zero trust. Hackers target a person, network or device, but they don’t actually care about those things. What they’re really after is the data to which a targeted person, network or device has access.

Data is gold, and Application Security (AppSec) is essential to securing that gold.

Unfortunately, most government agencies aren’t prioritizing securing data and applications. Instead, because organizations historically prioritize perimeter security, they’re focused on securing networks and identity. It’s human nature to continue along familiar paths, even when faced with a new challenge.

Until recently, organizations haven’t had the tools to secure applications. Familiar AppSec companies provide Static Application Security Testing (SAST) and dynamic scans that are basically just quality assurance reports. They tell you that you have a problem and how to fix it, but they don’t correct the problem.

Contrast Security’s runtime protection, by contrast, not only detects and reports problems but also blocks attempts to exploit them while the application is running.

Implementing Zero Trust Pillar 4: Applications

Application and API security are essential to implementing zero trust, as reflected in the U.S. Cybersecurity & Infrastructure Security Agency (CISA) Zero Trust Maturity Model, which identifies five pillars to zero trust: Identity, devices, network, applications and data.

Contrast Security focuses on the fourth pillar: Applications. 

Applications: It’s what we do.

If your applications and APIs aren’t secure, the rest falls apart.

How Does Contrast Support Zero Trust?

Pillar 4.1, Application Access: Contrast helps to ensure that attackers cannot exploit application/API vulnerabilities to bypass access control mechanisms. However, Contrast doesn’t enforce access control itself.

Pillar 4.2, Application Threat Protections: Contrast ensures that both known (CVE) and unknown vulnerabilities in applications cannot be exploited by attackers. This applies to both libraries (such as Log4j) and custom application and API code. Contrast provides complete threat visibility at the application layer.

Pillar 4.3, Accessible Applications: Contrast is widely used to protect applications and APIs on the public internet. Many organizations add Contrast to their platform as part of a cloud or zero-trust transformation effort, so that all applications and APIs are protected.

Pillar 4.4, Secure App Dev and Deploy: Contrast provides instant, accurate, and comprehensive library analysis and vulnerability testing that naturally integrates into CI/CD pipelines, along with integrations to provide instant feedback.

Pillar 4.5, Application Security Testing: Contrast provides unparalleled application security testing that runs continuously during development and quality testing. Contrast’s results are reported instantly, are far more accurate than traditional SAST and DAST tools, and can scale to many thousands of applications in parallel.

Pillar 4.6, Visibility and Analytics: Contrast provides extensive analytics around application security telemetry gathered from development, testing, and production environments. Contrast enables policy enforcement across an application portfolio and metrics to ensure compliance and continuous improvement.

Pillar 4.7, Automation and Orchestration Capability: Contrast is fully automated and can be run continuously on many thousands of applications in parallel. Every project will have real-time dashboards, notifications, and integrations into tools already being used. All data is accessible via a fully supported REST API.

Pillar 4.8, Governance Capability: Contrast enables full policy control over an entire portfolio of applications and APIs. Contrast includes numerous dashboards and reports that can be used to govern application security at scale and drive improvement.


‘Explode, offload, reload’

Edward Amoroso, founder and CEO of TAG InfoSphere and former CISO of AT&T, uses the catchphrase “explode, offload, reload” to describe the process of moving to zero trust from traditional perimeter-based security. What that phrase means:

  • First, explode monolithic workloads into multiple services.
  • Then offload — as in, move services to the cloud.
  • Then reload: Implement new security defenses to protect workloads, using modern technologies that work in the cloud environment.

An empty wagon that fills on the journey

Implementing zero trust is a big undertaking. Start with what you have. That’s good advice from Gerald Caron, CIO for the International Trade Administration.

  • Start implementing zero trust with minor tweaks without requiring a complete overhaul.
  • Take an inventory of small steps, knowing it will be a multi-year, incremental process.
  • Plan, execute the plan and then revise as needed.
  • Don’t rush into a big purchase that ends up not working out.
  • Implement pilot projects early, assemble teams and transform a few apps at a time.
  • Spread out and standardize lessons learned.

In other words: Slow down to go fast. Transitioning from perimeter security to zero trust is a slow, incremental process. But zero trust enables rapid development and innovation and faster deployment of value to your customers.

Transforming the organization for zero trust is like a wagon that’s empty when it starts a journey. People climb on board, and pretty soon, you’ve become a zero-trust organization culturally, and your people get it. That’s the path to success.

By replacing perimeter security with modern zero-trust security, organizations can protect their most valuable assets: the applications and data they need to run the business.

To learn more about zero trust, the CISA fourth pillar, and how Contrast Security can help you implement zero trust, watch the recording of my recent LinkedIn Live session with James Kovach, Contrast Security’s Federal Sales Specialist: “What’s your Zero Trust strategy? What’s your Pillar 4 solution?” 

For more details on how Contrast maps to the functions of the Applications pillar (Pillar 4), see the accompanying report.

CISA’s Zero Trust Maturity Model, which defines Pillar 4, is available for download from CISA.


Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.