On April 30, 2025, Jeff Williams, Founder and CTO of Contrast Security, spoke with Techstrong's Alan Shimel at RSA Conference about the critical role of application security and the move away from securing web applications only before they are deployed. Runtime security identifies vulnerabilities while the code is actually running, and Jeff addressed the limitation of traditional AppSec, which stops at the deployment event horizon. Jeff also noted that Contrast Application Detection and Response (ADR) integrates with existing operations tooling such as the SIEM. The observability provided by Contrast ADR, coupled with AI, improves threat modeling and risk evaluation.
Jeff brings more than 20 years of security leadership experience as Founder and Chief Technology Officer of Contrast. In 2002, Jeff co-founded and became Chief Executive Officer of Aspect Security, a successful and innovative consulting company focused on application security. Jeff is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for eight years and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects. Jeff has a BA from the University of Virginia, an MA from George Mason, and a JD from Georgetown.
As founder, CEO, and editor-in-chief at Techstrong Group, Alan manages a broad array of businesses and brands including Techstrong Media (DevOps.com, Security Boulevard, Cloud Native Now, Digital CxO, Techstrong.ai, Techstrong ITSM and Techstrong TV), Techstrong Research and Techstrong Learning. To do so and succeed, Alan has to be attuned to the world of technology, particularly DevOps, cybersecurity, cloud-native and digital transformation. With almost 30 years of entrepreneurial experience, Alan has been instrumental in the success of several organizations. Shimel is an often-cited personality in the security and technology community and is a sought-after speaker at conferences and events. In addition to his writing, his DevOps Chat podcast and Techstrong TV audio and video appearances are widely followed. Alan attributes his success to the combination of a strong business background and a deep knowledge of technology. His legal background, long experience in the field and New York street smarts combine to form a unique personality. Mr. Shimel is a graduate of St. John's University with a Bachelor of Arts in Government and Politics, and holds a JD degree from NY Law School.
Alan Shimel
Hey, everyone. We're back here live at RSA conference.
It's Wednesday morning. Things are starting to kick up here. We've already had a full day, of course.
My next guest needs no introduction to our audience here. He's one of our good friends.
I don't wanna embarrass him. He's one of the founders of the AppSec movement. Right? Early on with OWASP, everything else.
Jeff Williams
CTO and founder of Contrast Security.
Alan
Yep. My friend, Jeff Williams. I knew you were co-founder, but I always say CEO and it's CTO.
That's why I wanted to make sure I got it right.
Jeff, it's great to see you here. What is this? Maybe seven, eight RSAs?
Maybe there's some people out here who don't know Contrast Security. Just quickly, if you don't mind.
Jeff
So we're an application security company.
Application security risk is accelerating really quickly now, particularly with Vibe Coding and other things. And we take a runtime approach to application security. So we actually watch the code run, give you real details on what's really exploitable, who's attacking you, what libraries are actually in use. Like, it's all measured directly from a running application. So it's real. It's not theoretical results.
And, we do that to keep you safe and, more importantly, your customers and children safe.
Alan
Absolutely. Well, no kidding what children say. You know, Jeff, one of the interesting things about Contrast, and I've told this to people before, and I've got this spiel down now, is that much of the AppSec industry focuses on the security of the application before the event horizon of deployment. Yes.
Right? And that's, like, sort of a black hole. Right? That deployment event horizon. And, if we could say, all of our AppSec focus is left of that horizon.
Traditionally. And for good reason. It's supposedly faster, cheaper, more efficient.
Well, we should talk about that.
But recently, I know Contrast – what was the movie? Interstellar? Remember that movie? You've gone through the event horizon.
We're gonna come out the other side.
And one of the few AppSec vendors that actually has a story about real runtime application security.
And to me, that's what sets you apart. I don't know as a CTO, you have a better handle on this than me. But as an observer, that's what sets it apart.
Jeff
Well, you're exactly right.
Traditionally, we've put a lot of bets down on helping developers write perfect code. Yeah. But I don't know. Do you feel like developers are writing perfect code?
Alan
I don't think there is such a thing as perfect code is the problem.
Jeff
And I think it's like a holy grail. And it's a moving target.
Yeah. Because stuff changes. It's like saying I'm never gonna publish something that doesn't have vulnerabilities.
And so we've put a lot of bets on that. And frankly, it's not delivering. Right? Like, most companies have massive backlogs of vulnerabilities that they're not triaging.
That whole approach to the problem just doesn't really work. And so we had the insight to say, hey, you know what? In production, we can see everything.
It's not, you know, in development, where you see pieces of applications. You see one repo of twenty. You see the libraries. You see the source code.
You see the APIs. They're all separate.
But in production, they're all assembled together. You analyze the whole thing at once, and you can see exactly where it's being attacked, exactly where it's vulnerable. And you can help companies focus on the, you know, the few percentage points of issues that are real. The ones that have crossed the event horizon that are actually being attacked in production.
Those kinds of problems, that's where you wanna spend your very limited critical AppSec resources on fixing those problems. So even though it seems counterintuitive to focus on security to the right, because people like the idea of shifting left. Right. Problem is, it just hasn't worked.
It's backfired.
Alan
Well, I'll tell you, it's given rise to platform engineering, which is our newest site, platformengineering.com. Because I think people realize that when you over-shift left, what do you say? Your developers, your security guy?
I'm not saying developers raise their hand and say, man, do I like to write insecure code?
Jeff
No developer says that. But you don't have developers raising their hand and say, I'm your security guy.
That's not who they are.
Also true.
And so that I think the whole rise of platform engineering is recognizing we can't ask developers to build their own secure platform in addition to coding their apps. Someone's got to do it. Yeah.
So the way runtime security works is very much like other kinds of detection and response, like EDR and CDR. Sure. The one thing to realize, those technologies don't stop application layer attacks. Right? They see stuff in the kernel layer or in the cloud or whatever, but there's a gap, the application layer.
And so into your platform, you install ADR, and it instruments the actual running applications and watches it as it runs. That's how you detect things with full context. And so after that, it works just like the rest of the XDR ecosystem.
Telemetry gets collected. There's a dashboard, but it also goes into your SIEM, and you can correlate it with the rest of your events and so on. But it's a very natural part of operations. It's just missing.
Alan
Let me ask you a question.
You know, I was at KubeCon in London last month. Observability.
Yeah. Everything's observability. It is. How does ADR play with observability, this new universe of observability?
Jeff
Yeah. It's a very similar concept. In fact, we call it security observability in context.
And observability is interesting. It started to the left of the boom, like, in development. And companies like New Relic and AppDynamics and Sony monitor development.
And then they realized, hey, what are we measuring? Test systems with, you know, not real data, not real users, not real load. And they're like, well, this isn't realistic, because they didn't have the right context. So those tools moved into production.
And they measure real reality in production.
And that's the same transformation that AppSec is going through. You measure it in test environments. You don't have enough context.
You don't have real users. You don't have real threats. You don't have real anything.
And you get all these theoretical findings. So when you move into production, that's when you're measuring reality, and you can focus on what matters. And that's what we're helping companies do.
Walking in that same footsteps here.
Alan
So in our never ending quest for the single plane of glass, do you envision a future where security observability and, you know, call it mainstream observability or whatever, can be in the same interface, could be in this the same platform?
Jeff
I could imagine that.
Although, I think it's more likely in the short term that we'll see it as part of CNAPP and SIEM kinds of integrations, since they're already collecting security telemetry and building a security graph. And our data, you know, we have a graph. It fits into the other graph. Like, that's how that works. Observability is a little bit more of a jump because it's different users, right, I think, today. But, ultimately, if we achieve the vision of DevSecOps, we'll break down those silos and everybody will be working off one model of reality. We call it a digital twin.
And it's come a long way now too, especially with AI.
So we're building a digital twin of your application layer. Not one app at a time, but the whole thing.
Alan
This is new to me from you now. Yeah. Let's start over here. Talk to me.
Jeff
So imagine you're a big complex enterprise. You've got hundreds of thousands of applications all connected to each other, APIs, containers running everywhere, all confusing.
So when you deploy Contrast, you can deploy it across that infrastructure. Like, we got a Kubernetes operator. You just push it out. It's part of platform engineering.
You push it out. Then the telemetry starts coming in. And we take all this telemetry that's coming from all these apps saying, you know, things like, what's the attack surface?
Where are the vulnerabilities? Where are the attacks? Where are the assets?
All that's coming together and we're building a digital twin. We call it the Contrast graph.
And it's a model of how your application layer works. It's a lot like the Wiz graph, except it's not infrastructure. We're talking about another layer of abstraction. All the how the application layer works.
And with that, you get a lot of benefits. You can put vulnerabilities in context and say, like, oh, well, I understand this vulnerability is in this app, which has this blast radius. And you could really get a good risk rating.
And you can use that data not just for, like, vulnerabilities and attacks, but you can use it to feed into your threat modeling process, your pen testing process.
I'm a big believer in digital twinning.
I think one of the nice things about all the AI buzz that goes on, and our ability now to kinda get our hands around bigger infrastructure or or bigger picture.
That's what we had to do to get it. Our old, you know, two years ago, Contrast's telemetry flowed into a SQL database. And that's limited.
So we moved to a modern streaming data architecture. It's Kafka. It graphs deep databases. And we've built a massively scalable data collection platform. Do that too. It's because of our new CEO from Splunk.
Oh, so obviously. And so he came in and said, hey, you know, we need to collect more data, not less.
And so we've just been enhancing our telemetry, building up also a lot.
Once you're able to get your head around or your hands around all that telemetry, now you start applying the AI and stuff like that.
You start seeing insights that you just couldn't see before. Runtime security and AI go together like peanut butter and jelly. Like, they're because runtime is real. It's measured directly from running apps.
It's not theoretical stuff. It's not false positives. So, yeah, they go together really well.
Alan
Love it. Alright. This camera's on you. Right? Okay. Tell them how did they go get this today?
Jeff
Yeah. It's easy. I mean, you can go to our website. You can learn a little more.
Alan
That's always a good first step. And the website is contrastsecurity.com. Right.
Jeff
And, there's stuff you can try if you wanna give it a spin.
We're happy to come in and do a POV with you. But the deployment process is easy. You get our installer. You just push it out to your containers or your workloads, wherever they are.
We don't really care whether it's on prem or in the cloud or whatever, whether it's APIs or applications. We support all of that. And, almost immediately, the telemetry will start flowing.
But particularly if you deploy in production, and that's really where I think you should put it. Then you're gonna see, you get amazing visibility into what's happening. I will tell you, you're probably in for some surprises.
Like, there's probably a lot more attacks going on on your application than you thought. Yep. And attackers are probably reaching vulnerabilities that you didn't think that they were able to reach. You may find some Log4Shell that you didn't know about, by the way. We always see it, it's all out there still.
Alan
Jeff, good stuff. Really good.
I'm really you know, it's not often I get to hear new stuff. Application security has not been innovating as fast. And with the boom coming from AI development, I mean, if you're producing more code or a hundred percent more code, I don't find the way the team is gonna double. So you need technologies to help you scale into that.
Jeff
We don't have enough AppSec teams as it is for what we've been doing three years ago.
Alan
Anyway, hey, man. This is great. I love it. You're doing a great job, Jeff. It's always, man. You're the best. Alright. Jeff Williams, Contrast Security.
Go check out what he was talking about here because this is the kind of stuff you're gonna need not three years from now, not two years from now. Now. We need it now. Go check it out. We're live at RSA conference.