Surag Patel, Contrast Security: a single point of code insertion can have monumental repercussions
The increasing digitalization of business processes calls not only for a safe but also a next-generation approach to application security.
Many businesses turned to digital transformation, building new applications and enhancing existing ones, to sustain operations during the pandemic and to lay the groundwork for emerging from it. As those efforts accelerated, demand for new software grew in virtually every industry. This placed an enormous burden on developers to deliver more, and faster, which created significant application security challenges even for modern software development teams.
A recent study found that 79% of developers are under pressure to shorten release cycles and commit code more quickly. At the same time, 85% of developers admit that their average application contains 10 or more vulnerabilities.
We reached out to Surag Patel, Chief Strategy Officer at Contrast Security, to discuss the company’s next-gen approach to application security and various cyber threats that come along with using or developing applications.
How did the idea of Contrast Security come to life?
Contrast was founded on the evidence that traditional application security methods are broken and that new, embedded approaches are needed. Embedded approaches bring differentiated benefits of accuracy, simplicity, scalability, and continuous results to transform legacy approaches.
Our founders had used all the legacy state-of-the-art tools and realized they were insufficient for modern software. They were inspired by the idea of “MRI Contrast dyes” that are used in MRI medical imaging to get a significantly more detailed, accurate, and in-depth view of the human body. Contrast Security, the idea, and the name were born on this idea.
As modern applications evolve to become much more distributed and complex, traditional “outside-in” application security tools no longer do an adequate job of finding application vulnerabilities. To address this problem, Contrast observes running applications from the inside—which offers better visibility of actual vulnerabilities present in the code. Our unique approach to security instrumentation embeds an entire platform of application security tools inside the code of an application to assess vulnerabilities and protect against attack, from development through production.
The Contrast Application Security Platform transforms application security into an enabler of digital transformation, with 28.7x faster mean time to remediation (MTTR) of vulnerabilities.
You talk about providing “just-in-time” how-to-fix guidance that helps developers remediate security vulnerabilities in real-time as they code. Can you tell us more about this?
Contrast's innovative Security Trace format helps developers remediate software vulnerabilities in real time by pinpointing exactly where a vulnerability appears and providing line-of-code insights for repairing the issue. This kind of “just-in-time” contextual guidance is specific to the code that is being fixed and the vulnerabilities found by the Contrast Application Security Platform.
Are there any security measures widely used nowadays that, in your opinion, don’t do the job properly or pose some major risks? Why do you think people still turn to these solutions?
Static application security testing (SAST) and dynamic application security testing (DAST) have both been primary tools for testing applications in development over the last two decades. In recent years, development cycles have started to move much faster thanks to DevOps and Agile processes as well as modern cloud platforms. Application code has also grown in volume and complexity through the adoption of open-source libraries and application programming interfaces (APIs). And yet the traditional static analysis tools that many organizations still use have not fundamentally advanced since the early 2000s—while offering only about 26% accuracy in their results. Legacy SAST scans now generate so many false positives that outputs have become mathematically impossible for security teams to triage. This is why more than half (55%) of developers currently admit to sometimes skipping scans altogether.
Code scanning remains an established need in many organizations; existing processes are designed around it and those are hard to change. For SAST to evolve into an effective tool for today’s needs, it needs to look for the real risks posed by the application. This requires a modern approach to scanning—one that can identify the most critical true positive vulnerabilities without the distraction of noise created by large volumes of false positives and low-value findings.
Besides providing application security, you also have a research team at Contrast Labs. Which issues do you focus on?
Contrast Labs is a team of accomplished cybersecurity researchers and industry experts who perform application security threat analysis, security analytics, and other security research to help enterprise clients develop more proactive application security programs. They also lead efforts to update the Contrast Application Security Platform to respond to new threats they discover. As a part of this work, the Contrast Labs team also developed the Contrast RiskScore, including its soon-to-be open-source algorithm, that provides an objective, real-time view of the relative risk posed by different vulnerability types and attacks.
In the last year, Contrast Labs has discovered 20+ new vulnerabilities (CVEs) in products by Microsoft, Google, Docker, Slack, Facebook, Jenkins, Zoom, OpenMRS, Sonatype Nexus, Atlassian Jira, Electron, Zulip, and more.
The Contrast Labs team offers a combined 135 years of experience in application security with members that include co-founders of OWASP, a tech reporter for InfoQ, and a tech advisor for PolicyPak. Contrast Labs publications include annual research reports, studies on specialized topics in the field, bimonthly security intelligence analysis, as well as ongoing findings throughout the year in our regularly published blogs, podcasts, and videos.
You recently named dependency confusion “a new third-party risk to the software factory.” Can you tell us more about it?
“Dependency Confusion” is an attack technique that can be used to poison the application-building process. Such attacks fall under the broader umbrella of recent attacks against the “software factory”—the tools and processes used for building applications (including coding, building, integrating, testing, delivering, deploying, operating, and monitoring). At the time of its initial public disclosure, dozens of major software solutions were found to be vulnerable.
Dependency confusion generated a lot of interest because of its potential reach. A single compromise can have a very widespread impact. For example, researchers at Contrast Labs helped uncover a critical dependency confusion vulnerability in Microsoft Teams. Microsoft Teams is a major collaboration tool that helped businesses around the world sustain operations during the first months of the pandemic. Its number of daily average users (DAU) increased from 44 million to 75 million from April to May 2020—reaching 115 million users by the end of the year. If a malicious attacker were to execute code on a Microsoft Teams build server for a desktop application update that was about to be distributed, they could potentially compromise every desktop using Microsoft Teams around the globe.
This kind of threat is very dangerous because a single point of code insertion can have monumental repercussions—potentially affecting as many organizations as the SolarWinds debacle.
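As an added illustration of the build-process check a defender would want here (example code, not from the interview or from Contrast's products): a small audit of an npm package-lock.json that flags any package under an internal scope that was resolved from a registry other than the private one, which is the symptom a dependency confusion substitution leaves behind. The scope `@acme`, the registry hostnames and the lockfile contents are constructed for the example.

```python
"""Audit an npm package-lock.json (v2/v3 "packages" layout) for packages under
an internal scope that resolved from somewhere other than the private registry."""
import json
from urllib.parse import urlparse

# Constructed sample lockfile, not from any real project. "@acme/updater" is
# the suspicious entry: an internal name resolved from the public registry at
# an implausibly high version.
SAMPLE_LOCK = json.dumps({
    "name": "desktop-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "desktop-app", "version": "1.0.0"},
        "node_modules/@acme/telemetry": {
            "version": "1.4.2",
            "resolved": "https://npm.internal.example/@acme/telemetry/-/telemetry-1.4.2.tgz",
        },
        "node_modules/@acme/updater": {
            "version": "99.0.0",
            "resolved": "https://registry.npmjs.org/@acme/updater/-/updater-99.0.0.tgz",
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
    },
})


def audit_lockfile(lock_json, internal_names, private_host):
    """Return (package, version, host) for every internal package whose
    'resolved' URL does not point at private_host. internal_names may hold
    scopes such as "@acme" or exact package names."""
    lock = json.loads(lock_json)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # root project entry or a workspace, not a dependency
        name = path.rsplit("node_modules/", 1)[1]  # works for nested node_modules too
        if not any(name == n or name.startswith(n + "/") for n in internal_names):
            continue
        host = urlparse(meta.get("resolved", "")).hostname or "<no resolved URL>"
        if host != private_host:  # a missing URL is treated as a finding as well
            findings.append((name, meta.get("version", "?"), host))
    return findings


if __name__ == "__main__":
    for name, version, host in audit_lockfile(SAMPLE_LOCK, ["@acme"], "npm.internal.example"):
        print(f"FAIL {name}@{version} resolved from {host}")
```

Running this in CI before `npm ci` fails the build when an internal name has drifted to the public registry, independent of what the registry configuration says.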
Which best practices should organizations follow when implementing AppSec?
The best thing that any organization can do today to improve the efficacy of their AppSec program is to embrace the concept of DevSecOps.
The speed of modern development cycles combined with an increasingly opportunistic threat landscape, created conditions where application security and development team priorities are no longer in alignment. The only way to address this disharmony is to eliminate the systemic bottlenecks that currently put development and security teams at cross purposes.
Organizations need a different approach to application security—one that synchronizes the workflows and objectives of developers, operations managers, and security experts within the organization (better known as DevSecOps). Modern tools that build security into development processes can actually accelerate operations while improving the quality of software innovation. To get there, security must be able to automatically see how all parts of the application perform when it’s actually running—comprehensive observability of the entire application runtime that can accurately spot vulnerabilities in development and block exploits in production.
This is precisely what Contrast’s platform-based approach to AppSec achieves. The combined capabilities of the Contrast Application Security Platform cover all parts of an application (including custom code, open-source components, and APIs) across the entire software development lifecycle (SDLC). By providing comprehensive security at the speed of DevOps, Contrast makes DevSecOps a reality. It accelerates testing and remediation processes, reduces code vulnerabilities, and provides air-cover protection against unknown threats in production.
Which security solutions are going to gain popularity in 2022?
The cloud continues to be a boundless source of transformative innovation and breakthrough capabilities. But security remains an open question in a lot of circumstances.
For cloud-native companies, or for enterprises migrating their development environments to the cloud, the Contrast platform provides application security testing natively designed for the cloud environments in which it operates (e.g., AWS, Azure). Contrast also offers numerous integrations with cloud-based integrated development environments (IDEs), continuous integration/continuous deployment (CI/CD) environments, as well as quality assurance and operations tools. These integrations make it easy for cloud developers to close application-layer security gaps in the course of their usual work processes, using the tools they already know.
Containers are another key security trend to track in 2022. Containers accelerate and simplify application deployment, whether they’re in the cloud or on-premises. But containerized applications still must be tested for vulnerabilities and protected from attacks in production. The tricky part is that containers have short life spans—which means that monitoring them (especially during runtime) can be difficult. Contrast’s instrumentation-based approach allows organizations to integrate security into the application code itself, wherever it resides, even if it’s inside a container and hosted in the cloud. Instrumentation provides comprehensive visibility, monitoring, and automation capabilities across all parts of the application at all times.
Finally, Forrester predicts that 25% of developers will use serverless technologies by the end of 2021 to help accelerate the pandemic recovery. But as organizations embrace serverless for developing and hosting applications, legacy application security testing (AST) tools are failing. Specifically, because traditional AST solutions weren’t built for serverless, they don’t have sufficient visibility of all the contextual parts of these applications. This results in blind spots that greatly diminish traditional testing accuracy. Therefore, purpose-built AppSec for serverless environments will be a pressing need in the coming months.
What’s next for Contrast Security?
We have a number of really exciting things coming up with regard to expanding our platform to different languages and integrating security for cloud-native applications.
With respect to the previous question about the limitations of traditional SAST scanning tools, we’ve just released the industry’s first static analysis scanning tool designed specifically for developers and modern development environments. As a complement to the Contrast Application Security Platform, Contrast Scan delivers a breakthrough, pipeline-native approach to scanning. It combines demand-driven static analysis, risk-based policies, and a product design that helps developers to find and remediate vulnerabilities in real time as they code. Adding Contrast Scan to our comprehensive platform of solutions strengthens Contrast’s mission to secure and protect software across the entire software development life cycle (SDLC).