Empowering Developers To Write Secure Code Faster

This blog originally appeared on Contrast Security with the title Contrast Community Edition Empowers Developers To Write Secure Code Faster.


As software eats the world, the world faces a software security crisis. The movement to modern software such as cloud technologies and microservice architectures is essential to innovate quickly. Yet, nearly three in four developers say that security slows down Agile and DevOps.

Neither developers nor security teams are to blame. DevOps speed is held back by a 15-year-old, scan-based application security (AppSec) model designed for the early 2000s. Traditional security tools cannot keep up with today’s rapid development pace or modern application portfolio scale. However, sacrificing security for development speed places critical and confidential personal and business information at risk—from financial to healthcare data—and can disrupt operations or even cause outages.

Code Scanners Cannot Meet Modern DevOps

Traditional AppSec models that depend on static application security testing (SAST) or dynamic application security testing (DAST) are plagued by development delays and highly inaccurate results. Scans take many hours, if not days—not ideal timelines for agile teams that ship code multiple times a day. Imagine a server bug on an e-commerce platform serving millions of customers; the company will lose thousands of dollars every second the bug remains. Teams simply cannot wait for these security scans to complete. Moreover, once the scans do complete, their results often do more harm than good, however unintentionally.

Inaccurate findings take the form of false positives and false negatives. These are foundational weaknesses of code scanners, wasting developers’ critical time on security problems that do not even exist. Code scanners cannot tell the difference between false positives and true positives because they are “blind” to the runtime context of applications: the entirety of data and control flows, internal logic, configuration and architecture, presentation view, libraries and frameworks, and the application server. That runtime context, which escapes code scanners, contains the critical pieces of information required to differentiate false positives from the vulnerabilities that are real.

Transforming AppSec with Security Instrumentation

Contrast Security transforms AppSec by offering a radically different approach. Leveraging the same type of software instrumentation approach used in other areas of modern software development such as application performance monitoring (APM), Contrast embeds security sensors in the packaged binary upon application startup. Data flow through the application, in conjunction with other important runtime context, activates an intelligent pattern-matching engine that produces accurate security insights, a technology called interactive application security testing (IAST).

Rather than focusing on time-consuming and frustrating security bottlenecks and interruptions to writing code, developers can focus on creating innovative and secure applications. Contrast eliminates code scanning and the resulting bombardment of security alerts from false-positive vulnerabilities. Security instrumentation is an excellent fit for modern software and DevOps because it is scalable. Functional tests now double as security tests: developer-friendly security tooling takes the place of scarce, expensive security experts, and development delays give way to faster time to market.

Democratizing Modern AppSec

Aspiring to make modern AppSec available to all developers regardless of their ability to pay, Contrast launched Community Edition, the only free DevOps-Native AppSec Platform designed with developers in mind. Community Edition offers near full access to Contrast’s produ