The 6 Pillars of Application Security

Once you discover a vulnerability, it instantly is super-critical information. How do you protect security vulnerabilities inside your organization? How are they stored? Who gets access? This What are people allowed to do with them? I've seen many organizations that pass them around via email. Sometimes in calendar entries. Sometimes on file systems, in Excel documents, and in web-based risk tracking applications.

At Contrast, we treat vulnerabilities as the most sensitive kind of information you can imagine.

Having a vulnerability is similar to having a password – it's the key to all the information in the application. You can use Contrast as a SAAS or On-Premises. But either way, you want some strong security around your vulnerabilities. We couldn't take security more seriously.

To that end, we based Contrast Security on 6 pillars of application security, namely:

1. Infrastructure Security
   The security of the Contrast service depends on maintaining control of our physical and network infrastructure. Contrast is hosted in a secure data center, managed by trusted staff, and our systems are kept hardened, patched, and up-to-date. Our network is defended and segmented by firewalls and we detect and block both network and application attacks. 
2. Data Protection
   Protecting your data is our highest priority. We use strong encryption throughout our system - everywhere data is transmitted or stored. We use universal authentication and access control to protect data. We have also established extensive protections against injection and other attacks.  
3. Developer Protection
   We believe that the productivity of your developers is a critical asset that deserves to be carefully protected. Contrast is carefully designed to be quick to install and use, eliminate false alarms, and never interfere with applications. Contrast also scales to large numbers of servers. 
4. Rugged Development
   To make sure that the Contrast service is designed and implemented securely, Contrast Security follows a secure development life cycle. All our developers are trained in using our standard security defenses. We have performed extensive threat modeling and minimized Contrast's attack surface. We use a powerful set of tools to protect and manage all the source code, user stories, and other software artifacts.
   
5. Security Verification
   An independent team at Contrast Security performs our proven architecture analysis, code review and penetration testing processes on Contrast. We use a custom test suite, automated security tools, and even run Contrast on itself to double-check for vulnerabilities. We are committed to finding and eliminating vulnerabilities from the Contrast service throughout our secure development life cycle.
   
6. Transparent Security
   Without information, good security decisions are impossible, so we are committed to ensure that you understand the protections that we have provided. We will notify you immediately of any security issues that might affect your business. You can export your data from Contrast at any time, and we will purge it from our systems if you decide you want to leave. 

Our Vision

We envision a world where we can trust software with the most important activities of humanity. We love software, and it hurts us to see it misused to cause harm to others. Contrast Security is committed to the highest standards of application and network security for Contrast. We secure our infrastructure, ensure data is always protected, minimize impact on developers, practice rugged software development, and carefully verify our code. At the core of our security is a commitment to transparency – across our protections, processes, and even potential problems. Those are the pillars on which we stand. And we plan on standing until we can trust software with the most important activities of humanity.

Developing and maintaining a robust application security program does not need to be a daunting task...

Perhaps, all it takes is rethinking your existing program and moving to one that leverages a continuous application security (CAS) approach. Organizations practicing CAS quickly determine how a new risk affects them, design a defense strategy, and measure their progress to 100% coverage. By implementing eight functions within an enterprise you can assemble an effective application security program.