
How Contrast ‘secures from within:’ Code vulnerabilities set off smoke alarms; runtime incidents & cyberattacks trigger the sprinklers


What does Contrast Security mean when we say “secure from within?” 

We mean proactive security, as in, everything you do before an attack, as opposed to the all-too-common flailing after you’ve been torched. We mean securing an application so well from the inside that you proactively keep the bad guys out. 

There’s been a lot of talk about this subject.

But what does “proactive” entail? Does it refer to preemptively identifying security vulnerabilities in your applications that could lead to breaches and successful attacks? 

Or how about implementing processes to identify threats before they’re exploited? Does it mean your applications are protected in production in case your Application Security Testing (AST) tools miss something or your teams are too busy digging out from vulnerability backlogs to stop a risk that slips through to production? 

The answer is that proactive security/secure from within boils down to prevention, the gist being “anything besides our current knee-jerk reactions.” It means backing away from purely reactive security processes, as in, responding to attacks only after they occur; after ransomware burns your data and your business to a crisp; after you get steamrolled by another Log4Shell; after your customers’ data has been exposed; after your brand is trashed because attackers have used your compromised system to island hop onto your customers’, suppliers’ and partners’ systems; after you wind up skewered in headlines. 

Of course, businesses need to invest in robust, infrastructure-level security practices, such as log monitoring, attack detection and response, and security information and event management (SIEM). These practices and technologies work by responding to incidents and stopping the ongoing attack or business disruption before it causes even more damage. But no matter how fast you respond, there’s almost always at least some damage, and there are cases where you’re essentially closing the barn door after the horse has bolted.

A purely reactive approach isn’t enough. Chief Information Security Officers (CISOs) and other security leaders, along with the security organizations they lead, need to know what vulnerabilities exist in their ecosystems before they’re exploited. They need to know the severity of those vulnerabilities and how to fix them. And once the application is running, you want a solution that automatically hardens it before the first attack is even attempted. This type of proactive approach enables an organization to identify and prevent incidents from doing damage in the first place.

That’s exactly what Contrast does. The Contrast Runtime Security Platform doesn’t just detect vulnerabilities in code. Our technology also keeps bad things from happening by blocking attacks in production. It does so by injecting security directly into the application.

We use instrumentation to change the code as it loads at runtime, equipping it with security checks that make it safe against misuse by developers and abuse by attackers. That’s what we call “secure from within”: The platform both detects vulnerabilities and blocks attacks.

Comparing SAST and DAST with the ‘secure from within’ security approach

Secure from within is different from trying to secure apps from outside the app, as is done with black-box testing to find externally visible issues and vulnerabilities with Dynamic Application Security Testing (DAST): an approach that can require days of scanning, relies heavily on experts to write tests, lacks insight into an application’s health and behavior, and misses a lot.

Since DAST works from the outside-in, it can only detect vulnerabilities that the tools can actually exploit and detect in the HTTP response. Possibly the worst part: DAST tools can only scan the “front door,” not all the back-end interfaces and connections in modern applications. Bottom line? DAST takes a lot of work and misses a lot.

SAST tools are another outside-in approach: They’re often used in development pipelines to find vulnerabilities early, but they only look at source code, so they can’t see how the fully assembled application actually works. 

When it comes to web application firewalls (WAFs), they can't protect against attacks from back-end systems. Neither can they protect against SQL injection attacks such as the MOVEit breach: a type of attack we’ve known about for 25 years and which WAFs still can’t stop. WAFs also spout a constant stream of false negatives and positives, sitting at the front of your infrastructure, where they can’t take into account its ephemeral, modular, distributed nature.

Your WAF doesn't have your back

This state of affairs isn’t cutting it. Today's complex environment requires a holistic view, with a unified approach that can navigate the multifaceted structure of modern applications: one that’s constantly shifting, given the realities of dynamic, cloud-based or containerized environments. The smarter approach is to climb out of the black box and instead secure from within. 

Secure from within

Here’s a rough analogy: Contrast’s Runtime Security Platform is similar to the technologies you use to keep your house from burning down. It smells the smoke of vulnerabilities, alerts your developers, pinpoints where the risk lies within your code, gives guidance on remediating it and, if a fire does start in production, triggers the sprinklers by blocking attacks on even unknown vulnerabilities. 

After all, sometimes, firefighters are too late. Your house has already burned down by the time they arrive. You need your house to sense — and extinguish — fires on its own. That’s secure from within. 

Comparing security risks to catastrophic fires isn’t hyperbole. Companies have been snuffed out as a consequence of cyberattacks. Travelex is one such: The company filed for bankruptcy in January 2020 after a cyber attack struck on New Year's Eve.

Here’s how Contrast’s secure from within approach works: 

1. Contrast Security smells the smoke and detects vulnerabilities

Contrast Security starts by analyzing applications with Contrast Assess, an Interactive Application Security Testing (IAST) tool that detects vulnerabilities. It will find vulnerabilities in both the first-party code you write and known vulnerabilities in the third-party code you import (i.e., Common Vulnerabilities and Exposures, or CVEs). Vulnerabilities are detected (poorly, but detected all the same) by Static Application Security Testing (SAST) tools, and CVEs are detected by Software Composition Analysis (SCA) tools, but Contrast Security has a trick up its sleeve that neither of these technologies has. By doing whole code analysis – going down into third-party dependencies – it can both detect and block unknown vulnerabilities in those dependencies, adding security checks and creating trust boundaries around dangerous methods. For now, think of it as a way to fireproof incendiary materials in your application/house to prevent them from igniting.

In fact, Contrast blocked the following zero days before they were disclosed:

Zero Days Blocked Before Discovery Hall of Fame

Contrast Security detects and prevents exploitation against entire classes of vulnerabilities via embedded detection rules.

Examples of zero days that Contrast mitigated before they were discovered (before CVEs were issued):

2. Contrast Security sounds the alarm to remove vulnerabilities

Contrast Assess does more than just sniff out vulnerabilities; it’s the alarm that alerts development teams so they can permanently remove the vulnerability. Think of it as replacing all the wood in your house that Contrast had previously, and automatically, coated with metal to render it non-combustible. At that point, you don’t even need treatment for the vulnerability, because it can’t catch fire.

It doesn’t sleep: The IAST solution continuously detects and prioritizes vulnerabilities and guides developers on how to eliminate them. It does so by generating diagrams illustrating the code context of the vulnerability, including data flows, so even the most junior developer can see how to remove the vulnerability.

Contrast Assess also maps the URLs (aka “routes”) of the app or application programming interface (API), showing exactly how the vulnerability is reached, pointing to the exact line of code where a vulnerability appears and explaining how the code is vulnerable.

3. Contrast Security triggers the sprinklers, erecting mini-firewalls around dangerous functions in production

The root cause of all vulnerabilities and all attacks is dangerous functions: the callable units of code — be they procedures, methods or subroutines — in the code you write or within third-party dependencies. These functions perform critical tasks such as creating files, parsing documents, executing native commands, deserializing objects and making database queries, all of which are necessary for the application to provide functionality but can cause harm if misused.

Contrast instruments the code itself, at runtime, injecting trust boundaries around those dangerous functions: hence the term “secure from within.” By hardening those functions, Contrast prevents them from being abused. Contrast Security is the only Application Security Testing (AST) tool that addresses this root cause of dangerous functions.

We take the kindling — all those dangerous functions — and we instrument them, dousing the kindling in fire repellent. 
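As an added illustration (not Contrast’s code or its API) of what a runtime trust boundary around a dangerous function looks like in miniature: an instrumented sqlite3 cursor records values that enter from an untrusted source and blocks a query when one of them was concatenated into the SQL text rather than bound as a parameter, while logging the event. The names mark_untrusted, GuardedCursor, blocked_log and the sample rows are invented for this example.

```python
import sqlite3

# Constructed illustration of a runtime "trust boundary" around a dangerous
# function (sqlite3 query execution). Not Contrast's agent or its API.

class BlockedCall(Exception):
    """Raised when untrusted input reaches the query text of a dangerous call."""

_untrusted = []   # values that entered the app across a trust boundary
blocked_log = []  # constructed audit trail of blocked calls

def mark_untrusted(value):
    """Record a value from an untrusted source (e.g. an HTTP parameter)."""
    if isinstance(value, str) and len(value) >= 3:  # tiny values cause false hits
        _untrusted.append(value)
    return value

class GuardedCursor(sqlite3.Cursor):
    """Cursor whose execute() is instrumented: if a recorded untrusted value
    appears verbatim in the SQL text, the input was concatenated into the
    query rather than bound as a parameter, so the call is logged and blocked."""
    def execute(self, sql, parameters=()):
        hits = [v for v in _untrusted if v in sql]
        if hits:
            blocked_log.append({"function": "Cursor.execute",
                                "input": hits[0], "sql": sql})
            raise BlockedCall("untrusted input reached query text: " + hits[0])
        return super().execute(sql, parameters)

def setup_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user')")
    return conn

def lookup_vulnerable(conn, name):
    """String-built query: the guard fires whenever an untrusted value is used."""
    cur = conn.cursor(factory=GuardedCursor)
    cur.execute("SELECT role FROM users WHERE name = '" + name + "'")
    return [row[0] for row in cur.fetchall()]

def lookup_safe(conn, name):
    """Parameterized query: the value never enters the SQL text, so it passes."""
    cur = conn.cursor(factory=GuardedCursor)
    cur.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]
```

The guard is value-based rather than a real taint-tracking engine, so it is a teaching sketch of the mechanism, not a drop-in protection.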

Why Contrast Security?

The Contrast Platform adopts an application-level zero-trust approach through its Runtime Security product, which unifies IAST, RASP (Runtime Application Self-Protection) and runtime SCA (Software Composition Analysis) into one product. It actively monitors and analyzes application behavior in real time, surrounding dangerous functions with trust boundaries, identifying vulnerabilities in the development and testing phase, and blocking attacks in production.

We alert your incident response people when dangerous functions have been invoked without proper sanitization, and we give the developer instant feedback on vulnerabilities that need to be eliminated to achieve a permanent fix. Think of runtime security as adding a security boundary around each application — in essence, a mini-firewall — that protects it in production and gives rich feedback in the development phase.

Once we've hardened an application’s methods, it’s now secure from within. 

We put the security in exactly the right place — where it should have been from the beginning.

Lisa Vaas, Senior Content Marketing Manager, Contrast Security

Lisa Vaas is a content machine, having spent years churning out reporting and analysis on information security and other flavors of technology. She’s now keeping the content engines revved to help keep secure code flowing at Contrast Security.