If there’s one thing Jeff Williams learned from years and years of doing pen testing and threat modeling, it’s this: both activities are highly time-pressured.
“Every time you start pen testing and threat modeling with a new application, you have to learn everything from scratch. You have to figure out the framework, authentication, access routes and databases before you can begin,” recounted Williams, CTO and founder of Contrast Security, in a recent episode of The Application Security Podcast.
The genesis of Contrast Security was in asking a simple question: Are there ways to help the threat modeler and pen tester be more efficient? The answer was yes, and the result is Runtime Security Observability — which underpins Contrast’s Application Detection and Response (ADR) and Application Security Monitoring (ASM) technologies. It was a logical outgrowth of the company’s long history in runtime security instrumentation, he says: “We realized we could automate that whole process, observe the application as it's running and generate a security blueprint that shows how the application works and all the endpoints and security controls it connects to,” Williams sums up. “ADR builds on the amazing level of security detail that comes from these security blueprints that make detecting complex threats, vulnerabilities, and attacks much faster and more accurate.
“Shame on us for not thinking of this earlier.”
During the interview, Williams offered compelling insights into the challenges and future direction of AppSec. He covered how ADR represents an evolution in Runtime Security and the importance of the security blueprints that ADR provides. He also highlighted how ADR bridges DevSecOps, discussed the importance of a “secure by design” approach to assurance, and explained “shift smart” as a better alternative to shift left in development and testing.
The conversation offers a comprehensive overview of ADR and its role in the evolving AppSec landscape, providing valuable insights for security professionals and developers. Let’s unpack the critical themes and their significance for modern security practices.
1. ADR: An evolution of Runtime Security
Williams vividly described the pain points ADR solves: “Every time you dive into a new application, it’s like starting from zero.”
Born from that insight, ADR is the next evolution of runtime application protection and offers real-time protection for applications and APIs in production while also generating detailed security blueprints. “It’s real. It’s truth. These blueprints are directly recorded by watching running code,” he said. These blueprints map out how an application functions — covering routes, backend connections, security controls, dangerous functions, and attack surfaces — allowing threat modelers and pen testers to focus their efforts where they count. With this precision, he said, “You can easily shave 50, 75, 80% of the work.”
Unlike traditional web application firewalls (WAFs), which lack any insight into what they allegedly protect, ADR operates from within the application, enabling it to detect attacks more precisely, reducing false positives and ensuring Application Security (AppSec) without disrupting operations. “It’s not just detecting suspicious inputs — it’s detecting the root cause of application and API attacks,” Williams explained. For example, with SQL injection attacks, ADR recognizes an anomalous behavior when untrusted data alters query logic and flags the attack in real time.
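As an added illustration of the SQL injection behavior described in this paragraph (example code, not Contrast Security's product code or anything from the podcast), here is a simplified Python model of a runtime check at the query sink. It assumes the instrumented runtime already knows which characters of the final SQL string came from an untrusted source (a taint span) and uses a toy tokenizer to decide whether that span only supplies the value of a single literal or instead alters the query's token structure. The tokenizer, the keyword list, the `build_query` helper, `inspect_login`, and the sample login query are all constructed for this example.

```python
"""
Toy runtime check for SQL injection: flag a query when characters that came
from an untrusted source change its token structure rather than only supplying
the value of one literal. Added example, not Contrast Security's code; the
tokenizer and taint model are simplified assumptions about how an instrumented
runtime might reason at the query sink.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Order matters: comments and quoted strings must match before the
# single-character fallback at the end.
TOKEN_RE = re.compile(
    r"""
    --[^\n]*              # line comment
  | /\*.*?\*/             # block comment
  | '(?:[^']|'')*'        # single-quoted string literal ('' is an escaped quote)
  | \d+(?:\.\d+)?         # numeric literal
  | [A-Za-z_]\w*          # identifier or keyword
  | <>|<=|>=|!=           # two-character operators
  | \s+                   # whitespace (skipped by tokenize)
  | .                     # any other single character (punctuation, operator)
    """,
    re.VERBOSE | re.DOTALL,
)

# Constructed, deliberately small keyword list for the example.
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "INSERT",
            "UPDATE", "DELETE", "DROP", "LIKE", "IN", "IS", "NULL"}


@dataclass(frozen=True)
class Token:
    kind: str
    text: str
    start: int   # offset of the first character in the query
    end: int     # offset one past the last character


def tokenize(sql: str) -> list[Token]:
    """Split a query into tokens that carry their character offsets."""
    tokens = []
    for m in TOKEN_RE.finditer(sql):
        text = m.group(0)
        if text.isspace():
            continue
        if text.startswith("--") or text.startswith("/*"):
            kind = "comment"
        elif text.startswith("'"):
            kind = "string"
        elif text[0].isdigit():
            kind = "number"
        elif text[0].isalpha() or text[0] == "_":
            kind = "keyword" if text.upper() in KEYWORDS else "identifier"
        else:
            kind = "operator"   # punctuation, operators, or a stray quote
        tokens.append(Token(kind, text, m.start(), m.end()))
    return tokens


def build_query(prefix: str, untrusted: str, suffix: str) -> tuple[str, tuple[int, int]]:
    """Concatenate the way vulnerable application code does, and return the
    span of the result that a taint-tracking runtime would mark as untrusted."""
    sql = prefix + untrusted + suffix
    return sql, (len(prefix), len(prefix) + len(untrusted))


def untrusted_alters_structure(sql: str, span: tuple[int, int]) -> bool:
    """The detection rule: untrusted data is benign only if every tainted
    character lies inside exactly one string or numeric literal. Anything
    else (a keyword, operator, comment, quote, or a second token) means the
    input changed the query's logic, not merely a value."""
    start, end = span
    if start == end:
        return False   # empty input contributes no characters at all
    touched = [t for t in tokenize(sql) if t.start < end and t.end > start]
    return not (len(touched) == 1 and touched[0].kind in ("string", "number"))


def inspect_login(username: str) -> tuple[bool, str]:
    """Simulated sink for a login lookup built by string concatenation
    (hypothetical application code). Returns (attack_detected, query)."""
    sql, span = build_query("SELECT id FROM users WHERE name = '", username, "'")
    return untrusted_alters_structure(sql, span), sql


def quote_literal(value: str) -> str:
    """Minimal escaping that keeps a value inside one literal. Parameterized
    queries are the real fix: the data then never enters the SQL text."""
    return value.replace("'", "''")


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    samples = ["alice", "O'Brien", quote_literal("O'Brien"), "' OR '1'='1", "admin'--"]
    for sample in samples:
        detected, sql = inspect_login(sample)
        print(f"{'ATTACK' if detected else 'ok    '}  {sql}")
```

The rule classifies every token the tainted span overlaps, so an unescaped `O'Brien` is flagged even with no attacker involved: the stray quote really does break the query into several tokens, while the escaped form stays inside one string literal. Parameterized queries remain the mitigation; with bound parameters the untrusted data never enters the SQL text, so there is no tainted span to inspect.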
By filtering false positives and seamlessly integrating with security operations center (SOC) platforms like security information and event management (SIEM) and extended detection and response (XDR), ADR ensures security teams stay laser-focused on high-priority threats. As application environments grow more complex, ADR’s ability to embed protection at the application layer makes it indispensable for modern security strategies. “We need instrumentation for things that are complex and important — cars, airplanes, space shuttles,” he said. “That’s how we identify internal issues and deal with them before they become an incident. Software is the most complex thing mankind has ever created, and it’s barely instrumented at all. ADR delivers instrumentation-based runtime protection to handle the complexity of modern applications and APIs.”
2. ADR bridges DevSecOps with operational insights
Williams described one of ADR's unique advantages: how it aligns development, security and operations teams by providing real-time operational insights. “RASP was designed to sell to AppSec teams, but that creates problems because you’re selling an operations technology to AppSec, and operations says no,” he explained. “ADR speaks the language of operations by delivering real-time security insights. It’s more about events, incidents and runbooks than vulnerabilities and tickets.”
He explained that ADR enhances collaboration by removing silos between development, security and operations, helping organizations realize the true potential of DevSecOps. It ensures that security becomes an integrated part of daily operations instead of being a separate function managed by AppSec teams. This blending of functions is valuable in responding to zero-day vulnerabilities and addressing production incidents quickly and effectively.
Rather than relying on perimeter protection to identify attacks using simple patterns, ADR’s security blueprints provide detailed visibility, analysis, and context, enabling operations teams to understand and address incidents independently. Williams added, “I’m hopeful that ADR will make the Ops part of DevSecOps a reality.”
3. Secure by design: From risk management to assurance
For Williams, real security lies in “secure by design,” where systems are built with the proper controls from the outset, backed by evidence that those controls work. He emphasized that “none of what anybody in security does matters unless it’s contributing to assurance.” Simply finding vulnerabilities isn’t enough. Building systems with embedded security controls and verifiable evidence offers proactive assurance.
Williams argued that since the 1990s, the market has shifted toward risk management, fostering a reactive mindset among organizations. “We’re stuck in a low orbit around Planet Risk,” he noted, underscoring the urgent need for a proactive approach. “To achieve escape velocity and reach Planet Assurance,” he said, “companies must build systems designed to withstand expected threats while providing robust evidence for each control.” Only then can they transcend mere reaction to threats and focus on sustainable, meaningful security practices. But the gravity of Planet Risk is very strong, and almost all well-intentioned efforts to push the market towards positive security fail.
4. Shift smart: Testing where it’s most effective
While the concept of “shift left” aimed to integrate security testing early in development, Williams pointed out that it often misses the mark. “When you shift too far left, you lose all the context of the application,” he asserts, leading to a flurry of false positives that overwhelm AppSec teams and create daunting backlogs.
Instead, Williams advocates for a more nuanced approach with “shift smart,” emphasizing testing where it’s most impactful — often closer to production. He explained, “You should shift testing to where it's most effective, cheap and accurate to do the test.” Automated tests in QA pipelines offer an excellent opportunity to catch security issues with minimal extra effort, as findings in this phase reflect the actual behavior of the application.
Not all vulnerabilities require the same strategy, however. Some simple issues, like hard-coded credentials and misconfigurations, can be addressed early, while complex vulnerabilities involving backend systems and data flows demand the context only available in production. Williams noted that “QA environments are never accurate,” often relying on simulated systems that can misrepresent real-world conditions. He cited the example of organizations believing they had resolved Log4j vulnerabilities in development, only to discover they still existed in production. This example underscores the crucial role of testing in production — shifting smart — for uncovering hidden risks and ensuring comprehensive security coverage.
Conclusion
Williams’ insights highlight the need for more intelligent, integrated security strategies in today’s dynamic application environments. ADR represents the future of Runtime Security, bridging gaps between development, security and operations with real-time protection at the application layer. By aligning with DevSecOps principles and equipping operations teams with actionable data, ADR embeds security into daily operations so it’s no longer a reactive afterthought.
His recommendations:
- Evaluate whether you're doing enough to detect and respond to attacks on apps/APIs in production.
- Consider taking baby steps toward secure-by-design, investigating threat modeling, standardizing security defenses and implementing ADR.
- Focus less on shifting AppSec activities to a particular phase, and look for tools that are highly accurate and compatible with high-speed software development.
To learn more about how ADR technology can protect your organization, request a demo of Contrast Security ADR and see its capabilities in action.