Went To AppSec California 2014. Tried Contrast. Here's My Story.

We receive "fan" mail from many of our clients, and lots of people who watch a demo are impressed. But when Steve Rosonina, CTO of Accumulus Labs, sent us a review with his story, we had to put it up for the world to see. Without further ado, Steve Rosonina.

The Short Version:

"As with many technical startups, the majority of our time is spent developing features our customers demand. Any modifications to our development process must be minimal. Integration was seamless; it took only 15 minutes to enroll in the service and integrate Contrast into the Eclipse IDE. A few hours later our code base was analyzed, remediated and published to AWS. Simple setup, easy to understand results, and quick remediation. Contrast is now a permanent member of our development team!"

The Long Version:

As a security-minded professional I’m constantly on the lookout for products that can make our site more secure. Our users depend on us for financial transactions ranging from a night out with friends to the car you’ve always wanted.

So I was intrigued by Jeff Williams' headline at AppSecCali in January 2014. Titled “Application Security at DevOps Speed and Portfolio Scale”, it promised to open my eyes to a security sensor that could monitor my code from the inside out. I’ve seen dozens of presentations in the past from a variety of vendors, but this one had something different about it, and I had to see it in action.

I agreed with Jeff’s presentation: gone are the days of traditional scanners. DevOps and Agile style software development systems don’t have time to wait for scans to be scheduled, reports to be run, false positives to be filtered, and remediation advice to be recommended. We need information, and fixes, in the now. We need real-time application security analytics. And that’s what Contrast does. At least, that’s what they claimed.

So I downloaded the Contrast Agent and put it to work analyzing the code in a project I’d been working on. I created a free account, dropped the agent into my Tomcat config, and browsed through my app for a few minutes. Contrast had already created a security dashboard for my application showing eighteen vulnerabilities. Eighteen vulnerabilities in a matter of minutes! That had to be a fluke. I had to investigate. So I went to the source.

I sat down with Jeff Williams and talked to him about each and every error Contrast listed. (Thanks, Jeff.) I’d never been so excited to find errors in my life, but watching the latest application security software agent in action made me a believer. So much so, that I left the conference to go fix them.

When I returned to the conference a few hours later, I went in search of Jeff Williams. I just had to let him know what had transpired. And that’s why I’m letting Contrast Security evangelize using my name. Because Contrast is now a permanent member of our development team.

If you want to have the most up-to-date application security on the market, simply put, you need to be running the Contrast agent.

Sincerely,

Steve Rosonina
CTO, Accumulus Labs
@Rosonina


Developing and maintaining a robust application security program does not need to be a daunting task... 

Perhaps, all it takes is rethinking your existing program and moving to one that leverages a continuous application security (CAS) approach. Organizations practicing CAS quickly determine how a new risk affects them, design a defense strategy, and measure their progress to 100% coverage. By implementing eight functions within an enterprise you can assemble an effective application security program.


Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.