Contrast OSS: Automated Open Source Security Software and Compliance

Challenges

• 33% of applications are never tested for security vulnerabilities, with nearly 80% of applications containing at least one critical or high vulnerability.¹
• An estimated 84% of security breaches exploit vulnerabilities at the application layer. Consequently, in the time between release and patch, adversaries can leverage the weaknesses in the code to compromise vulnerable systems.²

Solution

Contrast OSS delivers automated open source risk management by embedding security and compliance controls into applications throughout their lifecycle. Contrast is the only solution that can identify vulnerable open source components, determine how they are actually used by the application and prevent exploitation at runtime, all through a single, self-service platform.

Incorporating open source code into your products introduces potential security vulnerabilities and legal compliance risks. Managing these risks in a high-velocity software development environment like Agile DevOps requires a solution that provides real-time visibility for early detection of issues and continuous verification and monitoring.

Capabilities

• Automatically create and maintain organization-wide inventory of open source components mapped to applications, servers, and environments to identify what runs where, and what needs to be secured.
• Continuously evaluate OSS components in your application portfolio for known and unknown vulnerabilities, as well as open source license risk.
• Set and automatically enforce custom policies across the SDLC and provide real-time feedback to security and development teams.
• Prioritize remediation efforts on vulnerabilities that really matter by accurately identifying whether vulnerable open source components are actually used by the application.
• Continuously monitor production applications and block attacks on vulnerable open source code to prevent exploitation at runtime.
• Provide real-time correlation of vulnerabilities, OSS license information, and other library metadata to components in inventory

Key benefits

Scale and ensure security while accelerating development with end-to-end automation

Contrast OSS automatically discovers open source components in your applications, provides critical versioning and usage information, and triggers alerts when risks and policy violations are detected at any stage of the SDLC. In production, Contrast OSS monitors, blocks and alerts on attacks. All of this information is streamed to security and development teams in real-time through their native tools, enabling short feedback loops and quick action.

Empower developers by catching issues early and enabling faster remediation

Contrast OSS enables early detection of vulnerabilities and open source license risk in the developer environment with continuous verification across CI/CD pipelines. Unlike legacy Software Composition Analysis (SCA) tools, Contrast OSS performs runtime analysis to accurately identify whether vulnerable components are actually used by the application. This intelligence enables developers to prioritize and focus remediation efforts on the vulnerabilities that really matter.

Deploy the right security control to protect against known and zero-day exploits

Beyond automatically detecting risk, Contrast OSS provides runtime protection so attacks on vulnerable open source code are automatically monitored and blocked to prevent exploitation in production. Applications self-monitor and self-defend against attacks targeting open source components in production.

Continuous visibility and self-updating software risk intelligence

Contrast OSS monitors your entire application portfolio including third-party and custom code, automatically applying new vulnerability and license risk intelligence and policies. This eliminates the need for disruptive scans and re-scans of code repositories.

A single solution for your open source and custom code

Leverage a single deployment and assessment process to identify vulnerabilities in open source and your custom code. No need to implement multiple tools, orchestrate between different analysis engines, or run complex correlations.