SOLUTION BRIEF
Contrast integrates into Kenna Security to deliver better vulnerability risk management
Executive overview
Legacy approaches to application security are slow and complex.
These fundamental problems allow far too many vulnerabilities to pass into production—where cybercriminals have ample time for exploitation before a patch can be deployed. Developers need modern application security that simplifies vulnerability management while facilitating rapid remediation of critical issues across all parts of the application. A new joint solution from Contrast Security and Kenna Security, part of Cisco, combines comprehensive visibility, accurate risk prioritization, and developer-friendly guidance to help teams quickly find and fix problems during development.
Outdated, complex application security is ineffective
Application development is driving enterprise transformation. As a result of massive growth in this area, “everything-as-code” is defining a new perimeter in today’s cloud-first environments. While the velocity of development, use of third-party code, and diversity of the technology stack have all helped increase business agility, software proliferation has also introduced unprecedented amounts of risk. Compromised applications are now the primary mode of intrusion—representing 39% of all data breaches in the last year.[1]
"The average total cost of a data breach rose from $3.86 million to $4.24 million over the last year—an increase of nearly 10% and the largest single-year jump over the last seven years."[2]
Effective vulnerability remediation in development depends on quickly determining which application security testing (AST) results warrant action and which of those have highest priority. Unfortunately, most organizations continue to struggle with this because they lack clear visibility into vulnerabilities, lack the ability to prioritize issues for remediation, and depend on slow manual analysis by human security experts before fixes can be made. These shortcomings bottleneck DevOps workflows—forcing many organizations to choose between meeting their delivery deadline or releasing secure code.
A joint solution for simplicity, better visibility, and support
"Nearly all (99+%) organizations admit that the average application in production has 4 or more vulnerabilities."[3]
Contrast Security partnered with Kenna Security to extend risk-based vulnerability management into the software layer. The Contrast Application Security Platform’s context-rich vulnerability and software composition analysis (SCA) data is now an integrated part of the Kenna.VM platform.
The Contrast and Kenna joint solution brings an unprecedented, risk-based approach to application vulnerability management. Contrast’s custom code and open-source vulnerability data is imported into Kenna.VM, where it is then combined with real-world threat intelligence and advanced data science to determine which vulnerabilities pose the highest risk and which ones can be deprioritized. DevOps teams get better application visibility, accurate risk scoring, and contextual “how-to-fix” guidance to help developers remediate issues as they code.
Gain comprehensive application visibility
Enhanced application visibility is powered by Contrast’s highly accurate, context-rich vulnerability data, which covers both custom code and open-source components. Contrast deploys an intelligent agent that instruments smart sensors throughout the application, so the code is analyzed from within the application as it runs. This instrumentation gives the Contrast agent a comprehensive view of runtime behavior and the ability to confirm which routes can actually be exercised and which vulnerabilities are truly exploitable. This enables Contrast to eliminate the false positives generated by other application security tools and provide highly accurate results.
Contrast’s data feeds into Kenna.VM, where it is incorporated into the Kenna risk score. Kenna’s dashboard provides a single, consolidated view of analyzed risk across the organization—a continuous picture of the full application stack with visibility into infrastructure and vulnerabilities in one place.
"Fixing a vulnerability gets more expensive as the development process gets further from where the error was introduced."[4]
Prioritize high-risk vulnerabilities
The integration of Contrast into Kenna.VM helps organizations quickly understand the ranked level of risk that each vulnerability presents. The solution’s prioritization model is powered by Kenna Security’s renowned risk-based vulnerability management (RBVM) framework. Unlike the Common Vulnerability Scoring System (CVSS) and other static scoring methods, Kenna’s approach provides the context required to understand the true level of risk that vulnerabilities pose.
Kenna ingests, aggregates, and processes billions of pieces of data from internal sources (e.g., containers, infrastructure-as-code, networking layer, databases) as well as external sources (including more than 18 threat and exploit intelligence feeds). Kenna then automates the analysis of this data using proven data science algorithms to deliver an accurate, quantifiable risk score for every vulnerability. Each score incorporates an estimate of the likelihood that the vulnerability will be exploited via its particular attack vector, so vulnerabilities can be rank-ordered by probability of exploitation.
Accelerate remediation with how-to-fix guidance
The joint solution provides comprehensive visibility and risk-based prioritization that help developers quickly find and fix critical vulnerabilities. Contrast’s innovative Security Trace format pinpoints exactly where a vulnerability appears in the code and how it works. This enables organizations to quickly locate and remediate vulnerabilities without waiting for direction from human security analysts.
Further, Contrast’s context-rich guidance within Kenna’s unified dashboard tool set helps developers address issues in real time as they code. Poor “how-to-fix” guidance directly contributes to the growing backlog of unremediated vulnerabilities. For one traditional static application security testing (SAST) vendor, it takes 86 days to fix only 50% of issues—versus only 3 days for Contrast.[5]
A singular view for simplified application security
Contrast’s instrumented vulnerability data, combined with Kenna’s predictive modeling technology, helps expose which vulnerability, at whichever layer of the stack it sits, poses the highest risk, and accurately forecasts the exploitation of new vulnerabilities.
With Kenna and Contrast, organizations can understand what to fix, how to fix it, and why. This joint solution also integrates seamlessly with popular ticketing systems—allowing organizations to optimize their existing DevOps ecosystems.
"According to research by Kenna, it generally takes defenders a month after a patch is released to remediate 50% of the vulnerable assets in their environment. By comparison, attackers reach 50% of max exploitation prevalence across target organizations in about 2.5 months."[6]
[1] “2021 Data Breach Investigations Report,” Verizon, May 2021.
[2] “2021 Cost of a Data Breach Report,” IBM, July 2021.
[3] “The State of DevSecOps Report,” Contrast Security, November 2020.
[4] Jeff Williams, “How To Start Decluttering Application Security,” Forbes, January 27, 2021.
[5] “2021 Application Security Observability Report,” Contrast Security, August 2021.
[6] “Prioritization to Prediction Volume 6: The Attacker-Defender Divide,” Kenna Security and Cyentia Institute, November 19, 2020.
Secure your apps and APIs from within
Schedule a one-to-one demo to see what Contrast Runtime Security can do for you