X
Government and federal agencies have long observed the National Institute of Standards and Technology’s (NIST’s) Risk Management Framework for security frameworks to help agencies select suitable safeguards relating to cybersecurity, privacy and supply-chain risk management.
One critical component for IT officials to assess risk and deliver new information systems is authorization to operate, or ATO. At the core, ATOs served as sign-offs given to IT systems, where officials consider the inherent risk in deploying them acceptable enough for them to be used. The Defense Department has recently indicated that it is time to move toward a framework known as continuous authorization to operate, or cATO.
On Feb. 4, 2022, the Pentagon issued a memo that described the benefits of using cATOs, which the memo notes represent a “challenging but necessary enhancement of our cyber risk approach to accelerate innovation while outpacing expanding cybersecurity threats.” The goal is for this framework to allow for continuous monitoring and assessment of systems so that any potential weaknesses can be quickly identified and addressed before they become an issue.
To achieve continuous monitoring of security system controls within IT systems, officials must show that real-time or near-real-time cybersecurity countermeasures and a secure software supply chain can be deployed. The memo also stated that the Defense Department’s framework should allow for effective monitoring of critical security controls within IT systems, including a secure software supply chain.
Additionally, cATOs are seen as providing more realistic checks of how cybersecurity functions in real-world conditions since they are based on current known vulnerabilities rather than what was known at the time security teams made assessments months or years ago. ATOs were traditionally allocated for three years and renewed every three years based on updated security requirements.
Continuous ATOs are sometimes referred to as ongoing authorizations based on a “full security authorization package and the results of defined continuous monitoring activities that security teams can use to determine changes in risk and risk acceptance determinations made by authorizing officials.”
Bo Berlas, CISO General Services Administration, said in an interview that agencies looking to adopt the new cATO standards need to use a “robust and formalized continuous monitoring solution, which requires the ability to maintain ongoing situational awareness and ready response in the event of security events.”
To fulfill the requirements of a cATO operation, security measures must be able to demonstrate three primary competencies:
The Contrast Solution harmoniously integrates these requirements into a single integration point. The Contrast platform delivers Software Composition Analysis (SCA), Application Security Testing (AST), and exploit prevention capabilities, allowing developers to instrument security across the Software Development Life Cycle (SDLC).
Web applications and application programming interfaces (APIs) remain a leading attack vector for expensive, reputation-damaging breaches. Security leaders have struggled to mount adequate protection against known and unknown threats by relying solely on perimeter-based Application Security (AppSec) solutions, including Web Application Firewalls (WAFs). While perimeter solutions provide necessary network-layer protections, security leaders also need application-layer visibility into how vulnerabilities are impacted as they are exposed to actual threats in runtime. In addition, using experts to manually implement WAFs can be excessively costly.
Contrast Protect is a runtime application protection and observability solution. The solution uses real-time analysis of application runtime events to confirm exploitability before taking action to block an attack. Contrast Protect maximizes detection and protection against known and unknown threats while virtually eliminating false-positive alerts by leveraging both precision sensors and dynamic control over runtime. The application is easy to deploy and runs continuously in applications wherever they reside. Contrast Protect aligns with modern-day DevSecOps processes, facilitating rapid, cost-effective application scalability with security compliance.
Utilizing instrumentation-based runtime application protection and observability delivers contextual insights into application runtime events such as code, libraries and APIs. This process enables AppSec teams to defend against vulnerabilities with superior accuracy. Security teams can reduce dependency on manual workflows and focus on essential strategic and business-critical tasks. Since runtime application protection and observability are inseparable from the actual application, deployment and scaling become fast and frictionless.
Once deployed, Contrast Protect provides continuous protection through Runtime Exploit Prevention (REP). This multistep approach analyzes application runtime events and confirms exploitability, improving the likelihood of thwarting zero-day attacks by detecting and automatically blocking breach attempts during real-time code execution within the application runtime. Detection monitoring takes sub-milliseconds, even under the heaviest attack loads. Contrast Protect detects the top threats identified by the Open Web Application Security Project (OWASP) and the NIST.
Continuous security observability from the inside
Active runtime application protection that responds to threats in real time
Simple auto-scaling and security portability
Traditional approaches to AppSec that rely on scanning lines of code for known vulnerabilities lack visibility and accuracy. As a result, they depend on manual security checks by expert staff to triage and interpret the results before handing recommendations with limited context back to developers to fix the problems. This inefficiency inhibits development cycles, increases costs and often fails to eliminate many vulnerabilities that cyberattacks can exploit.
To avoid these issues, Contrast Assess uses instrumentation to embed security directly into the development pipeline. It automatically identifies and diagnoses software vulnerabilities in applications and APIs, enabling organizations to release secure software to end users faster and with fewer risk exposures. Plus, it offers the broadest language support in the industry among Interactive Application Security Testing (IAST) solutions.
Contrast Assess automatically identifies and diagnoses software vulnerabilities in applications and APIs using instrumentation to pinpoint and prioritize software vulnerabilities. By embedding sensors inside applications, organizations can “shift left” and discover vulnerabilities earlier in the SDLC.
This approach provides the highest accuracy, efficiency and coverage possible. Contrast Assess enables companies to decrease security team triage and DevOps remediation expenses significantly. In addition, reducing alert noise (caused by false positives) helps eliminate hours of work required of DevOps teams to find and fix vulnerabilities without an in-depth understanding of a specific vulnerability’s priority. Instrumentation is the key to transforming AppSec into a continuous process.
The solution’s sensor-driven assessment continuously monitors all parts of the application stack for vulnerabilities. Because it is embedded in the software, it runs anywhere the application runs — including in integrated development environments (IDEs), on a local testing server, on a quality assurance (QA) machine, as part of the CI/CD build, in a container or in the cloud. Contrast Assess then instantly alerts of any findings, empowering developers to identify, fix and verify remediations during runtime, thereby providing an “always-on” security assessment.
The accuracy and ease of use of Contrast Assess help organizations detect and fix threats earlier in the CI/CD pipeline.
When working against tight sprint deadlines, developers almost always default to using third-party open-source or commercial off-the-shelf (COTS) components to provide ready-made functionality for a particular business use case. Developers pull these components from various sources, including public repositories and project sites. This results in complex dependency trees that can be difficult to track. AppSec teams can quickly become overwhelmed with this volume of technical debt. In many cases, they struggle to answer the simple question, “What is in the application?”
Open Source Software (OSS) allows developers to build feature-rich applications on aggressive timelines. However, reliance on OSS adds layers of complexity across an organization’s software supply chain.
Contrast SCA delivers real-time feedback on third-party software risk by embedding SCA and compliance controls into applications throughout their life cycle. By leveraging instrumentation, Contrast SCA reduces friction between development, security and operations teams by showcasing critical insights — such as runtime library usage — that can help drastically reduce manual triaging and prioritize remediation efforts for developers.
Contrast SCA provides real-time feedback to developers by integrating that feedback into their native CI/CD workflows. SCA provides context into how vulnerable libraries are introduced, with no scanning required. This enables developers to take advantage of the many benefits of SCA while delivering AppSec teams the necessary safeguards they need to be confident that the libraries used in their code are secure.
Contrast SCA enables you to embed third-party software testing throughout the software life cycle. The benefits:
Flag library risk within cloud-native applications and block attacks on vulnerable libraries in production. Prioritize the most immediate risk based on which libraries are used.
Mitigate security debt by accounting for transitive dependency risk.
Stay up to date on third-party software inventory and institute scalable controls.
Schedule a demo and see how to eliminate your application-layer blind spots.
Book a demo
