The Case for Application Detection and Response (ADR)

 

About the author

Jeff Williams brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by EY. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 10 years and created the OWASP Top 10 and several other popular open-source libraries and tools. Jeff serves as an application security advisor to the PCI Council, NIST, OASIS, CycloneDX, OWASP Foundation, Eclipse Foundation, and many companies and agencies. Jeff has a BA from Virginia, an MA from George Mason and a JD from Georgetown.

Why do our applications and APIs keep getting breached?

I’ve been doing Application Security (AppSec) for over 20 years, including defense systems, election systems, financial, utilities, airlines and more. I taught at the NSA’s National Cryptologic School, wrote the OWASP Top Ten and have performed manual penetration testing and code review on critical applications for hundreds of large organizations.

Believe me, I know how difficult it is to consistently write secure code. In the 22 years since I wrote the OWASP Top Ten, our progress has been glacial. The average application has dozens of serious vulnerabilities in both custom code and libraries. Some have many more. I’m deeply disappointed that we haven’t been able to bend the curve in our software vulnerability epidemic.

Many of you may have bet your business on software, and that bet depends on the success of “shift left” efforts to write secure code. I spent a lot of my career with this same mindset. Unfortunately, it’s become clear to me and should be clear to you that this is an extremely risky bet that even companies with the most advanced AppSec programs are losing.

Given this unfortunate situation, we absolutely must have excellent protection against web attacks. Unfortunately, since the late 1990s when Web Application Firewalls (WAFs) emerged, there has been essentially no progress. It’s hard to imagine that web application and Application Programming Interface (API) defense has stagnated during decades of massive innovation in protocols, data structures and architecture, but here we are. Most organizations don’t even have their WAFs blocking attacks. They just generate noisy alerts, ignored by operations.

All the other layers of the stack have moved away from perimeter devices enforcing security on network traffic. Other areas of cybersecurity have moved to XDR, EDR, NDR, CDR, SDR, SIEM, SOAR and CNAPP — a “detection and response” approach using agents, real-time telemetry and advanced data analysis techniques to identify anomalous behavior. But AppSec in operations is in the Stone Age, with teams still clinging to WAFs like Signourney Weaver and her proximity detector in the movie “Alien.”

In this white paper, we’ll explore what a detection and response approach to AppSec looks like and why it’s absolutely essential for deploying code.

- Jeff Williams, Founder and CTO of Contrast Security

Why protect applications and APIs in production and operations?

The application layer is the lifeblood of modern business operations and security. We all trust software with everything important in our lives, including our finances, healthcare, government and social life. However, this crucial layer has become an increasingly attractive target for cybercriminals. According to the 2024 Verizon Data Breach Investigations Report¹ , web application and API breaches are in the top 3 attack vectors, and the web application threat vector is in the top 2 for ransomware installs. Yet, the application layer remains woefully under-protected.

The complexity of securing the application layer cannot be overstated. Today’s applications are dynamic, composed of dozens of repositories, hundreds of libraries, many APIs, microservices and containers, deployed across multi-cloud environments — all of which, when assembled, introduce myriad vulnerabilities. According to Ponemon² , enterprises have an expanding AppSec vulnerability backlog that already averages hundreds of thousands of application and API vulnerabilities. The sheer volume and velocity of changes in modern application development exacerbate the challenge, making it difficult for traditional security measures to keep pace.

The domain of AppSec has traditionally fallen to developers, engineers and dedicated AppSec individuals. Yet, other security oversight has gone to the Security Operations (SecOps) team. It is time to democratize security visibility for apps and APIs, allowing shared responsibility and improving the efficacy of the operations team.

This paper explores the pressing issue of deficient AppSec in production and operations. It delves into the limitations of existing solutions and highlights the need for a more comprehensive approach. We will introduce a groundbreaking methodology called Application Detection and Response (ADR), designed to provide continuous protection and real-time visibility into AppSec. ADR promises to bridge the gap left by traditional security measures, ensuring that the application layer is no longer a blind spot in an organization’s cybersecurity strategy

The enterprise application layer is sprawling, inscrutable, highly complex, highly vulnerable and controls all access to data

Current AppSec detection and response: Why the three traditional AppSec measures fall short

Today, enterprises have three options for detecting and responding to AppSec incidents in production. Two options, WAFs and secure software development, hail from the early 2000s and neither was designed to address the full spectrum of threats that modern applications face in production. The third option — modern tools like Extended Detection and Response (XDR) and Cloud-Native Application Protection Platform (CNAPP) — simply doesn’t detect attacks on the application layer. As a result, organizations lack visibility into application behavior in real time, leaving them blind to active threats and unable to respond effectively.

1. WAFs are useful for blocking simple attacks against known threats but suffer from significant limitations. They operate at the perimeter, inspecting incoming and outgoing traffic to identify malicious patterns. Because WAFs have no visibility into the internal workings of applications, they are unable to accurately detect attacks. Because of this weakness, WAFs have become notorious for both under-blocking and over-blocking. They also require extensive tuning and maintenance. While the flood of false positive alerts burdens security teams, the real danger is that many real attacks can slip through the WAF undetected.
2. Traditional security operations tools are very useful, but they lack visibility into AppSec. These tools include XDR; Endpoint Detection and Response (EDR); Network Detection and Response (NDR); Cloud Detection and Response (CDR); Security Information and Event Management (SIEM); Security Orchestration, Automation and Response (SOAR); and CNAPP. The effectiveness of these tools is limited by the quality and comprehensiveness of the data they receive from sensors and log files. They use integrations and agents that gather logs and events from hosts, containers, network devices and cloud environments. But since none of their sensors has visibility into the security of applications and APIs, these tools simply cannot help with detection and response to attacks on applications and APIs.
3. Secure software development aims to detect vulnerabilities and eliminate them during the development life cycle, before software gets into production. While this sounds good in theory, AST tools, such as Static (SAST), Dynamic (DAST) and open-source Software Composition Analysis (SCA) tools, have succeeded in identifying vulnerabilities but have not reduced or fixed them. In fact, the average number of vulnerabilities has increased from 24.2 to 43.6 in the 20 years since the OWASP Top Ten was first released. The Mean Time to Remediate (MTTR) vulnerabilities found with SAST tools is currently at 290 days³ . 

None of these methods is sufficient in isolation. Even when combined, they fail to provide the comprehensive protection needed for today’s complex application environments.

In discussions with CISOs, AppSec teams and Security Operations Centers (SOCs), a recurring theme emerges: organizations are eager to learn more about the application and API security blind spot and express a strong desire for solutions that can fill it. CISOs express concern over the inability to see and respond to application-level threats, acknowledging the inadequacy of current tools. Quotes from industry leaders highlight the urgency of addressing this gap and the necessity for innovation in this space.

For instance, one CISO remarked, “We have robust defenses for our networks and endpoints, but when it comes to our applications, we are essentially flying blind.”

Another security leader noted, “The increasing complexity of our application environment means that traditional security measures are no longer sufficient. We need deeper visibility and more effective response capabilities.”

Introducing ADR

As the complexity and interconnectivity of modern applications continue to grow, so does the sophistication of cyber threats targeting them. Traditional security measures have proven inadequate in providing the necessary visibility and protection at the application layer. Fortunately, a new security technology has emerged called ADR.

ADR instruments applications and APIs to protect, detect and respond to threats in real time. ADR provides continuous visibility into the security behavior of the entire software stack, identifies anomalies that indicate security incidents, automatically takes action to mitigate these threats, and provides highly contextual feedback to operations and development teams.

ADR fills the critical application and API gap left by other detection and response solutions by providing deep, real-time visibility and protection directly within the application layer. Security teams have added detection and response methods for other attack vectors: EDR for devices such as user laptops, CDR for threats to the cloud environment, Identity Threat Detection and Response (ITDR) for monitoring of identities, and so on. Those technologies then feed their telemetry into SIEM, XDR and CNAPP platforms. But, until now, none directly monitored and analyzed application behavior to detect anomalies and vulnerabilities in real time.

Filling this gap with ADR enables organizations to trace attackers through all the major parts of an organization’s IT infrastructure. Attackers choose to target applications and APIs because they are directly connected to the organization’s most valuable data. With ADR, analysts can track lateral movement from its point of origin — in applications and APIs — and stop the incursion before it becomes persistent. This capability enables SecOps team members to suppress lateral movement and decrease the dwell time of adversaries. Later in this paper, we’ll discuss Contrast’s approach to integrating ADR with XDR, SIEM and CNAPP platforms to give SecOps teams the proverbial “single pane of glass.”

Use cases supported by ADR

1. Protect applications/APIs: Operations must deploy security measures that proactively prevent vulnerabilities within the app/API layer from being exploited. With ADR, teams can achieve this by embedding security measures directly within the running application, protecting the entire application stack, including custom code, frameworks, open-source libraries, app/API servers and runtime platforms.
   • Install into your standard application and API platforms.
   • Install across a cluster with Kubernetes operator
2. Detect applications/API attacks: Operations must be able to detect app/API threats quickly and accurately. By leveraging ADR, teams can use sophisticated algorithms to continuously monitor applications, detect anomalous behavior in real time and provide immediate alerts with extensive contextual information for quick triage of confirmed security incidents.
   • Flag anomalous application behavior within XDR, SIEM and CNAPP solutions.
   • Instantly reference the security blueprint for the processing of any HTTP request.
   • Highly accurate detection with minimal false-positive alerts.
3. Respond to applications/APIs attacks: Operations teams must be prepared to respond promptly to identified threats by initiating predefined response actions. ADR enables teams to automatically block malicious traffic, isolate compromised components and notify security teams with detailed context, effectively containing and neutralizing security incidents to minimize impact and maintain application integrity.
   • Prevent exploitation of known vulnerabilities Common Vulnerabilities and Exposures (CVEs).
   • Prevent exploitation of zero-day vulnerabilities in both custom code and libraries.
4. Ensure applications/APIs observability and compliance: It is impossible to manage the security of a frighteningly complex application layer without a detailed architecture of how it all works. ADR automatically generates detailed, real-time security blueprints of every application and API, including how they connect with each other. These blueprints help teams ensure compliance with regulatory requirements and enable effective security governance across the organization.
   • Continuous visibility into security activity across the enterprise application layer.
   • Seamless integration with XDR, SIEM, SOAR and CNAPP for full-spectrum security.

A tale of two scenarios: The unsafe deserialization incident

Let’s consider a real-world situation that is occurring right now in many enterprises.

Imagine an enterprise web application that exchanges data with a JavaScript user interface in the browser. The developer simply followed common coding patterns and “serialized” data objects in the browser into a stream of bytes that are “deserialized” back into objects in the web application. 

The developer didn’t realize that they had inadvertently introduced a serious unsafe deserialization vulnerability. The company’s traditional SAST and DAST tools failed to detect the vulnerability, and it made it into production. This is sadly a common occurrence for many organizations, resulting in the inclusion of “Unsafe Deserialization” in the OWASP Top Ten.

Before ADR

An attacker happens on the deserialization vulnerability and crafts a malicious serialized object that includes a payload designed to execute arbitrary code on the server. When the serialized object arrives at the application, the code automatically deserializes it. As part of this deserialization process, the payload contained is executed, enabling the attacker to run arbitrary code on the server — a complete takeover of the server.

Unfortunately, the company’s WAF didn’t stop the attack from reaching the application. The WAF doesn’t have visibility into the serialized object and therefore can’t tell that the malicious payload is any different from normal traffic from a legitimate user.

In addition, the company’s EDR, XDR, SIEM, SOAR and CNAPP solutions also missed the attack. These platforms are primarily focused on monitoring endpoints, networks and logs for known attack patterns and anomalies. The attack within the serialized object is invisible to these security platforms because it’s buried in the serialized data and nothing is logged for this operation.

After ADR

Now let’s consider the same scenario, but with ADR deployed. The ADR platform continuously monitors the entire application stack in real time. During routine operations, ADR detects an unsafe deserialization incident as it is being exploited. The system generates a detailed incident report containing:

• The complete HTTP request details, including the payload.
• A stack trace of the deserialization operation, captured directly from the running code.
• A contextual diagram providing the security context of the route being attacked.

The Contrast runtime security platform: The technology behind ADR

The effectiveness of ADR hinges on a robust underlying technology that can seamlessly integrate with the development, operations and security processes. The Contrast runtime security platform provides this foundation, offering a comprehensive solution for embedding security within the application runtime, ensuring real-time protection, detection and response capabilities.

As shown in this architecture diagram, the Contrast platform is designed from the ground up as an integrated approach to application and API security, rather than a mashup of unrelated technologies. It starts with fully distributed, lightweight threat sensor instrumentation that monitors runtime behavior from within the running applications and APIs. This telemetry feeds our modern data streaming architecture, from which Contrast builds and maintains a sophisticated model of AppSec across an enterprise. This model enables highly accurate issues and incidents, contextual risk rating, real-time notifications and much more.

The Contrast runtime security platform is already in use in hundreds of thousands of critical applications and APIs in many of the world’s largest companies. Our runtime security platform monitors and protects trillions of dangerous function calls every day. 

Contrast runtime security

Monitors and protects your app/API layer from within to keep your data safe

Contrast automatically hardens software by adding missing security checks and efficiently preventing exploits.

Operationalizing ADR to achieve full-spectrum detection and response

Let’s imagine a financial services organization that has decided to enhance its AppSec operations by deploying Contrast ADR. Initially, their focus was on leveraging the platform’s advanced instrumentation and real-time monitoring capabilities to detect and respond to threats within their application environment. As soon as Contrast was deployed, the security team started seeing an unprecedented level of detail and insights into the application’s behavior and potential vulnerabilities.

Step 1: Integration with Splunk for event management

Impressed by the granularity and relevance of the data Contrast collects, the financial services organization’s security team sought to integrate this valuable information into their existing SIEM system, Splunk. The team streamed events from Contrast into Splunk, adhering to the Common Information Model (CIM) for standardized event data.

Once the events were flowing into Splunk, the financial services organization’s security analysts utilized the Contrast Splunk plugin to visualize the data. The integration allowed them to seamlessly incorporate Contrast’s application and API telemetry into their existing monitoring and triage processes. The rich, contextual information provided by Contrast enabled the team to identify and prioritize incidents more effectively. They could now view detailed attack patterns, understand the impact of vulnerabilities in real time and correlate application attacks with other data sources within Splunk, streamlining their incident response workflow.

Step 2: Enhancing CNAPP with application behavior

Recognizing the broader value of integrating AppSec insights with their CNAPP, the financial services organization also connected Contrast to Wiz. This integration allowed them to gain a holistic view of their infrastructure and its security posture, bridging the gap between infrastructure and AppSec. 

With Contrast feeding detailed application security data into Wiz, the security team could see the depth of data that Contrast provides about application vulnerabilities when they drill into the workload. They were able to visualize the interconnections between different components, understand the security implications of each connection and see how widespread a vulnerability is (i.e. whether it is in a production or development environment, and if it’s on one isolated server or not). This provided a deeper understanding of how vulnerabilities and threats at the application layer could impact the overall security of their infrastructure.

Step 3: Operationalizing ADR with enhanced workflows

The integration of Contrast with Splunk and Wiz enabled the financial services organization’s security operations team to identify and respond to application and API security incidents without changing their existing workflows. The Splunk plugin facilitated easy access to Contrast data, making it a natural extension of their existing security operations workflows. In Wiz, the team could map out the full security architecture of their applications and infrastructure, identify critical vulnerabilities, and understand their potential impact on the organization.

This story underscores the transformative impact of deploying ADR within a robust security ecosystem. By embedding security within the application runtime and integrating it with comprehensive monitoring and management platforms, organizations can extend their protection across the entire application layer.

Business case for ADR: The strategic and financial benefits

The adoption of ADR offers a compelling business case for organizations looking to enhance their security posture, reduce costs and drive innovation.

Enhancing security posture

The landscape of cyber threats is evolving at an unprecedented pace, with applications and APIs becoming prime targets for sophisticated attacks. Traditional security measures often fail to provide the necessary visibility and protection at the application layer, leaving organizations vulnerable to breaches that can have devastating consequences. ADR offers a transformative solution, enabling real-time monitoring, detection and unmatched protection against threats within the application environment. By embedding security directly into the application runtime, ADR ensures that vulnerabilities are detected and mitigated before they can be exploited, significantly enhancing the organization’s overall security posture.

Cost savings from automated vulnerability mitigation

The financial impact of a data breach can be staggering, encompassing direct costs such as fines and legal fees, as well as indirect costs like reputational damage and customer churn. According to IBM, the cost of a data breach is close to $5 million on average, with related costs rising by 10% between 2023 and 2024. Implementing ADR can lead to substantial cost savings by automating the detection and mitigation of attacks on applications and APIs, reducing the likelihood of successful attacks. 

Improving detection and response capability at one of the most critical attack vectors minimizes the need for manual intervention, freeing up valuable resources and allowing security teams to focus on more strategic initiatives. Moreover, the early identification and remediation of attacks can prevent costly incidents, safeguarding the organization’s bottom line.

Reducing the attack surface

Minimizing the number of potential entry points for attackers is fundamental to strengthening security posture and reducing overall risk. ADR, especially when combined with Application Vulnerability Monitoring (AVM), provides continuous visibility into the actual vulnerabilities present in running production applications and APIs. This real-time insight allows security teams to shrink the attack surface by identifying and prioritizing vulnerabilities that pose the greatest, real-world risk based on exploitability and threat data. By understanding the true exposure, SecOps can proactively implement compensating controls and focus remediation efforts where they matter most, significantly reducing the target for attackers while development works on permanent fixes.

Ensuring compliance with regulatory requirements

Regulatory compliance is a critical aspect of modern business operations, with stringent requirements imposed by the National Institute of Standards and Technology (NIST), the Payment Card Industry (PCI), the General Data Protection Regulation (GDPR) and others. ADR is critical to meet the Securities and Exchange Commission’s (SEC’s) new investigation and disclosure requirements. ADR helps organizations maintain compliance by providing continuous monitoring and detailed reporting of security activities.

In an era where the cost of a data breach can be catastrophic, the strategic implementation of ADR is not just a security imperative but a sound business decision. Organizations that invest in ADR position themselves to better navigate the complexities of the modern threat landscape, ensuring resilience, trust and long-term success.

Use cases supported by ADR

ADR represents a significant leap forward in securing the application layer, addressing the shortcomings of traditional security measures and filling critical gaps left by existing solutions. 

ADR provides a transformative approach to AppSec by delivering real-time monitoring, deep behavioral analysis and automated response capabilities. It enhances protection against sophisticated cyber threats, ensuring vulnerabilities are detected and mitigated before they can be exploited. By integrating security directly into the application runtime, ADR offers continuous visibility and control over application behavior, significantly reducing the risk of successful attacks. Additionally, ADR’s contextual insights and precise risk scoring enable security teams to prioritize remediation efforts effectively, improving overall incident response and resilience.

Organizations must recognize the critical importance of securing their application layer and take proactive steps to integrate ADR into their cybersecurity framework. This strategic investment will yield long-term benefits, safeguarding the organization’s digital assets, enhancing operational resilience and securing a competitive advantage in the marketplace. Now is the time to act, to ensure your organization is not only protected but also positioned for success in an ever-evolving digital world.

IMMEDIATE STEPS TO TAKE:

Evaluate your AppSec gap
Assess existing security defenses and evaluate whether they provide effective protection against application and API attacks

Receive a guided demo of ADR
Evaluate⁴ Contrast ADR’s ability to provide real-time visibility, continuous monitoring and automated response capabilities to applications and APIs in production.

Integrate with existing tools
Leverage integrations with XDR, SIEM and CNAPP platforms to enhance overall security visibility and incident response workflows.

Recognize value
Evaluate the benefits that ADR will bring to your organization.

 

¹ Verizon 2024 Data Breach Investigations Report, p. 31
² The State of Vulnerability Management in DevSecOps
³ Veracode State of Software Security (PDF)
⁴ ADR demo