Interview with Jeff Williams, Contrast Security CTO
I’ve known Jeff Williams for more than a decade. He is the CTO of Contrast Security. He’s done very much to advance the art of web application security auditing and his development team is based in the Natty Boh building in Baltimore. I invested in Contrast for their pioneering RASP technology and how much customers raved about them during diligence. I recently caught up with Jeff in the following interview.
Contrast helps secure web applications and APIs in a much different way than application firewalls or static source code scanners. What problem does Contrast address and how is it different from web application firewalls and source code auditing?
The tools available to secure web applications (SAST, DAST, and WAF) were invented in the early 2000’s, and they haven’t evolved to keep up with modern software. You had to use a bunch of different tools and none of them worked very well. Unlike external scanners and protections, Contrast analyzes and protects applications from within, using a technique called dynamic binary instrumentation. Essentially, Contrast enables applications to protect themselves… turning them into what we call “self-protecting software.” Working from inside the application allows Contrast to combine the strengths of multiple different analysis techniques, as it has access to code, HTTP traffic, configuration, libraries, backend connections, data flow, and more all at once. This makes Contrast much faster and more accurate than traditional tools. Enabling applications with Contrast is a quick and easy process — and from that point forward, your whole application portfolio is continuously assessed for vulnerabilities and protected against attack.
We’ve had many big web vulnerabilities occur over the past few years including HeartBleed and now the most recent Apache Struts vulnerability. How does Contrast help stop attacks against these vulnerabilities?
Every organization needs to be able to quickly respond when one of these third-party component vulnerabilities comes out. Attacks on Struts 2 applications started within a day. We have been attacked regularly every day since it came out, and so have all our customers. Contrast works two ways to help organizations survive this kind of threat. First, Contrast automatically blocks attempts to exploit known vulnerabilities in third-party components. We call this “CVE Shields” and basically Contrast instruments these libraries in a way that makes the known vulnerability unexploitable. The main benefit is that your applications stay online and safe, even if they have a known vulnerability. There really isn’t a downside to using CVE Shields, as they’re safe, scalable, and automatic. Second, Contrast also inventories all third-party libraries in use everywhere in the enterprise with the exact version number and any known vulnerabilities. This is a “big data” approach that gives you the ability to know exactly what code you are running in every application and every server… no more surveys.
Can you give some anecdotal examples of web vulnerabilities in custom code that evaded application firewalls and source code scanners?
The problem with both application firewalls and source code scanners is that they only have part of the picture. WAFs can only see the HTTP traffic, so they are totally blind to what goes on inside the application. They can only detect SQL injection if something blows up and they can detect the problem in the response. But that doesn’t always happen, so they miss a lot. Same thing with source code scanners. They can’t see how the application is put together or what’s going on in the HTTP traffic. So they have no way to see if your CSRF defenses are correct or whether you’re using HTTP headers correctly. One of the biggest problems with source code scanners (SAST) tools is that they are very poor at data flow analysis. It’s just too difficult to calculate how data will flow through an application by looking at the source code, particularly in modern applications with lots of libraries and frameworks. APIs are particularly difficult as well. Poor data flow analysis means that you are going to miss a large percentage of SQL Injection, XSS, Command Injection, LDAP Injection, XPath Injection, XXE, SSRF, and other serious vulnerabilities.
How is Contrast deployed?
Simple, just add our agent to your application environment. It takes under a minute and it doesn’t require any security expertise to install or use. In Development, coders get instant feedback on their code through Eclipse, Slack, HipChat, JIRA, Jenkins, etc… In QA, every test case now doubles as a security test with no extra effort. And in Production, Contrast blocks attacks and alerts the appropriate teams through Splunk, ArcSight, PagerDuty, etc…
Have you seen customers take the output of Contrast and send it to their SIEM, Threat and/or incident response platforms?
Absolutely. Contrast is the best application security sensor ever created. And while we love our dashboards, we understand that companies need security data in * their* dashboards. So all of Contrast’s data feeds into SIEMs and other operational tools easily. Interestingly, we also have a feature called “log enhancers” which allows organizations to beef up the security logging in their applications without changing any source code, retesting, or redeploying. Basically, you can instantly get much better security telemetry out of your applications, enhancing the results of all the downstream analysis.
If developers or IT security people want to learn more is there a webinar or white paper you would suggest they read?
The quickest way to know what Contrast is all about is this three-minute video from the RSA Innovation Sandbox. For a deeper dive into RASP with Contrast Protect, you might enjoy this webinar with one of the inventors of this technology, Contrast’s Chief Scientist Arshan Dabirsiaghi. There’s much more on our website at http://contrastsecurity.com. And you might like some of my articles about the future of application security at https://www.linkedin.com/in/planetlevel/recent-activity/posts/. If you’re interested in the future of application security in a modern software environment, check out Contrast’s “ Continuous Application Security Handbook “.