Eating Our Own Cooking at Contrast: Securing and Protecting TeamServer

It’s very rare that one has an opportunity to experience the development of a major software solution from the ground up and use that very product to secure and protect it at the same time. This is precisely what we’ve been able to do at Contrast Security. My engineering team is responsible for developing and managing TeamServer, the user interface for the Contrast Application Security Platform. The technology powering TeamServer automatically builds an application inventory across an entire organizational portfolio and provides continuous, real-time insight into application security. Rules are centrally managed by customers, who can push out new rules in real time.

Using Contrast Assess from the Very Start

Soon after the founding of the company, we started using Contrast Assess to continuously analyze applications in development. All of our code runs through a Pull Request process that triggers an automated pipeline. The result is that all code is tested for security as soon as a PR is submitted, providing continuous, real-time feedback that empowers my team to detect vulnerabilities as soon as they are introduced into code. This shifts application security to the far left rather than waiting until later in the development process, which requires more time for remediation and can delay release cycles.

Identification of the cause of application vulnerabilities, including their triage, diagnosis, and remediation, is made easy with context awareness and integration with the Jira project management tool. In traditional application security models, this entire process can consume valuable cycles, taking developers off of writing code for hours at a time each day.

Modern Development Team for TeamServer

Our current development team, which is charged with the development and management of TeamServer, is comprised of 20 professionals. The team continues to grow as Contrast iterates on new customer requirements and releases.

In terms of our development approach, the TeamServer development team embraces Agile and DevOps methodologies and processes associated with modern software development. We are currently moving toward a Kanban approach because of its overall business value and emphasis on matching available capacity with work that needs to be done.

The frequency of our software releases is dependent on business needs and preferences of the different teams working on specific projects. One of our requisites is the need for continuous integration and automation of processes, including security testing, which we have because of the Contrast Application Security Platform. The outtake is that it really doesn’t matter how often we release code. Wherever we need to do so, it is a non-event. Before Contrast, that was not always the case in my career. Traditional application security scanning can create real obstacles that impede development cycles and dictate when and when you cannot release code.

Software Composition Analysis with Contrast OSS

When the company launched our software composition analysis (SCA) solution Contrast OSS, we also added it to the mix. TeamServer leverages a significant number of open-source frameworks and libraries—over 400 are active today. Having inactive libraries creates unwarranted risk that we are able to manage using Contrast OSS. We can ensure that only those libraries and frameworks that are being exercised are included in the application.

We also can manage open-source versioning so that we are not on versions with known Common Vulnerabilities and Exposures (CVE). Successful library releases, as a result, update to a subsequent release that remediates all vulnerabilities but without causing other problems for the application. Finally, contrast OSS also identifies cases where dependencies are present but not actually used by the software. This saves us hours of time and produces much cleaner code.

Delving Into the Architecture Details of Application Security

The development environment and customer-facing side of TeamServer initially were on-premises, but we migrated both to Amazon Web Services about five years ago. Doing so provides us with much greater flexibility and lower cost.

TeamServer is built using a powerful Java EE stack that includes Apache Tomcat web server, the Spring application development framework, the Hibernate object/relational mapping tool, and various other community-driven, open-source frameworks and libraries. The architecture of TeamServer is designed to scale to support the processing of data from thousands of applications simultaneously. Our database abstractions from JSR-317 that uses Hibernate give our customers the flexibility to choose their own persistence option.

Protection in Application Runtime with Contrast Protect

With the release of Contrast Protect, my team added runtime application self-protection (RASP). This extends the same security agents that we use in development into production. Contrast Protect, in this instance, gives us deep insight, extensive visibility, and sub-millisecond response time to cyberattacks. Because Contrast Protect uses instrumentation, we gain significant efficiency gains by virtually eliminating false-positive alerts. For a modern development team like mine that is measured on delivering releases that address customer requirements, this is critical time spent.

The instrumentation approach of Contrast Protect also provides continuous protection against both known and unknown threats and zero-day attacks. Many perimeter defense solutions struggle to detect these. Recognizing the importance of protecting our customers’ critical information, we periodically run Contrast Assess on our production environment to verify it is free of vulnerabilities.

Measuring Business Value of Contrast on Contrast

Earlier this year, our Customer Success and Sales organizations partnered to develop a business value analysis methodology to measure the cost savings and operational efficiency gains customers are achieving and prospects can achieve using the Contrast Application Security Platform. It was very eye-opening to uncover the tangible value we are getting from Contrast over a legacy application security approach.

Our analysis looked at three primary areas:

  • Improved efficiency for application security and development
  • Minimized risk exposure with compliance and application exploitation
  • Reduced security-related infrastructure costs

In the first year, we achieved over $623,000. Over a three-year time frame, we gained nearly $1.45 million in cost savings and operational efficiency improvements. Under each of the three business value analysis categories, we delved into greater granularity. We produced the findings in a report and discussed them in a recent webinar and podcast. Readers interested in more detail on the business value findings can check those assets out.

Digital Innovation Enabled, Not Inhibited

As organizations rush to embrace digital transformation, adding more applications in development, the speed of development cycles is crucial. But many are discovering their legacy application security toolsets simply cannot scale to meet the demands of modern software development life cycles (SDLC).

Thankfully, we’ve never been in that situation at Contrast. Rather, by using the Contrast Application Security Platform, application security has facilitated rather than inhibited our adoption of Agile and DevOps practices. At the same time, the realized business value is dramatic—whether avoiding the hiring of a dedicated headcount to handle application security, accelerated development cycles, or improved efficiencies.

REPORT: Securing and Protecting Contrast with Contrast: $1.45 Million in Business Value Compared to a Legacy Application Security Approach

WEBINAR: Contrast-on-Contrast Case Study: How We’re Using Our Application Security Platform from Development to Production

PODCAST: Contrast-on-Contrast Case Study and Business Value Analysis: Key Insights and Learnings

*** This is a Security Bloggers Network syndicated blog from Security Influencers Blog authored by David Hafley, VP of Engineering at Contrast Security. Read the original post at: