Contrast Security named a ‘Major Player’ in the 2022 IDC MarketScape Report
May 6, 2022
Andrew Lach, Senior Director, Global Analyst Relations
IDC MarketScape has named Contrast Security a ‘Major Player’ in the 2022 IDC MarketScape: Worldwide Application Security Testing, Code Analytics, and Software Composition Analysis 2022 Vendor Assessment – Coordinating Security and Quality for Resilience and DevSecOps (doc# US47097521).
We don’t have to look far from the IDC MarketScape assessment to get an understanding of what makes Contrast a Major Player: Contrast’s own customers filled in the blanks, as the IDC MarketScape reported when it noted how well those customers fared during the Log4Shell panic, which involved multiple devastating vulnerabilities in the ubiquitous Java Log4j logging library. “Contrast performed well during the Log4Shell crisis without requiring updates or new rules for its platform – a challenging test for application security vendors,” the IDC MarketScape pointed out.
Ahh, Log4j: Nothing like a hair-raising zero-day in a ubiquitous open-source programming library to make you realize that your apps are running on who-knows-what code that’s potentially riddled with security holes like a fine Swiss cheese, eh?
On Dec. 9, 2021, users discovered that an excruciating, easily exploited flaw in the logging library could allow unauthenticated remote code execution (RCE) and complete server takeover. A “mini internet meltdown” was predicted “soonish.” Within hours, the flaw was being exploited in the wild.
A nightmare ensued, as security and developer teams scrambled to hunt down the library, unsure of which apps, exactly, incorporated Log4j and/or whether the library was actually invoked at runtime, which would thus render those apps exploitable.
Saving developers from sleepless nights
It wasn’t a nightmare for all, though. Contrast’s Secure Code Platform identified the underlying vulnerability automatically to developers, sparing them from having to hunt down Log4j: Instead, they could zero in on exactly where the library resided, remediate and stay safe from a collection of related vulnerabilities that came to be called Log4Shell.
For more details on how Contrast supported customers during Log4Shell, including automatically identifying the underlying vulnerability before the crisis, finding the affected applications quickly and preventing the exploit at runtime, read the report.
Of course, Log4Shell is just one of an interminable parade of zero-days. “This kind of thing happened before and will happen again,” Steve Wilson, Chief Product Officer at Contrast Security, noted at the time. “In 2017, Equifax announced a data breach that exposed personal, confidential information and was very similar to this situation in many ways. It was based on a similar attack technique in a common open-source, free software library called Apache Struts.”
Contrast kept customers safe from Log4j using the same technology and approaches that keep customers safe from other zero days that have cropped up in the months following Log4Shell, such as Spring4Shell and the latest Java digital signature bug, CVE-2022-21449, aka psychic paper.
One major difference between Log4Shell and the Apache Struts situation at the heart of the 2017 Equifax incident: Log4j exposure was far, far broader, as Wilson emphasized. Because the library is sucked into so many application dependencies, organizations struggled to find all the instances of Log4j in their environments, given that they lacked effective, automated tracking on such data.
“The best strategy is to use Runtime Protection, like Contrast Protect, to defend immediately without patching,” Wilson said.
Stopping attacks immediately, without needing to update or patch, lets developers quickly target vulnerable applications and rapidly update vulnerable code.
Contrast SCA doesn’t just provide details on exploitability, which, particularly in the case of open-source libraries that are sprinkled throughout apps, would have resulted in a barrage of alerts. Rather, in the case of a situation like Log4Shell, it only reported dependencies if the library was actually invoked at runtime.
That only makes sense: Why bog down developers with reports about a vulnerable Log4j library if it’s not invoked? Investigating an inactive library is a waste of time for software-driven companies trying to take full advantage of the application economy by getting secure code moving across their complete software development life cycle (SDLC).
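The distinction the two paragraphs above draw, between a library that is merely present in a build and one that is actually invoked at runtime, can be shown as a small triage routine. This is an added illustration, not Contrast's code: the advisory ranges, the dependency inventory and the set of "loaded" modules are constructed sample data (in a real agent the loaded set would come from observing class loading in the running process).

```python
"""Triage vulnerable dependencies by whether they are actually loaded.

Constructed example: a classic SCA pass reports every installed library that
matches an advisory; a runtime-aware pass keeps only the findings whose module
was observed loaded in the running process, cutting the alert noise the page
describes.
"""
from dataclasses import dataclass


def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1); a pre-release tag such as '-beta9' is
    dropped so comparisons stay purely numeric (sufficient for this demo)."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


@dataclass(frozen=True)
class Advisory:
    package: str        # artifact name as it appears in the build manifest
    affected_from: str  # first affected version (inclusive)
    fixed_in: str       # first fixed version (exclusive)
    import_name: str    # module/package name the library exposes at runtime


def is_affected(version, adv):
    """True when version lies in [affected_from, fixed_in)."""
    v = parse_version(version)
    return parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in)


def sca_report(installed, advisories):
    """Classic SCA: every installed package matching an advisory is a finding."""
    return sorted(
        (pkg, ver)
        for pkg, ver in installed.items()
        for adv in advisories
        if adv.package == pkg and is_affected(ver, adv)
    )


def runtime_report(installed, advisories, loaded_modules):
    """Runtime-aware SCA: keep only findings whose module was actually loaded."""
    import_names = {a.package: a.import_name for a in advisories}
    return [(pkg, ver) for pkg, ver in sca_report(installed, advisories)
            if import_names[pkg] in loaded_modules]


# Constructed inventory and advisories (version ranges are sample data only).
INSTALLED = {"log4j-core": "2.14.1", "spring-beans": "5.3.17", "commons-io": "2.11.0"}
ADVISORIES = [
    Advisory("log4j-core", "2.0", "2.15.0", "org.apache.logging.log4j"),
    Advisory("spring-beans", "5.3.0", "5.3.18", "org.springframework.beans"),
]
# Constructed runtime snapshot: only log4j was observed loaded; spring-beans
# is on the classpath but never invoked, so it should not be reported.
LOADED = {"org.apache.logging.log4j", "java.util"}
```

Running `sca_report` on this inventory yields two findings, while `runtime_report` yields only the log4j one.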
The Contrast platform also detects and defends against other code-injection vulnerabilities that may occur in the future – either in custom-developed or open-source code. Contrast Protect accurately detects and blocks attacks against vulnerabilities at runtime, even before they’re fixed or patched, protecting against many zero-day attacks without tuning or reconfiguration. Users who can’t immediately patch or update may still be protected, as they were with Log4Shell, without the need for signature updates.
Getting accurate answers ultra-fast
This is how one Contrast Security customer summed up the Log4Shell crisis at the time: “We were able to analyze whether our own built software would be vulnerable to the Log4j zero-day, using the Contrast Secure Code Platform, and got the answer within 30 seconds by just looking at the Libraries menu! How fast is that!” said Sándor Incze, CISO at mobile services company CM.com.
A customer who spoke with IDC for the report gave Contrast technology high marks “for accuracy and low levels of false positive alerts delivered.” The customer told the analyst firm that their organization was able to take advantage of the hybrid nature of Contrast’s IAST approach in its Contrast Assess technology, which can analyze application data flows at runtime, as they happen.
That’s a major differentiator between Contrast and offerings from similar vendors, said the customer, whose organization has used Contrast Scan — its Static Application Security Testing (SAST) technology — during testing of its customers’ web applications, in addition to Contrast Assess (IAST) and Contrast’s SCA later in the SDLC.
Always-on testing turns function testing into security testing
The IDC MarketScape evaluated 16 vendors, focusing on the vendors that have “sufficient [Automated Software Quality, or ASQ] capabilities available and/or partner integration in key areas of concern for IDC clients,” including Static Application Security Testing (SAST), SCA, mobile AST, fuzz testing, penetration testing, assessment of architectural design impact on quality and security, and code analytics and reporting that spans application portfolios.
Contrast’s portfolio focuses on “innovative and developer-centric” approaches to security testing and SCA that make it suited for DevSecOps, according to IDC’s MarketScape. Contrast’s continuous testing environment lets developers see secure code flow through their development pipeline, making the vision of DevOps a reality by automating security and integrating it seamlessly.
That can empower developers to speed up innovation and continuously secure their code against threats, enabling them to turn functional testing into security testing and to incorporate the results into bug trackers and their integrated development environments (IDEs). The result: Developers can incorporate security into their application development process, the IDC MarketScape explained.
Contrast achieves this by embedding software agents that gather security-relevant data from an application, analyze that data and report findings to Contrast when necessary. In specific situations, a Contrast agent can also take actions within an application to prevent exploitation or enable a security defense, as was the case with Log4Shell. The agents provide context that confirms security vulnerabilities early in the SDLC — including in open-source software (OSS).
Breaking the chains that slow down development
When attacks strike mere hours after vulnerabilities are uncovered, organizations don’t need chains around their ankles. Unfortunately, the world of outdated, disconnected security tools slows developers down and clogs up the development pipeline.
Contrast breaks those chains. Contrast’s new, unified approach empowers security and development teams to get secure code moving seamlessly through the complete SDLC and to jump back into the fast-moving application economy.
IDC’s Melinda-Carol Ballou, Research Director, summed it up in the IDC MarketScape: Contrast’s technology “leverages binary instrumentation in which sensors are embedded within application servers, runtime and user libraries, and other components for vulnerability and attack detection. Contrast Security’s hybrid approach (combining IAST, SAST, DAST, SCA, and runtime application self-protection [RASP]) enables contextualization, improving execution and the ability for developers to remediate issues while helping decrease the percentage of false positives (according to users with whom IDC has spoken).”
TL;DR: Contrast is a Major Player – one with innovative security testing and partnerships that reach into the Azure and AWS environments, one that can help to keep customers safe from OSS vulnerabilities, and one that weaves security testing into every aspect of the SDLC.
It’s DevSecOps, exactly where you need it: namely, on top of your code, within your pipeline and before the next zero day strikes.
*** This is a Security Bloggers Network syndicated blog from AppSec Observer authored by Andrew Lach, Senior Director, Global Analyst Relations. Read the original post at: https://www.contrastsecurity.com/security-influencers/contrast-security-named-a-major-player-in-the-2022-idc-marketscape-report