Log4Shell By The Numbers

We monitor many thousands of applications with Contrast Assess (IAST), Contrast SCA, and Contrast Protect (RASP), so we have a unique data set compared to others and, so far, we have some really interesting takeaways. Of course, our data, like any data, is skewed to who and what we measure ...

WAF, RASP and Log4Shell

Log4Shell has done an excellent job of making the case for Runtime Application Self-Protection (RASP). Here's the quick summary: our Contrast Protect customers have been secure against the remote code execution (RCE) in this vulnerability for years, even before we knew it existed. We want to make our ...

IAST Is the Only Way to Accurately Detect SSRF

With server-side request forgery (SSRF) becoming a more important bug class in the era of microservices, I wanted to show why interactive application security testing (IAST) is the only tool for detecting SSRF accurately and why IAST results are more actionable. ...

Modern Problems: Traditional Security Scanning Wasn’t Built for Today’s Pipelines

Over the past 20 years, source-code scanning using static analysis has been a principal method for testing the security of software in development. This includes many of the same static application security testing (SAST) tools that are still in place today. For some time, scanning offered the best way for ...

Pulling Back the Curtain On: Zip File Overwrites

Zip file overwrites are a cool but rare vulnerability that can occur in apps that work with user-supplied zip files. The folks at Snyk recently found a slew of libraries that do that, and there is a lot of history in this attack vector. In fact, a particular unzipping program ...

Pulling Back the Curtain on RASP

If you set out to build a new WAF today (which, believe it or not, people are still doing), everyone would have some idea of how it would work: you'd set up a reverse proxy, and then use signatures of all kinds on the parameters, headers, body, etc., to detect ...