By Orlando Villanueva
December 5, 2022
Security affects every digital company, from small startups to global enterprises. Security issues range from minor annoyances to major catastrophes that damage a company's reputation and its existing user base. There is no sign of the trend slowing: a recent vulnerability report by Risk Based Security noted that 28,695 vulnerabilities were disclosed in 2021, the highest number ever recorded.
According to IDC’s 2022 U.S. Accelerated Application Delivery Survey, 90.5% of organizations are releasing features with lead times of a month or less. As software development continues to demand a higher speed for deployment, we are beginning to enter a perfect storm of rapid application development and a growing number of bad actors and vulnerabilities to match it. IDC projects that by 2025, there will be 750 million new logical applications increasing application attack surfaces, making them a sought-after target for bad actors.
Making things even trickier, open-source libraries, which are a great way for developers to deliver features faster, are estimated to appear in up to 96% of applications. Open-source code is not inherently worse than code written from scratch, but a vulnerability in a widely used library is inherited by every application that depends on it, and many of those libraries arrive as transitive dependencies that nobody on the team reviewed. It is still an understandable choice for busy developers trying to deliver quality code under ever-tightening deadlines.
For decades, security has been managed by a team in a separate organization that only reviews the code once it’s actually committed, scans for issues and demands that developers make changes, even if they’ve already moved to another project. This traditional approach to security has been a top-down experience delivered by AppSec experts who are removed from the challenges of code development. It’s not hard to understand why this approach is a major source of frustration for everyone involved.
The problem with this security strategy is that few people understand security requirements, threat modeling and architecture. Dividing security from developers in this way means that the people fixing security issues have less in-depth knowledge of the applications, increasing the likelihood of remediations being less secure and more time-consuming to complete. Additionally, because this working model doesn’t leave security in the hands of developers, development teams may be unfamiliar with security requirements, best practices or how their organization handles incidents.
Security is a vital part of every application, for good reason. If there are vulnerabilities in your product, hackers can attack it and steal data or credentials, leading to identity theft, the installation of ransomware and other security breaches.
The more developers know about security, the better their applications will be at keeping users’ data safe. Knowing the ins and outs of good security will also help developers ensure that their applications run smoothly, consistently and with fewer security risks. And, because developers know the application better than anyone else, it makes sense to have the developers — who know how thorough or makeshift their development choices are — search for and repair vulnerabilities.
The shift-left trend in security has already gained traction. According to GitLab’s 2022 DevSecOps report, over 57% of security team members stated that their organizations have either shifted security left or are planning to this year.
Developers have strict deadlines, and security is not a functional requirement for most devs within organizations. As such, security tools that exist outside of developers’ normal workflows are essentially a non-starter: Such tools must, rather, exist within their pipelines. In an ideal world, developers would be involved in the entire life cycle of an application, from original development to release, giving them ample opportunities to perform testing throughout the development process.
To get started on their security journey, developers need security tools that are simple to integrate and, at a minimum, scan their source code and libraries for vulnerabilities consistently throughout the development process, so that bugs and exploitable oversights are less likely to reach the final release. Catching issues early keeps minor vulnerabilities from accumulating into security debt and makes a quality release far more likely.
This trend of integrated security tools has pushed development teams to increase their use of scans in 2022. Today, 53% of developers run Static Application Security Testing (SAST) scans, according to GitLab’s 2022 DevSecOps report. Nearly 60% of security experts report that their devs now scan containers (up 10% since 2021), while 56% take advantage of dependency scans (SCA) and 61% run license compliance checks (SCA).
Contrast is the first security platform that enables and empowers developers to build and ship applications that are secure from the start. Instead of treating security as an issue delegated to a separate team, Contrast's mission is to put it directly in developers' hands.
Contrast delivers a cohesive set of tools that allow developers to build secure applications from the ground up and solve some of the most common security challenges that affect them. Our tools help you build applications resistant to common vulnerabilities and security risks. You can start your developer journey for free with our developer security motion CodeSec, then progress with our market-leading enterprise solutions Contrast Scan (SAST) and Contrast SCA.
But why stop there? Let’s explore some of the integrations and products Contrast Security is able to offer to both free and paid development teams, so you can take your application’s security to the next level.
Contrast’s command-line interface (CLI) tool enables developers to integrate Contrast Security within their existing security infrastructure. This tool provides a fully interactive CLI and is a convenient way to manage your Contrast account and to perform security scans and checks.
Note: CLI design is the same for both free and enterprise users.
Contrast CLI tools support top programming languages as detailed in this list, including:
The following CLI tools can help you find security vulnerabilities from your terminal, regardless of which of these languages you use:
In the Agile world of DevSecOps, it's essential to ensure that the Continuous Integration/Continuous Deployment (CI/CD) pipeline is secure. That's why Contrast offers GitHub Actions for both SAST and SCA capabilities, so developers can secure their GitHub workflows against vulnerabilities in both their own source code and their open-source dependencies. Learn more about this app on our GitHub product page.
Note: Contrast GitHub Actions is available to both free and enterprise users.
Contrast SCA is a protection platform that scans your entire software supply chain and identifies vulnerabilities in third-party libraries or packages across the entire SDLC, from coding to production. It flags any gaps in security that exist within your software supply chain, including direct and transitive dependencies that get introduced unnoticed during build cycles. With instrumentation embedded within the application, Contrast SCA can also flag which libraries are used or unused so developers can take a more targeted approach to remediation and not waste hours fixing libraries that pose no risk. Additionally, Contrast SCA enables teams to create Software Bills of Materials (SBOMs) to increase visibility and manage supply-chain risk.
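To make the SCA concepts above concrete (direct versus transitive dependencies, matching against advisories, prioritising libraries the application actually loads, and emitting an SBOM), here is a toy dependency-analysis pass written as an added example. It is not Contrast SCA's code; the lockfile excerpt, the advisory list with its placeholder IDs, and the set of modules "observed at runtime" are all constructed for the demo, and version matching is exact rather than range-based.

```python
"""Toy software-composition-analysis (SCA) pass over an npm lockfile.

Added example, not Contrast's code. LOCKFILE, ADVISORIES and
LOADED_AT_RUNTIME are constructed inputs; advisory IDs are placeholders.
"""
import json
from collections import deque

# Constructed excerpt in package-lock v3 shape: the "" key is the root
# project, every other key is a node_modules path.
LOCKFILE = json.loads("""
{
  "name": "demo-app",
  "packages": {
    "": {"dependencies": {"express": "4.17.1", "lodash": "4.17.15"}},
    "node_modules/express": {"version": "4.17.1",
                             "dependencies": {"qs": "6.7.0", "cookie": "0.4.0"}},
    "node_modules/qs": {"version": "6.7.0"},
    "node_modules/cookie": {"version": "0.4.0"},
    "node_modules/lodash": {"version": "4.17.15"}
  }
}
""")

# Constructed advisory feed: package -> [(vulnerable_version, advisory_id)].
# Real feeds use version ranges; exact-match keeps the demo short.
ADVISORIES = {
    "qs": [("6.7.0", "ADV-0001")],
    "lodash": [("4.17.15", "ADV-0002")],
}

# Constructed: what an in-application instrumentation agent observed being
# loaded at runtime. lodash is installed but never required.
LOADED_AT_RUNTIME = {"express", "qs", "cookie"}


def dependency_graph(lock):
    """Map package name -> {'version', 'deps'}; '' is the root project."""
    graph = {}
    for path, entry in lock["packages"].items():
        name = "" if path == "" else path.rsplit("node_modules/", 1)[1]
        graph[name] = {"version": entry.get("version"),
                       "deps": set(entry.get("dependencies", {}))}
    return graph


def classify(graph):
    """BFS from the root: depth 1 is a declared (direct) dependency,
    anything deeper was pulled in transitively."""
    kind = {}
    queue = deque((dep, 1) for dep in graph[""]["deps"])
    while queue:
        name, depth = queue.popleft()
        if name in kind:
            continue
        kind[name] = "direct" if depth == 1 else "transitive"
        queue.extend((child, depth + 1) for child in graph[name]["deps"])
    return kind


def find_vulnerable(graph, advisories, loaded):
    """Match installed versions against advisories; rank loaded code first,
    since an installed-but-unused library is lower remediation priority."""
    kind = classify(graph)
    findings = []
    for name, node in graph.items():
        if name == "":
            continue
        for version, adv_id in advisories.get(name, []):
            if version == node["version"]:
                findings.append({"package": name, "version": version,
                                 "advisory": adv_id, "kind": kind[name],
                                 "loaded": name in loaded})
    return sorted(findings, key=lambda f: (not f["loaded"], f["package"]))


def sbom(graph):
    """Minimal CycloneDX-style bill of materials with package URLs."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "components": [{"type": "library", "name": n,
                            "version": node["version"],
                            "purl": f"pkg:npm/{n}@{node['version']}"}
                           for n, node in sorted(graph.items()) if n]}


if __name__ == "__main__":
    g = dependency_graph(LOCKFILE)
    for finding in find_vulnerable(g, ADVISORIES, LOADED_AT_RUNTIME):
        print(finding)
    print(json.dumps(sbom(g), indent=2))
```

Run against the constructed inputs, the vulnerable `qs` is reported first because it is both transitive (nobody declared it) and actually loaded, while `lodash` is flagged but ranked lower because the instrumented application never loaded it.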
Contrast Scan is an industry-leading code-scanning (SAST) tool built from the ground up to make security testing as routine as a code commit while focusing on the most imperative vulnerabilities to deliver fast, accurate and actionable results. Contrast Scan delivers:
Purpose-built for native developer pipelines — Built from the ground up to run in any modern pipeline. Code scans can be started from the Contrast dashboard, from the CLI, or from build automation (e.g., Maven, Gradle, GitHub Actions) through a simple application programming interface (API) or a secure code upload.
Lightning speed without sacrificing accuracy — Expedited time to value for security and development teams when accounting for setup, code scan and triage time. Speed without compromising accuracy allows scans to be run and results to be actioned without breaking the CI/CD pipeline.
Focus on what gets you hacked — With an exploitability-focused detection algorithm, achieve the most accurate static analysis solution based on OWASP Benchmark scores. This allows organizations to focus limited staff resources on the critical vulnerabilities that matter.
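The difference between flagging every database call and flagging the ones that are actually reachable from untrusted input is the source-to-sink reasoning a SAST engine performs. The following is an added example of that idea in miniature, written for this article and not Contrast Scan's engine: it parses a constructed Flask snippet with Python's `ast` module, treats `request.args.get` / `request.form.get` as taint sources and `execute(...)` as the sink, and reports only queries built from tainted data. It is intra-procedural and knows nothing about sanitizers, which is exactly the gap a production engine has to close.

```python
"""Toy source-to-sink SQL-injection check of the kind a SAST engine performs.

Added example, not Contrast Scan's engine. SAMPLE is a constructed snippet;
SOURCES and SINK are the demo's own assumptions about taint boundaries.
"""
import ast

SAMPLE = '''
from flask import request

def lookup(db):
    user = request.args.get("user")                             # untrusted source
    cur = db.cursor()
    cur.execute("SELECT * FROM t WHERE u = '" + user + "'")    # tainted: concatenation
    cur.execute(f"SELECT * FROM t WHERE u = '{user}'")          # tainted: f-string
    cur.execute("SELECT * FROM t WHERE u = ?", (user,))         # safe: bound parameter
    cur.execute("SELECT COUNT(*) FROM t")                       # safe: constant query
'''

SOURCES = {("request", "args", "get"), ("request", "form", "get")}
SINK = "execute"


def _dotted(node):
    """request.args.get -> ('request', 'args', 'get'); () if not a plain path."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return tuple(reversed(parts))
    return ()


def _names_in(node):
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def find_sqli(source):
    """Return sorted line numbers of execute() calls whose query argument
    is built from a tainted variable. Intra-procedural and flow-insensitive:
    taint is propagated through simple assignments until a fixpoint."""
    tree = ast.parse(source)
    findings = []
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        changed = True
        while changed:  # iterate so chains like a = src(); b = a; c = b propagate
            changed = False
            for node in ast.walk(func):
                if (isinstance(node, ast.Assign) and len(node.targets) == 1
                        and isinstance(node.targets[0], ast.Name)):
                    target, rhs = node.targets[0].id, node.value
                    from_source = (isinstance(rhs, ast.Call)
                                   and _dotted(rhs.func) in SOURCES)
                    if target not in tainted and (from_source or _names_in(rhs) & tainted):
                        tainted.add(target)
                        changed = True
        # Only the query argument (args[0]) matters: data passed as a bound
        # parameter never becomes part of the SQL text.
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and _dotted(node.func)[-1:] == (SINK,)
                    and node.args and _names_in(node.args[0]) & tainted):
                findings.append(node.lineno)
    return sorted(findings)


if __name__ == "__main__":
    print("tainted execute() calls on lines:", find_sqli(SAMPLE))
```

On the constructed sample the checker reports the concatenated and f-string queries and stays quiet on the parameterised and constant ones, which is the signal-versus-noise distinction the bullet above is describing.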
CodeSec is Contrast’s developer security motion that offers a free, easy-to-use CLI tool that delivers Contrast’s market-leading SCA, SAST and Serverless solutions right to developers at no cost.
CodeSec enables developers to scan, secure and ship their code in minutes, with scans up to 10x faster and 70% less noise than legacy SAST tools. Top that with access to a powerful SCA capability and a one-of-a-kind free serverless tool, and it's no wonder that CodeSec has detected over 50,000 vulnerabilities and counting for its free users.
To get started with CodeSec, install it with Homebrew or npm, or download the binary directly. Authenticate with your Google or GitHub account, and you're ready to start scanning.
Note: Contrast GitHub Actions are also available to CodeSec users. CodeSec's free CLI tool offers the same scanning speed, accuracy and integrations as our enterprise solutions. However, there is a limit on the number of scans a single user can perform per month: see the pricing page for more information.
Hackers are discovering new ways to steal user data and break into systems. The increase in hacking has gotten so intense that the federal government has stepped in. In May 2021, the White House issued Executive Order 14028 on improving the nation's cybersecurity. The EO led to a September 2022 memo from the Office of Management and Budget (OMB), M-22-18, that will usher in a new era of software transparency: federal agencies must request self-attestation letters about software security practices from software producers, and may request SBOMs that list all open-source and third-party components present in a codebase.
In light of the current climate of increased hacking and the concomitant ramping-up of government oversight, it’s essential for developers to understand the level of control they have in implementing security in their applications and services so that they don’t weaken security or even wind up in the courts.
Contrast developer tools can help stay in front of these trends by securing code throughout the SDLC, from the very inception — planning, requirements and design — on into application building, documentation and testing, and even through to deployment runtime and maintenance. Our developer tools deliver security control directly into the hands of developers, making your applications much more secure and promoting the shift-left approach.
For more information on how to get started with CodeSec for free, visit Developer Central today.
For more about writing secure code with enterprise-level security and to learn more about Contrast Security, schedule a free demo today.
Sr. Product Marketing Manager, CodeSec, Contrast Security