IntegrationsAug 22, 20195 min read

CI/CD, meet CAS: Continuous Application Security

Nikesh Shah

Director of Business Development and Strategic Alliances at Contrast Security

2019-08-19-Contrast

Writing secure code with the 7 key concepts of CAS

Did you know that 72% of developers say that security slows down DevOps? Furthermore, 3 out of 4 security executives can’t find enough specialized security personnel with the key skills to support rapid development environments like Agile and DevOps. So how can you deliver 10x more code without compromising the security of your code and your business?

Continuous Application Security (CAS) is a methodology that empowers developers to reliably build and operate secure applications and APIs by transforming paper-based security policy and guidance into “security as code”. Through instrumentation-based security enforcement, CAS enables development, security, and operations teams to work together at the pace of modern software development with scale.

Application security has been around for over 20 years, and many of the traditional concepts have some value at their core. However, applications continue to be the #1 vector leading to successful data breaches. On top of that, the average number of serious vulnerabilities in web applications today is 33, almost exactly what it was in 2003 when the first OWASP Top Ten was released. Even the risks in the OWASP Top Ten itself haven’t changed. The 7 key concepts of CAS are structured to be automated, real-time, and scalable for the digital transformation era.

  1. Continuous: In a world where applications are attacked every day, new threats are frequently unleashed, and as new vulnerabilities are discovered often, enterprises need continuous visibility and control of security across their entire application portfolio. In CAS, vulnerabilities and attacks are instantly detected and reported, not waiting undetected for an annual scan. Most critically, organizations must be able to deploy new defenses immediately in case of an attack, without having to rewrite and redeploy code.

  2. Instrumentation: This is a safe and proven way of adding missing capabilities to applications without having to recode, retest, and redeploy them. Many popular logging and application performance management products have relied on instrumentation for over a decade. Security instrumentation adds real-time capabilities to identify vulnerabilities, block attacks, analyze libraries, provide detailed application inventory, and even enable centralized policy command and control.

  3. Interactive Application Security Testing (IAST): This is an assessment technology that uses instrumentation to detect vulnerabilities by watching applications as they run. IAST is simple to deploy and has significantly more context about the application than SAST or DAST tools, yielding far better coverage and accuracy.

  4. Real-Time Security Feedback: Security costs increase dramatically the longer a vulnerability exists, a threat goes unaddressed, or an attack goes undiscovered. Providing security feedback in real time means that vulnerabilities can be eliminated as part of normal software development, and that attacks can be neutralized before they get started. That eliminates the costs of triaging, documenting, tracking, scoring, and retesting risks.

  5. Runtime Application Self-Protection (RASP): This is a defensive technology that uses instrumentation to add the capability of detecting and blocking attacks to applications at runtime. RASP is simple to deploy and has significantly more context about the application than a WAF or other external protection, and therefore is much more accurate. Contrast Enterprise provides both IAST and RASP in a single agent that works across the entire software lifecycle.

  6. Security: This isn’t some mystical property that can only be glimpsed by wizards. CAS makes it concrete – something to build, test, and measure. In CAS, security is knowing that strong defenses are assigned to the threats that matter most to the business; that those defenses are correct, configured properly, and deployed in all the right places; and that they can detect and block both known and novel vulnerabilities and attacks.

  7. Sensor: In CAS, a “sensor” is a set of security instrumentations designed to analyze code for a particular vulnerability, detect and block a particular attack, or create visibility into some aspect of an application, such as components, frameworks, architecture, or backend connections. These sensors are the basis of both IAST and RASP technologies, and delivered in a single agent in Contrast Enterprise.

For more details on Continuous Application Security, click here.

With CAS there is no requirement for separate security steps. It will not hold up an environment built on continuous and automated processes. The vulnerability analysis is done seamlessly in the background by instrumenting the running application with smart sensors to analyze code, continuously, in real-time, from within the application (delivering security as code).

For a hands-on experience, we encourage you to download Contrast Security Community Edition and the Contrast Security orb to automate application security into your CI/CD pipeline, and empower yourself to solve security problems early on in the software development lifecycle.

Sources:


This post is a part of a series we produced covering DevSecOps. To read more posts from this series, click one of the links below.

Copy to clipboard