DevOps Chats: Route Intelligence From Contrast Security

Contrast Security has released the first “Route Intelligence” functionality in the latest version of its next-generation security platform.

In this DevOps Chats, we speak with Contrast’s CTO/co-founder, Jeff Williams, about what route intelligence is and why you should have a look at it.

Contrast continues to set the bar in DevSecOps, pushing beyond vulnerability scanning to enable more security software.

As usual, the streaming audio is immediately below, followed by the transcript of our conversation.

Claroty

Transcript

Alan Shimel: Hey, everyone, it’s Alan Shimel, DevOps.com and Security Boulevard. You’re listening to another DevOps Chats. In this DevOps Chats, we’re gonna catch up with Jeff Williams, CTO and co-founder at Contrast Security. Jeff, welcome to DevOps Chat.

Jeff Williams: Thanks, Alan. Always a pleasure.

Shimel: Always a pleasure to have you on, my friend. I know we were originally, Jeff, trying to talk at RSA, but that seems to have gotten away from us. But you know what, so much the better, because I think now we get to discuss something that maybe wasn’t around or you couldn’t talk about at RSA, and that’s something that Contrast is rolling out called their first round intelligence, right?

Williams: That’s right. Yeah, we’re super excited about it.

Shimel: Cool. So, let—if you don’t mind, why don’t we tell our audience a little bit about what do we mean by first round intelligence?

Williams: Yeah, so, when you build a web application you have to somehow tell the application which URLs go to what code. And every language, every framework does this differently, but it’s actually really critical to security analysis to understand the routes that is this URL when it causes this transaction to happen in the code. And it’s not something that any other tools can really understand, because the frameworks are quite complicated.

So, you know, using Contrast’s instrumentation based approach to application security, we’re able to see the routes as they’re being registered with the framework and we can expose those. So, that’s all sort of under the covers technical mumbo jumbo. [Laughter] But what it means is that you can really understand how much of your application you’ve actually tested. If I tell you your application has 72 routes, then you can know how many of those routes have actually been analyzed for security problems, and you can see exactly which routes still need to be tested to see if they’re safe or not. Make sense?

Shimel: It makes perfect sense to me. You know, in my mind, Jeff—and maybe this is an oversimplification—it’s almost like the exact opposite of, you know, back in my day, we used to have sort of these attack maps. You know, companies, Giddy Cohen’s company, I don’t remember—SkyNet, right? So, they would show you the route an attacker would take coming into your network and eventually wind up back where your application sits or where there was something vulnerable that they can hit, whether it be the application—

Williams: That’s right.

Shimel: – the database, the web server, et cetera. This is almost coming at it from the other end of the map, right? Saying, “Okay, from the application on out, what is the route, right, that’s being taken here?” Would that be a fair—

Williams: That’s right, I think it’s a good analogy. I mean, sort of everything has moved up the stack since those days. And so, you know, now most of the innovation is happening at the application layer. That’s where people are doing their digital transformations and they’re turning their enterprises into code, and they need to have this understanding to know sort of what is the attack surface of their application layer.

And you can’t do it with static analysis, it’s just way too complicated. Those tools can’t see what routes are exposed. You can’t do it dynamically with a dash scanner kind of tool, because those tools don’t know what they’re attacking, they’re just using the user interface as a guide to figure out what’s exposed, but they don’t really know what’s there. So, this is very new and it’ll really help folks get really good coverage over their web application.

I’ll give you an example of a real success story. Recently, I was at a large mutual fund company, and they’ve been using Contrast for a while, and we enabled this route intelligence feature. And they noticed that a number of their applications had a bunch of exposed routes that they hadn’t been testing. And in fact, when they dug into it, they didn’t really know that these routes were there. These are hidden routes, and many organizations have these hidden routes. In this case, those routes were added by the framework.

So, Spring Boot has a way of adding in extra routes to applications, unbeknownst to the developers. They’re called management routes, and they do things like they allow you to get the environment variables or test the status of the application, even capture snap a heap dump of the memory inside the application, all of which are really dangerous to expose externally, and this mutual fund company didn’t know that those routes had been exposed to the public and were sitting there just waiting for anybody to hit them. But Contrast illuminated those routes, allowed them to see them, they very quickly realized they were a security risk and they’ve now turned them off in a whole bunch of their applications. But that’s just, you know, sort of one aspect of why it’s really important to understand your routes.

Shimel: Exactly. And, you know, and it’s something else, too, Jeff, and it’s kind of a wave that I saw building maybe two years ago, I first saw it, but I’ve seen a ton of companies since then—not a ton, but more than several companies in the cyber space since then, and that is, trying to let people know where and what assets they have within their digital domains, right? And knowing that is only half the story. This seems to be the other half of the story. Okay, so, I know I have this, that, and that, and when I use this application, where does it go to this, that, and that, right? Because you need that intelligence.

What’s scary to me is, I guess before we had the cloud in the apps, I thought we had a handle on these things, right? Maybe it’s because it was simpler then, right?

Williams: [Laughter] Yeah.

Shimel: You know, your app lived on a server, it was projected out maybe onto a web server, your data was back in a database.

Williams: Yeah, I think that’s right. It was a little simpler in the old days. Things are getting very complicated with smashing up these monolithic apps into a whole bunch of APIs which can then run anywhere. It makes it very difficult to understand where your code is and what it’s doing.

So, this route intelligence feature is part of our efforts to expose what’s really going on inside the application layer. You mentioned inventory, very important to understand your inventory. Contrast helps with that by kind of letting all your codes self-inventory. So, instead of having to run around with a clipboard and write down where all your code is, Contrast automatically collects all that from all your apps and builds an inventory in reverse, actually, like it’s, the apps are reporting in to tell you exactly where they are.

We tell you what code’s in each of those things, so we analyze all the libraries and the frameworks and the custom code and tell you what’s in there, and this route intelligence feature is taking it to that next level. It says, “Hey, here’s exactly what exposed end points connect to which code to allow you to see exactly how the apps are put together.” And then the future of this route intelligence capability is to start reporting details about each of those routes.

Like, wouldn’t it be fantastic if you could just quickly query Contrast and ask, “Hey, show me all of my routes that have sensitive information going into them that connect to SQL database on the back end.” And show me—maybe you wanna say, “Hey, show me if any of those routes don’t have an access control chat associated with them.” A really powerful way to zoom in on what’s really important and find those kinds of architecture level vulnerabilities that you’re paying tons of money to pen testers and security analysts to try to figure out the hard way. We can do all that much more easily.

Shimel: Makes sense, makes perfect sense. It’s crazy. It’s a really powerful tool. Jeff, how is—I know it’s part of the bigger Contrast assess offering, but how do you price this out, you know, for people when they have a question on it?

Williams: Oh, yeah. So, generally, we price it per app. It’s an annual subscription per application, and we’re not real strict about how you define an application. It’s generally, you know, the code that a team of developers is working on. So, it’s pretty easy.

However you think of your application inventory, that’s how we’ll track it, and then using Contrast is really easy, you just add Contrast to your application and then keep doing your normal development the way you’ve always done it. You don’t have to change anything about the way you build or test or deploy your code. Contrast just sits there in the background gathering instrumentation based telemetry from your applications and building you this picture so you always have an up to date dashboard of everything that’s going on from an application security perspective across your portfolio.

Shimel: Exactly, exactly.

Williams: And it’s a little different—

Shimel: I—I’m sorry, go ahead.

Williams: – it scales really differently. I was just gonna say, it scales really differently than scanners. Like, scanners, you kinda have to go one by one through your portfolio. But with Contrast, you can deploy it across hundreds or thousands of applications. We see a lot of cloud deployments these days where people are just adding Contrast to their standard server build, and then it just goes out across hundreds of applications or thousands of applications all at once and, you know, you can sort of turn on the lights with regard to AppSec, instead of just getting the strobe light visibility into one app at one time, instead, you can see kind of everything all at once.

Shimel: Across. You know, and the other thing, Jeff, too, is—for too long, frankly, and I’m not knocking the, right? There are a lot of companies that have made a lot of money in the AppSec space, and there’s been a lot of improvement in the security of our applications.

But really, for too long, AppSec was really just scanning the code, scanning your app. You know, a different kind of vulnerability scan, if you will, right? But not that different.

Williams: Yeah, that’s right. [Laughter] I’m not a huge fan of scanning any more, because applications have gotten a lot more complicated, and you know, if you look at the results of what the scanning tools are producing, they’ve missed a lot of vulnerabilities, and more importantly, they generate tons of false positives which, you know, as a DevOps person, you know that the speed of being able to iterate on software is, it’s paramount.

Shimel: Yeah.

Williams: And so, we don’t have time, in a 15 minute build pipeline, you don’t have time to run a scan that takes 4 hours and then takes another two weeks to get the findings triaged by human experts. That’ll just kill your DevOps program. And so, you know—

Shimel: Well, it doesn’t kill the DevOps program. We’ve learned this. The DevOps program goes forward—

Williams: Well, you just, DevOps goes around it.

Shimel: – without your security.

Williams: [Laughter]

Shimel: What it kills is your security program, right?

Williams: That’s fair, yeah.

Shimel: Right? Because people aren’t gonna wait for that. They’ll—you know what? MVP will get it out. When you get me those scan results, we’ll take a look, right?

Williams: Yeah, I think that’s right, yeah.

Shimel: And that’s what happens more often than not, right? I think that’s one of the fallacies of the pre-Copernicus security person who thinks security’s the center of the universe. It isn’t.

Williams: [Laughter] Yeah, that’s an excellent point. It really isn’t. And what was it Zane Lackey says, he said, “DevOps finds a slowdown and routes around it”—

Shimel: Right.

Williams: – “so, security is slowed down ________.”

Shimel: It’s true. Zane always comes up with some good one-liners, but that’s another story. But yeah, no, that’s what it is. So, Jeff, this sounds great. Is it generally available at this point?

Williams: Yeah, it’s available to everybody. It’s actually also available as part of our Contrast community edition. So, if you are interested in IAST and RASP and using an instrumentation based approach to AppSec, you can create yourself an account at contrastsecurity.com/communityedition, and give it a try to see what, you know, how routes can enhance your application security program.

Shimel: Cool. Very good. Jeff, we have maybe—we don’t have too much time left, but beyond this, anything else new at Contrast you wanna share with the audience, maybe?

Williams: Well, let’s see. We’re growing really fast. So, we’ve got now a team in Belfast, we’ve also got a team in Japan. So, we’re expanding internationally quite a bit. We’re almost 300 people now, and I don’t know if you got a chance to swing by our booth at RSA, but you saw, you know, we had a real big booth there and had a lot of great meetings.

I think it’s gonna be a really exciting year for Contrast. I think it’s finally time that people are viewing IAST as the way to start with application security. And, you know, it’s been so long for SAST and DAST and sort of a scanning based approach. But we’ve finally got people to a point where they know about IAST, they know about RASP and they’re starting there. You know, you start with the easy thing that covers most of your portfolio, and then if there’s still a few edge cases where you need to use static or dynamic, great. But we’ve gotta get people off those, because they’re slowing down people’s programs way too much.

Shimel: Got it. I’ve gotta be honest, I never made it to the show floor at RSA, Jeff, I was so busy with videos putting on our DevSecOps Days event the Monday of RSA weekend in Moscone.

Williams: Yeah, of course.

Shimel: So, between that and a couple of other things—

Williams: Well, I’ll tell you what, it was roughly the same as it’s always been.

Shimel: I’m sure it was. You know what they say, you’ve seen one, you’ve seen ‘em all, but—no, I’m only kidding. [Laughter]

Williams: No, it’s true. [Laughter]

Shimel: It is. Anyway, Jeff, I wanna thank you for joining us today. Good luck with this. It sounds like an exciting new frontier in the AppSec wars, right, and making us all—making all of our applications more secure and providing a better experience for end users. So, good stuff. Keep up the great work at Contrast. It’s always a pleasure to see how you guys are kinda knocking it out of the park.

Williams: Thanks, Alan. Great to talk to you as always.

Shimel: Alright. Jeff Williams, CTO, Co-founder, Contrast Security. This is Alan Shimel, and you’ve just listened to another DevOps Chats.

Alan Shimel

Avatar photo

Alan Shimel

Throughout his career spanning over 25 years in the IT industry, Alan Shimel has been at the forefront of leading technology change. From hosting and infrastructure, to security and now DevOps, Shimel is an industry leader whose opinions and views are widely sought after.

Alan’s entrepreneurial ventures have seen him found or co-found several technology related companies including TriStar Web, StillSecure, The CISO Group, MediaOps, Inc., DevOps.com and the DevOps Institute. He has also helped several companies grow from startup to public entities and beyond. He has held a variety of executive roles around Business and Corporate Development, Sales, Marketing, Product and Strategy.

Alan is also the founder of the Security Bloggers Network, the Security Bloggers Meetups and awards which run at various Security conferences and Security Boulevard.

Most recently Shimel saw the impact that DevOps and related technologies were going to have on the Software Development Lifecycle and the entire IT stack. He founded DevOps.com and then the DevOps Institute. DevOps.com is the leading destination for all things DevOps, as well as the producers of multiple DevOps events called DevOps Connect. DevOps Connect produces DevSecOps and Rugged DevOps tracks and events at leading security conferences such as RSA Conference, InfoSec Europe and InfoSec World. The DevOps Institute is the leading provider of DevOps education, training and certification.

Alan has a BA in Government and Politics from St Johns University, a JD from New York Law School and a lifetime of business experience. His legal education, long experience in the field, and New York street smarts combine to form a unique personality that is always in demand to appear at conferences and events.

alan has 82 posts and counting.See all posts by alan

Application Security Check Up