My notes from a recent customer roundtable

4.16 - Updated this with notes from the recent BMW webinar and changed the order to make it a little more consumable. You can find the webinar here: https://www.youtube.com/watch?v=5OxR2NyJz4s

Very positive feedback from developers: "very cool tool"; Contrast "absolutely speed up our software".

BMW's goal was to "speed up time to market, decrease security risk, automate all tests, CI pipeline integrations". Their pen tests were "very time consuming, almost always late in the development process and expensive"; "sometimes when time to market is at risk (prior to Contrast) they would have to go to production without pen tests".

Contrast's embedded security model is a "real success story" that "enables developers to become their own pen testers" with an "immediate (2 second feedback loops) view of vulnerability findings and how to fix". He "has not seen a false positive so far across 50 applications". "They are able to pass a pen test first time every time and do not need a retest."

Your AppSec team will love this because "the usage of automated security testing reduces the quantity of pen tests, enabling our team to focus on business logic." Many of our customers reduce pen test spend by ~50% or make their team significantly more productive. Per BMW, Contrast has found many critical vulnerabilities.


V1.0 - Previous customer roundtable with two Fortune 100 customers and one mid-enterprise customer:

Contrast "allows us to make security more inclusive" and lets us "open it up to developers without requiring extensive training"; it "makes it closer to the developers' mindset".

"The issues that Contrast finds were the most interesting things; they are actually real. It's not like static analysis, which generates lots of noise; they are things that can be repeated and true." "Surprisingly, I was able to see SQL injections that you only see in YouTube videos. I never thought I was going to see them in code." "This allows them to see the stack trace of what exactly is going in and what is going out."

"It's nowhere near as noisy as some of the tools that just do fancy pattern matching." "You can see that stack trace with what exactly is going in and what exactly is going out." The tool, Contrast, is showing "this is what we saw, this is how you handle it and this is why it's a problem". "It saves me a lot of headaches, or a lot of additional effort, of trying to answer questions of what may be theoretical... they can actually see it."

--How do you encourage developers to do the right thing with Contrast? 

"We try to do more positive encouragement." "Basically show them how it works"; why it works and what it's looking at helps build trust. "Being able to see the request and response, follow the code, it allows them to follow and look at it." Rather than an automated pen test, "it provides the information in a way they are familiar with. With the how-to-fix information that's right there in the dashboard, it kind of drives it home for them. It explains it in a way each developer can understand."

Leveraging open source is great, but you are only as strong as your weakest link.

Developers are empowered to find new ways to bring open source in. "As we find those (libraries) we are able to find out very quickly who's using which version" ... and help them.

SolarWinds and Equifax were just a preliminary version of how expensive and how underestimated this problem will be.

We have a full inventory of everything in use (open source, OSS), which as you can guess is hundreds of thousands. What is key, and what is becoming more and more critical, is being able to separate noise from signal. It's inevitable with large amounts of legacy code to have too much to fix. The company cannot stop what it is doing and just go do upgrades... things break. The key is being able to separate the libraries that need to be fixed, actually pinpointing exposure and why. It's key to know which ones put you at real risk.
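The two points above (finding out quickly who is using which version of a library, and separating the libraries that put you at real risk from the ones that merely ship with the application) come down to joining three data sets: the component inventory, an advisory feed, and a record of what each application actually loads at runtime. The following is an added illustration written for these notes, not Contrast's code or data model. Library names, advisory identifiers, version numbers and the per-application "loaded at runtime" sets are all constructed sample data; only the join logic is the point.

```python
"""Prioritise vulnerable third-party libraries by observed runtime exposure.

Added example for these roundtable notes; not Contrast's code. All inventory,
advisory and runtime data below is constructed sample input.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Component:
    app: str        # application that ships the library
    library: str    # library name
    version: str    # version shipped


@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # constructed identifier, not a real CVE
    library: str
    fixed_in: str     # first version that is NOT affected
    severity: str


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.17.1' into (2, 17, 1) so versions compare numerically.
    A plain string compare would wrongly rank '2.9.0' above '2.17.0'."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, advisory: Advisory) -> bool:
    """Affected when the shipped version is older than the first fixed version."""
    return parse_version(version) < parse_version(advisory.fixed_in)


def who_uses(inventory: List[Component], library: str) -> Dict[str, List[str]]:
    """Answer 'who is using which version of this library?' as version -> apps."""
    by_version: Dict[str, List[str]] = {}
    for comp in inventory:
        if comp.library == library:
            by_version.setdefault(comp.version, []).append(comp.app)
    ordered = sorted(by_version.items(), key=lambda kv: parse_version(kv[0]))
    return {version: sorted(apps) for version, apps in ordered}


def prioritise(
    inventory: List[Component],
    advisories: List[Advisory],
    loaded_at_runtime: Dict[str, Set[str]],
) -> Dict[str, List[Tuple[Component, Advisory]]]:
    """Split vulnerable components into 'exposed' (the app was actually seen
    loading the library at runtime) and 'latent' (vulnerable version on the
    classpath but never observed loaded). Each bucket is sorted by severity."""
    exposed: List[Tuple[Component, Advisory]] = []
    latent: List[Tuple[Component, Advisory]] = []
    for comp in inventory:
        for adv in advisories:
            if adv.library != comp.library or not is_affected(comp.version, adv):
                continue
            loaded = comp.library in loaded_at_runtime.get(comp.app, set())
            (exposed if loaded else latent).append((comp, adv))

    def order(pair: Tuple[Component, Advisory]):
        comp, adv = pair
        return (SEVERITY_RANK[adv.severity], comp.app, comp.library)

    return {"exposed": sorted(exposed, key=order), "latent": sorted(latent, key=order)}


# Constructed sample inventory (SBOM-style: app, library, version).
INVENTORY = [
    Component("billing", "example-logging", "2.14.1"),
    Component("billing", "example-json", "1.9.4"),
    Component("portal", "example-logging", "2.17.1"),
    Component("portal", "example-json", "1.9.2"),
    Component("reports", "example-logging", "2.14.1"),
    Component("reports", "example-xml", "3.0.0"),
]

# Constructed advisory feed; identifiers are placeholders, not real CVEs.
ADVISORIES = [
    Advisory("ADV-0001", "example-logging", "2.17.0", "critical"),
    Advisory("ADV-0002", "example-json", "1.9.5", "high"),
]

# Constructed runtime observation: which libraries each app actually loaded.
# 'reports' ships example-logging but was never observed loading it.
LOADED_AT_RUNTIME = {
    "billing": {"example-logging", "example-json"},
    "portal": {"example-json"},
    "reports": {"example-xml"},
}

if __name__ == "__main__":
    print("example-logging usage:", who_uses(INVENTORY, "example-logging"))
    result = prioritise(INVENTORY, ADVISORIES, LOADED_AT_RUNTIME)
    for bucket in ("exposed", "latent"):
        for comp, adv in result[bucket]:
            print(f"{bucket:8} {adv.severity:8} {comp.app}/{comp.library} "
                  f"{comp.version} ({adv.advisory_id}, fixed in {adv.fixed_in})")
```

The "exposed" bucket is what goes to developers first; the "latent" bucket still gets upgraded eventually, but it is the noise the customer above is talking about when the backlog is hundreds of thousands of components. A real feed would carry affected version ranges rather than a single fixed-in version, and a real runtime signal would come from an instrumentation agent rather than a hand-written dictionary; both are simplified here.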

It's really key to be able to block the exploitation of vulnerabilities (RASP) for business-critical applications that need to be delivered. This helps us avoid developers trying to circumvent our process and putting the business at risk.

"The ability to put a lot of that responsibility back into the developers' hands." Normal QA and user experience testing allows us to find things you may not find in a pen test.

"Contrast set a pretty high bar for all vendors we work with... how the partnership is going to be... we want to replicate that success."

--Do you have an example of something you did with Contrast everyone should know about? 

"The ability to meet the deadline. It's really important to be able to deliver what you commit to the board on time."

"My answer is twofold. First, I am going to say something I didn't think was possible years ago. We have about 3,000 applications and as of this moment we only have 1 critical vulnerability, and that's about to go away. I don't know if you can imagine the amount of legacy code... I would have lost a bet on this years ago." In the future "we want to shift the mindset towards 'what good you've done', shifting KPIs away from negative KPIs."
