Interview – Nick Baglin – Contrast Security
DAN ASSOR [00:00:02] Welcome back. I’m Dan Assor from CloserStill Media, and you’re listening to the LinkedIn Live event. So next up, we have Nick Baglin from Contrast Security. Hi, Nick, how are you doing?
NICK BAGLIN [00:00:13] Good. Thank you, Dan. How you doing?
DAN ASSOR [00:00:16] I’m okay. So we’re gonna get straight into it, Nick. Thank you for attending today. It would be great to understand how instrumentation is disrupting the application security market.
NICK BAGLIN [00:00:31] Sure. So I think, firstly, in my opinion, this is a market segment that is ripe for disruption, is crying out for it, and I think for me to explain why I believe that, it’s probably worth reflecting on how application security is being done today. It’s not a new concept. It’s been consistently called out as a major threat for many years. In fact, I think in the latest Verizon Data Breach report, 43% of breaches are tied back to vulnerabilities exploited in applications. So in the last 10 years, companies have really been addressing this problem and threat the same way: they deployed a mixture of static application security testing and dynamic application security testing, or SAST and DAST as they’re more commonly referred to. They have very different approaches to the same problem, but both were early attempts to figure out from the outside what was going on inside the application. However, despite their broad adoption, both have seen problems in the real world. The main one being just an enormous amount of noise, false positives in particular that needed removing manually, or worse still, some false negatives where they just miss vulnerabilities. So at Contrast, our Co-Founders were acutely aware of some of the limitations within SAST and DAST, and so they turned to instrumentation to solve the same problem. Now, the use of instrumentation gives a much more holistic view from inside the application, and the results are very comprehensive, without the false positives and noise, and we’re seeing a very fast-growing demand from many users who are just tired of manually solving the same problem and want to automate. Before I pass back to you, Dan, I just probably should say, because people might complain: instrumentation of apps is not a new thing. Contrast did not invent that.
DAN ASSOR [00:02:37] Yeah. We begin to understand a bit more about Contrast…
NICK BAGLIN [00:02:42] Many people have done it successfully beforehand, but it hasn’t really been adopted broadly for security. So we call our approach IAST, Interactive Application Security Testing. It’s a natural evolution of the market, and it’s absolutely disrupting the way that appsec is done.
DAN ASSOR [00:03:00] Okay, thank you. And the rise of DevOps, do you think it’s changed the way in which organisations approach application security?
NICK BAGLIN [00:03:11] It has. For reasons similar to what I just described, the speed and accuracy of application security has always been under the spotlight. How fast can you find, notify and fix vulnerabilities in code? It’s always been a problem; what DevOps has done is just poured petrol on the fire. I mean, everything has to be done now at DevOps speed. With DevOps inevitably growing globally, the legacy tools like SAST and DAST that were developed pre-Cloud and certainly pre-DevOps, they just can’t keep pace. They’re introducing bottlenecks, introducing friction between dev teams and security teams. So what we see is that when companies are really actively migrating to DevOps, they’re having to refresh the tools and approaches they use for appsec. And that’s when they’re choosing IAST, and those that don’t quite obviously don’t see the true benefits of that DevOps initiative.
DAN ASSOR [00:04:12] Sure. How do you think that would work in a microservices and containerisation environment?
NICK BAGLIN [00:04:18] It’s a very common question, because the adoption of both of those is only increasing too. From the outset, Contrast’s approach and solution was always designed to work with those types of environments. We have a very distributed technology which works in any manner of application environment. The Contrast agent becomes part of the application, so it doesn’t really matter if the application is in a data centre or a VM, Cloud or container; it scales very nicely in those dynamic environments and for APIs and microservices. This is where the legacy tools really struggle: they were never built to cope with them and they really can’t adapt easily. So we’re seeing end users heavily transition to IAST at pace if their business strategy involves using either of those approaches.
DAN ASSOR [00:05:14] Sure. Thank you for that. Who do you think should own securing the code? Do you think it’s development or security?
NICK BAGLIN [00:05:21] Yeah. We see organisations debate this internally for months, over who’s going to pay for it: is this a development tool or a security tool? And really all it’s doing is delaying the benefits that those organisations could be reaping. I think to answer the question directly, in the majority of cases, we see security paying for the appsec tooling, but we actually think it’s the developers who ensure that the project really becomes an overall success. So to answer the question, both really own securing the code, but they really have to work together. To help with this, we developed our solution for developers first and foremost. We always felt we wanted this to be a tool that developers embraced and liked using, and it can teach them how and when they’re introducing vulnerabilities into the code they’re writing. But security, of course, need to see the bigger picture. They need to report on how many vulnerabilities there are, how many are being remediated, and they need to measure. So whilst we do empower and enable the development community, we do give security complete control and visibility in tandem, and that’s been the perfect mix for us.
DAN ASSOR [00:06:43] Thank you. And how do you think a CCO could reduce their security debt on applications? And how can they quickly fix the vulnerabilities that they find?
NICK BAGLIN [00:06:54] So sadly, there is a growing security debt. I think some are in denial, but we really see it, and what I mean by that is that there’s a growing amount of vulnerabilities that are being highlighted but just not remediated. Now, with legacy tools like scanning, what it does is it produces a static PDF report which sits there. It’s not particularly actionable. In fact, we’ve discovered that only 45% of vulnerabilities are remediated within 90 days following a static application security test, which is just not acceptable. And we’ve also found that once past the 90-day mark, the vulnerabilities rarely get fixed. The mantra has to be identify and fix fast. So Contrast Interactive Security Testing provides constant monitoring and real-time feedback. So rather than a PDF report, just think of it like notifications. So imagine a developer is working on an application and inadvertently introduces a SQL injection vulnerability. We get that notification to them immediately; depending on whether they’re using Slack, IDE, Bug Tracker or Microsoft Teams, we’ll communicate with them in their favoured and familiar way. But the result is much faster remediation. This is the very essence of shifting left, solving the problem much earlier in the cycle. And the results are we see 51% of vulnerabilities fixed within the first 7 days, which is a lot better than 45% in 90 days. At 90 days, we see 70% of vulnerabilities fixed, which is a very tangible improvement. And it’s really helping CCOs reduce that security debt.
DAN ASSOR [00:08:36] Sure. Thank you. And lastly, Nick, it would be great, I mean, Amazon recently disclosed that it mitigated the largest ever denial of service attack, with traffic of 2.3 Terabytes per second. Do you think we’re going to see more attacks of this scale?
NICK BAGLIN [00:08:55] Sadly and inevitably, yes, we are. Denial of service is not something that Contrast helps with, but I mean all threat attacks, with denial of service being one, are unfortunately growing, which is why I don’t envy the role of a CCO, but we do try and make it a bit easier for them.
DAN ASSOR [00:09:13] Okay, so Nick, thank you so much. That’s just about all we’ve got time for today. Appreciate it. That’s Nick Baglin from Contrast Security. We are just going to cut to a quick break, and next up is Phillip Griffiths of NetFoundry.