Contrast Security is the world’s leading provider of security technology that enables software applications to protect themselves against cyberattacks, heralding the new era of self-protecting software. Contrast's patented deep security instrumentation is the breakthrough technology that enables highly accurate assessment and always-on protection of an entire application portfolio, without disruptive scanning or expensive security experts. Only Contrast has sensors that work actively inside applications to uncover vulnerabilities, prevent data breaches, and secure the entire enterprise from development, to operations, to production. More information can be found at or by following Contrast on Twitter at .
Contrast Assess is a revolutionary application security testing solution that infuses software with vulnerability assessment capabilities so that security flaws are automatically identified.
Contrast Protect gives applications the ability to self-report, at a minimum, the following about an attack: the attacker, the method of attack, which applications were targeted, the frequency and volume of attempts, and the level of compromise. In addition, Contrast Protect provides specific guidance to engineering teams on where the application was attacked and how the underlying weakness can be remediated.
Most studies show that XSS vulnerabilities are very prevalent, affecting the vast majority of applications. Contrast Security's own data shows that 80% of applications have at least one XSS vulnerability. That is a stunning result for a problem that has been on the OWASP Top 10 list for over a decade.
Reinforcing this same cautionary note, Contrast Labs' November 2019 analysis of real-world application security data reports that:
XSS is a type of injection in which a malicious script is injected into an otherwise benign and trusted website. XSS attacks occur when data enters a web application from an untrusted source, most frequently a web request, and is then included in dynamic content sent to a user's browser without being validated and, above all, encoded for the context (HTML element, attribute, JavaScript, URL) in which it is rendered. The browser cannot tell the injected script from the site's own script, so it runs with the site's origin and the user's session.
OWASP publishes a cross-site scripting prevention cheat sheet. Its guidance centres on three strategies: escaping (output encoding for the exact context where the data lands), validating input against an allowlist, and sanitizing HTML that must be preserved as markup. Escaping is the primary control; validation narrows what reaches the page but does not replace encoding, and sanitization is only for fields that legitimately carry HTML.
In general, preventing XSS vulnerabilities is likely to involve a combination of the following four measures:
Content Security Policy (CSP) is a web security standard introduced to limit cross-site scripting (XSS), clickjacking, and other code injection attacks that result from executing malicious content in the trusted page's context. It is maintained by the W3C Web Application Security Working Group (CSP Level 2 is a W3C Recommendation; Level 3 is a Working Draft) and is widely supported by modern browsers. CSP gives site owners a standard way to declare which origins, and which specific scripts (via nonces or hashes), the browser may load and execute on that site. It is defense in depth rather than a fix: a policy that allows 'unsafe-inline' in script-src still lets an injected inline script run, and no policy corrects the missing output encoding that let the script in.
Spotting most XSS vulnerabilities is simple. You just have to find input that flows from an untrusted source into an HTML page without context-appropriate encoding. Often the path from the request to the HTML page is short, for example when the same handler reads a parameter and writes it into the response.
But other XSS vulnerabilities are less common and can be devilishly complex. Imagine an application that has millions of lines of code involved in getting data, transforming it, validating it, storing it, combining it, escaping it, decoding it, persisting it, retrieving it, and finally rendering it. How can one know if there is a path through all that code that creates an XSS vulnerability?
The number of possible paths and patterns is effectively unbounded, which is why tools that reason about the code from the outside struggle to find such XSS without also raising many false positives.
A web application firewall (WAF) is a network defense that filters, monitors, and blocks HTTP traffic to and from a web application. Unlike a network firewall, which filters on addresses and ports, a WAF inspects application-layer traffic and allows or denies requests based on the data visible on the wire. Because it sees only the traffic and not the code, it cannot know whether a suspicious input actually reaches a dangerous sink, which is the root of both its false positives and its bypasses.
Dynamic application security testing (DAST) tools generate thousands of requests and bombard your application with them to see whether anything gets through. DAST tools can find issues that show up in HTTP responses, but they have no visibility inside the application and typically exercise only a fraction of its code.
Static application security testing (SAST) tools, on the other hand, try to model the entire application by inferring how all the source code, libraries, frameworks, and components fit together and will behave when run. That inference makes a lot of mistakes, and in practice these tools typically do not even attempt to model the whole application.
Because both of these approaches are difficult to set up and produce limited results, Contrast is leading the way with the next generation of application security tools, known as Interactive Application Security Testing (IAST).
Contrast Protect is a RASP solution that uses deep instrumentation to eliminate 99% of false positives, securing software applications in a way far superior to legacy tools. Because Contrast operates from within the application, it follows the application as it moves and scales, providing accurate attack visibility, monitoring, and protection.
Any time untrusted data ends up on an HTML page without proper validation and escaping, that fits the definition of cross-site scripting. Contrast takes the innovative approach of simply tagging untrusted data at its source and tracking it wherever it goes within the application. Contrast also tracks every validation and escaping step applied to that data along the way. Then, whenever data is written to an HTML page, Contrast knows whether it is an XSS problem and reports the vulnerability along with the full data path, from source to sink.
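The tag-and-track approach described above, as an added example. This is a toy model written for this page, not Contrast's implementation, and all names (`Tainted`, `fromRequest`, `htmlSink`, the "assess" and "protect" modes) are illustrative assumptions. It tracks a request parameter through an escaping step and a URL-decoding step to an HTML sink, and shows why the order of those two steps matters: the second flow looks safe in code review because an escape call is present, yet the decode that follows reintroduces the angle brackets. The "protect" mode shows the same sink hook refusing the write, which is the self-protecting behaviour the RASP section below describes.

```javascript
// Added example, not Contrast's implementation: a toy model of the taint
// tracking an IAST/RASP agent performs. All names are illustrative assumptions.
const HTML_CONTEXT = "html";

// A value that originated from an untrusted source. `trace` records every
// source, propagator and escaper it passed through; `safeFor` records the
// output contexts it has been correctly encoded for.
class Tainted {
  constructor(value, trace, safeFor = []) {
    this.value = value;
    this.trace = trace;
    this.safeFor = new Set(safeFor);
  }
}
const isTainted = (x) => x instanceof Tainted;
const plain = (x) => (isTainted(x) ? x.value : String(x));

// Source: anything read from the request is tagged.
function fromRequest(param, value) {
  return new Tainted(String(value), [`source: request parameter "${param}"`]);
}

// Propagator: the result is tainted if any part is, and is only safe for a
// context if every tainted part is safe for it.
function concat(...parts) {
  const value = parts.map(plain).join("");
  const tainted = parts.filter(isTainted);
  if (tainted.length === 0) return value;
  const safeFor = [...tainted[0].safeFor].filter((c) => tainted.every((t) => t.safeFor.has(c)));
  const trace = tainted.flatMap((t) => t.trace).concat("propagator: concat");
  return new Tainted(value, trace, safeFor);
}

// Propagator that can reintroduce metacharacters (%3C -> <), so any earlier
// encoding no longer counts: the safe set is cleared.
function urlDecode(x) {
  const value = decodeURIComponent(plain(x));
  return isTainted(x) ? new Tainted(value, [...x.trace, "propagator: urlDecode"]) : value;
}

// Escaper: encodes for the HTML context and records that fact on the value.
function escapeHtml(x) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  const value = plain(x).replace(/[&<>"']/g, (c) => map[c]);
  if (!isTainted(x)) return value;
  return new Tainted(value, [...x.trace, "escaper: escapeHtml"], [...x.safeFor, HTML_CONTEXT]);
}

// Sink: writing to the HTML response. Tainted data that was not encoded for
// HTML is an XSS finding. In "assess" mode the finding is reported and the
// application continues; in "protect" mode (RASP) the write is refused.
function htmlSink(x, mode = "assess") {
  if (!isTainted(x) || x.safeFor.has(HTML_CONTEXT)) {
    return { output: plain(x), finding: null };
  }
  const finding = {
    rule: "reflected-xss",
    evidence: x.value,
    trace: [...x.trace, "sink: HTML response body"],
    blocked: mode === "protect",
  };
  return { output: finding.blocked ? null : x.value, finding };
}

// Two request flows over the same input. The second looks safe in review
// (an escape call is present) but decodes after escaping.
function renderEscaped(q, mode) {
  return htmlSink(concat("<p>", escapeHtml(fromRequest("q", q)), "</p>"), mode);
}
function renderDecodedAfterEscape(q, mode) {
  return htmlSink(concat("<p>", urlDecode(escapeHtml(fromRequest("q", q))), "</p>"), mode);
}

// Constructed sample request value: a URL-encoded script tag.
const sampleParam = "%3Cscript%3Ealert(1)%3C%2Fscript%3E";
for (const [name, fn] of [["escaped", renderEscaped], ["decoded after escape", renderDecodedAfterEscape]]) {
  const { output, finding } = fn(sampleParam, "assess");
  console.log(name, "->", output, finding ? `FINDING ${finding.rule}: ${finding.trace.join(" > ")}` : "clean");
}
console.log("protect mode:", renderDecodedAfterEscape(sampleParam, "protect"));
```

The reported trace for the second flow reads source, escaper, propagator (urlDecode), propagator (concat), sink, which is exactly the detail a developer needs to see that the decode must move before the escape. A real agent instruments the platform's own string, encoding and I/O APIs instead of wrapping values, but the bookkeeping is the same.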
Pinpoint app attacks down to the exact line of code: A WAF can’t tell you the line of code that is being attacked, but Contrast Protect can. Unlike WAFs or external scanners, Contrast analyzes and protects applications from within by integrating security safeguards into the running application making it self-protecting.
Immediately block known exploits and virtually patch newly discovered vulnerabilities: Contrast Protect becomes an essential part of the application, making application security nimble and quick and shrinking the time from "vulnerable" to "protected", even for zero-day attacks.
Most of the tools available to secure software applications (SAST, DAST, and WAF) were invented over a decade ago, and their legacy core technology prevents them from evolving to keep up with modern software movements like Agile and DevOps. What the enterprise needs in this new era is software that is self-protecting, which is what Runtime Application Self-Protection (RASP) provides.
Gartner defines RASP as “a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks.”
RASP provides a level of visibility and accuracy that network security solutions simply cannot achieve. Instead of inspecting every input for potentially malicious patterns, RASP evaluates inputs at the points where they could actually change the application's behavior or operation (the sinks). This approach has the potential to increase accuracy without significantly impacting application performance.
Because a RASP solution incorporates security into the running application wherever it resides, it is able to detect, block, and mitigate attacks immediately, protecting applications in real time by analyzing both application behavior and context. By using the application to continuously monitor its own behavior, RASP can protect it from malicious inputs and behavior such as XSS and injection without human intervention.