Contrast Security announced that its Secure Code Platform now integrates software supply chain security across the development lifecycle, from the developer desktop to production systems.
The new integration makes Contrast the first platform on the market that allows enterprises to identify their biggest supply chain risks and defend against them.
As a direct response to the 2021 ransomware attack that shut down the Colonial Pipeline, President Joe Biden’s Cybersecurity Executive Order imposes strict standards for any software sold to federal agencies. More recent zero-day events such as the log injection vulnerability embedded in the popular Log4j Java library have also forced businesses in the private sector to re-evaluate the security standing of software imported, built and consumed by developers.
“Together, open-source and custom code are the ingredients to the applications that businesses build, buy and ship,” said Jeff Williams, co-founder and CTO at Contrast Security. “Testing these software ingredients separately lacks context and leads to both false positives and false negatives. To accurately identify vulnerabilities, organizations must perform security testing on the entire integrated application or API, which reveals how custom code and open-source interact.”
Contrast integrates software composition analysis (SCA) with each of its security testing and protection solutions, including its interactive application security testing (IAST), runtime application self-protection (RASP) and Serverless Application Security solutions. Integration with Contrast’s static application security testing (SAST) solution is coming soon. The Contrast Secure Code platform helps businesses close security gaps in their software supply chain by:
- Testing for custom and third-party code vulnerabilities simultaneously within native CI/CD pipelines and cloud-native environments.
- Producing a comprehensive software bill of materials (SBOM) to help benchmark software supply chain risk and satisfy regulatory and compliance requests.
- Removing the need to chase fixes for inactive libraries pulled in from code repositories by flagging libraries that are actually called at runtime.
- Finding third-party security issues in cloud-native workloads like serverless functions (e.g., AWS Lambda).
- Protecting production applications and APIs from targeted attacks with no patching or code changes required.