podcast • 41MIN READ

Automating AppSec with Contrast Security

Everything we do is online. We bank online, access healthcare, pay our taxes, build our businesses - and along the way we put trust in companies to keep us protected.

Unfortunately, companies aren’t great at writing secure software. Contrast Security wants to change that.

Jeff Williams, Co-founder & CTO of Contrast Security, and Steve Wilson, CPO, join the Dev Interrupted podcast to discuss the future of application security (AppSec), the importance of security automation and why the traditional way of doing security - where you scan app after app a few times a year - is over.

Episode Highlights Include:

  • By the numbers: the average application is attacked 13,000 times a month
    • And has over 35 vulnerabilities
  • The reasons AppSec should be automated
  • How to reduce the cost of AppSec
  • Why shifting left doesn't result in more secure code


Transcription:

Dan Lines: Host

Jeff Williams: Co-founder and CTO of Contrast Security

Steve Wilson: CPO of Contrast Security

Jeff: [0:00] It's the companies that are best at software who are winning their sector. Being great at building software is directly relevant to how well you succeed in the market, and security is a big part of that. Unfortunately, companies are really not very good at writing secure code. The average application is attacked over 13,000 times a month. That's a big number. The average application also has about 35 vulnerabilities. That's a bad combination.

Producer: [0:25] This episode is sponsored by LinearB. Accelerate your development pipeline with data driven engineering metrics, continuous improvement automation, and project visibility while cutting your software development cycle time in half. Sign up for your free demo at LinearB.io and mention the Dev Interrupted Podcast discount for one month free when you sign up for an annual pro membership.

Dan: [0:45] Hey, everyone, welcome to Dev Interrupted. I'm your host Dan Lines and today I'm joined by Jeff Williams, CTO and co-founder of Contrast Security and CPO of Contrast Security, Steve Wilson. A quick reminder for our listeners, if you haven't already rated and reviewed the show on your podcasting app of choice, particularly Apple Podcasts, please do so. Reviews are a crucial way that our show gets discovered. Jeff and Steve, thanks so much for joining me today.

Steve: [1:17] Hey, thanks for having us.

Jeff: [1:19] Yeah, thanks, Dan.

Dan: [1:20] Yeah! You know, while prepping for this episode, I came across some really interesting facts. So Steve, we'll start with you. I saw that in addition to your career as a technical leader, from being a VP of Engineering at Oracle, and a VP at Sun Microsystems, to VP of Product Management at Citrix, on to your time as CPO today, you're also a second-degree taekwondo black belt, and an open water scuba diver! I'm not sure which one is more impressive.

Steve: [1:53] Yeah, it's funny, I did some martial arts as a kid, I actually got into it as an adult when my own kids started, when they were little, and I had more fun with it than the kids, so I, you know, stuck with it for ten years. And the last couple of years have been hard for any activity like martial arts, and so the guitars are getting more workout these days. But it's something that I really enjoy doing and actually-even influences my professional life and professional thinking on a lot of fronts, too, so. Discipline, focus, respect, those are things you can carry over into any arena.

Dan: [2:24] That's awesome! And Jeff, you're a founder and CTO today, you were previously founder and CEO of Aspect Security. You're also a lawyer with an emphasis on intellectual property and cyber law. How has that experience factored into your career?

Jeff: [2:43] That was an expensive mistake. [Laughing] I mean, I was-I worked as a consultant for many years, and I thought I had topped out in that field as a security guy. And so I decided to go back to law school, and my parents are lawyers, I thought it would work. And actually, about the time I graduated from law school, it was time for the dot com boom to really hit its stride. And so I was like, maybe I'll just start a company. And I ended up starting Aspect and grew a consulting business and never really got back around to being a lawyer. So I don't know, maybe that'll be next.

[Laughing]

Dan: [3:16] And also, right before the pod started, I found out that you are on the US Men's Basketball team over, what was the age- over fifty. That's just interesting. Tell-tell us about that.

Jeff: [3:30] Well, it's so fun. We've got a great team here from the Baltimore-DC area, a bunch of former college players. Jeff Baxter is on the team, who was Len Bias' roommate in college. And it's a super fun way to spend a few days with your friends and go to visit some cool places. And we've been winning, so it's been a lot of fun.

Dan: [3:49] That's awesome. But a lot of our listeners are aspiring to be in the position that each of you are in ranging from founder or executive VP at these super amazing companies. We’re curious, you both have had these varied careers. How did you get your starts and kind of move up into these prominent positions? Steve, we can start with you.

Steve: [4:11] You know, my-my journey from individual contributor to manager was actually when I was at Sun Microsystems, and I was working at a little startup and then the World Wide Web was happening, and we realized we weren't doing the internet. We said we should go get jobs, figure this out. And I somehow wound up as an early member of the Java team and I basically started up a ladder there where I moved from writing code. And if you grep the source code to the JDK, there are still a few Javadoc comments with me in the @author tag, but it's been a long time as I moved from writing code to help managing people who write code, and over time managing people who manage people who write code and scale that up to at one point, after Sun got acquired by Oracle, I was running a like five hundred person engineering team at Oracle which is a lot of interesting experience. And-and it was that experience honestly, that put me on a path to go back to something where I could have a much bigger impact on a company. And that's what's landed me at Contrast where I joined about a year ago.

Dan: [5:14] When you became a team leader or a manager for the first time, was it just someone presented you with an opportunity? Okay I was a developer, and then something happened?

Steve: [5:25] So the quick version of this story is, if you remember, way back to the early days in Java, and I have to remind myself how long ago this was for a lot of people, but back then Java was not the enterprise powerhouse that it is today, it was for making little applets that crashed your Netscape browser, and all anybody knew about it was that it was really slow. And so, I was an individual contributor engineer, I went to my boss and I said, “You keep complaining this thing is slow, do you want me to help figure out why?” And he looked at me like I was crazy. I was working in a team of a few hundred of the world's greatest computer scientists and I was a twenty-something-year-old kid. And I said, “Give me two weeks.” and I went off, and I built some little performance probes, and I wrote a paper about everything that was broken. And all of a sudden, I was the full-time performance guy, and I'm like, “Hey, guys, I'm gonna be the full time performance guy. I don't want to do this as an individual contributor, I actually want to be a manager.” and so I cut the deal. And they said, “Alright, you're going to build this performance team.” And really, over the next twelve months, it was a team of twelve and then it was a team of twenty, and it just kind of went from there. I found this thing that turned out to be really important to the organization that I was the only one raising my hand saying I'm willing to go attack this. And once there was some evidence that it was a solvable problem, people were willing to keep giving me more responsibility with it.

Dan: [6:48] One advantage, when you're an individual contributor, you can really be in the details and find something that no one else can find. When you find that thing, and you do a good job with it, you have leverage to move up or to say, “Hey, I want a team” or “I want to take that on.” so, Steve, thanks for sharing that with us. Now, Jeff, you have founded at least two companies, that I'm aware of. What was your career path like to get to that opportunity to be a founder?

Jeff: [7:16] I followed a technical path the whole way. I was a developer, and then I was a security engineer for quite a while, and then I went through law school, I was going at night and working during the day, and after law school, I just skipped every possible level of management and just founded a company as the CEO, so YOLO [Laughing]! The key to doing that is to hire some great people who are great at managing people and surround yourself with talent. So, I'm still a technical guy, I just-I hire the right people around me to make sure that I don’t mess up [Chuckling].

Dan: [7:51] That's great that you were able to skip maybe the traditional journey founding your own company. But one thing that's important there that I picked up, it's like the self-awareness, to say, “Hey, maybe I'm making this leap” and I don't know for you, but maybe never managed a large scale of people, “Let me bring in some people that can complement my skill set”.

Jeff: [8:10] Nobody is good at everything you need to run a company. They're just not. So, you got to build a team. I've got some skills, and they complement other people's skills.

Dan: [8:18] So before we deep-dive into security, I do want to get to know you both a bit more as leaders. Now Steve, as you mentioned, in your career, you-I think you said you led maybe five hundred people or like these really massive organizations at Oracle, Citrix. How is that experience helping with Contrast now?

Steve: [8:39] Contrast is at a really interesting phase of its development. When I was looking for what I was going to do after Citrix, part of what attracted me to Contrast was the place it is in its evolution. Contrast is only about seven years old, so it's grown from Jeff and his co-founder, like in a garage to now hundreds of people. So, it's still very much a startup where we're doing that, but we just, you know, did another round of funding with an enterprise valuation over a billion dollars. So really, what the company was looking for was somebody who had the experience of leading a team that was at larger scale. My experience at Oracle leading a team of hundreds of people inside a company that was hundreds of thousands of people, was you could still feel like a very small cog, even with a big team. Here, I'm leading the combined engineering, product management, product design organization, and it's actually grown up to be a couple hundred people, it's grown tremendously even just in the year I've been here because Contrast is growing so quickly. And part of the experience that I bring to the party is that experience at knowing what a team looks like at these different phases and I've worked at a couple other startups, and-and even inside big companies started new product lines from small. And so knowing how do you take something from, you know, what was really only three, four years ago mostly a one product company with the engineering team in one place. Contrast now has engineering centers in Baltimore, Belfast Ireland, Tel Aviv Israel. It's a multinational global organization with hundreds of people. And we just shipped our fourth product, and-no we just shipped our fifth product, and so, it's now a multi-product platform play that even though we're in a much smaller, more focused company, actually needs a lot of the same attributes that you'd find in a much larger organization.
So that's been the fun of it is to be able to bring that experience to the party. But in something where we just have this purity of focus on what we're doing and we're all rowing the boat in the same direction. Where at a place like Oracle or Citrix, you got a hundred people with a hundred opinions and you’re just trying to corral them to go in the same direction.

Dan: [10:54] Yeah that’s really cool, I like how you kind of contrasted, even though they're both big teams, two different styles. Oracle's like a city worth of people. Yeah, so that's really cool. And you have people in Israel, same for us in Tel Aviv, and LinearB, some great engineering talent there for sure.

Steve: [11:12] It's amazing, and we really lucked into picking up this team in Israel. We acquired a really small company called Cloud Essence about a year ago, and they've built out that team, they've quadrupled the size of it, actually built this amazing new product for doing security on kind of serverless AWS lambda style requirements that's the first of its kind anywhere, and so the talent there is just amazing!

Dan: [11:36] Absolutely. Now, Jeff, we already talked a little bit about your self-awareness, but what would you say your strengths are as a leader? What's your leadership style?

Jeff: [11:46] I think it's mostly my height. People notice so that sets the tone immediately. Well, I guess really, I think I listen really well. I think one of my strengths is that I'm willing to focus on the big picture, and not get wound up in the details. Really this is not a great question for me, because this experience, starting a venture backed product company, this is the first one- this is the first product company I've worked at. I ran a consulting company for twelve years. So, every day, I feel like I'm learning something new about the size of company that we just became. And I try to stay in my lane. I'm really good at application security and I know the field inside and out. I know I can represent the needs of our customers, because I've worked side by side with them for a dozen years. And so, I try to help out all the other teams with what I know I'm good at, where I can help. It’s hard to reflect the needs of the customers inside a company like Contrast, very difficult for us to really understand what customers are trying to do, what their goals are, what's their motivation? And so, I try to be a proxy for that since I really did work with them quite a long time.

Dan: [12:49] That's perfect. So important! Gotta know your customer. What are we going to deliver next to make them happy? Yeah, that's great. Now, is there one other founder or what's the founding team look like?

Jeff: [13:00] So Arshan Dabirsiaghi and I founded Contrast, and he was working for Aspect. He was our chief scientist there, and he and I just get along great. We're always willing to tackle the hardest problems. He's got a great sense of humor, and he's brilliant, so that's-he's annoying that way. But we just get along really well, and we had this idea. We were like, “Hey what if we instrumented the app, and did security from inside a running application? It would have so many advantages over, you know, like the existing static analysis and dynamic analysis tools” and we couldn't let it go. It's such a good idea that we went on consulting trips together, and in the evenings after work, we'd sit in the hotel and drink beer and work on this idea. And yeah, it's just-it was a hobby, and then it was a product at Aspect, and then we spun it out as a company, a labor of love.

Dan: [13:52] Yeah. So okay, give us the story of-the founding story for Contrast.

Jeff: [13:56] It goes back to Aspect which like, we grew into a-an eighty person consulting company, which eventually got sold to Ernst and Young after Contrast had already been spun out. But Arshan and I started working on this idea that made a lot of progress and Aspect used to open-source a lot of stuff, like Aspect contributed projects to OWASP, like WebGoat and a bunch of other things.

Dan: [14:17] Nice. Yeah.

Jeff: [14:18] And so we had that DNA. It was really, it's really good for a consulting company, by the way, to do open-source projects. You'll never have enough marketing budget to put magazine ads and shoot off fireworks and stuff. But you can produce really cool open-source tools, and it sends all the right messages about your company, like, you're creative, you're passionate, you do this on the side, like it's really fantastic. And so, we were able to punch way over our weight at that-that company, but this idea, we were like this is too good to give away. So, we decided to commercialize it. We invested some money from Aspect and built it out as a product. And it worked so well, we were like this has got to be a separate company. We went and talked to a bunch of investors in Silicon Valley and they were not going to put their money into Aspect. We had to spin out the product as a separate company and then they invested in that.

Dan: [15:14] That's really interesting. And I'm sure there's probably a ton of lessons, but what are some of the lessons that you've learned along the way, at Contrast, being a technical founder?

Jeff: [15:25] So I think probably the big one that sticks with me from the founding is, it's really important to be able to communicate the story around the product that you built. We knew we built something fantastic, but it took us a while to be able to describe that to investors. And we started in a weird way, because we had all this big enterprise experience, we didn't-we weren't a startup that started selling to other little companies. We started selling to the biggest financials right on day one, and that kind of just drove our culture towards enterprise features, and [crosstalk] [16:00] thinking is that an enterprise solution.

Dan: Right

Jeff: [16:02] But I guess like, for me, it's so many lessons, it's hard to pick, because this is my first product. I feel like I've got a field MBA now after my time here. [Chuckling]

Dan: [16:10] Are there any one or two that come to mind?

Jeff: [16:13] Well, I think those early hires are really critical. You want to make sure you get real A players who are willing to roll up their sleeves. And it's hard because A players are really in demand. They want to join companies that are already like series C or D or like really gallant. You want those guys really early; it can set the whole trajectory of the company in the early years.

Dan: [16:35] And Steve, you have that kind of scale experience or leading product and engineering large organization, what are some lessons that you could share, being in that position, at the top of a larger team?

Steve: [16:49] It's funny, you know, what Jeff says about hiring the best people is always true. But I feel like there's a great engineering team here, so I walked into that. But the trick as you scale it out, is how do you align the organization behind the vision, and get hundreds of people all rowing the boat in the same direction? And so, being able to articulate a compelling vision for where you want to take the product set, being able to cascade that down to the right levels, where an-where an engineer working on a sub-component of a particular product can figure out how what they are doing is attached to this big strategy. That's the art of this. So, you can think “Oh, the guy working on the component, he doesn't need to know that, he just needs to take his JIRA ticket that the PM gave him and write the thing!” but that-it's that which winds up with these products that feel fragmented, that check the box in terms of the functionality, but no one loves. And so, if you can really make sure that everyone understands the vision, everyone understands the user all the way up and down, we know who we're building for and why we're building it and what value it is supposed to deliver. You won't be running around trying to, like, body check people into making the right decisions, they will just, more often than not, make the right decisions. And oftentimes, if you hire that right team, and-and I'm lucky enough to have most of the team that Jeff put together in the first year still here, those guys are so experienced, on the individual decisions, they will make better decisions every time than I would have because they know this space cold, they know the customers. But as we push into new product areas, move from one product to five products. How do we bring this all together?
It's about creating that unifying vision and figuring out what are the tools to make sure that the whole organization understands it, gets behind it, and is able to operate as a unit. And to me, that's the big art of this.

Dan: [18:57] Well, that certainly says something about the culture, in this day and age, an engineer, you have limitless opportunity of where you can work, you can work remote, you're getting pinged all the time by recruiters, if you're in the situation that you're just working on the JIRA ticket and you don't know probably company vision or mission, you're gonna churn, you're gonna leave. I can really relate to that, because just times are crazy right now.

Steve: [19:23] Like, there's never been a time in this industry where the individual developers have as many options as they do today. There's like a negative unemployment rate for software developers right now. They get to work on what they want to work on. And I was actually talking to one of the guys this morning, he was one of the longtime guys who's been here, and he actually articulated it to me, “Look it's like, just a few things that developers really care about what they're working on. And some of it is that passion that like, what they're working on matters, and some of it is who they work with and do they like the team they're working on and a big component of it is do they feel they're in control of what they're working on”. And if you can give everyone this vision where again, we're like all rowing the boat in the same direction, but when it comes to your part, you're making the decisions that make or break the success of your piece you're going to have really invested developers.

Dan: [20:16] Absolutely. Contrast is now very successful. You've raised 269 million in funding, according to CrunchBase, as of November, you're a unicorn, of course, congratulations. How are you handling the challenge of scaling to your next step? What does that look like?

Jeff: [20:35] From my perspective, it's really about executing. We're trying to build out this platform and really make a ton of customers super happy, and, frankly, make them better at application security. We haven't achieved the mission yet. Like, we're still growing, and we've got some great products. But for me, the funding is-is great. It gives us a lot of options. But it's not, oh, we're done. It's, we've still got to build great customers, and great products, and we have a chance to be really successful. So that's where we’re at from my perspective.

Dan: [21:05] Yeah. And, Steve, were you going to add to that?

Steve: [21:08] Yeah, I'll just take it from a totally tactical point of view. One of the things you realize, as you scale up a company like this, make multiple teams and multiple products, you need to figure out how do you structure an organization where people can make more of those autonomous decisions? Just in the last year, we've had to realize that, hey, as we move from being a one-product company to a five-product company, I need a set of people who are empowered to make decisions and own decisions on the day to day, week to week, or even month to month trajectory of those products. And so how do we empower a set of smart people to drive those? And then how do we bring together some structure around it to make sure that our whole platform, our whole product line is aligned behind this vision and the power that we can deliver to a customer. And so really, in terms of scaling that out, it's actually required us to think a bit differently about how we organize the whole team and the whole company.

Dan: [22:02] Sounds like the right mindset and the right moves. Let's get into Contrast a little bit more. So generally, application security, but what is Contrast really doing? Can we get either under the hood? Or like, what value is it providing?

Jeff: [22:16] So first of all, application security is a really important problem. Most companies are turning themselves into software, like it's the companies that are best at software, who are winning their sector. And so, being great at building software is directly relevant to how well you succeed in the market, and security is a big part of that. Unfortunately, companies are really not very good at writing secure code. There's lists like the OWASP top 10, which I created back in 2002. And unfortunately, after nineteen years, that list is basically unchanged. That's terrifying to me!

Dan: [22:51] Yeah, I remember the OWASP top 10 from a very long time ago.

Jeff: [22:56] Right! Yeah, so a lot of you probably bank online, you probably use medical healthcare companies that work online, and you vote and like you-

Dan: [23:05] I don’t do anything that’s not online.

[Laughing]

Jeff: [23:09] It's all software. And we're not good at writing secure software, so we've got to get better. The traditional approaches are really working, they're manual, they're slow, they're-frankly, people don't like them very much. And it demands automation. So, Contrast’s platform is designed to enable organizations to get really efficient and effective at doing application security, so that they can have confidence that the apps they're producing are free from vulnerabilities. That's what it's all about. And then our various products cover different kinds of code. Like, we cover custom code, we cover libraries in open source, we cover serverless apps, we cover protection of those applications in production. That's the range of things that we're focused on doing. And now that we've got this five-product platform, we can really enable companies to do a good job at it.

Dan: [24:01] A lot of people that are out there, software developers, some people get to work on new stuff, you might found the company and you get to work on the product from the beginning. And you can probably bake in the best practices and shifting left for developers, all that kind of stuff. But what do you do? Like how do you get better if you're not so good at security? You have an application that's out there, maybe you have a fairly large or small engineering team, like what do you even do?

Jeff: [24:29] Well, traditionally, what you would do is you'd grab some kind of scanner, and you'd run it on your code, and you'd get a five hundred page PDF report that's full of false positives. And you'd look at it and go, I don't know what this is. And you'd throw it over the fence to the developers and they'd go quickly through and mark everything as irrelevant. And then you go back to that.

Dan: [24:46] “Low priority”.

[Laughing]

Jeff: [24:47] That process doesn't work, and so what we're trying to do is-our approach, which uses instrumentation, as I mentioned before, it works a lot like a New Relic or an AppDynamics, but for security, right from inside the app, and we're measuring it directly. So, we can be much more accurate, and we can give much more timely feedback to developers. So, they can fix their own code, check in clean, you don't end up with these giant backlogs of security work that nobody ever wants to touch.

Dan: [25:16] When I think of something like, I think you mentioned AppDynamics, right? I think of something like that. I'm getting visibility, observability, hopefully in real time about how my application is performing in production or even better, you know, before production. Is it a similar thing, like, with Contrast? Am I getting like real-time security related information? Is it as I'm developing on the branch? Is it in prod?

Jeff: [25:45] Yes!

Dan: [25:46] Both? Yeah.

[Laughing]

Jeff: [25:47] So, think about the-the traditional way of doing security where you would just scan an app, then scan another app, and scan another app, and you just go serially through it, you probably do it a few times a year maybe. Imagine replacing that with continuous monitoring of all your apps in all your environments and giving you that real time visibility into application security, across your full enterprise, it makes it so much easier to focus on the hard pieces and make progress against the goal of getting healthy. And it takes about a year for companies, they put in Contrast, they get all this data, they work off their backlog, and then they start fixing vulnerabilities faster. And we've seen the vulnerability rates drop dramatically. So, it's not just that you're able to mow the grass better, it's that the grass stops growing so that you can really reduce the cost of application security across your whole enterprise.

Dan: [26:41] Yeah, I think, usually, the hot topic in security is what are we doing for developers? How are we making it easier for them? That type of stuff. Jeff, I'll direct the question to you like how does Contrast think about developers?

Jeff: [26:53] Developers already have the primary responsibility for security, and we want to empower them to do that job effectively. Security can really take a role of coach and tool-smith here, but if they're in the critical path, your organization has a problem. That's an anti-pattern because they will become a bottleneck, and you will irritate development teams, slow them down, and not get good security. Everything we do is designed to be supportive of developers and to give developers great information when they need it through the tools that are already used.

Dan: [27:24] Is it giving developers information on their pull requests, or branches or anything like that? Like how early can I get a-if I'm a developer, a valuable piece of security related information in my process?

Jeff: [27:39] Yeah so, we have products that work really early in the lifecycle, we've got a pipeline-native scanning tool that will run like as soon as you build stuff. We’ve got-as soon as you write a few lines of code in your IDE and run them locally, we can give you feedback on that as well.

Dan: [27:54] That's cool.

Jeff: [27:55] So, it's really not all about shifting left, though, to be fair. It's important to fix security problems, when they’re-at the right time to fix them. Some problems, you can't really diagnose them early in the lifecycle, they're more complicated than that, you need to just diagnose them when the application is further developed. If-I say diagnose, specifically, the name Contrast comes from the injection that you get before you get like an MRI or an X-Ray, you get an injection of “contrast”, it makes your internal structures light up. And that's what Contrast does is we're trying to, you know, create that visibility, where you might have problems internally.

Dan: [28:31] I think the reason that I’m, like, harping on the shift left, but maybe you said that even better “at the right time”. What I've seen for engineering teams, if you give developers the right context, at the right time, it's honestly not just about security, they can move faster, they can get their job done faster, you can get value out to customers faster, as opposed to what you were saying, and I was more used to that when I was a developer. “Okay, you're telling me that there's an issue in production from some report. I wrote that code like two years ago.” So, I don't know what that is, I have to go look at this, diagnose it, stop what I'm doing. It's like a total waste of time.

Jeff: [29:11] I call it shifting smart.

Dan: [29:13] Yeah.

Jeff: [29:14] And frankly, if you're just taking legacy application security tools, like skaters, and just pushing them onto development teams who don't have the skills to run them, you can cut this if you want, but I call that shitting left, because you're dropping stuff on development teams without them being able to use it.

Dan: [29:31] Gotcha. Yeah so, then there's a balance. It has to be at the right time. And it has to be a piece of information that person could do something with. Relevant, at the right time and relevant.

Jeff: [29:42] And there is an aspect of shifting right here as well.

Dan: [29:45] Okay.

Jeff: [29:46] We think it's really important to do application security in production, where you get visibility into who's attacking you? What kind of attack vectors are they using against you? Which systems are they targeting? We need to monitor that, block attacks, and then use that threat intelligence back in development so we build the right stuff, and most organizations don't have that visibility today.

Dan: [30:06] Now-so, Contrast has come out with two great reports this year about open-source security and observability in security, both pretty hot topics. Could you walk us through each of these reports and what they're all about?

Jeff: [30:21] Yeah Steve, you want to take that, or do you want me to?

Steve: [30:23] Go for it Jeff.

Jeff: [30:24] Okay, so the open source report, I think, is really interesting. Contrast analyzes tens of thousands of applications across really large enterprises, and one of the things that we monitor is how those applications use open-source. So, we see which libraries are invoked, we see exactly which classes are invoked in those libraries, and which libraries have vulnerabilities and which ones have licenses that are objectionable, GPL licenses and things that you shouldn't use in enterprises, and we take the data from all of that real world open source, and we create this report, and it's insightful, we know things like which libraries are most popular, which libraries tend to have the most vulnerabilities, how far out of date libraries are. And some really interesting things jump out at me, one thing is only 7.5% of the open-source code in your application ever runs. So, you may have hundreds of libraries in there, thousands of classes, but only a tiny fraction of that code ever runs, and so you don't really-some of those libraries may have vulnerabilities in them. But if that code never runs, you're not really vulnerable, and you should focus on the libraries that do run and fix those. And so, instead of getting this list of fifty out of the libraries that you need to go replace, what we try to do is boil that down and give you just the list of things that is used and vulnerable, and we'll give you the root dependency too, so that you can replace just the right thing.

Dan: [31:45] I love that. That's really cool. Nice.

Jeff: [31:48] And then the observability report is more broad. There, we look at big trends in everything related to application security vulnerabilities, open-source libraries, runtime attacks, we try to make sense of all that data. The average application is attacked over 13,000 times a month. That's a big number. The average application also has about 35 vulnerabilities, if you add the custom code vulnerabilities and the library vulnerabilities together, and that's a bad combination. You have real vulnerabilities and lots of attacks going on, and so we want people to understand where those attacks are, what it's most likely for them to get attacked with and where they need to put their efforts into defending.

Dan: [32:31] Very cool. And Jeff we’ll-we’ll stay with you. I heard you love a good debate. What would you say to the idea that most security training is both a menace and a bore.

[Laughing]

Jeff: [32:45] Love that as a debate premise! So, I should say I spent many years teaching secure coding classes to developers, I've taught them as an instructor in three-and you know like three- or five-day classes with developers in person, we did a lot of hands-on exercises. In fact, that's why I created WebGoat in the first place. Later, I created an eLearning course at Aspect, and we offered that to companies, and we sold that for a number of years, and my conclusion, after all that, is two things. First, I'd say most of that training was pretty ineffective. I don't know if it was a menace and a bore, but it was pretty damn [ineffective] [Laughing]. I mean, it's just it's not what developers’-it doesn't get them out of bed. It’s not that they're not interested, it's not that they don't get excited when they see the first SQL injection work and they try it. But it's not-it doesn't really affect their day-to-day job, and that's what we really care about. And so, I think the kind of training that we need is real close to the keyboard. Like, when developers are doing their normal work, we need to give them feedback on the code that they're writing in context immediately so that they don't have to translate like, you know, when I was teaching stuff, I would teach a generic thing about here’s how each version language injection works, and give them a generic example. But it wasn't like in their code in their environment with their environment variables and their coding patterns and their frameworks. That's what they need. And so, I'm a much bigger fan of using automation to get them that feedback while they're coding. And we do that with Contrast. It is working. We see the vulnerability escape rates going from six new vulnerabilities a month per app down to less than one. That means there must be some learning going on, when we give this feedback in the right way. And ultimately that ends up making the program much more cost effective.

Dan: [34:32] Yeah, totally makes sense to me. When I've done security training as a developer it's really tough to pay attention when it's not your code. It has to be like your code is your thing. So, if you're telling me I have a security issue with something I made, my red alert goes up: oh my god, okay, show me, like, how? Where is it? How can this happen? I'll change it. I'll learn [crosstalk] [34:54] and can change it immediately.

Jeff: [34:54] You’ll learn!

Dan: [34:56] But yeah, it's tough to sit through the generic stuff, I think.

Jeff: [34:59] We're not going to fix that by training developers in generic security stuff, we really need to think about the outcome that we want, and it-to me, it's like really no interpretation required kind of security training.

Steve: [35:12] Yeah, I think the other piece of it is, look, it doesn't matter how much you train the developers on this, even if they really got it and really understand it, is they generally aren't incented to care about it. From an organizational point of view, the industry has put in place an idea that developers are rewarded for shipping on time and shipping more stuff. And they created a separate silo with AppSec, that is supposed to backstop them. And it's set up this inherently conflict oriented situation. And it basically reinforces this where, again, the training by itself doesn't matter if people aren't going to think about it, and people aren't going to work on it. And so, I was actually I was just meeting with a customer this morning in healthcare, which is obviously super security conscious, and very forward looking. And the individual who was leading their AppSec program was basically saying, “Yeah, five years ago, they moved us into Dev.” It's the same thing that happened with DevOps a few years ago, with like, the Ops teams didn't actually go away. They just became part of the same team with development, and everybody had the same goals. That's where the forward-thinking organizations are going is that it's one team with one set of goals. And delivering fast is part of the goal for the AppSec team. And delivering secure is part of the goal for the development team. And until you get to that point, there really isn't a set of magic training and tools that get you out of this just by itself.

Jeff: [36:39] One of the cool things that's changing in the software market is the drive for more security observability. And it's nowhere more evident than in the recent cybersecurity executive order. In that order, they direct NIST to create standards for creating SBOMs, creating security labels. Security is going to be a much more visible part of the software deliverable. And I think that will help close the loop and bring it back to where developers know they need to produce a certain thing in order to go live.

Dan: [37:11] So we're coming-coming up on time here, is there anything next that you could share, without giving too much up, about what's coming next in security or something interesting that Contrast is doing.

Steve: [37:24] So I’d say that the big thing going on right now, from a development perspective, in general is the shift to cloud native architectures is accelerating. And I'd say that what people meant five years ago, when they said that, was often lifting and shifting an existing app off a server and putting it on a container, it doesn't mean that anymore. It's real architecting as micro services or even more extreme, using real platform as a service capabilities in the cloud like function as a service, Amazon Lambda, things like that. And what I've-what I've come to understand about this, in particular, was some of the things like the move to serverless, it is the most disruptive thing in application development since the servlet was invented, right? There was this point where sort of application servers came to being and everything before them stopped working. And that's where you are when we see companies starting to large scale adopt these real cloud native architectures, their current security tooling, I think a lot of their tooling, their deployment pipelines, everything just stops working. And so, there's a massive push to modernization in the forward-thinking companies, and you can see the leaders here today; three, four years from now, the people who would be considered laggards will be where the leaders are now. So, this is gonna be a dramatic shift and it's a huge focus for us. How do we help our customers really secure these environments, which, in some ways, like from an infrastructure point of view, are much easier to secure because there's less surface area, right? If I’m serverless, I don't have to worry about patching the servers, that's great. But if I've got a million Lambda functions, and five thousand micro services, my application has potentially this huge surface area that I now need to understand.
And there's a new generation of tooling that needs to exist, that Contrast is building today that I think is really the future of where the industry is going. And we're going to see these huge shifts to build the next gen applications that we're going to need for the next ten years. You can't build them the same way. They simply can't be built on monolithic application servers, you're not going to be able to get the scale, the reliability, everything else. So, the applications are going to change a lot. It's a huge opportunity for developers to gain new sets of skills for how can I be part of the wave as that gets adopted and for application development teams to really just view this as a huge opportunity to modernize their architectures and get huge new leverage.

Dan: [39:53] Awesome! Thank you so much for sharing that and Jeff and Steve, thanks so much for coming on the pod today.

Steve: [40:00] Hey, thanks a lot, Dan.

Jeff: [40:01] I appreciate it.

Dan: [40:02] So we like to give our guests an opportunity to close out the podcast with some type of call to action. What do you want our listeners to take away from the conversation today?

Jeff: [40:11] Yeah, sure, if any of your listeners are working in companies that have bet their future on software, then you should really think about making sure that that software's secure, and Contrast offers a full platform of products that can really help you not just find vulnerabilities and build up a big backlog and track attacks and stuff. But really mature your application security program from one that was a separate silo that isn't very effective, that doesn't produce great results, to one that's really valued and part of the development team. You can bring your developers and security folks together; they can use Contrast as a platform to communicate effectively. And that's ultimately our goal in life is to advance the state-of-the-art in AppSec.

Steve: [40:55] Just really quick plug for me: contrastsecurity.com/careers. We are hiring software developers like crazy. We have exciting jobs where we support ten different programming languages. If you have a favorite programming language, we probably have a product that needs expertise in it at a deep level. It's an exciting team with some really fun challenging problems.

[Music fades in]

Dan: [41:17] Awesome, so yeah, everyone listening, definitely check out Contrast Security for your engineering organization, your product team and also if you're looking for your next opportunity, a place to work, check out the careers page at Contrast Security. Also be sure to join the Dev Interrupted Discord community where we keep this type of conversation going all week long. I also want to say thank you to the more than two-thousand of you who are now subscribed to our weekly Interruption newsletter. We bring you articles from the community, inside information, and weekly podcasts and the first look at INTERACT 2.0 on April 7, 2022. We have links to all of this in the description below. See you all next week. And Jeff and Steve, thanks again for coming on.

Steve: [42:02] Hey, thanks Dan.

[Music fades out]