The Contrast platform secures the world’s largest organizations’ applications that use Log4j without patching, while protecting against future vulnerabilities
Contrast Security, the leader in next-gen code security, shared information on how global organizations are successfully using the Contrast Secure Code Platform to protect against attacks targeting applications using Log4j.
Sándor Incze, CISO at CM.com said, “We were able to analyze whether our own built software would be vulnerable to the Log4j zero-day, using the Contrast Secure Code Platform, and got the answer within 30 seconds by just looking at the Libraries menu! How fast is that!”
Contrast has demonstrated that its unique in-app, runtime protection has been stopping Log4j attacks in their tracks since day zero. The Contrast Secure Code Platform:
- Stops attacks against the Log4j vulnerability immediately, without updating or patching.
- Lets developers quickly identify the applications affected by the Log4j vulnerability so they can promptly update the vulnerable code.
- Detects and defends against other “injection” vulnerabilities that may occur in the future, whether in custom-developed or open-source code.
“We can expect more attacks similar to Log4j because attackers will continue to target commonly used open source code. Many organizations are struggling to respond to Log4j because it can be difficult to identify all of the instances where Log4j is running, and they may also be taking steps to isolate possible instances until they can determine where it is running and apply the needed patches. Contrast Security has been able to help customers immediately respond with attack detection and blocking, making it a valuable tool in protecting against these types of attacks and helping security scale with the speed of modern development,” said Melinda Marks, senior analyst at ESG.
The advantage of a platform like Contrast that integrates Application Security Testing (AST), Software Composition Analysis (SCA) and RASP is that it allows organizations not only to respond instantly to zero-day vulnerabilities like Log4j, but also to future-proof their stack against the many emerging threats to come.
The Contrast Platform provides three layers of defense:
- Contrast Protect defends applications against the underlying vulnerability with sandboxes that separate exploitable operations from exploiting targets. This immediate protection allows customers to schedule permanent fixes without remaining exposed in the meantime.
- Contrast SCA is able to establish which of a company’s many applications are using Log4j in a manner that makes them vulnerable to attack, so that teams can fix the most urgent issues first.
- Finally, Contrast Assess detects the underlying vulnerability in applications. This means Contrast will find the next vulnerability like Log4j, before it becomes a disclosed CVE or major incident.
“This kind of thing happened before and will happen again,” said Steve Wilson, Chief Product Officer at Contrast Security. “In 2017, Equifax announced a data breach that exposed personal, confidential information and was very similar to this situation in many ways. It was based on a similar attack technique in a common open source, free software library called Apache Struts. However, today Log4j is far more common than Apache Struts was at the time of the 2017 incident. This means that the exposure is far, far broader. Organizations will struggle to find all the instances of Log4j in their environments as many organizations do not have effective, automated tracking on data like this. The best strategy is to use Runtime Protection, like Contrast Protect, to defend immediately without patching.”