Original article is at:
See article below from Jeff Williams:
My most recent venture, Contrast Security, is designed to make application security accessible to every developer, tester, and architect, even if they don't know much (or anything) about application security. By harnessing the power of instrumentation to monitor your applications for vulnerabilities, Contrast provides real-time feedback on the security of your code with an industrial-strength security engine, not a scaled-down toy spell checker.
Yes, we can find vulnerabilities inside of libraries and frameworks, even if they are third-party components of which you are only using portions. We use instrumentation to gather information from HTTP, the code, data flow, control flow, configuration files, and even backend connections. All this information makes it possible to accurately identify a far broader range of vulnerabilities than traditional tools, including injection vulnerabilities, XSS, XXE, encryption problems, verb tampering, and many, many more. Our dashboard is intuitive, our results are prioritized based on criticality, and we support a host of different languages.
Using Contrast to find *real* vulnerabilities in your organization's code is a great way to learn what kinds of mistakes your developers are making and exactly how those mistakes work. Once you understand them, you can choose the best strategy for fixing your code, not just in one application, but in all of them.
I once heard a story about a child taking piano lessons. Some children read music well, and others try to "cheat" by playing by ear, that is, practicing what they hear. When the piano teacher hears the music being played nicely, but not as written, they can tell who is merely practicing and who is using perfect practice, meaning they play the piece as written over and over again. After all, practicing the music incorrectly still qualifies as practice, but it's not the kind of practice you write home about. Contrast's deep analysis and immediate feedback enable perfect practice when people are writing code. Because, unfortunately, you can write code all day long and still not be any good at writing secure code.
And since learning by itself can be fun, practicing in a real environment that won't threaten the security of your current project is probably best. For that, we recommend using http://appseclive.org/ or https://code.google.com/p/owaspbwa/ to learn about application security from deliberately vulnerable applications. Both will let you practice on real-world code without putting your own projects at risk.
I'll leave you with a mantra I heard growing up that motivates me from day to day:
Thanks for reading. If you'd like to read more of my blogs, you can find them here.