Contrast Security Provides Application Security Leadership and Direction for Software Supply Chain Risk in Support of White House Executive Order

14
Contrast Security Provides Application Security Leadership and Direction for Software Supply Chain Risk in Support of White House Executive Order

Contrast Securitya leader in modernizing application security, today announced it enables organizations to make the software bill of materials (SBoM) mandate a reality. By leveraging its influence in the market and relationship with the National Institute of Standards and Technology (NIST), Contrast — and its Application Security Platform — directly supports the majority of the goals of President Joe Biden’s executive order to improve the nation’s cybersecurity.

Application security is arguably the most critical priority in the executive order, and preparing for stricter guidelines and higher levels of security in applications and the broader software supply chain should begin today.

In the fallout of a successful ransomware attack on a pipeline that supplies nearly half the East Coast’s gasoline, the executive order places strict new standards on the cybersecurity of any software sold to federal agencies.

It should be no surprise that improvements to application security are a recurring topic throughout the executive order’s various sections. Specifically, President Biden calls for greater software supply chain transparency via SBoM, which removes the need to assess procured software source code.

Third-party software presents a variety of organizational risks that must be managed. For instance, some third-party libraries use risky licenses that could require an organization to open-source an entire application. In response, application security teams need an automated means to baseline their open-source security (OSS) posture while legal and compliance teams track licensing risk by building an SBoM that scales with their application portfolio.

“Contrast invented an entirely new technology to analyze the security of libraries with the full context of the application that uses them,” said Jeff Williams, CTO and co-founder at Contrast Security. “We built Contrast OSS, the first product to embed software composition analysis (SCA) and open-source security within an application. This approach makes Contrast the only product that delivers SCA in real time, continuously and accurately, across an entire application and API portfolio.”

Also Read: The Impact of the Pandemic on the Future of Enterprise Cybersecurity

Contrast customers can generate an SBoM directly in a way that meets the specifications of the OWASP’s CycloneDX SBoM standard and the Presidential Executive Order. The capability is available through a simple API or a command through the Contrast command-line interface (CLI).

Contrast’s history with open-source security began when its founders conducted the first large-scale study of insecure open-source use and later championed adding it to the OWASP Top 10. Currently, Williams serves on the board for OWASP’s CycloneDX SBoM standard, an SBoM standard designed for use in application security contexts and software supply chain component analysis.

CycloneDX enables developers, consumers, legal teams, and other stakeholders to quickly and accurately understand exactly what open-source libraries are in use in the applications and APIs they use.

Contrast has also been working closely with NIST on the implementation of the executive order on cybersecurity. The executive order directs NIST and the National Security Agency (NSA) to jointly publish guidelines covering the definition of critical software, software security testing, software labeling, and SBoM use.

Contrast has been an active participant in the NIST workshops process and submitted six separate position papers on various issues. Currently, Contrast is working with NIST to help implement the software labeling program called for in the executive order. Contrast is thrilled to work with NIST to make its vision a reality.

For more such updates follow us on Google News ITsecuritywire News.