Contrast sinks fangs into Python
Contrast Security is one of those firms talking about the new breed of so-called self-protecting software, where AI and machine learning come to the fore with predictive functions that make our infrastructure layers ever more autonomous.
The company is now focused on the open source programming language Python due to its widespread use in web application development.
As many readers will know, Python is a dynamic language equipped with built-in data structures and simple syntax – which makes it attractive for rapid application development as well as a scripting language.
However, Python developers have particular challenges when it comes to security.
“Traditional security tools cannot accurately locate security vulnerabilities in enterprise-scale, Python-based applications. And when they do, it happens far later in the software development life cycle – which is much more costly than finding vulnerabilities earlier,” notes Contrast, in a press statement.
Root of the problem
The root of the problem comes from the fact that Python is a dynamic language (as opposed to static languages like Java or C).
The difference between dynamic and static comes mainly from how variables are assigned. In static languages, variables are assigned types. But because Python is dynamic, variable type is not determined in the application until runtime.
Consequently, for application security to accurately and effectively do its job, Python code needs to be evaluated during runtime. And this is something that traditional testing – such as static application security testing (SAST) and dynamic application security testing (DAST) tools – cannot do.
According to Contrast, “Dynamic programming languages require modern security tools – which is exactly why Contrast Security is a match for Python-based web applications. Contrast’s instrumentation-based AppSec platform automates vulnerability identification and remediation verification by testing running applications via data flows. It provides visibility into every application route instead of analysing individual lines of code (like SAST and DAST).”
Contrast’s platform includes three components.
Interactive application security testing (IAST), which runs in preproduction, detects vulnerabilities in both custom code and libraries during normal use by gathering data from running code.
Software composition analysis (SCA) analyses libraries to identify potentially vulnerable third-party and open-source components.
Runtime application self-protection (RASP) runs in production to validate request inputs and prevent vulnerabilities from being exploited inside the application (in both custom code and libraries).
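The argument above (that a dynamic language has to be evaluated at runtime, and that an instrumented platform can either report a risky data flow during normal use, IAST-style, or refuse it in production, RASP-style) is easier to see in code. The following is an added toy example, not Contrast’s code and not a description of how its platform is built: it marks request input with a `str` subclass, propagates the mark through a few string operations, and instruments the `sqlite3` cursor as the SQL sink. All names (`Tainted`, `GuardedCursor`, `from_request`, `FINDINGS`, `MODE`), the in-memory `users` table and the request value `"alice"` are constructed for the example.

```python
"""
Added example (not Contrast's code): toy runtime data-flow (taint) tracking in
Python. Untrusted request input is marked with a str subclass; the SQL sink is
instrumented to notice when that data becomes part of the SQL text, and either
reports the flow (IAST-style, pre-production) or refuses it (RASP-style).
"""
import sqlite3


class Tainted(str):
    """A str that remembers it came from an untrusted source (e.g. a request).

    Only a few operations propagate the mark in this toy; a real engine
    instruments every string operation (here, f-strings and '%' applied to a
    plain str drop the mark).
    """
    __slots__ = ()

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

    def format(self, *args, **kwargs):
        return Tainted(str.format(self, *args, **kwargs))

    def strip(self, chars=None):
        return Tainted(str.strip(self, chars))


# Sink instrumentation (constructed for the example).
FINDINGS = []            # IAST-style report: flows where tainted text reached SQL
MODE = {"block": False}  # False = report only (IAST); True = refuse (RASP)


class GuardedCursor(sqlite3.Cursor):
    """sqlite3 cursor whose execute() is the instrumented sink."""

    def execute(self, sql, parameters=()):
        if isinstance(sql, Tainted):
            # Untrusted data is part of the SQL *text*, not a bound parameter:
            # that is the injection-shaped data flow, whatever the value is.
            FINDINGS.append({"sink": "sqlite3.Cursor.execute", "sql": str(sql)})
            if MODE["block"]:
                raise PermissionError("RASP: untrusted data reached SQL text")
        return super().execute(sql, parameters)


def from_request(value):
    """Where a framework hook would mark request parameters as untrusted."""
    return Tainted(value)


def lookup_user_concat(conn, name):
    """Builds SQL by concatenation; the type of `name` is only known at runtime,
    so no static view of this function can tell what reaches the sink."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.cursor(factory=GuardedCursor).execute(sql).fetchall()


def lookup_user_param(conn, name):
    """Parameterised query: untrusted data is bound, never part of the SQL text."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.cursor(factory=GuardedCursor).execute(sql, (name,)).fetchall()


def make_db():
    """Constructed in-memory table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def run_demo():
    """Exercise both routes with a benign constructed request value and return
    what the instrumentation observed."""
    FINDINGS.clear()
    conn = make_db()
    name = from_request("alice")  # constructed request parameter, benign value

    MODE["block"] = False         # IAST: watch normal traffic, report the flow
    rows_concat = lookup_user_concat(conn, name)
    rows_param = lookup_user_param(conn, name)
    reported = len(FINDINGS)      # only the concatenation route is flagged

    MODE["block"] = True          # RASP: the same flow is refused in production
    try:
        lookup_user_concat(conn, name)
        blocked = False
    except PermissionError:
        blocked = True
    rows_param_blockmode = lookup_user_param(conn, name)

    return {
        "rows_concat": rows_concat,
        "rows_param": rows_param,
        "reported": reported,
        "blocked": blocked,
        "param_still_works": rows_param_blockmode == rows_param,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two things the toy makes visible: the concatenation route is reported on an ordinary, harmless request, because what is flagged is the shape of the data flow (untrusted text inside the query) rather than any particular value, which is what “detects vulnerabilities during normal use” amounts to; and the parameterised route keeps working even in block mode, since the request value never becomes SQL text.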