Contrast Security Further Expands Industry’s Broadest IAST Language Support with the Addition of Python
May 2020 by Marc Jacob
Python is one of the most widely used languages for web application development today. It is a dynamic language with built-in data structures – which makes it attractive both for rapid application development and as a scripting language. Python’s simple syntax and the many available open-source packages make it easy for developers to learn and start coding. As a result, Python is widely embraced as a robust and reliable programming language for enterprise-scale applications.
DevOps teams that need to rapidly build, deploy, and scale web applications to hundreds of millions of developers code in Python because of how friendly it is to use. Indeed, Python already plays a pivotal role in some of the world’s best-known organisations. For example, it is used by Netflix to stream videos to more than 100 million homes worldwide, power the photo-sharing phenomenon Instagram, and aid NASA in space exploration.
Python’s Dynamic Nature Creates Security Challenges
However, Python developers face particular challenges when it comes to security. Traditional security tools cannot accurately locate security vulnerabilities in enterprise-scale, Python-based applications. And when they do, it happens far later in the software development life cycle – which is much more costly than finding vulnerabilities earlier.
The root of the problem is that Python is a dynamic language (as opposed to static languages like Java or C). The difference between dynamic and static comes mainly from how variables are typed. In static languages, variables are declared with types. But because Python is dynamic, a variable’s type is not determined until the application is running. Consequently, for application security to do its job accurately and effectively, Python code needs to be evaluated at runtime. And this is something that traditional testing – such as static application security testing (SAST) and dynamic application security testing (DAST) tools – cannot do.
Contrast Security Adds Python Support to Its Industry-leading Platform
Dynamic programming languages require modern security tools – which is exactly why Contrast Security is a perfect match for Python-based web applications. Contrast’s instrumentation-based AppSec platform automates vulnerability identification and remediation verification by testing running applications via data flows. It provides visibility into every application route instead of analyzing individual lines of code (like SAST and DAST). Contrast’s platform includes:
• Interactive application security testing (IAST), which is run in preproduction, detects vulnerabilities in both custom code and libraries during normal use by gathering data from running code. The Contrast Python agent for Contrast Assess delivers the only IAST solution that offers Python support.
• Software composition analysis (SCA) analyses libraries to identify potentially vulnerable third-party and open-source components. Python has a big open-source community – and a reported 84% of today’s applications consist of more than half open-source code.
• Runtime application self-protection (RASP) is run in production to validate request inputs and prevent vulnerabilities from being exploited inside the application (both custom code and libraries).
Contrast Assess helps Python application developers find vulnerabilities early in the software development life cycle, when fixes can be made more easily and affordably. The Contrast agent begins securing code by adding sensors to the entire software stack to directly identify vulnerabilities and attacks. Contrast Assess continuously monitors all code (including libraries) for known and unknown vulnerabilities and produces accurate results without depending on AppSec teams for manual testing, research, and remediation. Further, because the Contrast platform is version agnostic, it protects both Python 2 and Python 3 – enabling developers to make the upgrade transition at their own pace while ensuring that their code is secure throughout.
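To make the instrumentation idea concrete, the following constructed Python snippet (added here as an illustration; it is not Contrast’s agent or any code from the article) shows why a runtime sensor can see what a static scan cannot: a source sensor records request-derived data as untrusted, and a sink sensor wrapping sqlite3 cursor execution inspects the SQL text at the moment it runs, when its final content is actually known. The names source_sensor, SensorCursor and run_demo are hypothetical, and the verbatim substring check stands in for real taint propagation.

```python
import sqlite3

# Values observed arriving from an untrusted source (the "source sensor" record).
UNTRUSTED = []
# Findings recorded by the sink sensor as (sink name, SQL text seen at runtime).
FINDINGS = []

def source_sensor(value):
    """Record request-derived data as untrusted. A real agent hooks the web
    framework's request object; here the hook is called explicitly."""
    UNTRUSTED.append(str(value))
    return value

class SensorCursor(sqlite3.Cursor):
    """Sink sensor: inspects every SQL string when it is actually executed,
    which is the only point at which its final content is known."""
    def execute(self, sql, parameters=()):
        # Simplified taint check: flag the query when an untrusted value appears
        # verbatim in the SQL text, i.e. it was concatenated rather than bound.
        if isinstance(sql, str) and any(v and v in sql for v in UNTRUSTED):
            FINDINGS.append(("sqlite3.Cursor.execute", sql))
        return super().execute(sql, parameters)

def open_db():
    """Constructed in-memory database with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")
    return conn

def lookup_unsafe(conn, name):
    # The type and content of `name` are unknown until runtime; concatenating it
    # into the query makes the sink depend on whatever the request supplied.
    cur = conn.cursor(SensorCursor)
    return cur.execute("SELECT id FROM users WHERE name = '" + str(name) + "'").fetchall()

def lookup_safe(conn, name):
    # Bound parameter: the untrusted value never becomes part of the SQL text.
    cur = conn.cursor(SensorCursor)
    return cur.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()

def run_demo():
    """Exercise both code paths with one constructed request value."""
    UNTRUSTED.clear()
    FINDINGS.clear()
    conn = open_db()
    name = source_sensor("bob")  # constructed sample request parameter
    return {"unsafe": lookup_unsafe(conn, name), "safe": lookup_safe(conn, name), "findings": list(FINDINGS)}
```

Both lookups return the same row, but only the concatenated query produces a finding, which is the data-flow evidence a runtime sensor gathers and a line-by-line scan of the source cannot.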