Tuesday 24 September 2013

Reaching out to Developers, Aspect is doing it right with Contrast

UPDATE: I got the dates wrong when I posted this. The Contrast blog post and presentation are from 2012; it is the award that is from 2013:

In case you missed it, OWASP's long-time contributor Aspect Security was at the JavaOne conference presenting its (commercial) product Contrast.

I was not there, but from the noises I'm hearing it was quite a successful event, with lots of developers reached.

Here is a cool picture from their Contrast @ JavaOne post (which contains a link to their presentation, also embedded below):

The presentation is a good overview of how their technology works, and although those 'fake tweets' are a bit too much for me, it is a great 'soft' sales pitch for their product.

I wish they had resisted the cheap shots at the other dynamic/static analysis products, since to solve the web application security problem we need all available technologies to work together (not against each other).

It would also have been amazing if this technology were open source, but that is another example of the failure of Open Source to create viable business models for companies like Aspect.

That said, compared with the other tool vendors, Aspect and Contrast are a breath of fresh air (and I still have to follow up on Jeff's and Arshan's offer of a proper demo of Contrast; I need to find a project to use it on).

So congratulations to Aspect for focusing on developers, for trying to inject security deep into the SDL (where it needs to be), and for winning a 2013 Duke's Choice Award:

Presentation: Using Instrumentation to Find Security Vulnerabilities in Java EE Applications

... as used by the commercial product Contrast

... I wonder if there are open source alternatives to this technique :)
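To make the technique named in the presentation title concrete (instrumenting the running application so that its security-relevant sinks check what reaches them), here is a small added example. It is not Contrast's code and not taken from the presentation; it is a toy Python 'agent' that replaces sqlite3.connect so that every SQL sink it hands out checks whether the query text carries a taint marker that was attached to untrusted input. The Tainted class, the wrappers, the two lookup functions and the sample payload are all constructed for this illustration; an agent for Java EE would do the equivalent with bytecode instrumentation of the servlet and JDBC classes.

```python
"""Toy IAST-style agent: instrument the SQL sink, flag tainted query text.

Everything here (Tainted, the wrappers, the sample app and payload) is
constructed for this illustration and is not Contrast's implementation.
"""
import sqlite3
import traceback


class Tainted(str):
    """A str subclass marking data from an untrusted source (in a real agent,
    a request parameter). Taint survives concatenation so the sink sees it.
    Limitation of this toy: f-strings and str.format() produce a plain str
    and would lose the mark; a real agent propagates through those too."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


class Finding:
    """One vulnerability report: the rule that fired, the query, and where
    in the application the sink was reached."""

    def __init__(self, rule, sql, stack):
        self.rule = rule
        self.sql = sql
        self.stack = stack


class InstrumentedCursor:
    """Wraps a real cursor and checks the sink before delegating."""

    def __init__(self, cursor, findings):
        self._cursor = cursor
        self._findings = findings

    def execute(self, sql, params=()):
        # Rule: tainted data reached the query *text*. Bound parameters are
        # fine, which is exactly how parameterized queries avoid injection.
        if isinstance(sql, Tainted):
            stack = "".join(traceback.format_stack(limit=4))
            self._findings.append(Finding("sql-injection", str(sql), stack))
        return self._cursor.execute(sql, params)

    def __getattr__(self, name):
        return getattr(self._cursor, name)


class InstrumentedConnection:
    """Wraps a real connection so every cursor (and connection.execute,
    which is also a sink) goes through the instrumented path."""

    def __init__(self, conn, findings):
        self._conn = conn
        self._findings = findings

    def cursor(self):
        return InstrumentedCursor(self._conn.cursor(), self._findings)

    def execute(self, sql, params=()):
        return self.cursor().execute(sql, params)

    def __getattr__(self, name):
        return getattr(self._conn, name)


_ORIGINAL_CONNECT = sqlite3.connect  # captured once so repeated installs do not nest


def install_agent():
    """Hook sqlite3.connect so the app cannot obtain an uninstrumented
    connection. Returns the list the agent will append findings to."""
    findings = []

    def connect(*args, **kwargs):
        return InstrumentedConnection(_ORIGINAL_CONNECT(*args, **kwargs), findings)

    sqlite3.connect = connect
    return findings


# --- constructed sample application: one vulnerable and one safe lookup ---
def vulnerable_lookup(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = '" + username + "'")
    return cur.fetchall()


def safe_lookup(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = ?", (username,))
    return cur.fetchall()


def run_demo():
    """Exercise both lookups with a tainted request value; return the findings."""
    findings = install_agent()
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    request_param = Tainted("alice' OR '1'='1")  # constructed attacker input
    vulnerable_lookup(conn, request_param)  # flagged: taint reached query text
    safe_lookup(conn, request_param)        # not flagged: taint only in a parameter
    return findings


if __name__ == "__main__":
    for f in run_demo():
        print(f.rule, "->", f.sql)
        print(f.stack)
```

The point the example makes is the one that distinguishes instrumentation from scanning: the agent never had to guess a payload or parse source; it observed the real sink being called with real data while the application ran, so the report carries the exact query and the call stack of the offending code path, and the parameterized variant is correctly not reported.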