Go Language Support for Industry’s First Interactive AppSec Analyzer

New agent delivers better accuracy and fewer false positives than legacy approaches, which is critical for API security.

Contrast Security has announced the addition of the Contrast Go Agent to its application security platform. This virtually eliminates the false positives that plague legacy application security testing tools, which approach security from the outside in. By using instrumentation to embed the agent within the software, Contrast reduces the security noise caused by false positives while enabling developers to fix vulnerabilities themselves quickly and easily.

The platform delivers the industry’s first interactive application security analyzer for Go language applications. Its release is important for organizations seeking to secure application programming interfaces (APIs). Because building APIs is one of the primary uses of Go (done by 74% of developers), organizations previously had to secure and protect these APIs with legacy application scanning solutions. In addition to generating high rates of false positives, these legacy scanning tools missed unknown threats. The Contrast Go Agent performs software composition analysis (SCA) to locate known vulnerabilities, while its integrated analysis observes the API at runtime to detect unknown vulnerabilities. Additionally, if a new, previously unknown vulnerability is discovered at a later date, the DevSecOps Control Center shows which applications are affected.

“Extending platform coverage to include Go applications makes it possible for organizations to reduce application risk at both test and runtime in ways that were not previously possible,” said Steve Wilson, Chief Product Officer at Contrast Security. “Contrast eliminates false-positive security alerts that plague legacy application security approaches. These inundate security teams with alerts that pose no risk and bog down development release cycles. For applications in Go, a better alternative did not exist until now. The Contrast Go Agent detects only those vulnerabilities that matter while making it simple and fast for developers to remediate vulnerabilities on their own.”

Contrast enables organizations to address vulnerabilities in both custom and open-source code in Go applications. The integrated analysis approach weaves sensors into an application to trace data flow, improving the accuracy and quality of vulnerability findings for everything from path traversal to injection attacks. The Go Agent works by source rewriting, adding fail-safe entry and exit sensors to different methods based on what those methods do. The performance impact is low and affects only test environments, not production deployments. At build time, the composition analysis takes only a couple of seconds to surface results.

The approach supports security testing and also delivers active protection of applications in production environments, with very little performance impact and substantial risk-reduction benefits.