
Jeff Williams, Co-Founder and CTO of Contrast Security, joins TechNadu to explain why runtime is the missing piece in modern application security. We asked him how Contrast eliminates false positives, prioritizes real-world risk, and brings remediation into the developer experience — not outside it.
Drawing on decades of appsec leadership, Williams highlights how runtime evidence, automation, and SmartFix reshape real-world defense. His hands-on technical leadership makes this conversation particularly actionable.
In this interview, Williams details why legacy scans fall short, how ADR reduces backlog panic, and what it really means to prioritize exploitable vulnerabilities.
Read this interview for expert insight into runtime logic, automated remediation, and protecting containerized environments at scale.
Vishwa: Contrast Security’s approach is centered on real-time application protection. Can you explain, step by step, how its runtime feedback loops are integrated into DevSecOps workflows and automation tools, and what role this plays in adapting its protection for Continuous Integration and Continuous Deployment (CI/CD) pipelines?
Jeff: Traditional scanning approaches to application security were invented over 20 years ago, and are slow, burdensome, and error-prone. The best part of Contrast is that there is no complex step-by-step process to follow. You install it once, and from that point forward, security testing just continuously happens in the background.
Developers simply receive an AI-generated “pull request” containing the fix (along with a detailed explanation and a test case), and all they have to do is accept it. Contrast does include integrations into IDEs, pipelines, and ticketing systems, but we are encouraging teams to try the fully-automated approach.
We value developer time highly, so we provide the highest-accuracy analysis possible, and prioritize vulnerabilities using real runtime evidence. Most teams can burn down their backlog in a few weeks and then keep it at zero without breaking a sweat. IDC found developers spend 19% of their time wrestling with security. With Contrast, that drops to just a few clicks a month.
That’s how security becomes not just manageable, but actually delightful for developers.
Vishwa: Given the limitations you see in legacy Static Application Security Testing and Dynamic Application Security Testing (SAST/DAST) tools, how do point-in-time security scans miss exploitable conditions that are triggered only during normal application execution, and what are the broader consequences of this gap?
Jeff: Traditional scans analyze all the repos, libraries, and APIs separately. So not only do you only get a snapshot, but the analysis doesn’t take the entire, fully assembled application into account.
So these tools miss problems that span components, as well as identify many false positives. But even more importantly, apps and APIs behave differently in real-world conditions — once they’re handling real traffic, real users, real data, and real connections.
That’s when exploitable flaws emerge, and scans will never catch them because they’re not watching while the app is running. The result is a backlog full of ‘possible’ issues while the real, dangerous ones are missed. With Contrast, you’re not guessing.
You see vulnerabilities exactly as they execute, with runtime proof and context that makes it clear what’s real and what’s not. That means developers spend less time chasing noise and more time fixing the problems that actually matter.
Vishwa: As enterprises adopt microservices and containerized environments, what are the practical benefits of Contrast Security’s instrumentation approach, where lightweight agents are autonomously deployed alongside containers through orchestration systems and stream telemetry to unified dashboards without disrupting production performance?
Jeff: In modern environments with hundreds of microservices, traditional tools just don’t scale. Containers spin up and down constantly, and by the time you run a scan, half your infrastructure has already changed.
Contrast was built for this reality. Our agents deploy automatically with every service, so whether a container lives for a day or a few minutes, we still get full visibility. And because the agents run inside the services, they see exactly what’s happening without adding friction or slowing performance.
That gives teams a single, accurate view of risk across the entire environment, no matter how fast things are moving.
Vishwa: For your customers, what does “prioritizing exploitable vulnerabilities” actually involve in practice? Can you walk us through how runtime exploit evidence is gathered and used by security and engineering teams to identify, assess, and fix genuinely dangerous flaws?
Jeff: Every security team says they want to prioritize. They have to, because the average enterprise has 1.1 million app/API vulnerabilities in their backlog that they haven’t triaged and are not getting fixed. First off, Contrast only reports vulnerabilities that are actually observed in running code. So the false positive rate is less than 1%.
But more importantly, because Contrast also detects and protects against attacks, we can calculate a dynamic risk score that takes production threat, architecture, and business context into account.
For example, a SQL injection flaw rated “critical” by a SAST tool could have a very different score with Contrast. Because we know the attacker would require “admin” privilege and that the vulnerability has not been found or attacked, we can lower the score significantly, allowing development teams to focus on the most critical items.
We also capture a wealth of contextual information to help developers fix issues, such as the HTTP information, full data flow, stacktraces, and libraries available.
Vishwa: In environments where secure coding capabilities lag behind shifting threat activity, what exactly is code remediation, and how does Application Detection and Response (ADR) help block live attacks to buy internal teams time for remediation as a compensating control?
Jeff: In the security world, “remediation” simply means fixing the code to remove a vulnerability. Unfortunately, this is where most security programs slow down. In a recent study we published, we found that on average, teams are finding 17 new vulnerabilities per month and fixing 11 — a net gain of 6 every month per app.
And large organizations can have hundreds or thousands of apps. So, it doesn’t work to hand a developer a vague ticket and hope it gets fixed correctly. Contrast makes that process fast and accurate. When we detect a vulnerability, our AI SmartFix remediation agent generates the precise code fix, tailored to the framework and coding patterns already in use, and opens a pull request for the developer to review.
It’s simple, accurate, and saves weeks of wasted effort. At the same time, teams can also use Contrast Application Detection and Response (ADR) to prevent vulnerabilities from being exploited in production.
That means even before the fix is merged, the business is protected, and teams get the breathing room they need to patch as part of the normal development process. No fire drills.
Vishwa: Can you explain what “business-logic exploitation at runtime” means in the context of modern applications, and how excessive privilege assignments or poor input validation open the door to these types of attacks?
Jeff: Business-logic flaws are different from typical vulnerabilities because they really depend on what the business wants users to be able to do and not do. These flaws show up when an attacker figures out how to misuse legitimate functions — like transferring account ownership without permission, using coupons multiple times, or exceeding maximum transaction limits.
These issues often bypass traditional defenses because, technically, the application is working as coded, it’s just not working as intended. There are no perfect automated defenses against these types of vulnerabilities, but Contrast makes authorization checks visible so that teams can see what these rules actually are and identify misconfigurations.
These rules are often very difficult to extract from source code and configuration, which is why watching applications run is so important.
Vishwa: Finally, since Contrast Security is at the nexus of application defense, what cybersecurity tools or apps would you personally recommend, both for absolute beginners looking to protect themselves and for seasoned professionals securing enterprise-class environments? And what are your own favorite tools for cyber hygiene?
Jeff: Absolutely everyone should get a password manager (I swear by 1Password) and learn to use it for everything. I also recommend enabling multi-factor authentication on any important accounts. And finally, just keep your devices updated. Those three things will prevent the vast majority of personal compromises.
For enterprise professionals, you need to use a framework like the Cyber Defense Matrix and make sure you have good coverage of all the components. Many organizations have solid defenses in place for devices, network, data, and users — but they have a major gap in protecting their applications and APIs in production.
I don’t believe WAFs provide nearly strong enough protection for modern software. If I’m a CISO, the first thing I would do is put in ADR — both to discover what’s in my application layer and prevent most exploits.
That will give me time to work on building a complete application security program.