The most effective way to defend an application is to focus on what it actually does. For example, if an application doesn’t use SQL, it won’t be vulnerable to SQL injection. Tools such as the free Contrast Community Edition enable teams to watch running code and observe what it actually does, so that time and effort go to the things that matter. In addition to accuracy, this improves performance, because defenders have contextual information they can use for defense. In essence, this moves defense up from Layer 7, watching data over the network, to a more modern Layer 8: how the application actually uses the data.