Overview

Organization Administrators have access to a variety of configuration settings for operating and managing an organization, such as administering users and setting up password policy, integrations and server defaults. Go to the User menu and choose Organization Settings to see all of the functions available.

General Information

View basic information about your organization and configure high-level preferences including date and time formats in the Organization tab.

Groups

Use Organization groups to designate a user's organization and application role, which determines what users can see and do in Contrast. You can create, view, edit and delete groups at any time.

Users

Manage users for an organization, by adding, editing or deleting them. You can also assign users to a default group (or role), designate them for API-only use and unlock their account.

Security

Manage password policy and session timeouts, two-step verification and IP restrictions. You can also access an audit log, where you can search for past activity in your organization by keyword and date.

SSO

Single Sign-On (SSO) is an authentication service that allows access to multiple applications using one set of credentials. As a Super or Organization Administrator, you can configure Contrast to use this service for your organization.

API

Contrast APIs allow you to grant access to other services. You may have API keys emailed to you, and rotate keys as needed.

Integrations

Contrast offers basic integrations with various tools including bugtrackers (JIRA, Bugzilla and Serena) and notification channels (Slack, HipChat and generic Webhooks). Authorize and connect the tools you need to streamline workflows.

Servers

Server Settings provide default configurations for new servers (agents) that are being brought on board. You can customize these configurations for each environment.

Notifications

Notifications provide a mechanism for Contrast to alert users in specific cases, such as the discovery of a vulnerability or an attack on an application. These notifications occur in Contrast and/or by email. Organization Administrators can set the default notification settings for all users in their organization.

Report Settings

Report Settings offer a centralized view of format options for hard-copy reports in your organization. Categories include:

  • Report Type
  • Vulnerability Status
  • Vulnerability Tag
  • Custom Footer

Score Settings

Score Settings allow you to customize how Contrast calculates Overall Score and Library Score, and determine what letter grade (or score) is assigned within Contrast.

API Credentials

How It Works

When you download the Contrast JVM plugin (also called "the agent"), it comes preconfigured with a set of randomly generated credentials for your organization that don't involve the passwords of any users in the organization. When the plugin communicates with the Contrast application, it authenticates using these credentials.

Contrast adds another layer of security through an organization API key that you manage yourself. In the case of a security breach, an unauthorized user can't submit forged or malicious data to your organization, because their organization API key is wrong. Authentication follows the process shown in the image below.

Manage Keys

Manage organization API keys as an Organization Administrator by going to the User Menu > Organization Settings > API tab. A System Administrator can also select an organization and manage API keys by going to the User Menu > System Settings > API tab.

In the REST API section, view your Organization Keys, including your Organization ID and API key, and your Agent Keys, such as your Agent Service key. Rotate your API or Agent Service keys by clicking the links provided for each. You can also click the button to Generate Sample API Request.
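The following is an added example, not Contrast's own code, that models the two-layer check described above: an agent submission is accepted only if both its randomly generated service key and the organization API key match, and rotating the organization API key immediately invalidates the old one. Class and function names are assumptions, and all key values are constructed samples.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List

# Constructed model of the two-layer check described above. It is not
# Contrast's code: class and function names are assumptions, and the keys
# below are constructed sample values.

@dataclass
class Organization:
    org_id: str
    api_key: str             # organization API key (rotatable by an admin)
    agent_service_key: str   # randomly generated agent credential
    accepted: List[dict] = field(default_factory=list)

    def rotate_api_key(self) -> str:
        """Issue a new organization API key; the old one stops working at once."""
        self.api_key = secrets.token_urlsafe(32)
        return self.api_key

    def rotate_agent_service_key(self) -> str:
        """Issue a new agent service key for the organization's agents."""
        self.agent_service_key = secrets.token_urlsafe(32)
        return self.agent_service_key


def _keys_match(presented: str, expected: str) -> bool:
    # Constant-time comparison: a wrong key must fail without leaking how wrong.
    return hmac.compare_digest(presented.encode(), expected.encode())


def accept_agent_submission(org: Organization, service_key: str,
                            api_key: str, event: dict) -> bool:
    """Record `event` only if both the agent credential and the org API key verify."""
    if not _keys_match(service_key, org.agent_service_key):
        return False   # layer 1: agent credentials do not belong to this organization
    if not _keys_match(api_key, org.api_key):
        return False   # layer 2: right agent credential but wrong organization API key
    org.accepted.append(event)
    return True


def demo():
    """Walk through a normal submission, a forged one, and a key rotation."""
    org = Organization("ORG-ID-PLACEHOLDER", "orgkey-sample-A", "svc-sample-1")
    outcomes = [
        accept_agent_submission(org, "svc-sample-1", "orgkey-sample-A", {"type": "vuln"}),
        accept_agent_submission(org, "svc-sample-1", "orgkey-forged", {"type": "forged"}),
    ]
    new_key = org.rotate_api_key()
    outcomes += [
        accept_agent_submission(org, "svc-sample-1", "orgkey-sample-A", {"type": "stale"}),
        accept_agent_submission(org, "svc-sample-1", new_key, {"type": "vuln"}),
    ]
    return outcomes, len(org.accepted)


if __name__ == "__main__":
    print(demo())   # ([True, False, False, True], 2)
```

The constant-time comparison matters on the receiving side: a plain `==` on secrets can leak, through timing, how much of a guessed key was correct. The rotation step is the reason the troubleshooting note below exists: any agent still presenting the old key is rejected until it is reconfigured.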

Learn More

For more information, read About the Contrast API.

To see more examples of API requests, go to the Contrast API documentation.

For help with connection issues after rotating service keys, read the troubleshooting article.

Server Defaults

Server Settings provide default configurations to new servers (agents) being brought on board. Organization administrators can customize these configurations and set specific defaults for each environment.

How It Works

Log levels

The Log Level field allows you to control which events are processed by server logging, and can help you more effectively capture events. Contrast generally recommends that you run in Error mode unless a problem occurs and you're asked to collect more metrics by support.

For more details on log levels, go to the article on Server Settings.

Automatic server cleanup

Automatic server cleanup enables a Contrast background task that runs every five minutes to check whether any organization has cleanup policies configured. For each organization with cleanup policies, Contrast checks whether one or more servers have received no activity within the timeframe configured in the policy. Servers with no activity are disabled automatically and are no longer visible in the Servers grid. Contrast retains information on vulnerabilities and attacks related to these servers, even after they're disabled. This feature is available for Java and .NET servers only.

Assess options

Assess mode provides detailed information on vulnerabilities discovered by Contrast so that you may track, share and receive remediation guidance. Turning Assess on allows you to enable sampling and designate how stacktraces are captured.

For more information on sampling and stacktraces, go to the Server Settings article.

Protect options

Protect mode monitors your servers and applications, identifying and blocking attacks in real time. Turning Protect on gives you the option to enable bot blocking, which allows Contrast to use simple signaturing to block traffic from scrapers, attack tools and other unwanted automation.

Protect mode also allows you to output events to Syslog for one or multiple servers. Contrast assigns syslog message severities according to the Syslog RFC 3164 specification. Read the article on Output to Syslog to learn more about enabling this feature.
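As an added illustration (not Contrast's code) of what the RFC 3164 severity and facility settings mean for whoever receives these events, the helpers below build a syslog line for a Protect event and decode its PRI field the way a collector or SIEM would, rejecting a malformed PRI. The facility and severity numbers are the RFC 3164 values; the event badge names, hostname, tag and message are constructed sample values.

```python
import re
from datetime import datetime
from typing import Tuple

# Constructed helpers, not Contrast's code: build an RFC 3164 line for a
# Protect event and decode the PRI field on the receiving side. Facility
# and severity numbers are the RFC 3164 values; event names are sample values.

SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
            "local0": 16, "local1": 17, "local2": 18, "local3": 19,
            "local4": 20, "local5": 21, "local6": 22, "local7": 23}

def encode_pri(facility: str, severity: str) -> int:
    """RFC 3164: PRI = facility * 8 + severity."""
    return FACILITY[facility] * 8 + SEVERITY[severity]

def format_rfc3164(facility: str, severity: str, hostname: str,
                   tag: str, message: str, when: datetime) -> str:
    # Timestamp is "Mmm dd hh:mm:ss" with a space-padded day, as the RFC shows.
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{encode_pri(facility, severity)}>{ts} {hostname} {tag}: {message}"

_PRI = re.compile(r"^<(\d{1,3})>")

def decode_pri(line: str) -> Tuple[int, int]:
    """Return (facility, severity) from a syslog line; reject a malformed PRI."""
    m = _PRI.match(line)
    if not m:
        raise ValueError("missing PRI")
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range")
    return divmod(pri, 8)

def demo():
    # Constructed mapping of per-badge severities, as chosen in the Protect settings
    badge_severity = {"exploited": "crit", "blocked": "warning", "probed": "info"}
    when = datetime(2024, 1, 1, 12, 0, 0)
    line = format_rfc3164("local0", badge_severity["exploited"], "app-host",
                          "contrast-protect", "protect event on /api/orders", when)
    return line, decode_pri(line)
```

Because the receiver routes on the PRI alone, choosing a distinct severity per event badge (and a dedicated local facility) is what lets a SIEM page on one class of events and merely index another.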

Automatic licensing

Ensure that new servers receive full, immediate coverage from Contrast by automatically applying Protect licenses.

Note: Administrators receive emails each time a server is licensed. As servers go up and down frequently, you may want to set up an email filter for any unwanted traffic. Contrast is working on making this configurable in the future.

Set Up Defaults

Go to the User menu > Organization Settings > Servers tab to start setting up defaults.

Environment

  • Use the dropdown menu to choose the environment in which you want to apply the default. Check the box if you want to set this as the default environment for servers.

  • Use the dropdown menu to choose the Log Level. The default selection is Error.

  • Check the box to Enable automatic server cleanup.

    • Use the multiselect field to choose the Environment in which to apply automatic cleanup. The default is All environments.
    • Use the number control and dropdown fields to set the amount of time that Contrast must wait to disable servers After Being Offline. The defaults are 12 and Hour(s).
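The following added example (not Contrast's code) models the automatic cleanup rule with the defaults listed above: one pass of the background task disables every supported server, in an environment the policy covers, whose last activity is older than the configured offline window, while leaving its recorded findings untouched. Class and function names and the sample inventory are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Constructed model of the automatic cleanup rule described above, not
# Contrast's own code. Names are assumptions; the defaults (All environments,
# 12 hours, Java and .NET only) come from the page.

SUPPORTED_LANGUAGES = {"Java", ".NET"}

@dataclass
class Server:
    name: str
    environment: str
    language: str
    last_activity: datetime
    enabled: bool = True
    findings: List[str] = field(default_factory=list)   # vulnerabilities/attacks tied to it

@dataclass
class CleanupPolicy:
    environments: Optional[Set[str]] = None            # None means "All environments"
    offline_for: timedelta = timedelta(hours=12)       # "After Being Offline" default

def run_cleanup(servers: List[Server], policy: CleanupPolicy, now: datetime) -> List[str]:
    """One pass of the background task: disable stale servers, return their names."""
    disabled = []
    for s in servers:
        if not s.enabled or s.language not in SUPPORTED_LANGUAGES:
            continue
        if policy.environments is not None and s.environment not in policy.environments:
            continue
        if now - s.last_activity > policy.offline_for:
            s.enabled = False          # hidden from the Servers grid...
            disabled.append(s.name)    # ...but s.findings is left untouched
    return disabled

def visible_servers(servers: List[Server]) -> List[str]:
    return [s.name for s in servers if s.enabled]

def demo():
    now = datetime(2024, 1, 1, 12, 0)
    servers = [   # constructed sample inventory
        Server("web-1", "PRODUCTION", "Java", now - timedelta(hours=13), findings=["sqli-1"]),
        Server("web-2", "PRODUCTION", "Java", now - timedelta(hours=1)),
        Server("qa-1", "QA", "Java", now - timedelta(days=2)),
        Server("svc-1", "PRODUCTION", "Node", now - timedelta(days=2)),  # unsupported language
    ]
    prod_only = run_cleanup(servers, CleanupPolicy(environments={"PRODUCTION"}), now)
    all_envs = run_cleanup(servers, CleanupPolicy(), now)   # page defaults
    return prod_only, all_envs, visible_servers(servers), servers[0].findings
```

The second pass shows why the environment multiselect matters: narrowing it to one environment leaves stale servers elsewhere visible until the policy is widened. Note that a disabled server is no longer in the grid, so a host that was simply offline for longer than the window needs to be re-enabled rather than re-onboarded.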

Assess

  • Use the dropdown menu to choose which stacktraces Contrast captures. The default selection is ALL.

  • Check the box to Enable sampling for higher performance. Choose the numerical values for the following fields:

    • Baseline: The number of times that Contrast analyzes URLs to complete sampling. The default setting is 5.
    • Frequency: The number of times that Contrast analyzes URLs after the Baseline is achieved. The default setting is 10.
    • Window: The number of seconds that Contrast retains samples before reverting to the Baseline. The default setting is 180.
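The sampler below is an added example, not the agent's code, showing how the three fields interact with the page's defaults (Baseline 5, Frequency 10, Window 180 seconds). Two readings are assumptions: after the baseline is reached, every Frequency-th request to a URL is analyzed, and once a URL's sample window expires its count starts over at the baseline. The URL and traffic pattern are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed model of Assess sampling, not the agent's code. Defaults come
# from the page (Baseline 5, Frequency 10, Window 180 s). Two readings are
# assumptions: after the baseline, every Frequency-th request is analyzed,
# and once a URL's sample window expires its count restarts at the baseline.

@dataclass
class UrlSample:
    started_at: float   # seconds; when sampling for this URL began
    seen: int = 0       # requests observed in the current window

@dataclass
class AssessSampler:
    baseline: int = 5
    frequency: int = 10
    window_s: float = 180.0
    _samples: Dict[str, UrlSample] = field(default_factory=dict)

    def should_analyze(self, url: str, now: float) -> bool:
        """Decide whether this request to `url` gets full Assess analysis."""
        st = self._samples.get(url)
        if st is None or now - st.started_at > self.window_s:
            st = UrlSample(started_at=now)      # window expired: revert to Baseline
            self._samples[url] = st
        st.seen += 1
        if st.seen <= self.baseline:
            return True                          # still building the baseline
        return (st.seen - self.baseline) % self.frequency == 0

def demo():
    s = AssessSampler()
    # 25 requests to one URL, one per second (constructed traffic)
    decisions = [s.should_analyze("/login", float(t)) for t in range(25)]
    analyzed = [i + 1 for i, d in enumerate(decisions) if d]
    # A request well after the 180 s window: back to the baseline
    after_window = s.should_analyze("/login", 200.0)
    return analyzed, after_window
```

The security trade-off is visible in the numbers: with these defaults, only 7 of 25 requests to a hot URL are analyzed, so a vulnerability reachable only through an unusual parameter value on that URL may be missed until the window resets. Raising Baseline or lowering Frequency trades performance for coverage.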

Protect

  • Check the box to Enable bot blocking.

  • Check the box to Enable output of Protect events to Syslog.

    • Enter the IP Address and Port in the given fields. Use the dropdown menu to choose the Facility.
    • Click on the event severity badges, and use the dropdown menu to choose a message Severity level for each one.

  • Check the box to Automatically apply Protect licenses to new servers.

Note: Turning Protect on by default requires that Protect licenses are automatically applied to servers.

Application Defaults

How It Works

Organization Admins can choose default settings for applications in their organization based on levels of importance, existing policies and Assess licensing. Go to the User menu > Organization Settings > Applications tab to get started.

Set Up Defaults

Importance

Use the dropdown menu to choose an Importance level for applications. The default selection is Medium.

Policy

Use the multiselect Policy field to choose which Remediation and Compliance Policies to apply automatically to applications. (You can still add applications to policies that aren't included in your default settings after you onboard them.)

Behavior

Check the box to Require administrative approval when closing vulnerabilities in your organization. In the fields below, choose the statuses and severities of vulnerabilities that should automatically go into a Pending state when a user moves to close them. When a user requests to close any qualifying vulnerabilities, Contrast will notify you that your review is needed.

Note: To qualify for administrative approval, both a status and severity that you selected in this configuration must apply to the vulnerability being closed.

Each vulnerability status will remain pending until you submit your review of the closure. If you deny the closure of a vulnerability, you must provide a reason for denial; once confirmed, your feedback appears in the vulnerability's Discussion tab. If you disable the feature, any pending closures are automatically approved.

Note: While in a Pending state, the vulnerability's previous status still applies for the purpose of organizational reports and statistics.

See Manage Vulnerabilities for more information about Pending states and workflows.
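As an added example (not Contrast's code) of the approval workflow above, the model below shows a closure going Pending only when both a configured status and a configured severity apply, reports continuing to see the previous status while Pending, a denial requiring a reason that lands in the discussion, and disabling the feature auto-approving whatever is pending. Status and severity names are sample values; treating the configured "statuses" as the closing status a user requests is an assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed model of the closure-approval workflow above, not Contrast's
# code. Status and severity names are sample values; treating the configured
# "statuses" as the closing status a user requests is an assumption.

@dataclass
class Vulnerability:
    vid: str
    status: str                          # the status reports still count
    severity: str
    pending_close_to: Optional[str] = None
    discussion: List[str] = field(default_factory=list)

@dataclass
class ApprovalConfig:
    enabled: bool = True
    statuses: Set[str] = field(default_factory=set)    # closing statuses needing review
    severities: Set[str] = field(default_factory=set)

def request_close(v: Vulnerability, new_status: str, cfg: ApprovalConfig) -> str:
    """Close outright, or park the request as Pending when BOTH criteria match."""
    if cfg.enabled and new_status in cfg.statuses and v.severity in cfg.severities:
        v.pending_close_to = new_status
        return "Pending"
    v.status = new_status
    return new_status

def report_status(v: Vulnerability) -> str:
    """What organizational reports and statistics see: the previous status while Pending."""
    return v.status

def review(v: Vulnerability, approve: bool, reason: Optional[str] = None) -> str:
    """Approve or deny a pending closure; denial needs a reason for the Discussion tab."""
    if v.pending_close_to is None:
        raise ValueError("nothing pending")
    if approve:
        v.status = v.pending_close_to
    else:
        if not reason:
            raise ValueError("a reason is required to deny a closure")
        v.discussion.append(f"Closure denied: {reason}")
    v.pending_close_to = None
    return v.status

def disable_approval(cfg: ApprovalConfig, vulns: List[Vulnerability]) -> List[str]:
    """Turning the feature off approves every pending closure automatically."""
    cfg.enabled = False
    return [review(v, approve=True) for v in vulns if v.pending_close_to is not None]

def demo():
    cfg = ApprovalConfig(statuses={"Not a Problem"}, severities={"Critical", "High"})
    a = Vulnerability("V-1", "Reported", "Critical")
    b = Vulnerability("V-2", "Reported", "Low")
    c = Vulnerability("V-3", "Confirmed", "High")
    r1 = request_close(a, "Not a Problem", cfg)      # Pending: both criteria apply
    r2 = request_close(b, "Not a Problem", cfg)      # closes: severity not selected
    r3 = request_close(c, "Fixed", cfg)              # closes: status not selected
    seen_by_reports = report_status(a)               # still "Reported" while Pending
    denied = review(a, approve=False, reason="still reproducible")
    d = Vulnerability("V-4", "Reported", "High")
    request_close(d, "Not a Problem", cfg)
    auto = disable_approval(cfg, [a, b, c, d])
    return r1, r2, r3, seen_by_reports, denied, a.discussion, auto
```

The last step is the one to watch operationally: switching the feature off is itself a bulk approval, so anything sitting in Pending should be reviewed before the box is unchecked.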

Licensing

Check the box if you want to Automatically apply licenses to newly onboarded applications. The thermometer chart below the checkbox shows you the number of licenses used out of the total number of licenses available in the organization. Click on the total number of licenses to go to the Licenses view of the Organization Statistics page.

Notifications

How It Works

Notifications allow Contrast users to receive alerts in specific situations, such as the discovery of a vulnerability or an attack on an application. Organization Administrators can set default settings for Contrast notifications for all users in their organization. Individual users can then tailor these settings as needed.

There are two primary channels available for notifications: Email and In Contrast.

  • In Contrast: Notifications are available directly in the Contrast application. View your notifications by clicking the bell icon in the top menu bar.
  • Email: You must configure Contrast to communicate with an appropriate SMTP system to receive notifications by email.

User Notifications

Organization administrators can define default notification settings for all users in their organization by going to the User menu > Organization Settings > Notifications tab. Individual users can modify the default subscriptions that you set. However, integration notification settings affect which messages users receive from integrations that are set up in your organization, and are managed by Organization Administrators only. For more information on user settings, go to the account Notifications article.

Default user settings

Use the toggles in the Integrations, In Contrast and Email columns to enable or disable the following subscriptions. Use the dropdown menu to choose an integration that's configured in your organization, and adjust the default notification settings for each one.

  • Active Attack: There is an active attack on an application with Protect enabled.
  • New Vulnerability: Contrast has detected a new vulnerability. Click in the field to enable notifications for specific severity levels or "Library"; the default selection is "All".
  • Server Offline: Contrast can't reach a server.
  • New Comment: A team member commented on a finding.
  • New Asset: A new asset to which the user has access has been onboarded. Click in the field to set this notification for "Application" or "Server"; the default selection is "All".
  • Email Digest: A daily summary of Contrast activities. (Email only)

Custom notifications

Custom notifications allow users with Admin, Edit and Rules Admin roles in an organization to enable notifications for one or more users when a specific condition is observed in Contrast. These notifications execute and alert users by email at the time of the event, daily or weekly.

Create notifications

To create a custom notification, click the Create Notification button above the grid in the Custom Notifications panel. In the dialog that appears, fill out the following form fields.

  • Use the radio buttons to choose Vulnerability or Attack.
  • Choose a Name for the notification.
  • Use the dropdown menu to set the notification Interval as "Daily", "Weekly" or "On Event".
  • Enter a Description for the notification's purpose.
  • Click in the multiselect field to choose the Applications for which this notification applies.
  • Choose the Application Tags for which this notification applies.
  • Choose which organization Users should receive the notifications.
  • Use the dropdown menus to choose your Conditions, and complete the following fields in the row. Click the Add Condition link to add a row.

About conditions

Contrast supports six conditions for custom notifications: Category, Impact, Likelihood, URL, Class and Method.

The notification types, the condition operators each one supports, and what each matches:

  • Category (Is, Is Not): Categories are high-level groupings of rule types such as Authentication, Injection, Cryptography, etc. There are 11 categories within Contrast rule types.
  • Impact (Is, Is Lower Than, Is Higher Than): Impact is measured in High, Medium and Low ratings based on how a rule type affects a given organization. Every rule type has a default impact configuration setting, which can be customized.
  • Likelihood (Is, Is Lower Than, Is Higher Than): Likelihood is measured in High, Medium and Low ratings based on how frequently a rule type may occur. Every rule type has a default likelihood configuration setting, which can be customized.
  • URL (Is, Contains, Starts With): A specific URL from an application.
  • Class (Is, Contains, Starts With): A specific Java or .NET class.
  • Method (Is, Contains, Starts With): A specific Java or .NET method.
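The evaluator below is an added example, not Contrast's code, that applies the six condition types and their operators to a vulnerability record, including the High/Medium/Low ordering that "Is Lower Than" and "Is Higher Than" rely on, and rejects an operator the table does not list for a type. That all of a notification's condition rows must match (AND) is an assumption, as are the sample finding and conditions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable

# Constructed evaluator for the six condition types above; not Contrast's
# code. Operators per type are taken from the table; that a notification's
# rows must all match (AND) is an assumption, as are the sample values.

RATING = {"Low": 0, "Medium": 1, "High": 2}   # Impact/Likelihood ordering

OPERATORS = {
    "Category":   {"Is", "Is Not"},
    "Impact":     {"Is", "Is Lower Than", "Is Higher Than"},
    "Likelihood": {"Is", "Is Lower Than", "Is Higher Than"},
    "URL":        {"Is", "Contains", "Starts With"},
    "Class":      {"Is", "Contains", "Starts With"},
    "Method":     {"Is", "Contains", "Starts With"},
}

@dataclass(frozen=True)
class Condition:
    field: str       # one of the keys in OPERATORS
    operator: str
    value: str

def matches(cond: Condition, vuln: Dict[str, str]) -> bool:
    """True if one condition row holds for the vulnerability record."""
    if cond.operator not in OPERATORS.get(cond.field, ()):
        raise ValueError(f"{cond.operator!r} is not a valid operator for {cond.field}")
    actual, op = vuln[cond.field], cond.operator
    if cond.field in ("Impact", "Likelihood"):
        a, b = RATING[actual], RATING[cond.value]
        return {"Is": a == b, "Is Lower Than": a < b, "Is Higher Than": a > b}[op]
    if op == "Is":
        return actual == cond.value
    if op == "Is Not":
        return actual != cond.value
    if op == "Contains":
        return cond.value in actual
    return actual.startswith(cond.value)     # "Starts With"

def should_notify(conditions: Iterable[Condition], vuln: Dict[str, str]) -> bool:
    """All rows of a custom notification must hold (assumed AND semantics)."""
    return all(matches(c, vuln) for c in conditions)

def demo():
    vuln = {   # constructed finding
        "Category": "Injection", "Impact": "High", "Likelihood": "Medium",
        "URL": "/api/orders/42", "Class": "com.example.OrderController", "Method": "create",
    }
    high_impact_api = [
        Condition("Category", "Is", "Injection"),
        Condition("Impact", "Is Higher Than", "Medium"),
        Condition("URL", "Starts With", "/api/"),
    ]
    likely_non_injection = [
        Condition("Category", "Is Not", "Injection"),
        Condition("Likelihood", "Is Higher Than", "Medium"),
    ]
    return should_notify(high_impact_api, vuln), should_notify(likely_non_injection, vuln)
```

A practical consequence of the ordering: "Impact Is Higher Than Medium" matches only High, so a notification meant to cover Medium and High needs "Is Higher Than Low" instead.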

Administrative Notifications

Administrators automatically receive the following notifications for high-level events in their organization in the Contrast application and by email.

  • Application Licensed: A new application was licensed in Contrast.
  • Application License Expiring: The license for an active application is expiring. (Contrast sends this notification two months, one month and one week prior to the expiration date).
  • Licenses Expiring: Existing license(s) with no associated applications are expiring. (Contrast sends this notification two months, one month and one week prior to the expiration date).
  • Remediation Policy Violation: A vulnerability is in violation of an existing remediation policy.
  • Library Policy Violation: A library is in violation of an existing library policy.

Feature Notifications

For some features that require user notifications, Contrast automatically notifies the affected users in the Contrast UI when a Contrast administrator enables the feature. (You can't control these notifications in the Notifications page.) Contrast requires user and administrator notifications for features including vulnerability status approval and other Policy Management settings.

Report Settings

Contrast offers compliance reports for understanding an application's compliance status.

  • DISA ASD STIG: DISA's Application Security and Development STIG reports the security posture as it relates to policy requirements for security programs and best practices for Information Assurance (IA)-enabled applications.
  • OWASP 2013 Top 10: The Open Web Application Security Project reports the problems that are “worth fixing” or in the top ten list of flaws.
  • PCI DSS - 2.0 & 3.0: The Payment Card Industry Data Security Standard protects cardholder data in the event of a data breach. To achieve compliance, organizations must identify and remediate all critical vulnerabilities.

Report settings offer a single interface for organization administrators to define the template of hard-copy reports. Select Organization Settings in the user menu and Report Settings in the left navigation. This essentially involves defining the default values for reports created within the organization such as:

  • Report Type
  • Vulnerability Status
  • Vulnerability Tag
  • Inclusions: Whether to include status of vulnerabilities or notes on the vulnerabilities in the report
  • Custom Footer

When viewing the Application Details page, users can generate a PDF report to see how the application is doing as it relates to compliance requirements. The defaults will prepopulate the report generation dialog, but the user can still make any necessary changes.

Score Settings

Organization administrators can customize score settings for both overall score of applications and libraries by selecting Organization Settings in the user menu and Score Settings in the sidebar. Settings are separated into two sections: Overall Score and Library Score.

Overall Score

This determines how applications are scored in Contrast.

  • Default Scoring is the average of your application's library score and its custom code score.
  • Custom Code-Only Scoring ignores library score when calculating the overall application score. You have the option to select specific languages, as shown.

Library Score

There are two methods for determining library scores in Contrast:

  • Default Scoring uses an algorithm that includes vulnerabilities as well as the age and versioning of a library.
  • Vulnerability-Only Scoring bases scoring solely on vulnerabilities present in the library.

You can also configure policy settings in Policy Management so that any library in violation automatically receives a failing score (F). Once these settings are chosen, you'll see an alert message in Score Settings. Clicking the policy link in the alert navigates you to Library Policy, where administrators may view and revise these settings.