Organization Administrators have access to a variety of configuration settings for operating and managing an organization, such as administering users and setting up password policy, integrations and server defaults. Go to the User menu and choose Organization Settings to see all of the functions available.
View basic information about your organization and configure high-level preferences including date and time formats in the Organization tab.
Use Organization groups to designate a user's organization and application role, which determines what users can see and do in Contrast. You can create, view, edit and delete groups at any time.
Manage users for an organization, by adding, editing or deleting them. You can also assign users to a default group (or role), designate them for API-only use and unlock their account.
Manage password policy and session timeouts, two-step verification and IP restrictions. You can also access an audit log, where you can search for past activity in your organization by keyword and date.
Single Sign-On (SSO) is an authentication service that allows access to multiple applications using one set of credentials. As a Super or Organization Administrator, you can configure Contrast to use this service for your organization.
Contrast APIs allow you to grant access to other services. You may have API keys emailed to you, and rotate keys as needed.
Contrast offers basic integrations with various tools including bugtrackers (JIRA, Bugzilla and Serena) and notification channels (Slack, HipChat and generic Webhooks). Authorize and connect the tools you need to streamline workflows.
Server Settings provide default configurations for new servers (agents) that are being brought on board. You can customize these configurations for each environment.
Notifications provide a mechanism for Contrast to alert users in specific cases, such as the discovery of a vulnerability or an attack on an application. These notifications occur in Contrast and/or by email. Organization Administrators can set the default notification settings for all users in their organization.
Report Settings offer a centralized view of format options for hard-copy reports in your organization. Categories include:
Score Settings allow you to customize how Contrast calculates Overall Score and Library Score, and determine what letter grade (or score) is assigned within Contrast.
When you download the Contrast JVM plugin (also called "the agent"), it comes prefitted with a set of randomly generated credentials for your organization that don't involve the passwords of any users in the organization. When the plugin communicates with the Contrast application, it authenticates using these credentials.
Contrast adds another layer of security through an organization API key that you manage yourself. If credentials are compromised, an unauthorized party still can't submit forged or malicious data to your organization without the correct organization API key. Authentication follows the process shown in the image below.
Manage organization API keys as an Organization Administrator by going to the User Menu > Organization Settings > API tab. A System Administrator can also select an organization and manage API keys by going to the User Menu > System Settings > API tab.
In the REST API section, view your Organization Keys, including your Organization ID and API key, and your Agent Keys, such as your Agent Service key. Rotate your API or Agent Service keys by clicking the links provided for each. You can also click the button to Generate Sample API Request.
For more information, read About the Contrast API.
To see more examples of API requests, go to the Contrast API documentation.
For help with connection issues after rotating service keys, read the troubleshooting article.
Server Settings provide default configurations to new servers (agents) being brought on board. Organization administrators can customize these configurations and set specific defaults for each environment.
The Log Level field controls which events are processed by server logging and helps you capture events more effectively. Contrast generally recommends running in Error mode unless a problem occurs and Support asks you to collect more detail.
For more details on log levels, go to the article on Server Settings.
Automatic server cleanup enables a Contrast background task that runs every five minutes to check whether any organization has cleanup policies configured. For each organization with cleanup policies, Contrast checks whether one or more servers have received no activity within the timeframe configured in the policy. Servers with no activity are disabled automatically and are no longer visible in the Servers grid. Contrast retains information on vulnerabilities and attacks related to these servers, even after they're disabled. This feature is available for Java and .NET servers only.
Assess mode provides detailed information on vulnerabilities discovered by Contrast so that you may track, share and receive remediation guidance. Turning Assess on allows you to enable sampling and designate how stacktraces are captured.
For more information on sampling and stacktraces, go to the Server Settings article.
Protect mode monitors your servers and applications, identifying and blocking attacks in real time. Turning Protect on gives you the option to enable bot blocking, which allows Contrast to use simple signatures to block traffic from scrapers, attack tools and other unwanted automation.
Protect mode also allows you to output events to Syslog for one or multiple servers. Contrast assigns syslog message categories according to the severity levels defined in the Syslog RFC 3164 specification. Read the article on Output to Syslog to learn more about enabling this feature.
Ensure that new servers receive full, immediate coverage from Contrast by automatically applying Protect licenses.
Note: Administrators receive an email each time a server is licensed. Because servers go up and down frequently, you may want to set up an email filter for this traffic. Contrast is working on making this configurable in the future.
Go to the User menu > Organization Settings > Servers tab to start setting up defaults.
Use the dropdown menu to choose the environment in which you want to apply the default. Check the box if you want to set this as the default environment for servers.
Use the dropdown menu to choose the Log Level. The default selection is Error.
Check the box to Enable automatic server cleanup.
Use the dropdown menu to choose which stacktraces Contrast captures. The default selection is ALL.
Check the box to Enable sampling for higher performance. Choose the numerical values for the following fields:
Check the box to Enable bot blocking.
Check the box to Enable output of Protect events to Syslog.
Note: Turning Protect on by default requires that Protect licenses are automatically applied to servers.
Organization Admins can choose default settings for applications in their organization based on levels of importance, existing policies and Assess licensing. Go to the User menu > Organization Settings > Applications tab to get started.
Use the dropdown menu to choose an Importance level for applications. The default selection is Medium.
Use the multiselect Policy field to choose which Remediation and Compliance Policies to apply automatically to applications. (You can still add applications to policies that aren't included in your default settings after you onboard them.)
Check the box to Require administrative approval when closing vulnerabilities in your organization. In the fields below, choose the statuses and severities of vulnerabilities that should automatically go into a Pending state when a user moves to close them. When a user requests to close any qualifying vulnerabilities, Contrast will notify you that your review is needed.
Note: To qualify for administrative approval, both a status and severity that you selected in this configuration must apply to the vulnerability being closed.
Each vulnerability status will remain pending until you submit your review of the closure. If you deny the closure of a vulnerability, you must provide a reason for denial; once confirmed, your feedback appears in the vulnerability's Discussion tab. If you disable the feature, any pending closures are automatically approved.
Note: While in a Pending state, the vulnerability's previous status still applies for the purpose of organizational reports and statistics.
See Manage Vulnerabilities for more information about Pending states and workflows.
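The approval workflow described above, as an added example that is not Contrast's own code: a closure goes Pending only when both a configured status and a configured severity match, a denial requires a reason that lands in the Discussion, the previous status still counts for reporting while Pending, and disabling the feature approves everything pending. Status and severity names used here are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class ApprovalPolicy:
    enabled: bool
    statuses: set      # closing statuses that qualify (constructed sample values)
    severities: set    # severities that qualify (constructed sample values)

@dataclass
class Vulnerability:
    severity: str
    status: str
    pending_status: str = None   # requested closing status while awaiting review
    discussion: list = field(default_factory=list)

    @property
    def reporting_status(self):
        # While Pending, reports and statistics still use the previous status.
        return self.status

def request_close(vuln, new_status, policy):
    """Apply the closure directly, or park it as Pending when the policy qualifies it.
    Both a configured status AND a configured severity must match."""
    qualifies = (policy.enabled and new_status in policy.statuses
                 and vuln.severity in policy.severities)
    if qualifies:
        vuln.pending_status = new_status
        return "Pending"
    vuln.status = new_status
    return new_status

def review(vuln, approve, reason=None):
    """Administrator decision on a pending closure; denial needs a reason."""
    if vuln.pending_status is None:
        raise ValueError("no pending closure to review")
    if approve:
        vuln.status = vuln.pending_status
    else:
        if not reason:
            raise ValueError("a denial requires a reason")
        vuln.discussion.append(f"Closure denied: {reason}")
    vuln.pending_status = None
    return vuln.status

def disable_approval(policy, vulns):
    """Turning the feature off approves every pending closure automatically."""
    policy.enabled = False
    for v in vulns:
        if v.pending_status is not None:
            v.status, v.pending_status = v.pending_status, None
```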
Check the box if you want to Automatically apply licenses to newly onboarded applications. The thermometer chart below the checkbox shows you the number of licenses used out of the total number of licenses available in the organization. Click on the total number of licenses to go to the Licenses view of the Organization Statistics page.
Use the Custom Fields section to configure custom metadata that should be provided for each of the applications in your organization. During agent onboarding, users are prompted to enter metadata for the fields you create, and add the information in their configuration files. The metadata is then displayed in the Applications page grid, where you can also use it to filter applications, and the application's Details page in the Contrast UI.
The following agent versions support custom metadata fields:
Complete the following steps to create custom fields:
Once you've defined each field, Contrast provides the formatted property that you can copy and paste into your agent configuration files. You must then complete the information for each key=value pair.
If you would like to fail applications that don't include all required fields, check the box to Restrict applications missing required fields. This may apply to new or new and existing applications in the organization.
Note: If you don't choose to restrict applications, any application missing a required field will be successfully onboarded but flagged in the UI. Contrast will also send an email alert to the designated Point of Contact, if provided.
Notifications allow Contrast users to receive alerts in specific situations, such as the discovery of a vulnerability or an attack on an application. Organization Administrators can set default settings for Contrast notifications for all users in their organization. Individual users can then tailor these settings as needed.
There are two primary channels available for notifications: Email and In Contrast.
Organization administrators can define default notification settings for all users in their organization by going to the User menu > Organization Settings > Notifications tab. Individual users can modify the default subscriptions that you set. However, integration notification settings affect which messages users receive from integrations that are set up in your organization, and are managed by Organization Administrators only. For more information on user settings, go to the account Notifications article.
Use the toggles in the Integrations, In Contrast and Email columns to enable or disable the following subscriptions. Use the dropdown menu to choose an integration that's configured in your organization, and adjust the default notification settings for each one.
Custom notifications allow users with Admin, Edit and Rules Admin roles in an organization to enable notifications for one or more users when a specific condition is observed in Contrast. These notifications execute and alert users by email at the time of the event, daily or weekly.
To create a custom notification, click the Create Notification button above the grid in the Custom Notifications panel. In the dialog that appears, fill out the following form fields.
Contrast supports six conditions for custom notifications: Category, Impact, Likelihood, URL, Class and Method.
| Condition | Operators | Description |
|---|---|---|
| Category | Is or Is Not | Categories are high-level groupings of rule types such as Authentication, Injection, Cryptography, etc. There are 11 categories within Contrast rule types. |
| Impact | Is, Is Lower Than, Is Higher Than | Impact is measured in High, Medium and Low ratings based on how a rule type affects a given organization. Every rule type has a default impact configuration setting which can be customized. |
| Likelihood | Is, Is Lower Than, Is Higher Than | Likelihood is measured in High, Medium and Low ratings based on how frequently a rule type may occur. Every rule type has a default likelihood configuration setting that can be customized. |
| URL | Is, Contains, Starts With | A specific URL from an application. |
| Class | Is, Contains, Starts With | A specific Java or .NET class. |
| Method | Is, Contains, Starts With | A specific Java or .NET method. |
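An evaluator for the six conditions and their operators, added here as an illustration rather than Contrast's own code. The Low < Medium < High ordering for Impact and Likelihood follows the table; combining several conditions with AND semantics and the sample finding are assumptions of this example.

```python
from dataclasses import dataclass

# Ordering for "Is Lower Than" / "Is Higher Than" on Impact and Likelihood.
RATING = {"Low": 0, "Medium": 1, "High": 2}

# Operators allowed per condition field, exactly as in the table above.
OPERATORS = {
    "category": {"Is", "Is Not"},
    "impact": {"Is", "Is Lower Than", "Is Higher Than"},
    "likelihood": {"Is", "Is Lower Than", "Is Higher Than"},
    "url": {"Is", "Contains", "Starts With"},
    "class": {"Is", "Contains", "Starts With"},
    "method": {"Is", "Contains", "Starts With"},
}

@dataclass(frozen=True)
class Condition:
    field: str
    operator: str
    value: str

def matches(cond: Condition, vuln: dict) -> bool:
    """True when one condition holds for a vulnerability record (dict of strings)."""
    if cond.operator not in OPERATORS.get(cond.field, ()):
        raise ValueError(f"{cond.operator!r} is not valid for {cond.field!r}")
    actual, op, want = vuln[cond.field], cond.operator, cond.value
    if op == "Is":
        return actual == want
    if op == "Is Not":
        return actual != want
    if op == "Is Lower Than":
        return RATING[actual] < RATING[want]
    if op == "Is Higher Than":
        return RATING[actual] > RATING[want]
    if op == "Contains":
        return want in actual
    return actual.startswith(want)          # remaining operator: "Starts With"

def should_notify(conditions: list, vuln: dict) -> bool:
    """Fire only when every configured condition holds (AND semantics, assumed here)."""
    return all(matches(c, vuln) for c in conditions)

# Constructed sample finding (not real Contrast data) and a constructed rule.
SAMPLE_VULN = {"category": "Injection", "impact": "High", "likelihood": "Medium",
               "url": "/api/orders/search", "class": "com.example.OrderDao",
               "method": "findByCustomer"}
RULE = [Condition("category", "Is", "Injection"),
        Condition("impact", "Is Higher Than", "Medium"),
        Condition("url", "Starts With", "/api/")]
```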
Administrators automatically receive the following notifications for high-level events in their organization in the Contrast application and by email.
For some features that require user notifications, Contrast automatically notifies the affected users in the Contrast UI when a Contrast administrator enables the feature. (You can't control these notifications in the Notifications page.) Contrast requires user and administrator notifications for features including vulnerability status approval and other Policy Management settings.
Contrast offers compliance reports for understanding an application's compliance status.
Report settings offer a single interface for organization administrators to define the template of hard-copy reports. Select Organization Settings in the user menu and Report Settings in the left navigation. This essentially involves defining the default values for reports created within the organization such as:
When viewing the Application Details page, users can generate a PDF report to see how the application is doing as it relates to compliance requirements. The defaults will prepopulate the report generation dialog, but the user can still make any necessary changes.
Organization administrators can customize score settings for both overall score of applications and libraries by selecting Organization Settings in the user menu and Score Settings in the sidebar. Settings are separated into two sections: Overall Score and Library Score.
This determines how applications are scored in Contrast.
There are two methods for determining library scores in Contrast:
You can also configure policy settings in Policy Management so that any library in violation automatically receives a failing score (F). Once these settings are chosen, you'll see an alert message in Score Settings. Clicking the policy link in the alert navigates you to Library Policy, where administrators may view and revise these settings.