Contrast Assess is an application security testing tool that combines Static, Dynamic, and Interactive Application Security Testing (SAST, DAST and IAST, respectively) to provide accurate, continuous information on security vulnerabilities in your applications.
In a fast-paced DevOps world where applications are deployed iteratively, scarce security expertise can become a bottleneck. Contrast helps you test quickly and accurately by using an agent that instruments applications with sensors. The sensors observe data flow in real time and analyze the application from within to identify vulnerabilities in:
When an application is deployed with the Contrast agent, Contrast code is inserted into the application's existing methods, across both custom code and libraries. These sensors are hooked in at the locations where data enters and leaves the application, which gives Contrast real-time visibility into any data that flows through the application. When Contrast detects a security flaw or vulnerability on such a code path, it is immediately reported to the Contrast application interface.
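The following is an added illustration of the sensor model described above; it is not Contrast's agent code. It assumes three hypothetical sensor types: a source sensor that labels data where it enters the application, propagation of that label through string concatenation, and a sink sensor that reports when labelled data reaches a dangerous call without first passing through a sanitizer. The request handler, the `execute_sql` sink and the sample request are all constructed for the demo.

```python
"""How an instrumentation agent sees data flow: a toy IAST sensor model.

Added illustration, not Contrast's agent code. Sensor names, the request
handler and the sample input are assumptions made for this example.
"""
from dataclasses import dataclass, field


class Tainted(str):
    """A str that remembers where it came from (its source sensor name).

    Only concatenation is modelled as a propagator. Other str methods
    (replace, format, f-strings, slicing) return a plain str here and would
    silently drop the label; a real agent instruments those too.
    """

    def __new__(cls, value, origin):
        obj = super().__new__(cls, value)
        obj.origin = origin
        return obj

    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.origin)

    def __radd__(self, other):
        # Called for plain_str + Tainted, because Tainted is a str subclass.
        return Tainted(str.__add__(other, self), self.origin)


@dataclass
class Finding:
    rule: str      # vulnerability class the sink sensor checks for
    sink: str      # name of the dangerous call that was reached
    origin: str    # source sensor that labelled the data
    value: str     # the untrusted value as it arrived at the sink


@dataclass
class Agent:
    """Collects findings; in a real deployment these go to the Contrast UI."""
    findings: list = field(default_factory=list)

    def source(self, name, value):
        """Source sensor: label data at the point it enters the application."""
        return Tainted(value, name)

    def sink(self, rule):
        """Sink sensor: decorate a dangerous call and inspect its arguments."""
        def wrap(fn):
            def wrapper(*args, **kwargs):
                for arg in list(args) + list(kwargs.values()):
                    if isinstance(arg, Tainted):
                        self.findings.append(
                            Finding(rule, fn.__name__, arg.origin, str(arg)))
                return fn(*args, **kwargs)
            return wrapper
        return wrap


def sanitize_for_sql(value):
    """Toy sanitizer: escapes quotes and returns a plain str, which clears the
    label. Parameterized queries are the real fix; this only drives the demo."""
    return str(value).replace("'", "''")


agent = Agent()


@agent.sink("sql-injection")
def execute_sql(query):
    # Stand-in for a database driver's execute(); nothing is actually run.
    return "executed: " + query


def handle_request(params):
    """A hypothetical request handler with one vulnerable and one safe query."""
    user = agent.source("http.param.user", params["user"])

    # Vulnerable path: the untrusted value flows straight into the query.
    execute_sql("SELECT * FROM users WHERE name = '" + user + "'")

    # Safe path: the value passes through a sanitizer before the sink.
    execute_sql("SELECT * FROM users WHERE name = '" + sanitize_for_sql(user) + "'")


def run_demo():
    """Exercise the handler with a constructed request and return the findings."""
    agent.findings.clear()
    handle_request({"user": "bob' OR '1'='1"})
    return list(agent.findings)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.rule} at {f.sink}() from {f.origin}: {f.value!r}")
```

Running the script reports exactly one finding: the first query, where the labelled parameter reaches `execute_sql` unchanged, while the sanitized second query produces none. The false-negative caveat in the `Tainted` docstring is the important practical point: a real agent has to instrument every string operation that can carry data, not just concatenation.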
You can use Contrast in existing application security and DevOps processes across the software development lifecycle (SDLC). Contrast integrates with the CI/CD tools preferred by roles across the SDLC, including Development, Security, and Operations.
Build tools: Contrast integrates with Continuous Integration (CI) tools including Jenkins, Maven, Gradle and Bamboo. When the number of vulnerabilities at a specified severity exceeds the threshold you have chosen in the Contrast interface, Contrast can instruct the CI tool to fail the build.
Team communications and bug tracking tools: In addition to email, Contrast can send notifications and alerts through popular messaging channels including Hipchat and Slack. For customers in a DevOps environment, Contrast integrates with bug tracking tools such as JIRA, Serena Business Manager, and Microsoft Visual Studio Team Services/Team Foundation Server (VSTS/TFS).
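To make the build-failure threshold concrete, here is an added, standalone build gate. It is not Contrast's Jenkins, Maven, Gradle or Bamboo plugin and does not call the Contrast API; it assumes a hypothetical JSON export with one record per vulnerability carrying `severity` and `status` fields (the severity ladder, status names and sample records are constructed for the example) and exits non-zero when the number of open findings at or above the chosen severity exceeds the allowed count.

```python
"""A CI build gate over exported findings, as a standalone script.

Added example; not Contrast's CI plugins and not a Contrast API client.
The export shape, severity ranks, status names and sample data below are
assumptions made for this example.
"""
import json
import sys

# Severity ladder, lowest to highest. Ranks are assumed for this example.
SEVERITY_RANK = {"Note": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Statuses counted as still open; closed findings must not fail the build.
OPEN_STATUSES = {"Reported", "Suspicious", "Confirmed"}

# Constructed sample export, used when no file is given on the command line.
SAMPLE_EXPORT = json.dumps({"traces": [
    {"title": "SQL Injection from 'user' parameter", "severity": "Critical", "status": "Reported"},
    {"title": "Reflected XSS in 'q' parameter", "severity": "High", "status": "Confirmed"},
    {"title": "Insecure hash algorithm", "severity": "High", "status": "Remediated"},
    {"title": "Verbose error page", "severity": "Low", "status": "Reported"},
]})


def count_open_at_or_above(traces, min_severity):
    """Count open findings whose severity is at or above min_severity.

    An unrecognised severity is treated as the highest rank, so a malformed
    record or a newly added severity level fails closed instead of slipping
    past the gate.
    """
    floor = SEVERITY_RANK[min_severity]
    highest = max(SEVERITY_RANK.values())
    return sum(
        1 for t in traces
        if t.get("status") in OPEN_STATUSES
        and SEVERITY_RANK.get(t.get("severity"), highest) >= floor
    )


def evaluate(export_json, min_severity="High", max_allowed=0):
    """Return (count, passed); passed is False when count exceeds max_allowed."""
    traces = json.loads(export_json).get("traces", [])
    count = count_open_at_or_above(traces, min_severity)
    return count, count <= max_allowed


def main(argv):
    # usage: gate.py [export.json] [min_severity] [max_allowed]
    data = open(argv[1]).read() if len(argv) > 1 else SAMPLE_EXPORT
    min_severity = argv[2] if len(argv) > 2 else "High"
    max_allowed = int(argv[3]) if len(argv) > 3 else 0
    count, passed = evaluate(data, min_severity, max_allowed)
    print(f"{count} open finding(s) at {min_severity} or above; allowed {max_allowed}")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the sample data and defaults (High, zero allowed) the gate fails because two open findings are High or above; the remediated High finding is deliberately not counted. Wiring the non-zero exit status into the CI job is what actually stops the build.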
Once your application has been assessed, Contrast presents detailed information, including:
There are two types of policies available in Contrast Assess.
When Contrast discovers code flaws while the instrumented application is exercised, the Contrast interface shows exactly where in the code the vulnerability was found and how that code was used. Vulnerabilities are presented and classified with a severity to help you manage and prioritize next steps. With this information, you analyze the findings, track them, and remediate them so that your application is secure.
The Vulnerabilities page in the Contrast interface allows you to search, sort and sift through each application's vulnerabilities. As Contrast discovers these weaknesses, it provides guidelines for determining how to resolve them and prevent an attack. As you triage, you can mark a status and create tags as needed. For more details, keep reading about how to Analyze Findings and Manage Vulnerabilities.
You must keep track of discovered vulnerabilities to plan and maintain fixes that prevent attacks. Send vulnerabilities to bug tracker integrations, which your organization administrator can set up, or by email to notify users who do not have access to the Contrast interface. For more information, read the article Track Findings.
Contrast always provides an explanation of why a vulnerability was flagged, along with guidance on potential solutions and techniques to resolve it. For more information, read our article How to Fix Vulnerabilities.