Contrast Assess is a revolutionary application security testing tool that combines Static, Dynamic, and Interactive Application Security Testing (SAST, DAST and IAST), to provide highly accurate and continuous information on security vulnerabilities in your applications.
In a fast-paced DevOps software world where applications are deployed iteratively, scarce security expertise can be a bottleneck. Contrast helps perform testing quickly and accurately by using an agent that instruments applications with sensors. The sensors observe data flow in real time and analyze the application from within, helping identify vulnerabilities in:
When an application is deployed with the Contrast agent, Contrast code is inserted into the application’s existing methods across custom code and libraries. These sensors are hooked in based on where data enters and leaves the application. Consequently, Contrast has visibility into any data that flows through the application. When a security flaw or vulnerability is detected in this code path, it is immediately reported to Contrast’s central web application console.
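The instrumentation described above, reduced to a toy Python model (an added illustration, not Contrast Security's code): the `source` and `sink` decorators, the `Tainted` type, the rule name, `run_request` and the constructed request dict are all assumptions made here; a real agent hooks framework and database APIs inside the running process rather than decorated functions.

```python
class Tainted(str):
    """A str that remembers the path it took from an untrusted source."""
    def __new__(cls, value, trace):
        obj = super().__new__(cls, value)
        obj.trace = list(trace)
        return obj

    def __add__(self, other):  # taint propagates through concatenation
        return Tainted(str.__add__(self, other), self.trace + ["concat"])

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.trace + ["concat"])


def source(name):
    """Sensor at a data-entry method: tag whatever it returns with its origin."""
    def deco(fn):
        def wrapper(*args, **kw):
            return Tainted(fn(*args, **kw), [f"source:{name}"])
        return wrapper
    return deco


def sink(rule, findings):
    """Sensor at a data-exit method: record a finding for each tainted argument."""
    def deco(fn):
        def wrapper(*args, **kw):
            for arg in args:
                if isinstance(arg, Tainted):
                    findings.append({"rule": rule, "trace": arg.trace + [f"sink:{fn.__name__}"]})
            return fn(*args, **kw)
        return wrapper
    return deco


REQUEST = {"user": "alice"}  # constructed sample input standing in for an HTTP request


def run_request(request, sanitize):
    """Constructed app code: read a parameter, build a query, execute it; return findings."""
    findings = []
    @source("http-parameter")
    def read_param(key):
        return request[key]
    @sink("sql-injection", findings)
    def execute_sql(query):
        return f"executed: {query}"  # stand-in for the real database call
    def quote_literal(value):  # sanitizer: str methods return plain str, clearing the taint
        return "'" + value.replace("'", "''") + "'"
    user = read_param("user")
    user = quote_literal(user) if sanitize else "'" + user + "'"
    execute_sql("SELECT * FROM users WHERE name = " + user)
    return findings
```

Running `run_request(REQUEST, sanitize=False)` yields one finding whose trace runs from `source:http-parameter` through the concatenations to `sink:execute_sql`; with `sanitize=True` the value reaches the sink as plain text and nothing is reported.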
Contrast provides real-time visibility into vulnerabilities, since it becomes a part of the application itself. It can therefore be used in existing Application Security and DevOps processes across the software development lifecycle (SDLC).
Contrast is integrated into CI / CD tools preferred by roles across the SDLC, including Development, Security, and Operations:
To get started with Assess, the first thing you need to do is enable the Assess functionality on the agents that have instrumented the application you want to analyze. This is done within the Contrast UI on the Servers page. Find the server(s) you want to begin analyzing and turn the Assess toggle ON.
Though you can get a glimpse into the types of vulnerabilities Contrast discovers without an Assessment license, you won't be able to retrieve any details and will miss out on other important functionality outlined below. So, you need to make sure you license the application as well. To license an application, find the application you want to license on the Applications page. You can either click the TRIAL link next to the application name or select Apply License from the row menu. You'll be prompted to confirm this action.
Once Assess is enabled, you will need to restart the application in order for the Contrast agent to properly instrument the application with Assess capabilities. Once that is completed, Contrast will begin collecting vulnerability analytics and more. The application will no longer have a TRIAL designation next to the name, indicating it has an Assessment license assigned to it.
Note: Organization administrators can skip this manual step of applying licenses for their users by enabling "Automatically apply licenses to new applications" from the Organization Settings page in the Licensing section.
Assessment is applied to each application. Once your application has been assessed, Contrast presents a multitude of information, including:
There are two types of policies available in Contrast Assess. They are as follows:
Read more about these policies in our Assessment Policy article.