Continuous Visibility

Contrast Assess is a revolutionary application security testing tool that combines Static, Dynamic, and Interactive Application Security Testing (SAST, DAST and IAST) to provide highly accurate and continuous information on security vulnerabilities in your applications.

In a fast-paced DevOps world where applications are deployed iteratively, scarce security expertise can become a bottleneck. Contrast helps perform testing quickly and accurately by using an agent that instruments applications with sensors. The sensors observe data flow in real time and analyze the application from within, helping identify vulnerabilities in:

  • Libraries, frameworks and custom code
  • Configuration information
  • Runtime control and data flow
  • HTTP requests and responses
  • Backend connections

Instrumentation

When an application is deployed with the Contrast agent, Contrast code is inserted into the application’s existing methods across custom code and libraries. These sensors are hooked in at the points where data enters and leaves the application, so Contrast has visibility into any data that flows through the application. When a security flaw or vulnerability is detected on such a code path, it is immediately reported to Contrast’s central web application console.

Integrated App Security

Contrast provides real-time visibility into vulnerabilities, since it becomes part of the application itself. It can therefore be used in existing Application Security and DevOps processes across the software development lifecycle (SDLC).

Contrast integrates with the CI/CD tools preferred by roles across the SDLC, including Development, Security, and Operations:

  • Build tools: Contrast integrates with Continuous Integration tools such as Jenkins, Maven, Gradle, and Bamboo. When the number of vulnerabilities of a specified severity exceeds a pre-defined threshold, Contrast can instruct the CI tool to fail the build.
  • Team communications and bug tracking tools: Apart from email, Contrast can send notifications and alerts via popular messaging and communications channels, including HipChat and Slack. For customers in a DevOps environment, we integrate with bug tracking tools such as JIRA, Serena Business Manager, and Microsoft Visual Studio Team Services/Team Foundation Services.

Enabling Assess

To get started with Assess, the first thing you need to do is enable the Assess functionality on the agents that have instrumented the application you want to analyze. This is done within the Contrast UI on the Servers page. Find the server(s) you want to begin analyzing and turn the Assess toggle ON.

Though you can get a glimpse into the types of vulnerabilities Contrast discovers without an Assessment license, you won't be able to retrieve any details and will miss out on the other important functionality outlined below. So you also need to make sure you license the application. To license an application, find the application you want to license on the Applications page. You can either click the TRIAL link next to the application name or select Apply License from the row menu. You'll be prompted to confirm this action.

When Assess is enabled, you will need to restart the application so that the Contrast agent can properly instrument it with Assess capabilities. Once that is complete, Contrast begins collecting vulnerability analytics and the other assessment data described below. The application will no longer have a TRIAL designation next to its name, indicating that an Assessment license is assigned to it.

Note: Organization administrators can skip this manual step of applying licenses for their users by enabling "Automatically apply licenses to new applications" from the Organization Settings page in the Licensing section.

Application Assessment

Assessment is applied per application. Once your application has been assessed, Contrast presents a range of information, including:

  • Accurate vulnerability identification that comes with details on the code and solutions to fix it
  • Overall score to let you know how the application is performing in general - read about Score Settings
  • Activity of the URLs being hit
  • Application usage metrics
  • Insight into the architecture of the running application
  • Third-party and open-source library assessment results
  • Compliance reporting via PDF

Contrast Assessment Policies

There are two types of policies available in Contrast Assess:

  • Assess Rules, which detect specific types of vulnerabilities such as SQL Injection or Cross-Site Scripting
  • Security Controls, which are methods in your code that make sure data is safe to use

Read more about these policies in our Assessment Policy article.
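As an added illustration (not Contrast's own agent code), the following toy model shows the source-to-sink tracking described under Instrumentation together with both policy types: an Assess rule fires when request data reaches a SQL sink, and a Security Control clears the data so the rule stays quiet. The names http_param, validate_id and database_execute are assumed for the example.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """One vulnerability report, with the path the data took."""
    rule: str
    sink: str
    trace: list

class Tainted(str):
    """A string that remembers where it entered (the 'source' sensor)."""
    def __new__(cls, value, trace=None):
        obj = super().__new__(cls, value)
        obj.trace = list(trace or [])
        return obj

def http_param(name, value):
    """Source sensor: data read from an HTTP request is marked tainted."""
    return Tainted(value, [f"source: request parameter '{name}'"])

def validate_id(value):
    """Security control (assumed name): proves the value is a numeric id.
    Returning a plain str drops the taint, so rules stay quiet downstream."""
    if not value.isdigit():
        raise ValueError("expected a numeric id")
    return str(value)

def database_execute(parts, findings):
    """Sink sensor around the database call: any tainted fragment reaching
    it without a control in between triggers the SQL Injection rule."""
    for part in parts:
        if isinstance(part, Tainted):
            findings.append(Finding("SQL Injection", "database.execute",
                                    part.trace + ["sink: database.execute"]))
    return "".join(parts)   # the rule keys on data flow, not on query text

def lookup_user(user_id_raw, use_control):
    """Constructed request handler; returns the findings the sensors raised."""
    findings = []
    uid = http_param("id", user_id_raw)
    if use_control:
        uid = validate_id(uid)
    database_execute(["SELECT * FROM users WHERE id = ", uid], findings)
    return findings
```

Note that the finding is raised for an ordinary value such as "42": the rule reports the unsafe data path, not a particular malicious payload, which is why the same handler with the control in place produces no finding.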