Add, edit or delete security controls

Security controls apply to Java, .NET Framework, and .NET Core languages only.

To add, edit or delete security controls:

  1. Select User Menu > Policy Management, then select Security controls.

    The Security Controls grid shows a list of existing security controls, if there are any.

  2. Select the name of an existing security control to edit, or select Add security control to create one.

  3. In the panel that opens, enter the following:

    • Name

    • Language: Select Java, .NET Framework, or .NET Core.

    • Type: Select one of these two types:

      • Input validators accept user input and take corrective action if unsafe data is received.

      • Sanitizers clean the data that is passed in, making it safe for consumption by any interpreter. Many sanitizers prevent one type of attack, but not another.

    • API: When specifying the API, consider these conventions:

      • Java must include the method name and parameters. Use fully qualified types; security controls are intended to target only java.lang.String parameters (not boolean, int, long, short, double, float, and so on).

      • .NET Framework or .NET Core must include the return type (or void), method name and parameters. Use fully qualified types; security controls are intended to target only System.String parameters.

      • Mark the parameters that are going to be validated or sanitized with an asterisk ( * ).

    • Applicable vulnerability rules: You can choose All, or select one or more individual vulnerabilities.

  4. Select Save to create a new security control. If you are editing an existing security control, you also have the option to delete the security control from this panel with the Delete icon.

  5. At the bottom of the table, you will see Suggestions for potential security controls that Contrast detects, along with their class and method. (You can hide the section by clicking on the caret in the header row.)

    If a security control is automatically discovered for the first time, a notification is sent to all users with at least Viewer permissions for the corresponding applications.

    Hover over the API to see where this suggestion was discovered, and optionally, select the name of the application to see the vulnerabilities in the context of that application.

    Use the plus icon at the end of the suggestion row to add the suggestion as a new security control and include it in the table above. You can edit the Name, API and Type fields inline before adding it.

    Use the Delete icon to delete the suggestion. Contrast doesn't repeat suggestions, so once it's deleted, an API is never suggested again. There is no way to view historical suggestions or get them back.
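As an added illustration (not code from Contrast's documentation or product), the hypothetical Java class below contains one sanitizer and one input validator, plus a reflection helper that renders each method in the API form the conventions in step 3 call for: method name, fully qualified java.lang.String parameter, asterisk on the parameter the control handles. The class and method names are constructed, and placing the asterisk directly after the marked parameter's type is an assumption about the exact layout.

```java
package com.example.security;

import java.lang.reflect.Method;
import java.util.StringJoiner;

// Hypothetical class holding two candidate security controls and a helper that
// renders the API string for the panel (asterisk placement is an assumption).
public final class SecurityControlExamples {
    // Sanitizer: escapes HTML metacharacters so the value is safe to render.
    // It addresses XSS only; it does not make the value safe for SQL.
    public static String encodeForHtml(String input) {
        if (input == null) return null;
        StringBuilder out = new StringBuilder(input.length());
        for (char c : input.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
    // Input validator: accepts only a plain identifier; throws (corrective action) otherwise.
    public static String requireIdentifier(String input) {
        if (input == null || !input.matches("[A-Za-z0-9_-]{1,64}")) {
            throw new IllegalArgumentException("unsafe identifier rejected");
        }
        return input;
    }
    // Renders "fully.qualified.Class.method(fully.qualified.Type, ...)" with an
    // asterisk on the parameter at markedIndex, per the Java convention above.
    public static String apiSignature(Method m, int markedIndex) {
        StringJoiner params = new StringJoiner(", ", "(", ")");
        Class<?>[] ps = m.getParameterTypes();
        for (int i = 0; i < ps.length; i++) {
            params.add(ps[i].getName() + (i == markedIndex ? "*" : ""));
        }
        return m.getDeclaringClass().getName() + "." + m.getName() + params;
    }
    public static void main(String[] args) throws NoSuchMethodException {
        Class<?> c = SecurityControlExamples.class;
        System.out.println(apiSignature(c.getMethod("encodeForHtml", String.class), 0));
        System.out.println(apiSignature(c.getMethod("requireIdentifier", String.class), 0));
    }
}
```

Compile with `javac -d . SecurityControlExamples.java` and run `java -cp . com.example.security.SecurityControlExamples`; each printed line is the string you would enter in the API field, with the first method registered as a Sanitizer and the second as an Input validator.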

Note

Servers may require a restart. Contrast provides a list of servers affected by your selection.

Tip

You can also create security controls in the context of a particular vulnerability with a tag event.

If Contrast has captured runtime data flow for a vulnerability, you can select Vulnerabilities > Vulnerability name > Details to see more information about that vulnerability. Potential security controls that are detected trigger a tag event, which is shown as a low severity (green) event. Expand the event and you can select Add a security control.

Also, if you mark a vulnerability as Not A Problem with the reason "Goes through an internal security control," you can define that security control at that time.