Assess analysis fine-tuning
Production servers with Contrast Assess enabled should always use the Production tuning or a Custom tuning profile that Contrast provides. For lower environments, if you notice performance issues after you instrument your application with a Contrast agent, consider fine-tuning the way Contrast does strategic analysis of your code. The Assess analysis fine-tuning settings are part of your server configuration.
Contrast provides options that instruct the agent to only perform analysis on a rate-limited subset of requests. The agent intelligently prioritizes capturing requests to routes it has not seen before since startup. If an application is responding to the same request often, the agent doesn't need to analyze it multiple times, but it will periodically re-instrument routes to capture any variations in the data flows.
Contrast includes pre-built performance tuning profiles that will evolve over time to make sure that most production applications have a healthy balance between the time it takes to get full coverage of an application and the amount of overhead introduced by this instrumentation.
How analysis fine-tuning works
If the Contrast agent sees the same URL being called multiple times, it analyzes the URL the number of times specified in a baseline setting.
Afterwards, if the Contrast agent continues to see the same URL, it only analyzes the URL at the interval given by an analysis frequency setting.
Contrast retains samples for the number of seconds specified for a retention window setting. After the time specified for the retention window setting elapses, Contrast analyzes the URL again, according to the baseline setting.
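The baseline, frequency and retention-window behaviour described above, as an added simulation that is not Contrast's own code. The parameter values, the per-route counter reset at the end of the window, and the names `RouteSampler`/`should_analyze` are assumptions made for illustration.

```python
"""Simulation of rate-limited Assess analysis per route.

Added example, not Contrast agent code. The exact reset semantics and the
profile values used below are assumptions for illustration only.
"""


class RouteSampler:
    """Decide, per route, whether the agent should run full analysis on a request."""

    def __init__(self, baseline: int, frequency: int, window_seconds: float):
        self.baseline = baseline            # analyze the first N hits to a route per window
        self.frequency = frequency          # afterwards analyze every K-th hit
        self.window_seconds = window_seconds  # retention window before counters reset
        self._seen = {}                     # route -> (window_start, hit_count)

    def should_analyze(self, route: str, now: float) -> bool:
        start, count = self._seen.get(route, (now, 0))
        # Retention window elapsed: discard the samples and start over at the baseline.
        if now - start >= self.window_seconds:
            start, count = now, 0
        count += 1
        self._seen[route] = (start, count)
        if count <= self.baseline:
            return True  # still within the baseline for this window
        # Beyond the baseline only every `frequency`-th request is analyzed.
        return (count - self.baseline) % self.frequency == 0


def simulate(sampler: RouteSampler, requests):
    """Return the indices of the requests that would receive full analysis.

    `requests` is a list of (timestamp_seconds, route) tuples in arrival order.
    """
    return [i for i, (t, route) in enumerate(requests) if sampler.should_analyze(route, t)]


# Constructed traffic: ten hits to /login one second apart, then one hit to
# /login after a long pause and a first-ever hit to /admin.
TRAFFIC = [(float(i), "/login") for i in range(10)] + [(100.0, "/login"), (100.5, "/admin")]

if __name__ == "__main__":
    dev = RouteSampler(baseline=3, frequency=2, window_seconds=60)    # assumed "dev-like" values
    prod = RouteSampler(baseline=1, frequency=5, window_seconds=300)  # assumed "prod-like" values
    print("dev :", simulate(dev, TRAFFIC))
    print("prod:", simulate(prod, TRAFFIC))
```

The short window in the first profile causes the later `/login` hit to be re-analyzed at the baseline, while the longer window in the second profile keeps it on the reduced frequency; a never-seen route is analyzed on first sight in both.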
The fine-tuning options that Contrast provides are designed to balance application performance with analysis frequency and depth. These pre-configured settings are based on the environment and whether the code is likely to be changing frequently:
Frequently changing code in development or QA environments benefits from more frequent and more complete analysis in a shorter retention window. This setting ensures that you find vulnerabilities as code evolves. In these environments, the frequency and depth of analysis take precedence over application performance.
Stable code in production environments benefits from less frequent and less complete analysis in a longer retention window. This setting ensures that you still find vulnerabilities, but without a significant effect on application performance. In these environments, application performance takes precedence over the depth and frequency of analysis.