Application scoring guide

Contrast assigns a letter grade to each application so that you can gauge its overall security posture at a glance. The grade represents an aggregate score based on how much of the application has been exercised, and on the number and seriousness of the vulnerabilities detected during analysis. The grades map to scores as follows:

  • A: 90-100

  • B: 80-89

  • C: 70-79

  • D: 60-69

  • F: 35-59

Scores are determined by the average of your application's library score and custom code score.

Tip

For example, for your overall score:

If you are running Contrast on an application with a library score of 85 and a custom code score of 68, your overall score would be 77, which would be a C.

85+68 = 153
153/2 = 77

The base custom code score reflects the security of the application that you've written. It starts at 100 and penalty points are subtracted for the number and severity of the vulnerabilities present in your application.

Vulnerabilities are weighted differently depending on how likely they are to be exploited and how serious the effects of exploitation would be. For example, SQL injection is considered Critical because automated tools can exploit it without any expertise, and an attacker can exfiltrate your entire database contents without prior knowledge of your application or schema. By contrast, using an old, broken hashing algorithm like SHA-1 is weighted as Low because, although it is known to exhibit serious weaknesses, practical exploitation requires the resources of a very skilled attacker with extensive backing.

Tip

For example, for your custom code score:

If your application had 20 critical vulnerabilities, 10 high, 5 medium and 1 low, your custom code score would be:

100-20*x-10*y-5*z-w=
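The two tips above describe one calculation in two steps: a custom code score built from penalty points, and an overall score that averages it with the library score before mapping to a letter. The following Python is an added example written for this guide, not Contrast's own code, that carries both steps through end to end. It assumes the per-severity penalty weights x, y, z and w (the guide does not state their numeric values, so the weights below are placeholders to be replaced with the real ones), and it assumes that 76.5 rounds up to 77, as the guide's example shows, and that any score below the F band's lower bound of 35 is still an F.

```python
"""Added example (not Contrast's own code): reproduce the scoring arithmetic
described in the application scoring guide."""

# Grade bands exactly as the guide lists them (lower bound inclusive).
GRADE_BANDS = [("A", 90), ("B", 80), ("C", 70), ("D", 60), ("F", 35)]

# Placeholder penalty weights per severity. ASSUMPTION: the guide writes the
# weights as x, y, z, w without giving numbers; these values are invented
# for illustration and are not Contrast's real weights.
PLACEHOLDER_WEIGHTS = {"critical": 3.0, "high": 2.0, "medium": 1.0, "low": 0.5}


def round_half_up(value):
    # The guide rounds 153/2 = 76.5 to 77, so use round-half-up rather than
    # Python's built-in round(), which would return 76 (banker's rounding).
    return int(value + 0.5)


def letter_grade(score):
    """Map a numeric score to the guide's letter grade."""
    for grade, lower_bound in GRADE_BANDS:
        if score >= lower_bound:
            return grade
    # ASSUMPTION: the guide's F band starts at 35; treat anything lower as F too.
    return "F"


def custom_code_score(counts, weights=PLACEHOLDER_WEIGHTS):
    """Start at 100 and subtract count * weight for each severity.

    counts: mapping of severity name -> number of open vulnerabilities.
    The score is floored at 0 so a very noisy application cannot go negative.
    """
    unknown = set(counts) - set(weights)
    if unknown:
        raise ValueError(f"no penalty weight defined for: {sorted(unknown)}")
    penalty = sum(counts.get(sev, 0) * weight for sev, weight in weights.items())
    return max(0, 100 - penalty)


def overall_score(library_score, custom_score):
    """Overall score is the average of the library and custom code scores."""
    return round_half_up((library_score + custom_score) / 2)


def scorecard(library_score, counts, weights=PLACEHOLDER_WEIGHTS):
    """Full calculation: penalties -> custom code score -> overall -> grade."""
    custom = custom_code_score(counts, weights)
    overall = overall_score(library_score, custom)
    return {"custom_code": custom, "overall": overall, "grade": letter_grade(overall)}


if __name__ == "__main__":
    # The guide's first tip: library 85, custom code 68 -> 77 -> C.
    print(overall_score(85, 68), letter_grade(overall_score(85, 68)))
    # The guide's second tip (counts from the guide, weights are placeholders).
    print(scorecard(85, {"critical": 20, "high": 10, "medium": 5, "low": 1}))
```

Because the penalty weights are parameters rather than constants baked into the arithmetic, you can substitute the real weights once you have them and the grade mapping and rounding stay the same.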

To improve your score:

  • Enable Protection Rules and CVE Shields to remove protected vulnerabilities from the score calculation.

  • Remediate critical and high vulnerabilities in your custom code.

  • Address the vulnerable libraries.

  • Update out-of-date libraries.