Contrast for developers
The Contrast platform
Your first step is understanding the technologies in the Contrast platform so you can choose an appropriate analysis strategy.
Contrast Scan
Contrast Scan is a static application security testing (SAST) tool that lets you quickly scan code to identify vulnerabilities in early stages of development.
Why use Contrast Scan?
Contrast Scan provides exceptional speed without sacrificing accuracy. It takes just a few minutes and a few clicks to start a scan. In addition, you can use a local scan engine to avoid uploading your content to the Contrast platform directly. Contrast Scan is a good choice for client-side code such as Angular, React, or Vue.js based applications.
Contrast Serverless
For functions as a service (FaaS)-style serverless, Contrast Serverless protects you in a number of ways:
It does some static and dynamic analysis to detect vulnerabilities.
It does some SCA analysis for open source libraries.
It also analyzes your functions to determine the least-privilege configuration your serverless functions need in order to operate, while closing off avenues for attackers.
For serverless offerings like AWS Fargate, you can use Contrast Assess. For Azure Functions, you can use both Contrast Serverless and Contrast Assess. You can use the Contrast CLI to access a subset of the functionality, which also provides you with a pipeline integration option. However, the primary mode for Contrast Serverless is identifying and protecting all the functions in your cloud-provider account with only a few clicks and a few minutes' worth of work.
Why use Contrast Serverless?
It provides you with a comprehensive list of your functions and enables you to make them secure from attack.
No additional time or retooling of DevOps pipelines is required to benefit from serverless function scanning.
No extra overhead is needed to look at invalid data.
Contrast Serverless assists you in making your code more secure by guiding you to select appropriate policies.
Contrast SCA
Contrast has always provided runtime Software Composition Analysis (SCA) capability with Assess, but now you can also use Contrast SCA to detect vulnerabilities in your third-party dependencies (mostly open source) statically, using a command line interface (CLI) and through our GitHub integrations, which allow bulk onboarding of projects to Contrast.
Why use Contrast for SCA instead of other good (and often free or inexpensive) SCA tools?
Contrast SCA lets you focus only on what matters. Contrast runtime SCA has a unique ability: it can tell you not only whether your application's dependency manifests specify a vulnerable version of a library, but also which libraries are actually invoked at runtime, and to what degree. This lets you lower the priority of the 70% that aren't invoked at runtime. Contrast SCA can also detect libraries that are not listed in the manifests but are injected at runtime by the environment, a blind spot for pure static SCA solutions like most free ones.
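The following is an added illustration of the triage the paragraph above describes; it is not Contrast's code and does not use Contrast's data model. It contrasts the manifest-only view a static SCA tool has with what a runtime sensor observes: a pinned vulnerable library that is imported but never invoked, one that is never loaded at all, and an agent the hosting environment injected that no manifest mentions. All package names, versions, call counts and advisory ids are constructed for the example.

```python
"""Added illustration of runtime SCA triage: manifest view versus runtime view.
All package names, versions and advisory ids below are constructed."""
import re
from typing import Dict, List, Tuple

# A pip-style requirements manifest, exactly what manifest-only SCA reads.
MANIFEST = """
# constructed manifest, not a real project
alpha-http==2.1.0
beta-yaml==5.4.0
gamma-template==3.0.1
delta-crypto==1.0.0
"""

# What a runtime sensor would record during a QA run:
# package -> (version actually loaded, number of calls into that package).
# The APM agent was injected by the hosting environment and is in no manifest.
OBSERVED_AT_RUNTIME = {
    "alpha-http": ("2.1.0", 412),
    "beta-yaml": ("5.4.0", 0),          # imported, never invoked
    "gamma-template": ("3.0.1", 57),
    "injected-apm-agent": ("0.9.2", 1300),
}

# Constructed advisory table: (package, version) -> placeholder advisory id.
VULN_DB = {
    ("beta-yaml", "5.4.0"): "ADVISORY-PLACEHOLDER-1",
    ("delta-crypto", "1.0.0"): "ADVISORY-PLACEHOLDER-2",
    ("injected-apm-agent", "0.9.2"): "ADVISORY-PLACEHOLDER-3",
}

_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s#;]+)")


def parse_manifest(text: str) -> Dict[str, str]:
    """Return {package: pinned_version} for every '==' pin in the manifest."""
    deps = {}
    for line in text.splitlines():
        m = _PIN.match(line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def static_findings(deps, vuln_db) -> List[Tuple[str, str, str]]:
    """Manifest-only view: every pinned vulnerable version, no priority signal."""
    return sorted((n, v, vuln_db[(n, v)]) for n, v in deps.items() if (n, v) in vuln_db)


def runtime_triage(deps, observed, vuln_db) -> Dict[str, list]:
    """Runtime view: rank vulnerable libraries by whether and how much they run."""
    active, dormant, unlisted = [], [], []
    for name, (ver, calls) in observed.items():
        if name not in deps:
            unlisted.append(name)           # loaded, but invisible to the manifest
        advisory = vuln_db.get((name, ver))
        if advisory is None:
            continue
        (active if calls > 0 else dormant).append((name, ver, advisory, calls))
    for name, ver in deps.items():          # pinned but never even loaded
        advisory = vuln_db.get((name, ver))
        if advisory and name not in observed:
            dormant.append((name, ver, advisory, 0))
    by_calls = lambda e: (-e[3], e[0])      # most-invoked vulnerable code first
    return {
        "fix_first": sorted(active, key=by_calls),
        "deprioritise": sorted(dormant, key=by_calls),
        "not_in_manifest": sorted(unlisted),
    }


if __name__ == "__main__":
    deps = parse_manifest(MANIFEST)
    print("static SCA sees:", static_findings(deps, VULN_DB))
    for bucket, items in runtime_triage(deps, OBSERVED_AT_RUNTIME, VULN_DB).items():
        print(f"{bucket}: {items}")
```

Run as a script, the static view lists the two pinned vulnerable versions and nothing else, while the runtime view puts the injected agent first (heavily invoked, vulnerable, absent from the manifest) and moves both manifest findings to the deprioritised bucket because neither ever executes.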
Contrast Assess
Contrast Assess is the interactive application security testing (IAST) part of the Contrast platform. The core of an IAST tool is its sensor modules, software libraries included in the application code. These sensor modules keep track of application behavior while the interactive tests are running. IAST analyzes code at runtime to find vulnerabilities, as static application security testing (SAST) tools do before compilation and execution. It analyzes runtime behavior, as dynamic application security testing (DAST) tools do. It also serves as the collector for our runtime Software Composition Analysis (SCA) capability. So, you can think of Contrast Assess as four tools in one.
Why use Contrast Assess?
Assess produces a fraction of the false positives of other SAST tools while finding up to twice the true positives, and it adds none of the scan wait times that SAST and DAST tools require. That's because with Contrast Assess, each interaction with the application, by a user or by your automated QA tests, raises valuable telemetry about the security of the code in operation. This makes IAST the simplest and least intrusive security process to add earlier in the development cycle, since no changes to your process are needed and it adds no delays to your release schedule.
Contrast Protect
Contrast Protect is a runtime application self-protection (RASP) tool. Using the same technology as Assess, it blocks traffic that would have resulted in a successful attack.
Why should you integrate Protect into builds that you deploy to production?
Contrast Protect provides negative-day protection for zero-day attacks. A three-year-old version of Protect was able to block the infamous Log4Shell remote code execution attacks. For actively developed applications, this gives you time to upgrade, avoiding the late-night rush when a new zero-day emerges.
For maintenance-mode applications, it can serve as long-term protection, allowing you to stay focused on new applications. It also provides developers with actionable threat intelligence: it not only tells you that attacks are occurring (information you may or may not be getting from your security team) but also shows you the code paths used by the blocked attackers, so you can easily eliminate them.
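The Assess and Protect sections above both rest on the same idea: an in-process sensor watches untrusted data flow from a request into a dangerous call. The following added toy illustrates that idea in one script; it is not Contrast's code and makes no claim about how Contrast's sensors are built. In assess mode the sensor reports the vulnerable data flow, with the code path, even when the QA input is benign; in protect mode it lets benign traffic through and blocks the same flow when the input would alter the statement. The marker string type, the sink decorator, the fake database call, the `_looks_like_attack` heuristic (a crude stand-in for real structural analysis of the resulting statement) and the sample inputs are all constructed for the example.

```python
"""Added toy of an in-process sensor: report a data-flow vulnerability (assess)
or block an exploit of the same flow (protect). All names are constructed."""
import traceback
from dataclasses import dataclass, field
from functools import wraps
from typing import List, Tuple


class Tainted(str):
    """A str that remembers it came from outside and survives concatenation."""
    def __new__(cls, value, origin=None):
        obj = str.__new__(cls, value)
        obj.origin = str(value) if origin is None else origin
        return obj
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.origin)
    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.origin)


@dataclass
class Finding:
    rule: str
    payload: str        # the untrusted value that reached the sink
    path: List[str]     # function names from the request handler to the sink


class AttackBlocked(Exception):
    pass


def _looks_like_attack(value: str) -> bool:
    """Crude stand-in for real structural analysis of the resulting statement."""
    return any(tok in value for tok in ("'", ";", "--"))


@dataclass
class Sensor:
    mode: str = "assess"                # "assess" reports, "protect" blocks
    findings: List[Finding] = field(default_factory=list)

    def source(self, value: str) -> Tainted:
        """Mark data that arrived from the outside (a request parameter)."""
        return Tainted(value)

    def sink(self, rule: str, arg: int = 0):
        """Instrument a dangerous call; inspect positional argument `arg`."""
        def decorate(fn):
            @wraps(fn)
            def wrapper(*args, **kwargs):
                value = args[arg] if arg < len(args) else None
                if isinstance(value, Tainted):
                    path = [f.name for f in traceback.extract_stack()[:-1]
                            if f.name != "<module>"]
                    if self.mode == "assess":
                        self.findings.append(Finding(rule, value.origin, path))
                    elif _looks_like_attack(value.origin):
                        self.findings.append(Finding(rule, value.origin, path))
                        raise AttackBlocked(f"{rule}: {value.origin!r}")
                return fn(*args, **kwargs)
            return wrapper
        return decorate


sensor = Sensor()


@sensor.sink("sql-injection", arg=0)    # only the statement text is inspected
def execute_sql(query: str, params=()) -> Tuple[str, tuple]:
    """Stand-in for a DB driver call; returns what it would have executed."""
    return (query, tuple(params))


def lookup_user(name):
    # Vulnerable: untrusted data is concatenated into the statement text.
    return execute_sql("SELECT * FROM users WHERE name = '" + name + "'")


def lookup_user_safe(name):
    # Parameterised: the untrusted value is bound, never part of the text.
    return execute_sql("SELECT * FROM users WHERE name = ?", [name])


def handle_request(param: str, safe: bool = False):
    """A request arrives; the sensor marks its parameter as untrusted."""
    name = sensor.source(param)
    return lookup_user_safe(name) if safe else lookup_user(name)


def run_assess(param, safe=False):
    """QA traffic through the app with the sensor reporting vulnerabilities."""
    sensor.mode, sensor.findings = "assess", []
    return handle_request(param, safe), list(sensor.findings)


def run_protect(param, safe=False):
    """Production traffic with the sensor blocking exploits of the same flow."""
    sensor.mode, sensor.findings = "protect", []
    try:
        handle_request(param, safe)
        return "allowed"
    except AttackBlocked:
        return "blocked"


if __name__ == "__main__":
    _, found = run_assess("alice")
    print("assess, benign input:", found)          # reports the vulnerable flow
    print("protect, benign:", run_protect("alice"))
    print("protect, attack:", run_protect("alice' OR '1'='1"))
    print("protect, attack on safe code:", run_protect("alice' OR '1'='1", safe=True))
```

Two details carry the page's points. The finding records the call path (here ending in `lookup_user`), which is the "code paths used by the blocked attackers" a developer needs to fix the flow; and the sink inspects only the statement text, so the parameterised `lookup_user_safe` produces no finding and is never blocked, even for the hostile input.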