
Add, edit or delete security controls

Security controls apply to Java, .NET Framework, and .NET Core languages only.

Steps

  1. Select User Menu > Policy Management, select Security controls.

    The Security Controls grid shows a list of existing security controls, if there are any.

  2. Select the name of an existing security control to edit, or select Add security control to create one.

  3. In the panel that opens, specify this information:

    • Name

    • Language: Select Java, .NET Framework, or .NET Core.

    • Type: Select one of these control types:

      • Input validators accept user input and take corrective action if unsafe data is received.

      • Sanitizers clean the data that is passed in, making it safe for consumption by any interpreter. Many sanitizers prevent one type of attack, but not another.

    • API: When specifying the API, consider these conventions:

      • Java must include the method name and parameters. Use fully qualified types, intended to target only java.lang.String parameters (not boolean, int, long, short, double, float, and so forth).

      • .NET Framework and .NET Core:

        • Include a return type (or void), method name and parameters. Use fully qualified types, intended to target only System.String parameters.

        • Verify that no white space exists between the parameters.

      • Mark the parameters that are going to be validated or sanitized with an asterisk ( * ).

    • Applicable vulnerability rules: You can choose All, or select one or more individual vulnerabilities.

  4. Select Save to create a new security control. If you are editing an existing security control, you also have the option to delete the security control from this panel with the Delete icon.

  5. At the bottom of the table, you will see Suggestions for potential security controls that Contrast detects, along with their class and method. (You can hide the section by clicking on the caret in the header row.)

    If a security control is automatically discovered for the first time, a notification is sent to all users with at least Viewer permissions for the corresponding applications.

    Hover over the API to see where this suggestion was discovered, and optionally, select the name of the application to see the vulnerabilities in context of that application.

    Use the plus icon at the end of the suggestion row to add the suggestion as a new security control and include it in the table above. You can edit the Name, API and Type fields inline before adding it. After you add the security control, select the name and verify that the security control is applied to the correct application rules.

    Use the Delete icon to delete the suggestion. Contrast doesn't repeat suggestions, so once you delete it, an API is never suggested again. There is no way to view historical suggestions or get them back.
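The API conventions in step 3 are easy to get wrong by hand (a non-String parameter, a space between .NET parameters, no parameter marked with an asterisk). The following checker, added here as an example and not part of Contrast's own tooling, applies those conventions to an entry before it is saved. It assumes a notation the page does not spell out: a Java entry is written as `Class.method(type, type)`, a .NET entry as `returnType Class.method(type,type)`, and the asterisk sits directly after the type of each parameter to be validated or sanitized.

```python
import re

# Assumed notation for this example: the page lists the conventions but shows no
# literal entry, so "*" directly after a parameter type is taken as the marker.
JAVA_STRING = "java.lang.String"
DOTNET_STRING = "System.String"
ENTRY = re.compile(r"(?:(?P<ret>\S+)\s+)?(?P<name>[\w.]+)\((?P<params>.*)\)")


def check_security_control_api(language: str, api: str) -> list[str]:
    """Return the convention problems found in an API entry (empty list = OK)."""
    problems = []
    m = ENTRY.fullmatch(api.strip())
    if not m:
        return ["entry must look like name(parameters)"]
    ret, params = m.group("ret"), m.group("params")

    if language == "Java":
        # Java entries carry only method name and parameters.
        if ret is not None:
            problems.append("Java entries carry no return type")
        expected = JAVA_STRING
    elif language in (".NET Framework", ".NET Core"):
        if ret is None:
            problems.append(".NET entries must start with a return type (or void)")
        if re.search(r"\s", params):
            problems.append("no white space allowed between .NET parameters")
        expected = DOTNET_STRING
    else:
        return [f"unsupported language: {language}"]

    # Every parameter must be the fully qualified String type; at least one
    # parameter must be marked as the one that is validated or sanitized.
    marked = 0
    for p in filter(None, (x.strip() for x in params.split(","))):
        typ = p.rstrip("*")
        marked += p.endswith("*")
        if typ != expected:
            problems.append(f"parameter type {typ!r} is not {expected}")
    if marked == 0:
        problems.append("mark at least one parameter with *")
    return problems
```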

Note

Servers may require restart. Contrast provides a list of servers affected by your selection.

Create security controls for specific vulnerabilities

You can also create security controls in the context of a particular vulnerability with a tag event.

If Contrast has captured runtime data flow for a vulnerability, you can select Vulnerabilities > Vulnerability name > Details to see more information about that vulnerability. A potential security control that is detected triggers a tag event, shown as a low severity (green) event. Expand the event and select Add a security control.

Also, if you mark a vulnerability as Not A Problem with the reason "Goes through an internal security control," you can define that security control at that time.