Add, edit or delete security controls
Before you begin
Security controls for input validators and sanitizers apply to Java, .NET Framework, and .NET Core languages only.
Security controls for regex validators apply to the Java language only.
Steps
Select User Menu > Policy Management, then select Security controls.
The Security Controls grid lists the existing security controls, if there are any.
Select the name of an existing security control to edit, or select Add security control to create one.
In the panel that opens, specify this information:
Name
Language: Select Java, .NET Framework, or .NET Core.
Type: Select one of these methods:
Input validator accepts user input and takes corrective action (for example, rejecting the request) if unsafe data is received.
Sanitizer cleans the data that is passed in, making it safe for consumption by a specific interpreter. Many sanitizers prevent one type of attack but not another, so map each sanitizer only to the vulnerability rules it actually defends against.
Regex validator compares an input string against a specified regex pattern to determine whether the input is safe.
For input validators or sanitizers, specify the API to use.
When specifying the API for input validators and sanitizers, consider these conventions:
Java: Include a method name and parameters. Use fully qualified types, and target only java.lang.String parameters (not boolean, int, long, short, double, float, and so forth).
.NET Framework and .NET Core: Include a return type (or void), a method name and parameters. Use fully qualified types, and target only System.String parameters. Verify that no white space exists between the parameters.
Mark the parameters that are going to be validated or sanitized with an asterisk ( * ).
For Regex validators, specify this information:
Regex pattern: Specify the regex pattern you want to compare with an input string.
The Regular expression reference provides examples of patterns you can use.
Application: Specify the applications where you want to apply the regex validator.
Applicable vulnerability rules: Choose All, or select one or more individual vulnerabilities.
Select Save to create a new security control. If you are editing an existing security control, you also have the option to delete the security control from this panel with the Delete icon.
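The following class is an added illustration, not code from Contrast or from this page, of what methods written to these conventions look like in an application's own code. The package name com.acme.security, the class and method names, and the API strings shown in the comments are assumptions that follow the conventions above (fully qualified java.lang.String parameter, asterisk on the parameter that is validated or sanitized); they are not copied from Contrast. The main method also shows why a sanitizer should not be mapped to every vulnerability rule: HTML encoding neutralizes cross-site scripting characters but leaves a path traversal payload untouched.

```java
package com.acme.security; // hypothetical package, assumed for this example

import java.util.regex.Pattern;

/**
 * Security-control candidates of the shape described above: one
 * java.lang.String parameter, fully qualified, marked with * in the
 * control's API entry. Both the package and the API strings in the
 * comments are assumptions made for this illustration.
 */
public final class Controls {

    // Sanitizer. Assumed API entry:
    //   com.acme.security.Controls.encodeForHtml(java.lang.String*)
    // Makes the value safe for an HTML interpreter only. The result is
    // still unsafe for SQL, shell, LDAP or file-path consumers, so map
    // this control to the XSS rule rather than to "All".
    public static String encodeForHtml(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Input validator. Assumed API entry:
    //   com.acme.security.Controls.requireUsername(java.lang.String*)
    // Rejects instead of cleaning: anything outside 3-32 word characters
    // is refused with an exception, so unsafe data never reaches a sink.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_]{3,32}$");

    public static String requireUsername(String input) {
        if (input == null || !USERNAME.matcher(input).matches()) {
            throw new IllegalArgumentException("invalid username");
        }
        return input;
    }

    // Not a candidate: the parameter is an int, and security controls
    // target java.lang.String parameters only.
    public static int clampPageSize(int requested) {
        return Math.max(1, Math.min(requested, 100));
    }

    public static void main(String[] args) {
        // XSS payload is neutralized for an HTML context.
        System.out.println(encodeForHtml("<script>alert(1)</script>"));
        // Path traversal payload passes through unchanged: this sanitizer
        // does nothing for path-traversal rules.
        System.out.println(encodeForHtml("../../etc/passwd"));
        System.out.println(requireUsername("alice_01"));
        try {
            requireUsername("alice; rm -rf /");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(clampPageSize(5000));
    }
}
```

For a .NET application the same sanitizer would be entered with its return type as well, in a form such as System.String Acme.Security.Controls.EncodeForHtml(System.String*), again with no white space between parameters; that string is an assumed example of the convention, not a value taken from Contrast.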
At the bottom of the table, you will see Suggestions for potential security controls that Contrast detects, along with their class and method. (You can hide the section by clicking on the caret in the header row.)
If a security control is automatically discovered for the first time, a notification is sent to all users with at least View permissions for the corresponding applications.
Hover over the API to see where this suggestion was discovered, and optionally, select the name of the application to see the vulnerabilities in context of that application.
Use the plus icon at the end of the suggestion row to add the suggestion as a new security control and include it in the table above. You can edit the Name, API and Type fields inline before adding it. After you add the security control, select its name and verify that it is applied to the correct application rules.
Use the Delete icon to delete the suggestion. Contrast doesn't repeat suggestions, so once you delete it, that API is never suggested again. There is no way to view historical suggestions or get them back.
Note
Servers may require restart. Contrast provides a list of servers affected by your selection.
Create security controls for specific vulnerabilities
You can also create security controls in the context of a particular vulnerability with a tag event.
If Contrast has captured runtime data flow for a vulnerability, you can select Vulnerabilities > Vulnerability name > Details to see more information about that vulnerability. If Contrast detects a potential security control in that data flow, it records a tag event, shown as a low severity (green) event. Expand the event and select Add a security control.
Also, if you mark a vulnerability as Not A Problem with the reason "Goes through an internal security control," you can define that security control at that time.