Improve route coverage with production traffic

Before you begin

  • Supported agent versions:

    • Java 6.6.0 and later

    • Python 9.4.0 and later

    • .NET Core 4.3.0 and later

    • .NET Framework 51.1.0 and later

  • If you have any questions or concerns before using this feature, contact your Contrast representative for guidance.

Best practices

  • Turn on IAST (Assess) in the application while it's in a pre-production environment before you deploy the application with IAST in the production environment. Doing so lets you check for compatibility and performance issues.

  • Only use IAST in production environments for applications that use frameworks that Contrast Assess supports.

  • Instrument single instances of the application server.

    If you use a load balancer that shifts traffic to different instances, it might be worth instrumenting one or more containers depending on the traffic routing rules.

    Limit agent deployments provides additional details for this situation.

  • For details on the performance impact and on reducing overhead for IAST in production mode, contact your Contrast CSM. They have detailed data on average response time, average CPU usage, TPS, memory allocation, and more.

  • Sensitive data masking: Contrast does not store any sensitive data.

  • Avoid changing the sampling settings in the agent configuration (YAML) file.

    The settings in the agent configuration file override settings in the Contrast web interface. If you need to change sampling settings, it is best to use the web interface for this purpose.

    In many cases, hosted customers don't have access to the sampling settings; Contrast manages them instead.

Turn on Assess in production environments

  1. At the time of deployment, enable Assess in the agent configuration file.

    assess:
      enable: true

  2. When Assess is enabled, deploy an application to Contrast and set one of these options:

    • System property: -Dcontrast.server.environment=PRODUCTION

    • Environment variable: CONTRAST__SERVER__ENVIRONMENT=PRODUCTION

    • Agent configuration file (YAML file):

      server:
        environment: PRODUCTION

      This option is case-sensitive.

    The easiest method for deploying an agent is to use the Add New agent wizards in the Contrast web interface.

Alternative deployment

An alternative deployment option is to include the lower-level sampling configurations for the agent. This option applies if you want to test in a lower environment and set the server environment appropriately. Follow these steps:

  1. In the agent configuration file, leave the setting for Assess as enable: false. You can update this setting in the Contrast web interface if you need to turn off Assess analysis.

  2. Update the agent configuration using environment variables or settings in the agent configuration file, as shown in these examples:

    Environment variables:

    CONTRAST__ASSESS__SAMPLING__ENABLE=true
    CONTRAST__ASSESS__SAMPLING__BASELINE=20
    CONTRAST__ASSESS__SAMPLING__REQUEST_FREQUENCY=2147483647
    CONTRAST__ASSESS__SAMPLING__WINDOW_MS=3600000
    CONTRAST__ASSESS__CACHE__VULNERABILITY_CACHE_PURGE_MS=3600000
    CONTRAST__ASSESS__EVENT_DETAIL=minimal
    CONTRAST__ASSESS__STACKTRACES=SINK

    Agent configuration file (YAML file):

    assess:
      event_detail: "minimal"
      stacktraces: "SINK"
      sampling:
        enable: true
        request_frequency: 2147483647
        baseline: 20
        window_ms: 3600000
      cache:
        vulnerability_cache_purge_ms: 3600000
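
A pre-deployment check for the settings above, as an added example that is not Contrast's own code: it maps the CONTRAST__ variables onto the nested YAML keys and flags file settings that override the web interface. The function names, the sample input, the rule that an environment variable wins over the file, and the exact-match test on PRODUCTION are assumptions.

```python
PREFIX = "CONTRAST__"

def env_to_config(env):
    """Map CONTRAST__A__B=value to nested keys {a: {b: value}}, the
    correspondence between the page's environment-variable and YAML listings."""
    cfg = {}
    for name, value in env.items():
        if not name.startswith(PREFIX):
            continue
        *parents, leaf = name[len(PREFIX):].lower().split("__")
        node = cfg
        for key in parents:
            node = node.setdefault(key, {})
        node[leaf] = value
    return cfg

def lookup(cfg, dotted):
    """Return the value at a dotted path such as 'assess.enable', or None."""
    for key in dotted.split("."):
        if not isinstance(cfg, dict) or key not in cfg:
            return None
        cfg = cfg[key]
    return cfg

def audit(file_cfg, env):
    """Return findings for an Assess-in-production deployment."""
    env_cfg = env_to_config(env)
    findings = []
    # Assumption: an environment variable wins over the same key in the file.
    server_env = lookup(env_cfg, "server.environment") or lookup(file_cfg, "server.environment")
    if server_env != "PRODUCTION":  # assumption: the value is matched case-sensitively
        findings.append(f"server.environment is {server_env!r}, not 'PRODUCTION'")
    if lookup(file_cfg, "assess.enable") is True:
        findings.append("assess.enable is true in the file: Assess cannot be turned off in the web interface")
    if lookup(file_cfg, "assess.sampling") is not None:
        findings.append("assess.sampling is in the file: it overrides web interface sampling settings")
    sampling = lookup(env_cfg, "assess.sampling") or lookup(file_cfg, "assess.sampling") or {}
    if sampling and str(sampling.get("enable")).lower() != "true":
        findings.append("sampling values are set but assess.sampling.enable is not true")
    return findings

# Constructed sample input: the alternative deployment via environment variables.
SAMPLE_ENV = {
    "CONTRAST__SERVER__ENVIRONMENT": "PRODUCTION",
    "CONTRAST__ASSESS__SAMPLING__ENABLE": "true",
    "CONTRAST__ASSESS__SAMPLING__BASELINE": "20",
    "CONTRAST__ASSESS__EVENT_DETAIL": "minimal",
}

if __name__ == "__main__":
    print(audit({"assess": {"enable": False}}, SAMPLE_ENV))  # clean deployment
    print(audit({"server": {"environment": "production"},
                 "assess": {"enable": True, "sampling": {"baseline": 20}}}, {}))
```

Pass `file_cfg` as the dictionary a YAML parser returns for the agent configuration file, and `env` as the process environment.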
    

Address performance issues

If you notice a negative performance impact after you enable Assess in production environments, change the sampling rate frequency:

  1. In the Contrast web interface, select Servers in the header.

  2. Select the server where Assess is enabled in a production environment.

  3. Select the Settings icon.

  4. Select Enable sampling for higher performance.

  5. Change the Analyzation frequency to a lower value.

Note

Settings in the agent configuration file override settings in the Contrast web interface. When you turn on Assess for a production environment in the agent configuration file, the Contrast web interface shows the Assess setting as greyed out or turned off.

If you used the alternative deployment by setting the sampling settings, use this method to address performance issues. 

  1. In the Contrast web interface, select Servers in the header.

  2. Select the server where Assess is enabled in a production environment.

  3. Turn Assess to OFF.

    This setting takes effect only if Assess is not enabled in the agent configuration file.

Effect of using route coverage with production traffic

Using this feature does not result in any data loss. The effects of using this feature are:

  • Sampling: Contrast analyzes routes only once in the Analyzation frequency window.

    Typically, this value is 24 hours.

  • Sensitive data: Sensitive data is not returned to Contrast. There is no risk of storing real user data in Contrast. This behavior is typically preferred for security purposes.

  • Stacktrace and Contrast web interface differences (Java only and .NET only): Java and .NET results show less depth in stacktrace data. In the Contrast web interface, all dataflow data is present; however, red highlighting is not displayed.

Performance metrics

Use these performance metrics as a guide for understanding the potential impact of using Assess in your production environments.

For each agent, Contrast does performance testing in their SaaS environments with applications that may produce different results from applications in your environment. Your performance metrics may be different from Contrast metrics.

Metrics by language:

  • Java: With the default settings, the agent increases total request time by 2 ms against a baseline of no deployed agents.

  • .NET: The baseline impact increases the agent's total request time to 1.5 ms, compared to a baseline of 0.5 ms for Protect only, which already runs in production environments.

  • Node.js: The baseline impact to the test application increases the agent request time by an average of less than 10 ms compared to a baseline of no deployed agents.