Improve route coverage with production traffic
Before you begin
Supported agent versions:
Java 6.6.0 and later
Python 9.4.0 and later
.NET Core 4.3.0 and later
.NET Framework 51.1.0 and later
If you have any questions or concerns before using this feature, contact your Contrast representative for guidance.
Best practices
Turn on IAST (Assess) in the application while it's in a pre-production environment before you deploy the application with IAST in the production environment. Doing so lets you check for compatibility and performance issues.
Only use IAST in production environments for applications that use frameworks that Contrast Assess supports.
Instrument single instances of the application server.
If you use a load balancer that shifts traffic to different instances, it might be worth instrumenting one or more containers depending on the traffic routing rules.
Limit agent deployments provides additional details for this situation.
For performance impact and reduced overhead for IAST in production mode, reach out to your Contrast CSM. They have detailed data on average response time, average CPU usage, TPS, memory allocation, and more.
Sensitive data masking: Contrast does not store any sensitive data.
Avoid changing the sampling settings in the agent configuration (YAML) file.
The settings in the agent configuration file override settings in the Contrast web interface. If you need to change sampling settings, it is best to use the web interface for this purpose.
In many cases, hosted customers don't have access to the sampling settings; Contrast manages them instead.
Turn on Assess in production environments
At the time of deployment, enable Assess in the agent configuration file:
assess:
  enable: true
When Assess is enabled, deploy an application to Contrast and set one of these options:
System property:
-Dcontrast.server.environment=PRODUCTION
Environment variable:
CONTRAST__SERVER__ENVIRONMENT=PRODUCTION
Agent configuration file (YAML file):
server:
  environment: PRODUCTION
The PRODUCTION value is case-sensitive.
The easiest method for deploying an agent is to use the Add New agent wizards in the Contrast web interface.
Alternative deployment
An alternative deployment option is to include the lower-level sampling configuration for the agent. This applies if you want to test in a lower environment and set the server environment accordingly. Follow these steps:
In the agent configuration file, leave the Assess setting as:
assess:
  enable: false
You can update this setting in the Contrast web interface if you need to turn off Assess analysis.
Update the agent configuration using environment variables or settings in the agent configuration file, as shown in these examples:
Environment variables:
CONTRAST__ASSESS__SAMPLING__ENABLE=true
CONTRAST__ASSESS__SAMPLING__BASELINE=20
CONTRAST__ASSESS__SAMPLING__REQUEST_FREQUENCY=2147483647
CONTRAST__ASSESS__SAMPLING__WINDOW_MS=3600000
CONTRAST__ASSESS__CACHE__VULNERABILITY_CACHE_PURGE_MS=3600000
CONTRAST__ASSESS__EVENT_DETAIL=minimal
CONTRAST__ASSESS__STACKTRACES=SINK
Agent configuration file (YAML file):
assess:
  event_detail: "minimal"
  stacktraces: "SINK"
  sampling:
    enable: true
    request_frequency: 2147483647
    baseline: 20
    window_ms: 3600000
  cache:
    vulnerability_cache_purge_ms: 3600000
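The page shows the same settings twice, once as YAML and once as CONTRAST__SECTION__KEY environment variables. The following added example (not Contrast's own tooling) parses the scalar-only YAML style used above, derives the environment variable names from the nested keys, and checks a configuration against the guidance on this page (case-sensitive PRODUCTION value, file settings overriding the web interface). The sample configuration is constructed from the fragments above; the function names are the example's own.

```python
# Constructed sample combining the fragments shown on this page (2-space indent).
SAMPLE_YAML = """\
server:
  environment: PRODUCTION
assess:
  enable: true
  event_detail: "minimal"
  sampling:
    enable: true
    request_frequency: 2147483647
"""

def parse_simple_yaml(text):
    """Parse indentation-nested 'key: value' lines (scalars only) into nested dicts."""
    root = {}
    stack = [(-1, root)]                       # (indent, mapping) of open sections
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:          # close sections nested deeper than this line
            stack.pop()
        parent, value = stack[-1][1], value.strip().strip('"')
        if value:
            parent[key] = value
        else:                                  # no scalar: a nested section begins
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def to_env(config, prefix="CONTRAST"):
    """Flatten nested keys to the CONTRAST__A__B names this page uses."""
    out = {}
    for key, value in config.items():
        name = f"{prefix}__{key.upper()}"
        out.update(to_env(value, name) if isinstance(value, dict) else {name: value})
    return out

def review_config(config):
    """Return findings against this page's guidance for Assess in production."""
    env, findings = to_env(config), []
    environment = env.get("CONTRAST__SERVER__ENVIRONMENT")
    if environment != "PRODUCTION":            # the value is case-sensitive
        findings.append(f"server.environment is {environment!r}; must be exactly PRODUCTION")
    if env.get("CONTRAST__ASSESS__ENABLE") == "true":
        findings.append("assess.enable in the file overrides the web interface Assess toggle")
    if any(k.startswith("CONTRAST__ASSESS__SAMPLING__") for k in env):
        findings.append("sampling keys in the file override the web interface sampling settings")
    return findings
```

Running `review_config(parse_simple_yaml(SAMPLE_YAML))` reports the two override findings and no environment error; a file with `environment: production` in lowercase is flagged.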
Address performance issues
If you notice a negative performance impact after you enable Assess in production environments, change the sampling rate frequency:
In the Contrast web interface, select Servers in the header.
Select the server where Assess is enabled in a production environment.
Select the Settings icon.
Select Enable sampling for higher performance.
Change the Analyzation frequency to a lower value.
Note
Settings in the agent configuration file override settings in the Contrast web interface. When you turn on Assess for a production environment in the agent configuration file, the Contrast web interface shows the Assess setting as greyed out or turned off.
If you used the alternative deployment (sampling settings in the agent configuration file), use this method to address performance issues:
In the Contrast web interface, select Servers in the header.
Select the server where Assess is enabled in a production environment.
Turn Assess to OFF.
This setting takes effect only if Assess is not enabled in the agent configuration file.
Effect of using route coverage with production traffic
Using this feature does not result in any data loss. The effects of using this feature are:
Sampling: Contrast analyzes each route only once per Analyzation frequency window. Typically, this window is 24 hours.
Sensitive data: Sensitive data is not returned to Contrast, so there is no risk of storing real user data in Contrast. This behavior is typically preferred for security purposes.
Stacktrace and Contrast web interface differences (Java and .NET only): Java and .NET results show less depth in stacktrace data. In the Contrast web interface, all dataflow data is present, but red highlighting is not displayed.
Performance metrics
Use these performance metrics as a guide for understanding the potential impact of using Assess in your production environments.
For each agent, Contrast runs performance testing in its SaaS environments with applications that may produce different results from applications in your environment. Your performance metrics may differ from Contrast metrics.
Language | Metrics
---|---
Java | With the default settings, total request time increases by 2 ms compared to a baseline of no deployed agents.
.NET | The agent's total request time increases to 1.5 ms, compared to a baseline of 0.5 ms for Protect only, which already runs in production environments.
Node.js | Agent request time for the test application increases by an average of less than 10 ms compared to a baseline of no deployed agents.
Python | With the default settings, total request time increases by 56 ms compared to a baseline of no agent.