
Vulnerability management policies

Vulnerability policies let administrators with the Organization RulesAdmin or Organization Administrator role define a set of criteria that, when triggered, either changes the status of a vulnerability or flags it for review. The criteria that define a policy include vulnerability rules, severity, application, and route.

You can set in-app notifications when vulnerabilities violate these policies. Administrators are notified of violations in-app and by email.

Auto-verification policies

Auto-verification policies automatically change the status of a vulnerability that meets specific criteria to Remediated - Auto-Verified:

  • Contrast marks a vulnerability as Remediated - Auto-Verified if Contrast does not discover it on the same route across two different sessions. If two sessions report the exact same session metadata, Contrast views the two sessions as a single session.

    This action applies to vulnerability policies with a route-based trigger.

  • If a vulnerability that Contrast previously marked as Remediated - Auto-Verified reappears when the same route is exercised, its status changes to Reported. Contrast updates the details in the Activity tab on the vulnerability details page.

  • If a vulnerability that Contrast previously marked as Remediated - Auto-Verified reappears when the same route is exercised after you disable or delete an auto-verification policy, the vulnerability status changes to Reported. Contrast updates the details in the Activity tab on the vulnerability details page.

An auto-verification policy can have a route-based or a time-based trigger.

Violation policies

Violation policies trigger a violation notice when a vulnerability matches a set of specific criteria. If triggered, you see the vulnerability in red text in the vulnerabilities list. Use the vulnerabilities filter to view only vulnerabilities with policy violations.

[Image: a vulnerability shown in red in the vulnerabilities list, with the policy tooltip message]

Policy triggers

These trigger types activate a vulnerability policy:

  • Route: Triggers an auto-verification policy when a vulnerability is seen, or not seen, on a specific route. This trigger is available for technologies where Contrast can identify routes.

  • Time: Triggers a violation or auto-verification policy after a specified number of days.

Session metadata for route-based auto-verification

For optimal results from route-based vulnerability policies, add session metadata to the agent configuration files:

  • Providing unique session metadata allows Contrast to create a baseline of findings that lets it verify whether a vulnerability was remediated based on route comparisons.

  • Using the Test Run session metadata field is the best way to ensure that Contrast is tracking routes and vulnerabilities across an entire test run, even if you restart the agent and the application multiple times during the run.

    Contrast creates a unique session ID for every unique metadata-value pair. Using session metadata in this manner combines multiple test runs into a single test session. This action is useful in situations where different code paths on the same route are tested.
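The following is an added example, not Contrast's own code, that models the route-based auto-verification rules above (two distinct sessions without the finding on the same route close it, identical session metadata collapses into one session, and a reappearance reopens it as Reported). The class name, the session/findings shapes and the sample sessions are constructed for illustration.

```python
REPORTED = "Reported"
AUTO_VERIFIED = "Remediated - Auto-Verified"


class RouteAutoVerifier:
    """Constructed model of the route-based trigger; not Contrast's implementation."""

    def __init__(self):
        self.status = {}    # vuln id -> current status
        self.route = {}     # vuln id -> route on which it was last discovered
        self.clean = {}     # vuln id -> session keys that exercised the route without the finding
        self.activity = []  # log lines in the spirit of the Activity tab

    @staticmethod
    def session_key(metadata):
        # Identical metadata-value pairs mean Contrast treats the sessions as one session.
        return tuple(sorted(metadata.items()))

    def report_session(self, metadata, exercised_routes, findings):
        """findings maps vuln id -> route on which the agent discovered it this session."""
        key = self.session_key(metadata)
        for vid, route in findings.items():
            self.route[vid] = route
            self.clean[vid] = set()  # any sighting resets the clean-session baseline
            if self.status.get(vid) == AUTO_VERIFIED:
                self.activity.append(f"{vid}: reappeared on {route}, status -> {REPORTED}")
            self.status[vid] = REPORTED
        for vid, route in self.route.items():
            if vid in findings or route not in exercised_routes:
                continue  # route not exercised, so this session says nothing about the vuln
            if self.status[vid] == REPORTED:
                self.clean[vid].add(key)
                if len(self.clean[vid]) >= 2:
                    self.status[vid] = AUTO_VERIFIED
                    self.activity.append(f"{vid}: absent on {route} in 2 sessions, status -> {AUTO_VERIFIED}")


def run_scenario():
    """Constructed test-run history; returns the status of SQLI-1 after each session."""
    v = RouteAutoVerifier()
    sessions = [
        ({"testRun": "run-1"}, ["/login"], {"SQLI-1": "/login"}),  # finding discovered
        ({"testRun": "run-2"}, ["/login"], {}),                      # 1st clean session
        ({"testRun": "run-2"}, ["/login"], {}),                      # same metadata: still 1 session
        ({"testRun": "run-3"}, ["/login"], {}),                      # 2nd clean session: auto-verified
        ({"testRun": "run-4"}, ["/login"], {"SQLI-1": "/login"}),  # reappears: reopened
    ]
    history = []
    for metadata, routes, findings in sessions:
        v.report_session(metadata, routes, findings)
        history.append(v.status["SQLI-1"])
    return history
```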

Environments

For optimal results, configure the vulnerability policies to apply to the environments where you are using test automation. If you are running the same application on multiple servers, ensure that each server is configured for the Development, QA, or Production environment.

Multiple policy actions

If multiple policies affect the same vulnerability, these rules determine how Contrast applies the policies:

  • Auto-verification policies take precedence over violation policies. For example, if an auto-verification deadline applies first, the vulnerability is closed and never flagged.

  • Between two time-based triggers, the action with the closest deadline applies first. For example, if a violation deadline applies first, the vulnerability is flagged and then auto-verified when the later deadline applies.