Our gift to you: completely revamped grids for all your applications, servers and vulnerabilities!
Redesigned and enhanced grids for applications, servers, and vulnerabilities make the most important data easier to find and streamline your daily tasks. Improvements include, but are certainly not limited to, filters per column, enhanced search functions, instantly visible tags and easier access to row actions. If you have questions or suggestions for more improvements, use the Give Us Feedback button above any of the grids.
Assign key:value pairs to applications during onboarding for better organization and tracking. Go to Organization Settings > Applications to define custom fields - such as Application ID, Business Unit and Point of Contact - for new and existing applications. Contrast even provides a preformatted configuration property to copy and use in your own files.
Configure your VSTS integration to send tickets to a specific backlog for a subproject.
The Java team expanded coverage of the Protect Expression Language Injection rule to also cover RichFaces CVEs, including CVE-2018-14667. We improved the accuracy of a Regular Expression DoS rule as well as the reliability of a Protect CSRF rule. We also fixed an issue where the agent could fail to enable Assess rules if all rules were enabled.
In an upcoming release, the Java agent will move to a mandatory one-application-per-JVM reporting model. This change provides more consistency in agent configuration and reporting across technology stacks. It also better reflects current best practices in web application packaging and deployment, targeting cloud infrastructures with dynamically deployable and scalable application clusters. The new model also eliminates the sometimes unreliable heuristics (based on the request context path) currently used to partition requests to specific applications, and will provide better reporting as a result.
In preparation for the new model, application naming properties such as contrast.standalone.appname are being deprecated and replaced by application.name. As of a future release, the deprecated properties will no longer be honored. Java System Properties will be updated to reflect each stage of these changes.
The .NET agent installer no longer requires a DotnetAgentSettings.ini file; it now requires a contrast_security.yaml file. Unlike the .ini file, the YAML file supports all of the .NET agent’s configuration options.
The agent now detects new values for application version, group and tags in re-deployed web.config files without requiring a restart of the agent. Changes in Protect rule modes take effect without requiring a restart of the agent. The .NET team also completed the following bug fixes:
In version 1.36.0, the Node team improved the accuracy of our hard-coded keys vulnerability detection. We fixed a bug that caused some vulnerability reports to be rejected due to having an invalid data type set for the server's port value. We also fixed a bug in the agent's startup process that, under certain policy conditions, prevented the agent from discovering route coverage information for Express.js applications.
For the 2.0.10 release, the Ruby team worked to enhance the agent's Assess functionality. We moved several method patches to C and refactored how extensions are generated to more reliably instrument applications in Assess mode. We also resolved a bug around parameter tracking in Assess, which allows for more accurate dataflow detection.
Version 1.4.0 brings new Protect enhancements for XSS, Path Traversal and Command Injection. The Python team also improved our library analysis architecture to be more memory efficient and use fewer processes. We made configuration updates to include backward compatibility of existing YAML files.
As of Contrast version 3.5.8, the auto-updating version of the Java agent is no longer available for download. The auto-update feature is not compatible with Contrast's design changes made to support the Java Platform Module System included in Java beginning with version 9. Existing agents with the auto-update feature will continue to function; however, once Contrast releases an agent capable of supporting Java 9+, they will no longer update to the latest version.
For more details on Java agent updates, see the Java summary below.
See your Protect data logs in SumoLogic via integration with the SIEM API. Browse through logs, and quickly find exactly what you’re looking for.
Contrast upgraded to MySQL 5.7 for embedded MySQL.
The Java agent team improved accuracy of the Assess Path Traversal rule on Spring applications. We added better Assess support for Jersey 2.0, including route detection for Jersey 2.0+ applications. The agent also supports setting common configuration properties via environment variables.
The .NET team fixed a bug in which the agent wasn't respecting the legacy TeamServerValidateCert configuration setting. We also fixed a bug in which the agent failed to restart properly when profiler chaining was enabled and the Assess or Protect mode was changed. We made improvements to:
System.Char values in the trigger event of Assess vulnerabilities
The agent supports Azure Application Service-hosted applications that are hosted outside of the wwwroot/bin directory.
The Node agent now supports Node 10, the latest long-term support (LTS) version of Node. The Node team also updated support for TLS connections to Contrast UI using common configuration options. We modified the logging levels for the agent to match the other agents, and closed a bug in the Winston logger. We also enhanced logging around
The Ruby team has released the Assess agent! The Ruby agent also supports the common configuration entries to customize TLS connections to Contrast UI. Due to performance issues, we removed log enhancers for classes loaded after the agent has initialized. (This functionality will be re-enabled in the next release.)
The Python agent now supports communication to the Contrast Service using Unix sockets. The Python team updated configuration to support customized TLS connections to the Contrast UI. The agent also supports a periodic thread for verifying connection status in Contrast UI.
Set up administrative approval for vulnerability closures and see route coverage for Jersey applications.
Use our new option to require administrative approval when a user attempts to close a vulnerability. Go to the Organization Settings > Applications page to choose which closed statuses and severities require approval. When a user attempts to close a vulnerability with a status and severity you’ve chosen, it goes into a Pending state until you approve or deny the change.
The Jenkins 2.8 plugin lets you query by build numbers or vulnerability timestamps, and also fail a build for only new vulnerabilities. For large-scale deployments, the plugin also supports the use of application UUIDs instead of application names.
The Java agent now reports route-based application coverage for Jersey 2.26+. The Java team fixed an issue in which the agent would fail to instrument certain Equinox classes, as well as a false positive when applications used HttpServletRequest.getContextPath. Spring Boot applications using the contrast.standalone.appname configuration now accurately report libraries.
The .NET agent team added “System.Web.Mvc.UrlHelper.IsLocalUrl” as a validator for unsafe redirects, and improved agent performance when the analyzed application communicates with web services using HttpClient. We also fixed bugs where:
Check back next month for an update on our latest (and greatest) work.
The Ruby agent team is preparing the final updates for GA of the Ruby Assess agent. The team has also been working on performance by optimizing the initial inventory message and moving library analysis into its own thread. We fixed an issue where Rails under Passenger wasn't correctly generating routes for GET requests, as well as a separate issue where Sinatra wasn't starting in Assess mode and class_eval was being used.
The Python team has continued to implement the REP Protect rules, with the Path Traversal rule now complete. The team also made a few updates to the implementation of the common configuration properties, including support for the global enable flag, more support for ENV overrides, and a fix where an ENV variable allows the entire configuration section to be omitted in the YAML file.
Use YAML-based common configuration properties for all of our agents, and track your vulnerabilities with our Agile Central integration.
Send vulnerabilities to Agile Central (formerly known as Rally) with our one-way integration that lets you set fields like Project Name, Defect State, Environment, Priority and more.
We changed the default filtering in the Applications grid to show you only licensed applications. Of course, you can still filter by your other favorite categories to make your search even easier.
The Java team fixed a bug that caused Assess events to be labeled with the wrong type, as well as a bug where user-provided Sanitizers that returned a new object could break data flow analysis. We added support for YAML-based common configuration options. We also improved reliability of Assess data flow analysis.
Users can now enable “profiler chaining” to allow the .NET agent to work alongside other third-party profilers such as New Relic, App Dynamics and Dynatrace. Set agent.dotnet.enable_chaining=true in the contrast_security.yaml common configuration file (or ProfilerChainingEnabled=true in the XML-based configuration file). The team made improvements to Protect to handle attacks via JSON deserialization within ASP.NET MVC applications, instrumentation reliability within Web API applications, and Assess accuracy for interned strings within XML reading. We also fixed bugs where instrumentation led to a crash on 32-bit applications on Windows Server 2008, the agent didn't use the configured agent data directory, and the agent would always use the “QA” environment settings for servers.
The Node team added Assess rules - HTTP Only and Secure Flag Missing - for the Hapi 17 framework, as well as additional support for session management. The team fixed issues related to file paths on Windows, rendering of null values in templates, and an auto-update issue. We also added more common configuration options, and implemented initial metadata support for instrumented applications.
The Ruby team has been working on performance enhancements to the agent. The team made asynchronous inventory and route analysis the default. We deferred instrumentation until explicitly enabled, refactored our gem analysis algorithm, and streamlined many of the utility methods. The agent was updated to align with changes to the common configuration options, and gained initial metadata support. In addition, the team is working towards general availability of the Ruby Assess features with the completion of the following Assess rules: XXE, NoSQL Injection and Unvalidated Redirect.
The Python team has continued to implement advanced Protect rules, with updates to the Path Traversal rule. The agent now supports changes to the common configuration options, and gained initial metadata support. The service layer added support for binary request bodies.
Want to find more details but spend less time searching? Use the new page for application route coverage and reorganized sections for all your keys.
Keep track of security for your entire application in the new Route Coverage tab. Contrast breaks down the data for discovered routes - including exercised and unexercised routes - as well as the specific routes with critical vulnerabilities. See the Agent Updates section for each agent's current list of supported frameworks.
Set global vulnerability threshold conditions in the Contrast Jenkins plugin. Teams may then override the conditions for specific jobs.
Only OrgAdmin-level users and above can see empty servers in the Contrast UI. (Servers that have applications will be visible as they are today and honor all the usual access rules.)
We've moved the keys around a bit to make them easier to find. Go to the user menu > Organization Settings > Profile page to see your Organization ID, API key, and Agent Service key; or, go to the Profile > Your Account tab to find your personal keys.
The Java agent team improved the agent's handling of XML inputs, and reduced the amount of memory used by the agent's Assess analysis. We also implemented route coverage for Spring MVC 4.
The .NET agent team has improved performance by enabling the CLR to inline methods not instrumented by Contrast. We improved error handling when certain reports to Contrast fail. We also implemented route coverage for MVC 4, MVC5, WebForms, ASMX, WCF and Web API frameworks.
The Node agent team added Protect support for Hapi 17, and is finishing up support for Assess rules in that framework. We fixed an issue in reporting traces to the Contrast UI in Assess mode, as well as an issue where propagation wasn't being followed through custom toString method calls.
The Ruby agent team has been focused on performance issues, including adding a timeout in cases where IP resolution appeared to take longer than a few seconds on startup and optimizing the XXE rule source input generation. We fixed an issue where rake tasks had a namespace conflict. We also completed route coverage for Rails and Sinatra frameworks.
The Python agent team implemented auto-start of the service when the instrumented application is started. We improved the application name generation for display in the Contrast UI. We also enabled the route coverage feature.
Just in: Ruby agent 2.0 and improvements for your integrations!
Contrast stores the credentials you entered in your last Jira configuration, and automatically applies them when you set up the next one. You can also manage your credentials by adding new ones or editing an existing set.
EOP users can set proxy settings and rest assured that all integration traffic will flow through it.
The Java team reduced the amount of memory used by the agent’s Assess analysis. We fixed an issue where certain java.lang.String methods, if added as sanitizers or validators, could cause application errors. We also added a new Malformed Header rule as well as protection against CVE-2018-1261.
The .NET team improved the performance of the agent’s communication with the Contrast interface, as well as the accuracy of unvalidated redirect analysis when the data source was System.Web.HttpRequest.RawUrl. Also, the Azure App Service Site Extension now checks for framework requirements.
The Node team added agent compatibility with the NewRelic APM agent. In the Protect feature, we improved the NoSQLi rule with support for classifier detection in MongoDB, and SQLi now has a new hook in the MySQL query interface. In the Assess feature, we can now track data propagation through user-defined input to the required statement, and we improved data flow on global constructors (e.g.,
The Ruby agent entered 2.0 with an embedded service that eliminates the need for a second gem. The embedded service starts on application launch, is compatible with multiple applications on the same server, and can be controlled via rake tasks. The 2.0 version of the agent includes improvements in how the application name is determined and better application version determination.
The Python agent has safer common configuration loading, and can accept configuration items from command line and environment variables. The team also added additional tests for Django applications with MySQL.
Good work, Python! The Protect agent is ready for the big time!
Contrast now allows users to set the Application Code attribute of an application by passing the contrast.application.code System property to the Java agent. The Java team also added the System property contrast.stderr for directing Contrast logs to STDERR instead of a log file, improved accuracy for XSS detection, and fixed a deadlock at start-up which affects WebLogic 12. When bot-blocking is enabled, the Java agent will always block the Mozilla bot, even when the user hasn't included any bots to block in their Contrast application configuration.
The .NET team added an Assess rule for HSTS header missing, as well as support for Contrast.AppName in DPAPI-protected configs. We also fixed a concurrency issue that could cause an InvalidOperationException, along with issues where headers set in global.asax weren't analyzed by Assess sensors and incorrect sources were reported for some Assess vulnerabilities.
The Node team made a variety of performance and compatibility improvements, including: better compatibility with the New Relic APM agent, fixing an issue with PostgreSQL options, and compatibility with applications that run uglify-js in their deployment pipeline. The agent also handles the case where the package.json isn't included in an application. Finally, the team added some propagation enhancements for better Assess accuracy in
The Ruby team improved class name resolution from the code file paths.
Python Protect enters General Availability with this release! Remaining tasks for the Python team included tracking routes identified in the application for coverage statistics. We also added a new default location for configuration files under /etc/contrast.
With .NET agent support for Azure App Service, a new applications grid to try out, and the Beta release of the Ruby Assess agent on its way, Contrast just upgraded your summer plans.
Use the new version of the Contrast Maven Plugin! It's automatically integrated with TravisCI and CircleCI build numbers, and there’s no need to manually configure JVM arguments.
With our new applications grid in Beta, we’ve given you more direct access to filters while retaining them as you work, provided more insight to your vulnerabilities, and cleaned up the UI for more simplicity. Go to the Applications page to give it a try, and then let us know what you think!
The Java agent team fixed over-reporting of Expression Language Injection, and improved accuracy of the SQL Injection and XSS rules for Protect. We also added protection against CVE-2018-1273. We now recognize several Assess sanitizers from Freemarker v2.3.2+. We also improved performance of the agent's Assess analysis in scenarios where calling ToString on an object led to multiple exceptions in that class’s implementation of ToString. We improved reliability of agent initialization, library discovery, and the Java agent launcher downloading the Java agent from Contrast.
Contrast now supports analysis of .NET applications hosted in Azure App Service. See Manual Installation and Express Installation for Azure for instructions on how to add the .NET agent to applications hosted by Azure App Service. While the .NET team was working on that, we also:
Oh, and the agent will no longer falsely identify a weak hash algorithm in Microsoft reporting services.
The Node agent team resolved issues related to an incorrect value being read from the PostgreSQL sensor when emitting event data. Additional sanitization methods for mustache templates are now supported. We've investigated and closed a string literal to string object transformation issue, a related issue where tag ranges after string concatenation were not being resolved as an integer value, and ensured that propagation for strings handles the edge case where the length of the tag range is 0. The inventory mode now supports library versions in additional non-standard formats. Finally, the agent now supports code using the spread operator in additional contexts.
The Ruby agent team fixed a bug in class name resolution from the require library paths. We also fixed an issue with the used class count, and closed an issue where an internal context object was being called with an incorrect argument. In preparation for the Ruby Assess Beta coming this summer, we implemented the stored XSS rule, and updated the trace event reporting to the Contrast application.
The Python agent team is preparing for general availability of the Python Protect agent at the end of the second quarter. We've fixed issues related to the used class count, and updated the library version reporting to the Contrast application. We've also made updates to the stack frame reporting for attacks, and updated the installation instructions for the Flask web framework.
Does dealing with issues feel like herding cats? Use new integration options and enhanced Jenkins plugin features to help yourself out!
Use our Jenkins plugin with a proxy, or try a new flag to disregard Contrast findings for a specific Jenkins job. You can even try Results Only mode: Contrast will set the job status of a build to a customized status, such as "Not Built", "Aborted" or "Unstable".
In the tradition of JIRA, VSTS/TFS and Bugzilla support, we present to you GitHub issues - yet another way to send those vulnerabilities out of Contrast (and your applications)!
Get ready for even more vulnerability details with Slack! New info includes server, application and rule names as well as time of detection.
Java Protect accuracy just got better! We improved analysis of encoded attacks and added detection of the command injection used by JexBoss. Work was completed to improve reliability of both agent initialization and timing out within the value specified by the -Dcontrast.timeout configuration. We boosted performance of Assess analysis against J2EE applications, as well as fixing locking and concurrent modification of policy.
.NET Assess fixed a few bugs - one where the data flow analysis stopped when data went through a "potential security control" and another where limited vulnerabilities would be rejected by Contrast. We made improvements to memory usage by reducing the number of allocations used by Assess data flow analysis, and implemented new rules:
In addition, performance was enhanced by consolidating several IPC messages, and a fix was put in place when instrumenting "Outsystems" third-party components. The .NET agent installer will now read the RestartIISOnConfigChange configuration value from the DotnetAgentSettings.ini file. See Assess Rules for more information.
Node Protect has multiple performance improvements in the handling of source inputs by rule, and added a stricter demarcation of the Assess and Protect contexts. We fixed an issue in the CSRF rule that could cause timeouts in blocked requests. Specifically for our Assess feature, we resolved an issue where required paths were not strings. Node has improved auto-update to correctly check Contrast UI version numbers and now supports the YAML-based common configuration file. As Node 4 is at the end of its life, this is the last agent to officially support Node 4. And we're looking forward to supporting Node 10 in October!
Ruby works toward beta-level Assess support at the end of Q2. For the Protect agent, we had updates to our SQLi rule, exclusions honor the "all" condition from the Contrast UI, and configuration files can be added to a standard Contrast directory. There's also a new feature where the request body can be excluded from results sent to the Contrast UI. We had an issue where the CVE-2017-0898 shield was blocking assets in development mode, but it's fixed now! We've updated our library dependencies in both the agent and the service reducing the potential for incompatibilities in user environments.
Python Protect is available to beta partners. We added Pyramid support as well as better reporting on the XSS rule in the Contrast UI. We fixed an issue where specific regex patterns were causing an exception in Python 2.7.5 and Python 2.7.6. We addressed the problem where older versions of pip were causing an exception, and fixed a false negative issue in the SQLi rule. The agent correctly applies IP blacklist configurations to the X-Forwarded-For header.
With the Python agent in beta and Protect features available for Node, it's like a whole new world. (A new fantastic point of view...)
Wondering about the daily breakdown of your Protect license usage? Head over to the Organization Statistics page to find out. We’ll show you the number of servers protected, peak daily usage and much more.
When you export a vulnerability, the Vulnerability Overview and Notes fields are sent over with all of the regular info for new JIRA or VSTS/TFS tickets.
Ensure that your applications are compliant with the OWASP Top 10 2017 standard, and generate reports based on the compliance standard.
The Java team improved blocking of the Protect Path Traversal rule and added protection against CVE-2017-8046. We also fixed a bug where the agent could fail to block, at the perimeter, an attack embedded within JSON/XML.
The .NET team added an XXE Rule for Protect and improved agent accuracy (i.e., Protect Command Injection and Assess handling of ASP.NET server variables). We reduced the agent’s impact to performance of Web API applications by ~7% as well as the number of allocations used by the agent’s Assess analysis. We also fixed the following issues:
The Protect features of the Node agent officially entered GA this month with some final work on the CSRF rule, additional patterns for the CMD injection rule, a better matcher for the Bot Blocker rule, a fix for virtual patches and better stack trace reporting. We've also updated our error reporting when the config file isn't found, allowed for global environment variables to supersede configuration options, and added configuration flags for disabling Protect and Assess features. Finally, we've had a few updates for better Windows support and better technology reporting from the agent.
The Ruby agent updated the SQL injection to resolve a false negative, and simplified access to the configuration object in multi-process web server environments. We added a fix to limit the size of the pending message queue when the service is unavailable and provide better feedback if the logging directory is in a non-writable state. We've also made our gem dependencies less strict to reduce the possibility of gem conflicts for the service layer.
The Python Protect agent begins its beta phase with support of the full set of Protect rules and a new, high-speed service layer.