Contrast is a passive technology. Contrast changes your bytecode at runtime to install our sensors, but doesn't change your data or how your code flows.
Contrast collects a lot of application analytics like URLs, file paths, jar names, and other relatively non-sensitive information. It also sends all the data related to security-relevant events.
If a method call occurs that's an integral part of a vulnerability, all the aspects of that event (the object, return value, parameters and more) are sent back to the Contrast site. This process allows you to analyze the collected data and decide if any of it is sensitive.
Example: If there's an XSS vulnerability in the login code, the username and password will probably be sent back as part of the XSS trace. If Contrast is installed in a Development or QA environment, as recommended, it's not likely that any Production or sensitive data is involved.
Contrast is an Interactive Application Security Testing (IAST) tool. Therefore, it's only aware of the sections of an application that it's seen.
To effectively monitor your application, the Contrast agent must be running on your server while the application is exercised. During this phase, Contrast reports new URLs as it encounters them. The same process happens when new URLs are added to your application after the agent is first introduced. In most cases, the growth in the number of URLs tapers off logarithmically over time, and the minor growth you'll see won't have a significant effect on your overall score.
If you're facing a complex issue in the Contrast interface, Contrast might request that you send a HAR file to help the support teams fix the problem more quickly.
A HAR file helps troubleshoot the following issues:
The following instructions are written for users on Google Chrome. If you don't already have the browser installed, you can get it here.
An animated GIF of the process:
Contrast identifies libraries by their SHA-1 digest, and updates library definitions periodically. As a result, Contrast might not recognize new libraries when agents report them.
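To illustrate why a digest-based lookup can miss a library that has been repackaged, here is an added example (not Contrast's code, and not any product's real catalog). It builds two in-memory jars with identical class entries, differing only in zip metadata (entry timestamps and order, which is what repackaging tools typically rewrite), and shows that the file-level SHA-1 changes while a digest over the entry contents alone does not. The class bytes, the `CATALOG` and the library name are constructed sample values.

```python
import hashlib
import io
import zipfile

# Constructed sample entries: the same bytes go into both archives.
CLASS_ENTRIES = {
    "com/example/Foo.class": b"\xca\xfe\xba\xbe" + b"foo-bytecode",
    "com/example/Bar.class": b"\xca\xfe\xba\xbe" + b"bar-bytecode",
}


def build_jar(entries, date_time=(2020, 1, 1, 0, 0, 0), order=None):
    """Write an in-memory jar (a zip file) containing the given entries.

    Repackaging normally rewrites entry timestamps and may reorder entries;
    both effects are simulated through date_time and order.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in (order or sorted(entries)):
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, entries[name])
    return buf.getvalue()


def archive_sha1(jar_bytes):
    """File-level SHA-1: the kind of digest a library lookup keys on."""
    return hashlib.sha1(jar_bytes).hexdigest()


def content_sha1(jar_bytes):
    """Digest over sorted entry names and uncompressed contents only.

    Zip metadata (timestamps, entry order, compression) is ignored, so this
    value survives repackaging as long as the classes themselves are unchanged.
    """
    h = hashlib.sha1()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in sorted(zf.namelist()):
            h.update(name.encode())
            h.update(b"\0")
            h.update(zf.read(name))
    return h.hexdigest()


# Constructed catalog keyed by archive digest (hypothetical library name).
CATALOG = {archive_sha1(build_jar(CLASS_ENTRIES)): "example-lib-1.0"}


def identify(jar_bytes, catalog=CATALOG):
    """Return the catalog name for a jar, or None when the digest is unknown."""
    return catalog.get(archive_sha1(jar_bytes))


def demo():
    original = build_jar(CLASS_ENTRIES)
    repackaged = build_jar(
        CLASS_ENTRIES,
        date_time=(2023, 6, 15, 12, 0, 0),
        order=["com/example/Foo.class", "com/example/Bar.class"],
    )
    return {
        "original_identified": identify(original),      # "example-lib-1.0"
        "repackaged_identified": identify(repackaged),  # None: digest changed
        "archive_digest_matches": archive_sha1(original) == archive_sha1(repackaged),
        "content_digest_matches": content_sha1(original) == content_sha1(repackaged),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical check this gives you: when a library shows up as unrecognized, compare a content digest of its entries against the digest of the artifact you actually built from; if those match, the cause is repackaging rather than a genuinely unknown library.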
Note: If any library repackaging occurs for Java clients, which WebSphere does by default, the digest is different. To prevent repackaging, you can add the following JVM system property:
For Java clients, issues with library version recognition result from the way that Contrast data sources store information about a library's version. Some versions are formatted with the year at the beginning, so the sort method reads them as a more recent version. The problem should phase itself out as the industry moves to a more normalized version convention.
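The sorting problem described above, reproduced as an added example (this is not Contrast's sort logic). A plain numeric comparison of version components ranks a year-prefixed version such as `20180925` above `4.1.2`; the second function keeps the two schemes apart so a date-based string can never mask the newest semantic version. The `SAMPLE_VERSIONS` list and the four-digit-year heuristic in `is_calendar_version` are constructed assumptions for the illustration.

```python
import re

# Constructed sample: three dotted versions and two year-prefixed ones.
SAMPLE_VERSIONS = ["3.9.0", "4.1.2", "4.0.0", "20180925", "20170303"]


def numeric_key(version):
    """Split a version string into a tuple of integers for comparison."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def naive_latest(versions):
    """Pure numeric comparison: a year-prefixed version always wins."""
    return max(versions, key=numeric_key)


def is_calendar_version(version):
    """Assumed heuristic: a leading component that starts with a plausible
    four-digit year (1900-2099) marks a date-based version string."""
    match = re.match(r"\d+", version)
    if not match:
        return False
    lead = match.group()
    return len(lead) >= 4 and 1900 <= int(lead[:4]) <= 2099


def scheme_of(version):
    return "calendar" if is_calendar_version(version) else "semantic"


def latest_per_scheme(versions):
    """Never compare across schemes: return the newest version of each kind."""
    newest = {}
    for version in versions:
        scheme = scheme_of(version)
        if scheme not in newest or numeric_key(version) > numeric_key(newest[scheme]):
            newest[scheme] = version
    return newest


if __name__ == "__main__":
    print("naive:", naive_latest(SAMPLE_VERSIONS))
    print("per scheme:", latest_per_scheme(SAMPLE_VERSIONS))
```

When you see a library graded as out of date against a version that looks like a date, this is the comparison to suspect: the newest dotted release is `4.1.2`, but the naive sort reports `20180925`.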
Contrast takes this into account when grading a library file, and reduces the impact of the file's age.
Contrast doesn't know that a class has been used from a Java or .NET library file until it sees the class in your application. Further testing of your application should increase these numbers to give you a more accurate analysis of class usage.