Add an application to your organization by completing the following steps.
You can access the Add Agent wizard from any page by clicking the button in the top navigation.
After choosing a language, you can customize your settings by checking the box for Custom Agent Profile before downloading the agent. Choose a name for your profile; check Use HTTP Proxy to configure HTTP Proxy settings, if desired. Once one or more custom profiles are created, you can select them from the dropdown or click Manage Profiles to copy, rename and delete saved profiles.
You may be asked to provide custom metadata for applications in certain organizations. All required fields are marked with an asterisk ( * ).
Use one of the following options to include the key:value pairs in your configuration file:
Note: If you do not include required metadata values, the application may fail onboarding.
Once your applications are onboarded, the information you provided in these fields is displayed in the Applications grid and the application's Overview tab.
To determine users' access to an application, you can specify the access control group to which an application will belong before initial startup. Use the appropriate workflow for your language to set the group name in the agent configuration for your application.
When Contrast recognizes the group you named, it automatically associates the application with that group, and allows all group members to access the application with the role determined by the group. If a user specifies a group that doesn't exist or isn't set by an administrator to allow this function, Contrast ignores the group association but still onboards the application. You can then add the application to a group using the standard workflow.
For Java, add the system property contrast.group to your startup command:
-Dcontrast.group="Contrast Testing" -javaagent:/path/to/contrast.jar
For .NET, you can configure group access at the application or server level. At the application level, add the Contrast.AppGroup property to the appSettings group in the application's web.config file. At the server level, add Contrast.AppGroup to the DotnetAgentService.exe.config file for the agent server.
For Node.js, you can choose from two configuration methods. Either add "appGroup":"groupname" to the contrast_security.yaml file:
contrast:
  url: https://app.contrastsecurity.com
  user_name: contrast_user
  api_key: demo
  service_key: demo
application:
  group: insertGroupNameHere
Or add --application.group "groupname" to the command line arguments, or to the npm command in your package.json file:
node-contrast index.js --application.group "groupname"
npm run contrast -- --application.group "groupname"
For Ruby, add the group field to the application section of the contrast_security.yaml file from Contrast. Example configuration for the group:
application:
  group: Contrast Testing
Select your container to view the installation instructions for the specific language you selected. For more information, go to the Installation overview article.
Before you begin browsing an application, it's important to restart your server. The wizard includes this step to guarantee that you don't forget.
To confirm that your agent was correctly installed, Contrast displays reported information from the server. Once you see these updates, you can complete the wizard, and begin browsing directly from the Application Overview page.
Note: Each application in the same organization must have a unique name. If multiple applications have the same name, Contrast incrementally appends a counter to each instance of the display name (e.g., App1, App1 (1), App1 (2)).
Once you bring an application online and it's reporting results, you can assign a license to the application. All applications in Contrast start with a temporary license by default. Without a license, you can't see vulnerability findings, application activity or visibility of how the application is being used in real time. You can't transfer licenses between applications that are active or archived.
To free a license from one application and assign it to another, you must reset and fully delete the licensed application. Once the application is deleted, the license returns to the organization pool.
You must be an OrgAdmin to assign a license to an individual application. To see unlicensed applications in your organization, look for the Unlicensed link beside the application name in the grid or the application's Overview page, or go to the Unlicensed quick view.
To apply a license, select the Unlicensed link beside the application name in the grid or the application's Overview page. In the dialog that appears, click the button to Apply License. Once completed, the application is no longer marked as "Unlicensed", and all findings are visible.
OrgAdmins and SuperAdmins can automatically apply licenses to new applications in the Organization Settings and System Settings pages, respectively. For more information about applying and managing licenses, read Manage Licenses.
The ability to compare differences across environments as code travels is a key piece of application security. Contrast provides constant visibility throughout the software development process from the moment code is written to when it’s pushed to production.
Go to the Servers page to set up environments. You can set the environment for each server to Development, QA or Production.
To see a side-by-side comparison of each environment for an application, select your application in the Applications page grid, and designate servers in the application Overview page. To designate new servers, click the links to Set Up Servers for each environment.
Once setup is finished, Contrast can get busy finding weaknesses, and you can identify and compare the security risks associated with each environment.
Go to the Vulnerabilities tab from the application's Overview page to see a list of all vulnerabilities found in that application. Contrast shows you all the vulnerabilities it's discovered including SQL Injection, Cross-Site Scripting (XSS), Command Injection, Path Traversal, XML External Entity Processing (XXE), Cross-Site Request Forgery (CSRF), Java Deserialization and many more. View and manage basic information in the vulnerabilities grid; or, click on a vulnerability for more details, including the type of vulnerability, guidance on how to fix it, line of code and the ability to replay the attack.
Note: For Contrast to find weaknesses and present findings, you must exercise your application. You can then track, share and receive remediation guidance for each vulnerability that Contrast reports.
For more information on analyzing, managing and exporting reports on vulnerabilities, read the following articles:
Contrast observes the flow of data through routes in each of your applications. An application "route" is a combination of three distinct data points: the URL of the route, the HTTP verb associated with the request (e.g., GET or POST), and a unique signature based on that route's controller action. With Contrast's route coverage, you can see detailed information on the components of your application, such as which routes have been exercised versus which ones have not, and decide where to focus your testing efforts.
Hint: When you consistently exercise each route in your application, the Contrast agent can successfully Assess and Protect the surface layer of your application, and discover vulnerabilities.
Contrast supports route coverage for the following frameworks:
For supported frameworks, route coverage consists of two parts:
While coverage is enabled automatically for most Contrast agents, you must use the following property to specify the application name when deploying the Java agent:
-Dcontrast.standalone.appname=<example_name>. If you don't include this property, the Java agent may only observe - but not discover - routes in your application.
Note: The Java and Node agents only report coverage information for the specifically instrumented frameworks listed above. For unsupported frameworks, neither agent displays any routes.
To see Contrast findings in the UI, select an application from the Applications grid. In your application's Overview tab, view the number of Routes Exercised compared to the number of total routes in your application. Click on the figure or select the Route Coverage tab to view details for each route that Contrast has identified in the application.
Each layer of the chart represents routes that have been discovered by Contrast (but never exercised with the agent), exercised with the Contrast agent, and exercised and found to be vulnerable. Click on each layer to see how Contrast's findings have been updated each day.
View details on each route, including the servers on which it exists and the number of vulnerabilities found, in the Route grid. Click on the route signature to view the HTTP verb and URL, or click on the name of a server to go to the server's Overview page. Click on the vulnerability count in a grid row to view more information about each vulnerability in the application's Vulnerabilities page. (The number of critical vulnerabilities is noted with a red warning mark.)
Use the dropdown menu to filter routes, or the search field to find specific routes in the grid. The date range (calendar) filter simultaneously updates your view in the grid and the chart. Users with administrator-level permissions can also click the reset icon to remove all routes listed in the grid.
Contrast uses third-party, open-source library assessment to identify which libraries are used, the depth of their usage and the number of vulnerabilities that exist in them, including previously unidentified Common Vulnerabilities and Exposures (CVEs). This assessment makes you aware of libraries that may be vulnerable and impact the security of your application.
Go to the Libraries tab from the application's Overview page to see a list of all libraries being used within that application. You can also go to the main Libraries page to see an overview of all libraries across your portfolio and manage them in bulk.
Contrast provides you with a grade for:
Contrast calculates this grade based on three things:
Contrast gives letter grades to your applications so that you can gauge their general performance. The grade represents an aggregate score based on the amount of the application that's been exercised as well as the amount and seriousness of the vulnerabilities that have been detected during the analysis process.
The overall application score is the average of your application's Library Score and Custom Code Score. In this example, the Library Score is 85 and the Custom Code Score is 68. Therefore, the overall Contrast Score is 77. Scores are calculated as shown below.
Library Score
(Base Library Score) + (bonus for active CVE shields) = (final Library Score)
67 + 18 = 85
Custom Code Score
(Base Custom Code Score) + (bonus for active Protection Rules) = (final Custom Code Score)
56 + 12 = 68
Overall Contrast Score
(final Library Score + final Custom Code Score) / 2 = (overall Contrast Score)
85 + 68 = 153
153 / 2 = 77
The darker portion of the Library Score bar illustrates improvement attributed to active CVE Shield defenses deployed in the Production server environment. In the Custom Code Score bar, it shows improvement from active Protection Rules deployed in the Production server environment.
The base Library Score is derived from the security on which your application sits (i.e., the frameworks and libraries that make up your application). Security factors include language, existence of known CVEs and the age of the libraries used.
The base Custom Code Score is the security of the application that you've written. The score starts at 100; the number and severity of the vulnerabilities present in your application drive this score down.
Vulnerabilities are weighted differently depending on how likely they are to be exploited and how serious the effects of exploitation would be.
Example: SQL injection is considered Critical because automated tools exist to exploit it without expertise, and an attacker can exfiltrate your entire database contents without any foreknowledge of your application or schema.
On the other hand, using an old, broken hashing algorithm like SHA-1 is weighted as Low. Although it's been known to exhibit serious weaknesses, practical exploitation requires the resources of a very skilled attacker and likely the backing of a large organization or nation state.
Custom Code Score = 100 - (Number of Criticals ∗ 20) - (Number of Highs ∗ 10) - (Number of Mediums ∗ 5) - (Number of Lows ∗ 1)
The bottom floor for the overall Contrast score is 35.
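The score arithmetic above, carried through in code as an added example (not Contrast's own implementation). The severity weights, the two bonuses, the averaging and the floor of 35 come from the page; the vulnerability counts are constructed inputs chosen to reproduce the page's 67 + 18 = 85 and 56 + 12 = 68 figures, and the round-half-up step is an assumption made so that 153 / 2 yields the page's 77.

```python
"""Worked Contrast score calculation (added example, not Contrast's code)."""
from dataclasses import dataclass

# Weights per severity from the Custom Code Score formula on this page.
SEVERITY_WEIGHTS = {"critical": 20, "high": 10, "medium": 5, "low": 1}
OVERALL_FLOOR = 35  # the page states the overall score never drops below 35


@dataclass(frozen=True)
class ScoreBreakdown:
    library_score: int
    custom_code_score: int
    overall: int


def base_custom_code_score(counts: dict) -> int:
    """100 minus the weighted vulnerability counts (page formula, unclamped)."""
    penalty = sum(SEVERITY_WEIGHTS[sev] * counts.get(sev, 0) for sev in SEVERITY_WEIGHTS)
    return 100 - penalty


def contrast_score(base_library: int, cve_shield_bonus: int,
                   counts: dict, protection_rule_bonus: int) -> ScoreBreakdown:
    """Combine the two sub-scores exactly as the page's worked example does."""
    library = base_library + cve_shield_bonus
    custom = base_custom_code_score(counts) + protection_rule_bonus
    # Average of the two sub-scores. Assumption: round half up, so that the
    # page's 153 / 2 comes out as 77 rather than 76. Then apply the floor.
    overall = max(OVERALL_FLOOR, (library + custom + 1) // 2)
    return ScoreBreakdown(library, custom, overall)


if __name__ == "__main__":
    # Constructed counts: 1 critical, 2 highs, 4 lows -> 100 - 44 = 56.
    result = contrast_score(67, 18, {"critical": 1, "high": 2, "low": 4}, 12)
    print(result)  # ScoreBreakdown(library_score=85, custom_code_score=68, overall=77)
```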
Contrast suggests the following strategies to improve your score.