Add Applications

Add an application to your organization by completing the following steps.

Download the Agent

You can access the Add Agent wizard from any page by clicking the button in the top navigation.

After choosing a language, you can customize your settings by checking the box for Custom Agent Profile before downloading the agent. Choose a name for your profile; check Use HTTP Proxy to configure HTTP Proxy settings, if desired. Once one or more custom profiles are created, you can select them from the dropdown or click Manage Profiles to copy, rename and delete saved profiles.

Configuration

Custom metadata

You may be asked to provide custom metadata for applications in certain organizations. All required fields are marked with an asterisk ( * ).

Use one of the following options to include the key:value pairs in your configuration file:

  • Select the option to Use preconfigured properties, and enter the appropriate information in the provided fields. Once you've completed the required fields, you can click the button to Download Config File.
  • Select the option to Create manually. Click the button to Copy the formatted properties - including the necessary values to connect to Contrast - to paste into your configuration file. You must then add the required property values for the application metadata.

Note: If you do not include required metadata values, the application may fail onboarding.

Once your applications are onboarded, the information you provided in these fields is displayed in the Applications grid and the application's Overview tab.

Access control groups

To determine users' access to an application, you can specify the access control group to which an application will belong before initial startup. Use the appropriate workflow for your language to set the group name in the agent configuration for your application.

When Contrast recognizes the group you named, it automatically associates the application with that group, and allows all group members to access the application with the role determined by the group. If a user specifies a group that doesn't exist or isn't set by an administrator to allow this function, Contrast ignores the group association but still onboards the application. You can then add the application to a group using the standard workflow.

For more details, read how to Create and Manage Access Groups.

Agent configurations

For Java, add the system property contrast.group to your startup command.

Example:

 -Dcontrast.group="Contrast Testing" -javaagent:/path/to/contrast.jar

For .NET, you can configure group access at the application or server level.

  • To add the individual application to the group, add the contrast.application.group or Contrast.AppGroup property to the appSettings group in the application's web.config file.

    Example:

    <appSettings>
     <add key="contrast.application.group" value="insertGroupNameHere" />
    </appSettings>
    
  • To add all applications on a server to a group, add application.group to the contrast_security.yaml file for the agent server.

    Example:

    application:
     group: insertGroupNameHere
    

For Node.js, you can choose from two configuration methods.

  • You can add "appGroup":"groupname" to the contrast_security.yaml file.

Example:

 contrast:
   url: https://app.contrastsecurity.com
   user_name: contrast_user
   api_key: demo
   service_key: demo
 application:
   group: insertGroupNameHere

  • You can also add --application.group "groupname" to command line arguments or the npm command in your package.json file.

Examples:

 node-contrast index.js --application.group "groupname"
 npm run contrast -- --application.group "groupname"

For Ruby, add the group field to the application section of the contrast_security.yaml file from Contrast.

Example configuration for the group Contrast Testing:

 application:
    group: Contrast Testing
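
Because Contrast still onboards an application whose group name it doesn't recognize, a misspelled or placeholder group goes unnoticed until someone checks access. The following pre-deployment check is an added example, not Contrast's own code: the list of known groups, the sample inputs and all function names are assumptions, and the YAML reader only handles the simple two-level layout shown above.

```python
import shlex

PLACEHOLDER = "insertGroupNameHere"  # placeholder value used in the page's examples

def group_from_yaml(text):
    """Return application.group from a simple two-level YAML mapping, else None."""
    section = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, _, value = stripped.partition(":")
        if not raw[0].isspace():
            section = key.strip()          # top-level key such as "application"
        elif section == "application" and key.strip() == "group":
            return value.strip().strip("'\"") or None
    return None

def group_from_java_args(command):
    """Return the value of -Dcontrast.group from a Java startup command, else None."""
    for arg in shlex.split(command):
        if arg.startswith("-Dcontrast.group="):
            return arg.split("=", 1)[1] or None
    return None

def check_group(group, known_groups):
    """Classify a configured group name before the application is started."""
    if not group:
        return "missing"
    if group == PLACEHOLDER:
        return "placeholder"
    if group not in known_groups:      # exact match; case handling is an assumption
        return "unknown"
    return "ok"

# Constructed sample inputs; the Java command contains a deliberate typo.
KNOWN_GROUPS = {"Contrast Testing", "Payments Team"}
SAMPLE_YAML = """\
contrast:
  url: https://app.contrastsecurity.com
application:
  group: Contrast Testing
"""
SAMPLE_JAVA = '-Dcontrast.group="Contrast Testng" -javaagent:/path/to/contrast.jar'

if __name__ == "__main__":
    for source, group in (("yaml", group_from_yaml(SAMPLE_YAML)),
                          ("java", group_from_java_args(SAMPLE_JAVA))):
        print(source, repr(group), check_group(group, KNOWN_GROUPS))
```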

Install on Your Server

Select your container to view the installation instructions for the specific language you selected. For more information, go to the Installation overview article.

Restart Your Server

Before you begin browsing an application, it's important to restart your server. The wizard includes this step to guarantee that you don't forget.

Browse Your Application

To confirm that your agent was correctly installed, Contrast displays reported information from the server. Once you see these updates, you can complete the wizard, and begin browsing directly from the Application Overview page.

Note: Each application in the same organization must have a unique name. If multiple applications have the same name, Contrast appends an incrementing number to each instance of the display name [e.g., App1, App1 (1), App1 (2)].

License Applications

How It Works

Once you bring an application online and it's reporting results, you can assign a license to the application. All applications in Contrast start with a temporary license by default. Without a license, you can't see vulnerability findings, application activity or how the application is being used in real time. You can't transfer licenses between applications that are active or archived.

To free a license from one application and assign it to another, you must reset and fully delete the licensed application. Once the application is deleted, the license returns to the organization pool.

Apply a License

You must be an OrgAdmin to assign a license to an individual application. To see unlicensed applications in your organization, look for the Unlicensed link beside the application name in the grid or the application's Overview page, or go to the Unlicensed quick view.

To apply a license, select the Unlicensed link beside the application name in the grid or the application's Overview page. In the dialog that appears, click the button to Apply License. Once completed, the application is no longer marked as "Unlicensed", and all findings are visible.

OrgAdmins and SuperAdmins can automatically apply licenses to new applications in the Organization Settings and System Settings pages, respectively. For more information about applying and managing licenses, read Manage Licenses.

Set Up Environments

The ability to compare differences across environments as code travels is a key piece of application security. Contrast provides constant visibility throughout the software development process from the moment code is written to when it’s pushed to production.

Go to the Servers page to set up environments. You can set the environment for each server to Development, QA or Production.

To see a side-by-side comparison of each environment for an application, select your application in the Applications page grid, and designate servers in the application Overview page. To designate new servers, click the links to Set Up Servers for each environment.

Once setup is finished, Contrast can get busy finding weaknesses, and you can identify and compare the security risks associated with each environment.

Route Coverage

About Route Coverage

Contrast observes the flow of data through routes in each of your applications. An application “route” is a combination of three distinct data points: the URL of the route, the HTTP verb associated with the request (e.g., GET or POST), and a unique signature based on that route's controller action. With Contrast's route coverage, you can see detailed information on the components of your application - such as which routes have been exercised versus which ones have not - and decide where to focus your testing efforts.

Hint: When you consistently exercise each route in your application, the Contrast agent can successfully Assess and Protect the surface layer of your application, and discover vulnerabilities.

Agent configuration

Contrast supports route coverage for the following frameworks:

  • Java: Jersey 2, Spring MVC 4, Struts 1, and Struts 2
  • .NET: ASP.NET MVC (versions 4 and 5), WebForms, WebAPI and WCF
  • .NET Core: ASP.NET Core MVC (versions 2.1, 2.2, 3.0 and 3.1) and ASP.NET Core Razor Pages (versions 2.1, 2.2, 3.0 and 3.1)
  • Node: Express, Hapi 17+, Koa and Kraken
  • Ruby: Rails and Sinatra
  • Python: Django, Pyramid and Flask

For supported frameworks, route coverage consists of two parts:

  • Discovered routes: the full list of routes that Contrast has detected in an application
  • Observed routes: the routes in which Contrast has detected traffic

While coverage is enabled automatically for most Contrast agents, you must use the following property to specify the application name when deploying the Java agent: -Dcontrast.agent.java.standalone_app_name=<example_name>. If you don't include this property, the Java agent will only observe - but not discover - routes in your application.

Note: The Java and Node agents only report coverage information for the specifically instrumented frameworks listed above. For unsupported frameworks, neither agent displays any routes.

View Route Details

To see Contrast findings in the UI, select an application from the Applications grid. In your application's Overview tab, view the number of Routes Exercised compared to the number of total routes in your application. Click on the figure or select the Route Coverage tab to view details for each route that Contrast has identified in the application.

Each layer of the chart represents routes that have been discovered by Contrast (but never exercised with the agent), exercised with the Contrast agent, and exercised and found to be vulnerable. Click on each layer to see how Contrast's findings have been updated each day.

View details on each route - including the servers on which it exists and the number of vulnerabilities found - in the Route grid. Click on the route signature to view the HTTP verb and URL, or click on the name of a server to go to the server's Overview page. Click on the vulnerability count in a grid row to view more information about each vulnerability in the application's Vulnerabilities page. (The number of critical vulnerabilities is noted with a red warning mark.)

Use the dropdown menu to filter routes, or the search field to find specific routes in the grid. The date range (calendar) filter simultaneously updates your view in the grid and the chart. Users with administrator-level permissions can also click the reset icon to remove all routes listed in the grid.

Export route details

To view and share route details outside of the Contrast UI, use the download icon above the grid to Export Routes to CSV. The spreadsheet includes a list of the application's routes, details about the server on which they were found and when the routes were last exercised as well as a list of vulnerabilities, the severity and status of each, and details about when the vulnerabilities were detected.

Flow Map

The application flow map provides an interactive view of where data and resources are shared within your organization and beyond it.

How It Works

Every time you exercise an application, the Contrast UI uses data reported from your Contrast agent to create a detailed diagram of your application, the layers of technologies within it and the back-end systems to which it connects. As more applications are exercised within your organization and their back-end systems are identified by the agent, Contrast also identifies which applications are connected to the application you're currently viewing by shared back-end systems.

The diagram in each application's Flow Map tab organizes information into three connected sections: Application Architecture, Back-End Systems and Connected Applications. By viewing all of the connections to your application, you can see the entire landscape of systems and resources that are associated with the application. By focusing on connections between individual systems and applications, you can also determine if users and connected applications in your organization have appropriate access to the current application and sensitive data potentially associated with it.

The agent performs application matching through string credentials. Other instrumented applications that share common string credentials - e.g., REST endpoints, database connection, or other unique host and port combinations - are displayed as connected applications. If the agent isn't currently reporting data for the current application, the Back-End Systems and Connected Applications sections are left blank.

Application Architecture

The Application Architecture section breaks down the view, presentation and service layers of the application's front end. You can also see foundational information about the application, including the environments in which it's deployed, letter grade, vulnerability statuses and attack status.

Layers

The View column displays the layer of technologies that determine what a browser sees and processes. The Presentation column displays the layer of libraries that generates the application view. The Service column displays the layer comprised of the database, LDAP driver or back-end code performing the application logic.

Hover on an item in any of the lists to see how many instances of each type of library are used in the application, or click on the library to go to the library's page in the UI. If the agent reports any vulnerabilities, a warning icon appears beside the library in which they were found; hover over the icon for links to the vulnerabilities' Overview pages.

Browsers

If the application is being accessed by another user while you're viewing the flow map, the Browser tab appears with a list of the browsers on which it's being accessed. Hover over the icons to see more details, such as the browser type and version.

Back-End Systems

The Back-End Systems column displays each of the systems to which your application is connected. Hover on the cylinder icon for databases, the globe icon for URLs, or the plug icon for LDAP databases to see more details on each system; click on an icon to highlight its connection to other applications. A solid line with a lock indicates that the connection is encrypted; a dashed line shows that the connection is unencrypted or the state of encryption is unknown.

Connected Applications

The Connected Applications column lists each of the applications that are connected to the primary application by a back-end system. To see connected applications that meet specific criteria, click the funnel icon to select filters from the dropdown menu, such as environment, application language and custom tags. The menu also shows session metadata fields for the primary application (not the connected applications), if available. Click the See Flowmap link to go to the Flow Map tab for that application.

Note: If a user isn't part of the necessary access group to view details for a connected application, the affected application is omitted from their view in the column.

Keep Track of Libraries

Contrast uses third-party, open-source library assessment to identify which libraries are used, the depth of their usage and the number of vulnerabilities that exist in them, including previously unidentified Common Vulnerabilities and Exposures (CVEs). This assessment makes you aware of libraries that may be vulnerable and impact the security of your application.

Go to the Libraries tab from the application's Overview page to see a list of all libraries being used within that application. You can also go to the main Libraries page to see an overview of all libraries across your portfolio and manage them in bulk.

Contrast provides you with a grade for:

  • the library
  • known CVEs
  • the latest version and release date
  • used and total classes in the library
  • the application that's using the library

Contrast calculates this grade based on three things:

  • age of the library
  • number of versions that postdate the library
  • number of known CVEs that affect the library

For more information, read about library analysis and management.

Scoring Guide

Contrast gives letter grades to your applications so that you can gauge their general performance. The grade represents an aggregate score based on the amount of the application that's been exercised as well as the amount and seriousness of the vulnerabilities that have been detected during the analysis process.

Overall Score

The score shown below is the result of running Contrast on the WebGoat application, a purposefully vulnerable application maintained by OWASP.



The overall application score is the average of your application's Library Score and Custom Code Score. In this example, the Library Score is 85 and the Custom Code Score is 68. Therefore, the overall Contrast Score is 77. Scores are calculated as shown below.

Library Score
(Base Library Score) + (bonus for active CVE shields) = (final Library Score)
67+18 = 85

Custom Code Score
(Base Custom Code Score) + (bonus for active Protection Rules) = (final Custom Code Score)
56+12 = 68

Overall Score
85+68 = 153
153/2 = 77

The darker portion of the Library Score bar illustrates improvement attributed to active CVE Shield defenses deployed in the Production server environment. In the Custom Code Score bar, it shows improvement from active Protection Rules deployed in the Production server environment.

Library Score

The base Library Score is derived from the security on which your application sits (i.e., the frameworks and libraries that make up your application). Security factors include language, existence of known CVEs and the age of the libraries used.

Custom Code Score

The base Custom Code Score is the security of the application that you've written. The score starts at 100; the number and severity of the vulnerabilities present in your application drive this score down.

Vulnerabilities are weighted differently depending on how likely they are to be exploited and how serious the effects of exploitation would be.

Example: An SQL injection is considered Critical because automated tools exist to exploit it without expertise, and an attacker can exfiltrate your entire database contents without any foreknowledge of your application or schema.

On the other hand, using an old, broken hashing algorithm like SHA-1 is weighted as Low. Although it's been known to exhibit serious weaknesses, practical exploitation requires the resources of a very skilled attacker and likely the backing of a large organization or nation state.

Custom Code Score = 100 - (Number of Criticals ∗ 20) - (Number of Highs ∗ 10) - (Number of Mediums ∗ 5) - (Number of Lows ∗ 1)

Score to Grade Mapping

The bottom floor for the overall Contrast score is 35.
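
The score calculation described above, carried through in code as an added example (not Contrast's implementation). It assumes that the Protection Rules bonus equals the penalty of the findings that active rules cover, that halves round up (inferred from 153/2 = 77), and that the floor of 35 applies only to the overall score; the findings list is constructed to reproduce the WebGoat figures.

```python
import math

WEIGHTS = {"critical": 20, "high": 10, "medium": 5, "low": 1}  # from the page's formula
SCORE_FLOOR = 35  # floor for the overall score, as stated on the page

def custom_code_score(findings, count_protected=True):
    """Return 100 minus the severity weight of each counted finding.

    findings is a list of (severity, protected) tuples; with
    count_protected=False, findings covered by a Protection Rule are skipped.
    """
    penalty = sum(WEIGHTS[severity] for severity, protected in findings
                  if count_protected or not protected)
    return 100 - penalty

def protection_bonus(findings):
    """Bonus = final score (protected findings removed) minus base score."""
    return custom_code_score(findings, False) - custom_code_score(findings, True)

def overall_score(library_score, custom_score):
    """Average the two scores, round halves up, then apply the floor."""
    rounded = math.floor((library_score + custom_score) / 2 + 0.5)
    return max(SCORE_FLOOR, rounded)

# Constructed findings: (severity, covered by an active Protection Rule?)
FINDINGS = [
    ("critical", False),
    ("high", True),
    ("medium", False), ("medium", False),
    ("low", True), ("low", True), ("low", False), ("low", False),
]

if __name__ == "__main__":
    base = custom_code_score(FINDINGS)            # all findings counted
    final = custom_code_score(FINDINGS, False)    # protected findings removed
    print("base", base, "bonus", protection_bonus(FINDINGS), "final", final)
    print("overall", overall_score(85, final))    # 85 is the page's Library Score
```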

Score Improvement

Contrast suggests the following strategies to improve your score.

  • Enable Protection Rules and CVE Shields to remove protected vulnerabilities from the score calculation.
  • Remediate critical and high vulnerabilities in your custom code.
  • Address the vulnerable libraries.
  • Update out-of-date libraries.

Application Policy