Add Applications

Add an application to your organization by completing the following steps.

Step 1: Download the agent

You can access the Add Agent wizard from any page by clicking the button in the top navigation.

After choosing a language, you can customize your settings by checking the box for Custom Agent Profile before downloading the agent. Choose a name for your profile; check Use HTTP Proxy to configure HTTP Proxy settings, if desired. Once one or more custom profiles are created, you can select them from the dropdown or click Manage Profiles to copy, rename and delete saved profiles.

Step 2: Install on your server

Select your container to view the installation instructions for the specific language and container you selected. For more information, go to the Installation overview article.

Choose an access control group

To determine users' access to an application, you can specify the access control group to which an application will belong before initial startup. Use the appropriate workflow for your language to set the group name in the agent configuration for your application.

When Contrast recognizes the group you named, it automatically associates the application with that group, and allows all group members to access the application with the role determined by the group. If you specify a group that doesn't exist, or one that an Admin hasn't enabled for this function, Contrast ignores the group association but still onboards the application. Because the association is simply ignored rather than reported as an error, confirm the application's group membership after its first startup; you can then add the application to a group using the standard workflow.

For more details, read how to Create and Manage Access Groups.

Agent configurations

For Java, add the contrast.group system property to your startup command.

Example:

 -Dcontrast.group="Contrast Testing" -javaagent:/path/to/contrast.jar

For .NET, you can configure group access at the application or server level.

  • To add an individual application to the group, add the Contrast.AppGroup property to the appSettings section of the application's web.config file.
  • To add all applications on a server to a group, add Contrast.AppGroup to the DotnetAgentService.exe.config file of the agent service on that server.

For Node.js, you can choose from two configuration methods.

  • Set the group field in the application section of the contrast_security.yaml file.

Example (the api_key and service_key values are placeholders; use your organization's own credentials and keep them out of source control):

 contrast:
   url: https://app.contrastsecurity.com
   user_name: contrast_user
   api_key: demo
   service_key: demo
 application:
   group: insertGroupNameHere

  • Pass --application.group "groupname" as a command line argument, or add it to the npm command in your package.json file.

Examples:

 node-contrast index.js --application.group "groupname"
 npm run contrast -- --application.group "groupname"

For Ruby, add the group field to the application section of the contrast_security.yaml file.

Example configuration for the group Contrast Testing:

 application:
   group: Contrast Testing

Step 3: Restart your server

Before you begin browsing an application, restart your server: the agent is loaded when the application process starts, so an application that is already running is not instrumented until it has been restarted. The wizard includes this step so that you don't forget.

Step 4: Browse your application

To confirm that your agent was correctly installed, Contrast displays reported information from the server. Once you see these updates, you can complete the wizard, and begin browsing directly from the Application Overview page.

Note: Each application in the same organization must have a unique name. If multiple applications report the same name, Contrast appends an incrementing suffix to the display name (e.g., App1, App1 (1), App1 (2)).

License Applications

How It Works

Once you bring an application online, and it's reporting results, you can assign a license to the application. Without a license, vulnerability findings, application activity and visibility of how the application is being used in real time aren't available. All applications in Contrast start with a temporary license by default. You can't transfer licenses between applications that are active or archived. To free a license from one application and assign it to another, you must reset and fully delete the licensed application. Once the application is deleted, the license returns to the organization pool.

Apply a License

You must be an Organization Admin to assign a license to an individual application. Complete the following steps to enable a license from the Applications page or an application's Overview tab.

  • Identify the application to license in the Applications page grid.
  • In the dropdown menu, select Apply License.
    You can also click the Unlicensed link beside the application name in the grid or the application's Overview tab, and then click the button to Apply License in the dialog that appears.

Once the license is applied, the application is no longer marked as "Unlicensed", and all findings are visible.

Organization and Super Admins can automatically apply licenses to new applications in the Organization Settings and System Settings pages, respectively. For more information about applying and managing licenses, read Manage Licenses.

Set Up Environments

The ability to compare differences across environments as code travels is a key piece of application security. Contrast provides constant visibility throughout the software development process from the moment code is written to when it’s pushed to production.

Go to the Servers page to set up environments. You can set the environment for each server to Development, QA or Production.

To see a side-by-side comparison of each environment for an application, select your application in the Applications page grid, and designate servers in the application Overview page. To designate new servers, click the links to Set Up Servers for each environment.

Once setup is finished, Contrast begins finding weaknesses, and you can identify and compare the security risks associated with each environment.

View Vulnerabilities

Go to the Vulnerabilities tab from the application's Overview page to see a list of all vulnerabilities found in that application. Contrast shows you all the vulnerabilities it's discovered including SQL Injection, Cross-Site Scripting (XSS), Command Injection, Path Traversal, XML External Entity Processing (XXE), Cross-Site Request Forgery (CSRF), Java Deserialization and many more. View and manage basic information in the vulnerabilities grid; or, click on a vulnerability for more details, including the type of vulnerability, guidance on how to fix it, line of code and the ability to replay the attack.

Note: For Contrast to find weaknesses and present findings, you must exercise your application. You can then track, share and receive remediation guidance for each vulnerability that Contrast reports.

More Information

For more information on analyzing, managing and exporting reports on vulnerabilities, read the following articles:

Route Coverage

About Route Coverage

Contrast observes the flow of data through routes in each of your applications. An application "route" is the combination of three data points: the URL of the route, the HTTP verb of the request (e.g., GET or POST), and a unique signature based on that route's controller action. With Contrast's route coverage, you can see detailed information on the components of your application, such as which routes have been exercised and which have not, and decide where to focus your testing efforts.

Hint: When you consistently exercise each route in your application, the Contrast agent can successfully Assess and Protect the surface layer of your application, and discover vulnerabilities.

Agent configuration

Contrast supports route coverage for the following frameworks:

  • Java: Jersey 2.26+ and Spring MVC 4.x
  • .NET: ASP.NET MVC (versions 4 and 5), WebForms, WebAPI and WCF
  • Node: Express
  • Ruby: Rails and Sinatra
  • Python: Django, Pyramid and Flask

For supported frameworks, route coverage consists of two parts:

  • Discovered routes: the full list of routes that Contrast has detected in an application
  • Observed routes: the routes in which Contrast has detected traffic

While coverage is enabled automatically for most Contrast agents, you must use the following property to specify the application name when deploying the Java agent: -Dcontrast.standalone.appname=<example_name>. If you don't include this property, the Java agent may only observe - but not discover - routes in your application.

Note: The Java and Node agents only report coverage information for the specifically instrumented frameworks listed above. For unsupported frameworks, neither agent displays any routes.
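To make the route definition and the discovered/observed split concrete, here is an added example; it is not Contrast code and does not claim to show how the agent tracks routes internally. It takes a constructed route table of (verb, URL pattern, controller signature) triples, replays constructed access-log lines against it, and sorts each route into the three categories the Route Coverage chart shows. The log format, the route table, the findings map and the {name} path-parameter convention are all assumptions made for this example.

```python
"""Route coverage bookkeeping: added example, not Contrast agent code.

A route is (HTTP verb, URL pattern, controller signature).  Discovered routes
are the framework's route table; observed routes are the ones that received
traffic.  All data below is constructed for the example.
"""
from collections import namedtuple

Route = namedtuple("Route", "verb url signature")

# Constructed route table, as a framework might expose it at startup
DISCOVERED = [
    Route("GET", "/users/{id}", "UserController.show(long)"),
    Route("POST", "/users", "UserController.create(UserForm)"),
    Route("GET", "/admin/export", "AdminController.export()"),
    Route("POST", "/login", "AuthController.login(Credentials)"),
]

# Constructed access-log lines in an assumed "<verb> <path> <status>" format
ACCESS_LOG = """\
GET /users/42 200
GET /users/7 200
POST /login 302
GET /healthz 200
"""

# Constructed finding counts keyed by route signature
FINDINGS = {"UserController.show(long)": 2}


def route_matches(pattern, path):
    """True when a request path fits a URL pattern; {name} matches one segment."""
    pattern_parts = pattern.strip("/").split("/")
    path_parts = path.strip("/").split("/")
    if len(pattern_parts) != len(path_parts):
        return False
    for wanted, got in zip(pattern_parts, path_parts):
        is_param = wanted.startswith("{") and wanted.endswith("}")
        if not is_param and wanted != got:
            return False
    return True


def match_route(verb, path, discovered):
    """Return the discovered route a request maps to, or None."""
    for route in discovered:
        if route.verb == verb and route_matches(route.url, path):
            return route
    return None


def parse_log(text):
    """Yield (verb, path, status) from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            verb, path, status = line.split()
            yield verb, path, int(status)


def signatures(routes):
    return sorted(route.signature for route in routes)


def coverage(discovered, log_text, findings):
    """Split routes into never-exercised, exercised-clean and exercised-vulnerable
    (the three layers of the Route Coverage chart), plus traffic that hit no
    discovered route (static files, or a framework the agent does not instrument)."""
    observed = set()
    unmatched = []
    for verb, path, _status in parse_log(log_text):
        route = match_route(verb, path, discovered)
        if route is None:
            unmatched.append((verb, path))
        else:
            observed.add(route)
    return {
        "discovered": len(discovered),
        "exercised": len(observed),
        # Assess only reports on code it has seen run, so these are blind spots
        "never_exercised": signatures(r for r in discovered if r not in observed),
        "exercised_clean": signatures(r for r in observed if not findings.get(r.signature)),
        "exercised_vulnerable": signatures(r for r in observed if findings.get(r.signature)),
        "unmatched_traffic": unmatched,
    }


if __name__ == "__main__":
    for key, value in coverage(DISCOVERED, ACCESS_LOG, FINDINGS).items():
        print(f"{key}: {value}")
```

Run as-is, the report lists /admin/export and POST /users as never exercised: those are the routes on which Assess cannot have found anything yet, which is exactly the testing gap the hint above is about. The unmatched /healthz request shows what traffic to an uninstrumented path looks like; the agent reports no route for it, just as the note on unsupported frameworks describes.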

View Route Details

To see Contrast findings in the UI, select an application from the Applications grid. In your application's Overview tab, view the number of Routes Exercised compared to the number of total routes in your application. Click on the figure or select the Route Coverage tab to view details for each route that Contrast has identified in the application.

Each layer of the chart represents routes that have been discovered by Contrast (but never exercised with the agent), exercised with the Contrast agent, and exercised and found to be vulnerable. Click on each layer to see how Contrast's findings have been updated each day.

View details on each route - including the servers on which it exists and the number of vulnerabilities found - in the Route grid. Click on the route signature to view the HTTP verb and URL, or click on the name of a server to go to the server's Overview page. Click on the vulnerability count in a grid row to view more information about each vulnerability in the application's Vulnerabilities page. (The number of critical vulnerabilities is noted with a red warning mark.)

Use the dropdown menu to filter routes, or the search field to find specific routes in the grid. The date range (calendar) filter simultaneously updates your view in the grid and the chart. Users with administrator-level permissions can also click the reset icon to remove all routes listed in the grid.

Keep Track of Libraries

Contrast assesses the third-party, open-source libraries in your application to identify which libraries are used, how deeply they are used, and the number of known Common Vulnerabilities and Exposures (CVEs) that affect them. This assessment makes you aware of libraries that may be vulnerable and affect the security of your application.

Go to the Libraries tab from the application's Overview page to see a list of all libraries being used within that application. You can also go to the main Libraries page to see an overview of all libraries across your portfolio and manage them in bulk.

For each library, the Libraries grid shows:

  • a letter grade for the library
  • known CVEs
  • the latest version and release date
  • used and total classes in the library
  • the application that's using the library

Contrast calculates this grade based on three things:

  • age of the library
  • number of versions that postdate the library
  • number of known CVEs that affect the library

For more information, read about library analysis and management.

Scoring Guide

Contrast gives letter grades to your applications so that you can gauge their general performance. The grade represents an aggregate score based on the amount of the application that's been exercised as well as the amount and seriousness of the vulnerabilities that have been detected during the analysis process.

Overall Score

The score shown below is the result of running Contrast on the WebGoat application, a purposely vulnerable application maintained by OWASP.

The overall application score is the average of your application's Library Score and Custom Code Score. In this example, the Library Score is 85 and the Custom Code Score is 68, so the overall Contrast Score is 77 (the average, 76.5, rounded up). Scores are calculated as shown below.

Library Score
(Base Library Score) + (bonus for active CVE Shields) = (final Library Score)
67 + 18 = 85

Custom Code Score
(Base Custom Code Score) + (bonus for active Protection Rules) = (final Custom Code Score)
56 + 12 = 68

Overall Score
(final Library Score + final Custom Code Score) / 2 = (overall Contrast Score)
(85 + 68) / 2 = 153 / 2 = 76.5, rounded to 77

The darker portion of the Library Score bar illustrates improvement attributed to active CVE Shield defenses deployed in the Production server environment. In the Custom Code Score bar, it shows improvement from active Protection Rules deployed in the Production server environment.

Library Score

The base Library Score is derived from the security of the foundation your application sits on, i.e., the frameworks and libraries that make up your application. Factors include the language, the existence of known CVEs, and the age of the libraries used.

Custom Code Score

The base Custom Code Score is the security of the application that you've written. The score starts at 100; the number and severity of the vulnerabilities present in your application drive this score down.

Vulnerabilities are weighted differently depending on how likely they are to be exploited and how serious the effects of exploitation would be.

Example: A SQL injection vulnerability is rated Critical because automated tools can exploit it without any expertise, and an attacker can exfiltrate your entire database without prior knowledge of your application or its schema.

By contrast, use of an old, broken hashing algorithm such as SHA-1 is weighted Low. Although practical collision attacks against SHA-1 have been publicly demonstrated, turning that weakness into an exploit of a specific application still requires a very skilled attacker with substantial computing resources, so the finding is far less likely to be exploited than an injection flaw.

Custom Code Score = 100 - (Number of Criticals ∗ 20) - (Number of Highs ∗ 10) - (Number of Mediums ∗ 5) - (Number of Lows ∗ 1)

Score to Grade Mapping

The bottom floor for the overall Contrast score is 35.
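The following is an added worked example of the score arithmetic above; it is not Contrast's scoring code. The base Library Score and the two bonuses are taken as inputs, as the page presents them; the Custom Code deduction formula, the averaging, the half-up rounding implied by 153/2 becoming 77, and the floor of 35 follow the text, and skipping findings covered by an active Protection Rule follows the Score Improvement note that protected vulnerabilities drop out of the calculation. The finding list is constructed so that it reproduces the WebGoat figures.

```python
"""Contrast Score arithmetic from the Scoring Guide: added example, not Contrast code.

Base Library Score and the two bonuses are inputs, as on the page.  Sample data
is constructed to reproduce the WebGoat figures (base 67 + 18 = 85, 56 + 12 = 68).
"""
import math

# Deduction per open vulnerability, by severity (from the Custom Code Score formula)
WEIGHTS = {"critical": 20, "high": 10, "medium": 5, "low": 1}
OVERALL_FLOOR = 35


def custom_code_score(findings):
    """findings: iterable of (severity, protected_by_rule) tuples.

    Returns the base Custom Code Score.  The formula itself is not clamped;
    only the overall score has a floor."""
    score = 100
    for severity, protected in findings:
        if protected:
            continue  # an active Protection Rule removes it from the calculation
        score -= WEIGHTS[severity.lower()]
    return score


def library_score(base, cve_shield_bonus):
    """Base Library Score plus the bonus for active CVE Shields."""
    return base + cve_shield_bonus


def overall_score(final_library, final_custom):
    """Average of the two final scores, rounded half up, never below the floor."""
    average = (final_library + final_custom) / 2
    rounded = math.floor(average + 0.5)  # 76.5 -> 77, as in the worked example
    return max(OVERALL_FLOOR, rounded)


def score_report(findings, base_library, cve_shield_bonus, protection_rule_bonus):
    final_custom = custom_code_score(findings) + protection_rule_bonus
    final_library = library_score(base_library, cve_shield_bonus)
    return {
        "library": final_library,
        "custom_code": final_custom,
        "overall": overall_score(final_library, final_custom),
    }


# Constructed WebGoat-like findings: 1 critical + 2 highs + 4 lows = 44 off 100 -> 56.
# The protected critical is excluded from the deduction.
WEBGOAT_FINDINGS = [
    ("critical", False),
    ("high", False), ("high", False),
    ("low", False), ("low", False), ("low", False), ("low", False),
    ("critical", True),
]

if __name__ == "__main__":
    print(score_report(WEBGOAT_FINDINGS, base_library=67,
                       cve_shield_bonus=18, protection_rule_bonus=12))
```

Two details worth noticing when reading the numbers: Python's built-in round() uses banker's rounding and would turn 76.5 into 76, so the example rounds half up explicitly; and the deduction formula can drive the Custom Code Score below zero with enough Criticals, which is why the 35 floor is applied to the overall score rather than to either component.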

Score Improvement

Contrast suggests the following strategies to improve your score.

  • Enable Protection Rules and CVE Shields to remove protected vulnerabilities from the score calculation.
  • Remediate critical and high vulnerabilities in your custom code.
  • Address the vulnerable libraries.
  • Update out-of-date libraries.
