The Contrast interface is an HTML5-based browser application built on AngularJS, and works well with the latest version of any modern browser. Contrast actively tests the interface with the following browsers and versions:
Opera and older versions of Firefox, IE, and Safari browsers may still operate well, but some features might not display as intended.
The Contrast interface is used for configuring Contrast agent deployments and triaging application weaknesses as we continuously monitor them. The UI provides a single view to analyze application vulnerabilities, discover vulnerable and out-of-date third-party libraries, and detect attacks. We also provide visibility into various environments to see how an application’s hidden risks are being handled through the development cycle.
To get the best experience out of Contrast, familiarize yourself with the components of the UI that will most often be used.
Here at Contrast, we work hard to engage and guide our users. Don’t hesitate to give us some suggestions!
The top navigation bar is persistent as you move through Contrast - giving easy access to core pieces at any time. There are two versions of the top navigation bar depending on your system role and access levels. Most users will interface with the organization view. Users with system administration capabilities will have the luxury of toggling between the organization view and system administration view.
| Item | Description |
| --- | --- |
| Organization Dashboard | Provides detailed insight for an organization’s portfolio. Get the big picture of all assets being managed, the health of applications, and overall status of findings. Return to this page at any time via the Contrast Security logo. |
| Applications | Searchable list of an organization’s applications. Perform various functions including application licensing, merging, tagging, archiving and restoring. Take a deep dive into any application for more information. |
| Servers | Searchable list of an organization’s servers. Perform various functions including server environment designation, enabling Assessment and/or Protection, settings, tagging and deleting. Take a deep dive into any server for more information. |
| Libraries | Searchable list of libraries being used by all the applications in an organization. Perform limited functions including tagging and taking a look at manifests. Also provides statistics for known vulnerabilities present in libraries and out-of-date libraries. |
| Vulnerabilities | Searchable list of vulnerabilities discovered by all the applications in an organization. Perform various functions including marking status, merging, sharing, tagging, exporting, and deleting. Take a deep dive into any vulnerability for more information and guidance for fixing it. |
| Attacks | Searchable list of attacks that are occurring or have occurred on all the applications in an organization. View attacks at the highest level or delve into the individual attack events. Perform various functions including blacklisting IPs, generating reports and creating exclusions or virtual patches. |
| Search | Search any asset in Contrast by name or vulnerability ID to quickly jump to details. |
| Add Application | Provides universal access to onboard an application at any time to begin monitoring. |
| Notifications | Provides real-time feedback when key events happen through this in-application notification channel. Get notified about new vulnerabilities, active attacks, or offline servers and be able to react immediately. |
| User Menu | Provides access to subsidiary pages of Contrast such as personal account information, Organization Settings, Policy Management (if permissions allow), Reports, Release Notes and Help. If part of multiple organizations, toggle between them here as well. |
If you have system administration capabilities, you will be able to switch from the organization view to the system administration view via the User menu. When doing so, the top navigation bar changes. This is only available on an Enterprise On-Premises (EOP) installation.
| Item | Description |
| --- | --- |
| Administrator Dashboard | Provides detailed insight across all organizations. A summary of assets and users being managed as well as a view into vulnerabilities and licensing. Return to this page at any time via the Contrast Security logo. |
| Organizations | Searchable list of all organizations. An administrator can manage organizations and perform various functions including locking, granting or revoking licenses, viewing a license summary, and enabling Protection features for any organization. |
| Applications | Searchable list of all applications (including archived) across all organizations. An administrator can modify licenses and edit application names. |
| Servers | Searchable list of all servers across all organizations. An administrator can view and edit server names. |
| Vulnerabilities | Searchable list of all vulnerabilities discovered along with their current status. Delve into any vulnerability for read-only information. |
| Users | Management of users. An administrator can search, add, edit, and delete users. |
| Groups | Management of system or organization access control groups. An administrator can search, add, edit, and delete groups from here. |
| Stats | Summary of Contrast performance metrics for the JVM, connected agents, and authenticated users. |
| Administrator Menu | Provides access to subsidiary administration pages of Contrast such as System Settings, Policy Management, and Help. |
Many pages within Contrast contain rows of data presented in table format. These tables have a built-in search mechanism to easily get to data of interest. Searches are performed on multiple columns and quickly display matched rows as you type. Coupled with the search field in many cases, Contrast provides quick views for immediate access to most frequently used filters.
Each table offers column sorting to alter the ordering of the data in exactly the way you want. In addition, tables offer actions that allow you to perform operations on individual rows or in bulk by selecting many rows. The goal? Get you to your data fast.
Advanced filtering is available on each main listing of assets and findings - Applications, Servers, Libraries, Vulnerabilities, and Attacks. Simply click the Advanced link next to the search field. Here you’ll find panels of various data sets that allow you to limit the result set and home in on the pieces that interest you.
For example, you could apply a filter to a list of Vulnerabilities to view only Cross-Site Scripting vulnerabilities that have a Critical severity and have yet to be remediated.
From any main page, you can drill into an asset or finding by clicking on its name within the table row. Contrast highlights metrics on the asset or finding for a quick snapshot of core data. Navigate the sub-pages to get more details on related pieces, view activity more closely, access review policy, or capture comments and collaborate with team members.
Welcome to Contrast! This is your guide to everything you need to know to get started in the interface. Start with onboarding your applications and then move on to environments, libraries and vulnerabilities – you’ll be up and running before you know it. As always, if you have any more questions, let the Contrast Support team know by emailing firstname.lastname@example.org.
Once you've logged onto Contrast, click the Add Applications button on the top right, which brings you to an agent download page. A wizard walks you through what needs to be done. What language is your application primarily in – Java, .NET or Node.js? If you're using Java, you'll notice that there are two options: Java and Java 1.5. The only difference is that Java includes the functionality to do automatic updates, which isn’t available in Java 1.5.
When you download an agent, the file should be called contrast.jar. This file needs to stay in its current form and shouldn’t be renamed. Once you download the contrast.jar file, regardless of your application server, Contrast needs to pass in -javaagent:/path/to/server/contrast.jar to your application server's JVM. Once complete, restart your application server.
For more information on adding an application, please read the article on Adding an Application.
The application server shows up right away in Contrast under the Servers tab. However, the application won’t appear in Contrast until you browse through it and generate some traffic. When an application first appears in Contrast, it’s listed as a trial application. As a trial application, the interesting information is blurred out under the application's Vulnerabilities tab. (Note that the same vulnerabilities appear on the Vulnerabilities page.)
To see all the information, these applications must be licensed. For more information on licensing your application, read the article on Licensing an Application.
Go to the Applications page to get detailed information, see findings, scores, manage licenses, settings and more. Read the Manage Applications article for more details.
In the Servers page, you can set the environment for each server to Development, QA or Production. Select your application in the grid to compare the differences across environments as code travels and track vulnerabilities in the Overview page. Contrast sets up a shell for you to designate servers; once that’s in place, Contrast can get busy finding weaknesses.
For more information, including screenshots, go to the Set Up Environments article.
Go to the Vulnerabilities tab in the application's Overview page to get a list of all vulnerabilities discovered. Then track, share and get remediation guidance for each one.
If a vulnerability is reported and Contrast has never seen it before, Contrast creates a new vulnerability. However, if that vulnerability already exists, Contrast updates the existing entry, issue count and number of days since it was last detected.
Example: This vulnerability was reported to Contrast five times for one server. Instead of showing up as five vulnerabilities, Contrast updates this entry and increments the count. As Contrast continues to see the same findings, the count goes up. If you dive into the Notes tab within this vulnerability, you notice a list of the servers on which this vulnerability was found.
Get your application secure by remediating vulnerabilities or enabling Protection rules. We provide you with a grade to show you how well your application is performing. Visit the Contrast Scoring Guide for more information.
Be aware of libraries that may be vulnerable and bring them up to date by going to the Libraries tab in the application's Overview page.
Contrast provides you with a grade for the library, known Common Vulnerabilities and Exposures (CVEs), latest version and release date, used and total classes in the library, and the application that's using the library. Contrast calculates this grade based on three things: the age of the library, how many versions behind the library is, and the number of known CVEs that affect the library.
For more information, read the article on Library Analysis.
Go to the Vulnerabilities page to view details on each one and get rid of weaknesses so your application isn't compromised. Read the Manage Vulnerabilities article to understand them even better.
Contrast discovers any code flaws, which are presented with a severity level to help you prioritize your tasks. For each reported vulnerability, you can mark a status and create tags as needed. The following chart shows available statuses and behaviors when a vulnerability is marked and found again.
| Status | When Marked | When Found Again |
| --- | --- | --- |
| Confirmed | Stays Open | No Change |
| Suspicious | Stays Open | No Change |
| Not a Problem | Closed - Requires Justification | Stays Closed |
| Remediated | Closed | Reopened as Reported |
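The de-duplication of repeated findings described earlier (one entry whose count and last-seen date are updated) and the re-detection behaviour in the chart above, modelled as an added Python example; this is not Contrast's code, and the (rule, location) identity key and the day-number clock are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# What a re-detection does to each user-assigned status, as documented in
# the chart above. "Reported" is the status of a newly created finding.
ON_REDETECT = {
    "Reported": "Reported",
    "Confirmed": "Confirmed",            # stays open, no change
    "Suspicious": "Suspicious",          # stays open, no change
    "Not a Problem": "Not a Problem",    # stays closed
    "Remediated": "Reported",            # reopened as Reported
}


@dataclass
class Vulnerability:
    key: Tuple[str, str]                 # (rule, location): assumed identity of a finding
    status: str = "Reported"
    count: int = 1
    servers: Set[str] = field(default_factory=set)
    last_seen: int = 0                   # constructed: day number of the last detection
    justification: Optional[str] = None

    def mark(self, status: str, justification: Optional[str] = None) -> None:
        """Apply a status from the chart; Not a Problem needs a justification."""
        if status not in ON_REDETECT:
            raise ValueError(f"unknown status: {status}")
        if status == "Not a Problem" and not justification:
            raise ValueError("Not a Problem requires a justification")
        self.status, self.justification = status, justification


class Tracker:
    # Same finding -> one entry; every re-detection updates it instead of
    # creating a duplicate, and the status follows ON_REDETECT.
    def __init__(self) -> None:
        self.vulns: Dict[Tuple[str, str], Vulnerability] = {}

    def report(self, rule: str, location: str, server: str, day: int) -> Vulnerability:
        key = (rule, location)
        vuln = self.vulns.get(key)
        if vuln is None:                 # never seen before: create it
            vuln = Vulnerability(key, servers={server}, last_seen=day)
            self.vulns[key] = vuln
        else:                            # seen before: update, don't duplicate
            vuln.count += 1
            vuln.servers.add(server)
            vuln.last_seen = day
            vuln.status = ON_REDETECT[vuln.status]
        return vuln
```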
What’s better than assigning a vulnerability to a user? Creating tags for each vulnerability. These tags can be names of users, groups or just about anything. They are very useful when trying to navigate through vulnerabilities. To create a tag, go to the application's Overview page and select the Vulnerabilities tab. The Tag Vulnerabilities option is grayed out until you select the vulnerability you want to tag.
Example: You create tagA and assign a few vulnerabilities with it. When you try to browse through your vulnerabilities and want to only look at ones with tagA, you can filter for just those.
These tags can be created for applications and servers as well. To learn more about filters, please read the Using Contrast Overview.
Go to the application's Overview page to generate reports of security issues that Contrast identifies while monitoring your application. To learn more, see the Vulnerability Trend report.
Contrast gives you the ability to send vulnerabilities to bug tracker integrations or by email to users who don't have access to Contrast. You can set up these and a bunch of other integrations - including Slack, HipChat or any generic WebHook integration - by selecting Organization Settings in the User menu and then Integrations in the sidebar. You can tell Contrast to notify you if any new high or critical vulnerabilities are found in your application.
For more information, read the article on Integrations.
Find information on solutions and techniques to resolve a vulnerability by delving into Contrast's overview of the issue, which explains why it was flagged. Contrast also provides a How To Fix section which gives steps on resolving the issue.
You fixed your vulnerability, but how can you verify that in Contrast? There are a few things you can do from the application page:
Replay the request: If the issue is remediated and marked accordingly, you can replay the HTTP request under the HTTP Info tab in the Vulnerabilities tab to see if the issue is fixed. If it isn't fixed, the issue reappears with a status of Reported.
Check build number: For each application, you can assign it a build version number. By adding the property -Dcontrast.override.appversion to the -javaagent command, you can use this as a filter and verify whether the issue still exists for this build version by clicking the Advanced link and the Build Number dropdown.
Check by time unit tests: You can also filter by the time at which your unit tests were run, and set a date range to view your vulnerabilities in the Set Date Range input field above the vulnerabilities grid.