Supported Browsers

The Contrast interface is an HTML5 browser application built on AngularJS, and works well with the latest version of any modern browser. Contrast actively tests the interface with the following browsers and versions:

  • IE 11+
    (After December 2017, Contrast no longer supports IE 10.)
  • Safari 8+
  • Chrome 40+
  • Firefox 37+

Opera and older versions of Firefox, IE, and Safari browsers may still operate well, but some features might not display as intended.

Navigation

The Contrast interface is used for configuring Contrast agent deployments and triaging application weaknesses as we continuously monitor them. The UI provides a single view to analyze application vulnerabilities, discover vulnerable and out-of-date third-party libraries, and detect attacks. We also provide visibility into various environments to see how an application’s hidden risks are being handled through the development cycle.

To get the best experience out of Contrast, familiarize yourself with the components of the UI that you'll use most often.

Here at Contrast, we work hard to engage and guide our users. Don’t hesitate to give us some suggestions!

Navigation

The top navigation bar is persistent as you move through Contrast, giving easy access to the core pages at any time. There are two versions of the top navigation bar, depending on your system role and access level. Most users work in the organization view. Users with system administration capabilities can toggle between the organization view and the system administration view.

Organization view

Component | Description
Organization Dashboard | Provides detailed insight for an organization's portfolio. Get the big picture of all assets being managed, the health of applications, and the overall status of findings. Return to this page at any time via the Contrast Security logo.
Applications | Searchable list of an organization's applications. Perform various functions including application licensing, merging, tagging, archiving and restoring. Take a deep dive into any application for more information.
Servers | Searchable list of an organization's servers. Perform various functions including server environment designation, enabling Assessment and/or Protection, settings, tagging and deleting. Take a deep dive into any server for more information.
Libraries | Searchable list of libraries used by all the applications in an organization. Perform limited functions including tagging and viewing manifests. Also provides statistics for known vulnerabilities present in libraries and for out-of-date libraries.
Vulnerabilities | Searchable list of vulnerabilities discovered across all the applications in an organization. Perform various functions including marking status, merging, sharing, tagging, exporting, and deleting. Take a deep dive into any vulnerability for more information and guidance on fixing it.
Attacks | Searchable list of attacks that are occurring or have occurred against all the applications in an organization. View attacks at the highest level or delve into the individual attack events. Perform various functions including blacklisting IPs, generating reports and creating exclusions or virtual patches.
Search | Search any asset in Contrast by name or vulnerability ID to jump quickly to its details.
Add Agent | Download an agent to begin monitoring your applications.
Notifications | Provides real-time feedback when key events happen, through this in-application notification channel. Get notified about new vulnerabilities, active attacks, or offline servers, and react immediately.
User Menu | Provides access to subsidiary pages of Contrast such as personal account information, Organization Settings, Policy Management (if permissions allow), Reports, Release Notes and Help. If you belong to multiple organizations, toggle between them here as well.

System Administration view

If you have system administration capabilities, you will be able to switch from the organization view to the system administration view in the user menu. When doing so, the top navigation bar changes. This is only available on an Enterprise-on-Premises (EOP) installation.

Administration Page | Description
Administrator Dashboard | Provides detailed insight across all organizations: a summary of assets and users being managed, as well as a view into vulnerabilities and licensing. Return to this page at any time via the Contrast Security logo.
Organizations | Searchable list of all organizations. An administrator can manage organizations and perform various functions including locking, granting or revoking licenses, viewing a license summary, and enabling Protection features for any organization.
Applications | Searchable list of all applications (including archived) across all organizations. An administrator can modify licenses and edit application names.
Servers | Searchable list of all servers across all organizations. An administrator can view and edit server names.
Vulnerabilities | Searchable list of all vulnerabilities discovered, along with their current status. Delve into any vulnerability for read-only information.
Users | Management of users. An administrator can search, add, edit, and delete users.
Groups | Management of system or organization access control groups. An administrator can search, add, edit, and delete groups from here.
Stats | Summary of Contrast performance metrics for the JVM, connected agents, and authenticated users.
Administrator Menu | Provides access to subsidiary administration pages of Contrast such as System Settings, Policy Management, and Help.

Grid Actions

Contrast displays primary assets and findings - applications, servers, libraries, vulnerabilities and attacks - in table format with rows of data. Use the search field to quickly find the data you need. You can also use the quick views to refine data by the most frequently used categories.

In each grid, complete actions to manage your organization - such as merging applications or sending a vulnerability to your bugtracker - for individual or multiple items. For individual items, hover over the grid row, and select the appropriate icon for each action. For multiple items, use the check marks to select each row, and use the icons in the bottom action bar to complete each action.

Sorting and filtering

Sort and filter data in the grids to adjust your focus. Use the dropdown menu above the grids to select a quick view of findings in certain categories, such as licensed applications or open vulnerabilities. You can also use the filters in the grid columns to find specific sets of findings, such as servers with the same tags. The Sort menu above the right corner of the grid lets you sort all findings in your current view by certain variables, such as application name (alphabetically), in ascending or descending order.

The Details

From any main page, you can drill into an asset or finding's details by clicking on its name within the table row. Contrast highlights metrics on the asset or finding for a quick snapshot of core data. Use the tabs in each details page to find more details on related pieces, view activity more closely, access review policy, or capture comments and collaborate with team members.

Introduction

Welcome to Contrast! This is your guide to everything you need to know to get started in the interface. Start with onboarding your applications and then move on to environments, libraries and vulnerabilities – you’ll be up and running before you know it. As always, if you have any more questions, let the Contrast Support team know by emailing support@contrastsecurity.com.

Onboard Your Application

Once you've logged onto Contrast, click the Add Agent button on the top right, which brings you to an agent download page. A wizard walks you through each step of the process.

For more information on adding an application, read Add Applications.

Use the Application

The application server shows up right away in Contrast under the Servers tab. However, the application won’t appear in Contrast until you browse through it and generate some traffic. When an application first appears in Contrast, it’s listed as a trial application. As a trial application, the interesting information is blurred out under the application's Vulnerabilities tab. (Note that the same vulnerabilities appear on the Vulnerabilities page.)

To see all the information, these applications must be licensed. For more information on licensing your application, read the article on License Applications.

Manage Applications

Go to the Applications page to see findings, scores, manage licenses, settings and more. Read the Manage Applications article for more details.

Improve Your Application Score

Get your application secure by remediating vulnerabilities or enabling Protect rules. We provide you with a grade to show you how well your application is performing. Visit the Contrast Scoring Guide for more information.

Track Libraries

Be aware of libraries that may be vulnerable and bring them up to date by going to the Libraries tab in the application's overview page.

Contrast provides you with a grade for the library, known Common Vulnerabilities and Exposures (CVEs), latest version and release date, used and total classes in the library, and the application that's using the library. Contrast calculates this grade based on three things: the age of the library, how many versions behind the library is, and the number of known CVEs that affect the library.

For more information, read Library Analysis.

Set Up Environments

In the Servers page, you can set the environment for each server to Development, QA or Production. Select your application in the grid to compare findings across environments as code moves between them, and track vulnerabilities on the Overview page. Designating each server's environment is the scaffolding; once it is in place, Contrast can get to work finding weaknesses.

For more information, go to Set Up Environments.

Reports

Go to the application's Overview page to generate reports of security issues that Contrast identifies while monitoring your application. To learn more, see the Vulnerability Trend report.

Discover Vulnerabilities

Go to the Vulnerabilities tab in the application's Overview page to get a list of all vulnerabilities discovered. Then track, share and get remediation guidance for each one.

How vulnerabilities work

If a vulnerability is reported and Contrast has never seen it before, Contrast creates a new vulnerability. If that vulnerability already exists, Contrast instead updates the existing entry: its issue count and the number of days since it was last detected.

Example: suppose the same vulnerability is reported to Contrast five times from one server. Instead of showing up as five vulnerabilities, Contrast keeps the single entry and increments its count. As Contrast continues to see the same finding, the count keeps rising. The Notes tab within the vulnerability lists the servers on which it was found.

Manage Vulnerabilities

Go to the Vulnerabilities page to view details on each one and get rid of weaknesses in your application. You can also perform tasks like tagging and updating severity levels. Read how to Manage Vulnerabilities to understand them even better.

Analyze Findings

Contrast presents each code flaw it discovers with a severity level to help you prioritize your work. For each reported vulnerability, you can mark a status and create tags as needed. The following chart shows the available statuses, what marking each one does, and what happens when a marked vulnerability is found again.

Status | When marked | When found again
Confirmed | Stays open | No change
Suspicious | Stays open | No change
Not a Problem | Closed (requires justification) | Stays closed
Remediated | Closed | Reopened as Reported
Reported | Default status | No change
Fixed | Closed | Stays closed
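The de-duplication rule described under "How vulnerabilities work" and the status table above together define a small state machine: a repeat report increments the count and refreshes the last-seen date, and only a vulnerability marked Remediated is reopened when it is seen again. The following Python model is an added illustration, not Contrast's own code; the rule name, application name, request location and server names are constructed sample data, and the key used to decide whether a finding is "the same vulnerability" (rule, application, location) is an assumption made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Status vocabulary from the page's table. Open statuses still appear in the
# Open quick view of the Vulnerabilities grid; closed ones do not.
OPEN_STATUSES = {"Reported", "Confirmed", "Suspicious"}
CLOSED_STATUSES = {"Not a Problem", "Remediated", "Fixed"}


@dataclass
class Vulnerability:
    rule: str                  # e.g. "reflected-xss" (constructed)
    app: str
    location: str              # request that triggered the finding (constructed)
    first_seen: date
    last_seen: date
    status: str = "Reported"   # default status when first created
    count: int = 1             # how many times agents have reported it
    servers: set = field(default_factory=set)   # what the Notes tab lists
    justification: Optional[str] = None


class VulnerabilityStore:
    """Hypothetical model of the de-duplication and status rules on this page."""

    def __init__(self) -> None:
        self._vulns = {}   # (rule, app, location) -> Vulnerability; key is an assumption

    def report(self, rule: str, app: str, location: str, server: str, seen_on: date) -> Vulnerability:
        key = (rule, app, location)
        v = self._vulns.get(key)
        if v is None:
            # Never seen before: create a new entry with the default status.
            v = Vulnerability(rule, app, location, seen_on, seen_on, servers={server})
            self._vulns[key] = v
            return v
        # Seen before: update the existing entry instead of creating a duplicate.
        v.count += 1
        v.last_seen = seen_on
        v.servers.add(server)
        # "When found again" column: only Remediated reopens; all others are unchanged.
        if v.status == "Remediated":
            v.status = "Reported"
        return v

    def mark(self, rule: str, app: str, location: str, status: str,
             justification: Optional[str] = None) -> Vulnerability:
        if status not in OPEN_STATUSES | CLOSED_STATUSES:
            raise ValueError(f"unknown status {status!r}")
        if status == "Not a Problem" and not justification:
            raise ValueError("Not a Problem requires a justification")
        v = self._vulns[(rule, app, location)]
        v.status = status
        v.justification = justification if status == "Not a Problem" else None
        return v

    def get(self, rule: str, app: str, location: str) -> Vulnerability:
        return self._vulns[(rule, app, location)]

    def open_findings(self) -> list:
        return [v for v in self._vulns.values() if v.status in OPEN_STATUSES]

    def days_since_last_seen(self, rule: str, app: str, location: str, today: date) -> int:
        return (today - self.get(rule, app, location).last_seen).days


def run_demo() -> dict:
    """Walks the page's scenario with constructed findings and returns checkpoints."""
    store = VulnerabilityStore()
    xss = ("reflected-xss", "storefront", "GET /search?q=")
    # Constructed: the same finding reported five times from one server.
    for day in range(1, 6):
        store.report(*xss, server="web-01", seen_on=date(2018, 1, day))
    after_five = store.get(*xss)
    checkpoints = {
        "entries": len(store._vulns),                       # one entry, not five
        "count_after_five": after_five.count,
        "servers_after_five": sorted(after_five.servers),
        "days_idle": store.days_since_last_seen(*xss, today=date(2018, 1, 12)),
    }
    # Marked Remediated, then seen again from a second server: reopened as Reported.
    store.mark(*xss, "Remediated")
    reopened = store.report(*xss, server="web-02", seen_on=date(2018, 1, 13))
    checkpoints["status_after_remediated_and_seen"] = reopened.status
    checkpoints["open_count"] = len(store.open_findings())
    # Marked Fixed, then seen again: stays closed, but the count still increments.
    store.mark(*xss, "Fixed")
    still_fixed = store.report(*xss, server="web-02", seen_on=date(2018, 1, 14))
    checkpoints["status_after_fixed_and_seen"] = still_fixed.status
    checkpoints["final_count"] = still_fixed.count
    # Not a Problem without a justification is rejected.
    try:
        store.mark(*xss, "Not a Problem")
        checkpoints["nap_without_justification"] = "accepted"
    except ValueError:
        checkpoints["nap_without_justification"] = "rejected"
    return checkpoints


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point the model makes explicit is that "Fixed" and "Remediated" are not interchangeable: mark a finding Remediated when you want Contrast to tell you if it comes back, and Fixed only when you are prepared for repeat reports to be absorbed silently into the count.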

Track Findings

Contrast gives you the ability to send vulnerability data to bugtracker integrations or to users via email. You can set up bugtrackers and other integrations - including Slack, HipChat or any generic WebHook integration - by going to the user menu > Organization Settings > Integrations tab in the sidebar. You can tell Contrast to notify you if there are any new high or critical vulnerabilities found in your application.

For more information, read the article on Integrations.

Fix Findings

Find information on solutions and techniques to resolve a vulnerability by delving into Contrast's overview of the issue, which explains why it was flagged. Contrast also provides a How To Fix section which gives steps on resolving the issue.

Confirm the fix

There are a couple of ways to verify that you fixed a vulnerability.

Replay the request. If the issue is remediated and marked accordingly, you can replay the HTTP request under the HTTP Info tab in the vulnerability's details page to see if the issue is fixed. If it isn't fixed, the issue reappears with a status of Reported.

Check build number. You can assign a build version number to an application for tracking; this data, if available, also applies to any vulnerabilities found in the application. You can use the number to verify whether an issue still exists by selecting the "Open" quick view of the Vulnerabilities grid and searching for the build number.