Automated vulnerability detection through IAST, without specialist security expertise. Assess turns normal application usage into security tests to identify, track, and prioritize risk. An integral component in the PCI Secure Software Standard.
Automated defenses that operate and scale inside software to block otherwise successful attacks. Defend running software from attacks as part of your PCI DSS and PA DSS operations.
Contrast Security has been independently verified against PCI requirements.
Organizations looking to manage compliance against PCI standards can leverage Contrast Security products along with operational practices to manage PCI compliance with payment applications.
The product applicability guide was created by CoalFire, a respected Payment Card Industry (PCI) and Payment Application (PA) Qualified Security Assessor Company (QSAC).
Contrast Assess helps organizations identify and prioritize vulnerabilities within their development lifecycles.
Contrast integrates powerful detection technology into applications at the right point, so that existing application tests become effective security tests. Compared to other methodologies, Contrast requires less time and expertise to identify more vulnerabilities with greater accuracy.
Contrast Protect provides immediate resolution to many vulnerabilities, along with virtual patches to defend against previously unknown zero-day exploits.
The in-app advantage of Contrast Protect enables normal usage to proceed while blocking only actual exploits against vulnerable areas. Sensors placed inside the application replace signature-based detection with contextual verification that can differentiate between an attack probe and a vulnerable location.
Contrast Assess and Contrast Protect can provide continuous assessment and protection for applications. The integration of the Contrast Security platform sensors within the application allows the application to be continuously self-assessing and self-protecting. It is recommended that only Contrast Protect be enabled in the production runtime environment.
The accurate detection of Contrast's Runtime Application Self Protection (RASP) approach enables streamlined integration with defect-tracking tools like JIRA and evidence collection by QSAs as part of section 6.3.2b. Features such as Log Enhancement enable teams to collect information that is otherwise not available to a SIEM. No developer intervention or code change is required.
Contrast Assess understands the different types of databases, including NoSQL databases such as Couchbase and MongoDB, and can detect their specific injection issues. Contrast Assess can identify these vulnerabilities with greater accuracy and thoroughness than Static Application Security Testing (SAST) tools.
Maintain an inventory of system components that are in scope for PCI DSS. Contrast provides a Live View of applications, listing the architectural components and connections used by the application.
Organizations can combine the architectural view with other systems to determine the full scope of assets that are applicable to PCI.
The Secure Software Standard indicates that, "vulnerabilities in the software and third-party components are tested for and fixed prior to release." Instead of simply listing libraries and CVEs, Contrast Assess leverages runtime knowledge of software composition analysis to identify which libraries are actually loaded as part of the application.
Full coverage of PCI compliance involves a range of controls, technology, and procedures. Contrast integrates into many external systems used by organizations as part of PCI compliance: JIRA, Slack, VictorOps, Visual Studio, and more.
A full Contrast Splunk application is available for dashboard integration. The improved accuracy of Contrast Assess and Protect enables a more robust environment to support incident investigation without the traditional false positives. Other SIEMs are supported for information sharing.