Skip to content

Automating AppSec

By Chris Schmidt

October 1, 2013


Automating AppSec

As developers, we have tools that we use every day to make ourselves more efficient. We use tools like Maven for dependency management, Jenkins for continuous integration, JIRA for bug tracking, Sonar for development analytics and Fisheye for peer code review. These tools work together to create a cohesive development environment designed to allow us to focus on the main thing we are supposed to be doing: writing code!

The beautiful thing about Contrast™ is that it adds continuous and accurate security testing cleanly into this proven model. With the Contrast API you can integrate security intelligence directly in to your Development Reporting Portal and get the flaws in front of your team when it matters.

Working Contrast™ Into the DevOps Lifecycle

So where does Contrast™ fit into the vast set of automation and development tools? We regularly recommend to our customers that the best place to use Contrast™ is where you are performing your integration testing. Most mature projects will have some type of integration testing in place using tools like Selenium. A common deployment model may look like this:


So what happens if we put the Contrast™ Engine on a container used for test automation? Your existing tests verify the functionality and the Engine performs comprehensive security testing on all the code being exercised by your test cases. Of course this works just as well if you have human testers exercising the code, too.

But Wait! There's More!

So now you are getting good coverage of your application simply by leveraging work that has already been done but this still doesn't put the information in front of the developers in the tools they are already using. The next step is to expose that information to the dashboards that your developers are already looking at every day!

There are any number of dashboard applications written for developers to keep track of their projects, from Sonar to JIRA to custom solutions written in-house. With Contrast™ all of your data is accessible through Simple API calls either using our RESTful Web Services or our convenient Client SDK for Java! 

The Java Client SDK is currently under development at our Contrast-OSS GitHub. It is slotted for official release around Q1 in 2013!   

Once you have included the Client API into your project you can begin accessing your data immediately with just a few calls!

// Initialize the Contrast Client API
contrast = new ContrastConnector(

// Verify the Contrast API Credentials
if (!contrast.checkCredentials()) {
    LOG.log(Level.CONFIG, "Invalid Contrast Credentials!");

AppList applist = contrast.getAllAppData();
for (AppData app : applist.getApps()) {
AppStatsData stats = app.getAppStats();     reportMetric("Vulnerabilities/Critical", stats.getAppVulns().getCriticals());     reportMetric("Vulnerabilities/High"), stats.getAppVulns().getHighs());     reportMetric("Vulnerabilities/Medium"), stats.getAppVulns().getMediums());     reportMetric("Vulnerabilities/Low"), stats.getAppVulns().getLows());     reportMetric("Vulnerabilities/Note", stats.getAppVulns().getNotes()); }

We expose more than just vulnerability counts too! You can drill down in to specific findings and view all the same details that you would see looking directly in the TeamServer!  

Since we also offer our web services as REST endpoints, you can access all the same data from any language you want! Take a look at our API Documentation for details on all the data we currently expose through our platform.

Alright, I have the data! Now what? 

Here's just one example of how the Contrast™ team is using our own API's to expose Contrast™ data to different business owners.

New Relic Platform

We are creating a plugin for the popular New Relic performance monitoring application to expose data about vulnerabilities discovered by Contrast™. Check it out!


We are very excited about the possibilities of where Contrast™ can be integrated into the Development organization with other applications to provide complete development intelligence where and when it matters! 

Have an idea for an integration? Let us know!


Chris Schmidt

Chris Schmidt