
Automating AppSec

By Chris Schmidt

October 1, 2013

DevOps


As developers, we have tools that we use every day to make ourselves more efficient. We use tools like Maven for dependency management, Jenkins for continuous integration, JIRA for bug tracking, Sonar for development analytics and Fisheye for peer code review. These tools work together to create a cohesive development environment designed to allow us to focus on the main thing we are supposed to be doing: writing code!

The beautiful thing about Contrast™ is that it adds continuous and accurate security testing cleanly into this proven model. With the Contrast API you can integrate security intelligence directly into your development reporting portal and get the flaws in front of your team when it matters: while the code is still fresh and the fix is cheap.

Working Contrast™ Into the DevOps Lifecycle

So where does Contrast™ fit into the vast set of automation and development tools? We regularly recommend to our customers that the best place to use Contrast™ is where you are performing your integration testing. Most mature projects will have some type of integration testing in place using tools like Selenium. A common deployment model may look like this:

[Image: common deployment model]

So what happens if we put the Contrast™ Engine on the container used for test automation? Your existing tests verify the functionality and the Engine performs security testing on all the code being exercised by your test cases. Of course this works just as well if you have human testers exercising the code, too. One caveat: the Engine only sees what actually runs, so code paths that no test or tester reaches are not analysed, and your security coverage is bounded by your functional coverage.

But Wait! There's More!

So now you are getting good coverage of your application simply by leveraging work that has already been done. But this still doesn't put the information in front of the developers in the tools they are already using. The next step is to expose that information in the dashboards your developers are already looking at every day!

There are any number of dashboard applications written for developers to keep track of their projects, from Sonar to JIRA to custom solutions written in-house. With Contrast™ all of your data is accessible through simple API calls, either using our RESTful web services or our convenient Client SDK for Java!

The Java Client SDK is currently under development at our Contrast-OSS GitHub. It is slotted for official release around Q1 in 2013!   

Once you have included the Client SDK in your project you can begin accessing your data with just a few calls. The credentials below come from a configuration object rather than being hard-coded; in a build pipeline they should be injected from the CI server's secret store, not committed alongside the build script.

import java.util.logging.Level;

// Initialize the Contrast Client API. Username, service key and API key
// are read from configuration so they never live in source control.
ContrastConnector contrast = new ContrastConnector(
        contrastConfig.getUsername(),
        contrastConfig.getServiceKey(),
        contrastConfig.getApiKey(),
        contrastConfig.getHostname()
);

// Verify the Contrast API credentials before doing any work; a bad
// credential is a hard failure for the job, so log it at SEVERE.
if (!contrast.checkCredentials()) {
    LOG.log(Level.SEVERE, "Invalid Contrast Credentials!");
    System.exit(1);
}

// Pull every application visible to these credentials and push the
// per-severity vulnerability counts into the dashboard as metrics.
AppList applist = contrast.getAllAppData();
for (AppData app : applist.getApps()) {
    AppStatsData stats = app.getAppStats();
    reportMetric("Vulnerabilities/Critical", stats.getAppVulns().getCriticals());
    reportMetric("Vulnerabilities/High",     stats.getAppVulns().getHighs());
    reportMetric("Vulnerabilities/Medium",   stats.getAppVulns().getMediums());
    reportMetric("Vulnerabilities/Low",      stats.getAppVulns().getLows());
    reportMetric("Vulnerabilities/Note",     stats.getAppVulns().getNotes());
}

We expose more than just vulnerability counts too! You can drill down into specific findings and view all the same details that you would see looking directly in the TeamServer.

Since we also offer our web services as REST endpoints, you can access all the same data from any language you want! Take a look at our API Documentation for details on all the data we currently expose through our platform.
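Counts on a dashboard are useful, but the point of putting Contrast on the integration-test container is to act on the data while the build is still running. The following is an added example, not Contrast's code and not its documented API: it takes per-application severity counts (here a constructed JSON payload whose field names are assumed, standing in for what a REST call to the TeamServer would return), flattens them into the same metric names the Java snippet reports, and applies a build gate that fails the job when any application exceeds a per-severity limit. Credentials are read from environment variables (the `CONTRAST_*` names are this example's own convention) so they stay out of the build script.

```python
"""Build gate over per-application vulnerability counts.

Added example (not Contrast's code). The response shape below is an
assumption standing in for a TeamServer REST response; the payload is
constructed sample data so the module runs offline.
"""
import json
import os
import sys

# Severity levels as exposed on the page's Java stats object.
SEVERITIES = ("Critical", "High", "Medium", "Low", "Note")

# Constructed sample payload; field names are assumed, not Contrast's schema.
SAMPLE_RESPONSE = json.dumps({
    "apps": [
        {"name": "inventory-api",
         "vulns": {"Critical": 0, "High": 2, "Medium": 5, "Low": 1, "Note": 7}},
        {"name": "billing-web",
         "vulns": {"Critical": 1, "High": 0, "Medium": 3, "Low": 0, "Note": 2}},
    ]
})

# Default policy: a single Critical or High finding fails the build.
# Severities missing from the policy are reported but never block.
DEFAULT_POLICY = {"Critical": 0, "High": 0}


def load_credentials(env=os.environ):
    """Read API credentials from the environment, never from source.

    Returns a dict of the four values, or None if any is missing so the
    caller can fail fast instead of running with a half-configured client.
    """
    keys = ("CONTRAST_USERNAME", "CONTRAST_SERVICE_KEY",
            "CONTRAST_API_KEY", "CONTRAST_HOSTNAME")
    creds = {k: env.get(k) for k in keys}
    return creds if all(creds.values()) else None


def metrics_from_response(raw):
    """Flatten the per-app counts into '<app>/Vulnerabilities/<Severity>'
    metric names, mirroring the reportMetric keys in the Java snippet."""
    data = json.loads(raw)
    metrics = {}
    for app in data["apps"]:
        for sev in SEVERITIES:
            key = f"{app['name']}/Vulnerabilities/{sev}"
            metrics[key] = int(app["vulns"].get(sev, 0))
    return metrics


def gate(raw, max_allowed):
    """Apply a per-severity ceiling to every application.

    Returns (passed, violations) where each violation is
    (app_name, severity, observed_count, limit).
    """
    data = json.loads(raw)
    violations = []
    for app in data["apps"]:
        for sev, limit in max_allowed.items():
            count = int(app["vulns"].get(sev, 0))
            if count > limit:
                violations.append((app["name"], sev, count, limit))
    return (not violations, violations)


if __name__ == "__main__":
    if load_credentials() is None:
        # A real run would fetch from the TeamServer here; without
        # credentials we fall back to the constructed sample.
        print("CONTRAST_* variables not set; using constructed sample data")
    for name, value in sorted(metrics_from_response(SAMPLE_RESPONSE).items()):
        print(f"{name}={value}")
    passed, violations = gate(SAMPLE_RESPONSE, DEFAULT_POLICY)
    for app, sev, count, limit in violations:
        print(f"FAIL {app}: {count} {sev} finding(s), limit {limit}")
    sys.exit(0 if passed else 1)
```

The gate is deliberately separate from the metric export: the dashboard should always receive the counts, even on a failing build, so the trend line stays honest. Tighten or loosen `DEFAULT_POLICY` per application rather than suppressing findings to get the build green.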

Alright, I have the data! Now what? 

Here's just one example of how the Contrast™ team is using our own APIs to expose Contrast™ data to different business owners.

New Relic Platform

We are creating a plugin for the popular New Relic performance monitoring application to expose data about vulnerabilities discovered by Contrast™. Check it out!

[Screenshot: Contrast™ vulnerability data in the New Relic plugin]

We are very excited about the possibilities of where Contrast™ can be integrated into the Development organization with other applications to provide complete development intelligence where and when it matters! 

Have an idea for an integration? Let us know!
