
Contrast Scan now supports security testing for C# applications for .NET Web Forms


Contrast is pleased to announce another major milestone in the expanding breadth of coverage for Contrast Scan. Contrast Scan now supports security testing for C# applications built on ASP.NET Web Forms, one of the longest-standing frameworks in the .NET ecosystem. Users running .NET Framework 4.7 and above can take advantage of this new capability to shift security testing left within their native developer pipelines.

Contrast already offers mature runtime testing for .NET Core and .NET Framework through Contrast Assess. Adding SAST support for C# applications running .NET Web Forms complements that runtime testing suite by letting customers shift security testing left into developers' native pipelines, with fast and accurate results across their .NET portfolio.

.NET Web Forms: Tried and Tested

.NET Web Forms, or more precisely ASP.NET Web Forms, has been around for nearly 20 years and is still maintained by Microsoft to this day. It is a tried and tested framework for building web applications, with pre-built server controls for rendering HTML and binding to virtually any data store. Web Forms continues to be among the most widely adopted frameworks for business applications that process sensitive customer data. As a testament to its longevity, .NET Web Forms is the most common framework among the more than 2,000 .NET applications tested by Contrast.

C# Security: Getting Started with Contrast Scan 

Contrast Scan can test for security vulnerabilities in your C# application within existing development pipelines via a simple command-line invocation or a GitHub Action. Contrast also provides automated scripts for embedding testing in a host of other CI tools. To see this in action, check out our tutorial video below:


What security risks are a factor for C# apps running .NET Web Forms? 

One of the most common vulnerability categories affecting C# / .NET security is SQL Injection, which has appeared in the OWASP Top 10 since the list's first edition in 2003. There are many other high-severity vulnerability classes to be aware of, including LDAP Injection, Command Injection and Path Traversal, among others. AppSec managers can have peace of mind knowing that Contrast Scan addresses C# security by identifying all of these vulnerability types and more, while developers gain the advantage of fixing insecure code before it reaches production.
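To make two of those categories concrete in Web Forms terms, here is an added example (not code from Contrast or from any product described on this page) of a hypothetical code-behind file. It shows the SQL Injection and Path Traversal patterns a SAST tool looks for, each beside its hardened form. The page name (Orders.aspx), the control names (txtCustomer, gvOrders), the connection-string name (OrdersDb) and the Reports folder are all assumptions constructed for the example.

```csharp
// Orders.aspx.cs: hypothetical ASP.NET Web Forms code-behind, constructed for this
// example. Assumes Orders.aspx declares a TextBox "txtCustomer" and a GridView
// "gvOrders", and that web.config defines a connection string named "OrdersDb".
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Web;
using System.Web.UI;

public partial class Orders : Page
{
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["OrdersDb"].ConnectionString;

    // SQL INJECTION, VULNERABLE: untrusted input is concatenated into the query text.
    // A customer name of  ' OR 1=1 --  returns every customer's orders.
    protected void btnSearchUnsafe_Click(object sender, EventArgs e)
    {
        string sql = "SELECT OrderId, Total FROM Orders WHERE CustomerName = '"
                     + txtCustomer.Text + "'";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            gvOrders.DataSource = cmd.ExecuteReader();
            gvOrders.DataBind();
        }
    }

    // SQL INJECTION, HARDENED: the query text is constant; the value travels to the
    // server as a typed parameter and is never parsed as SQL.
    protected void btnSearch_Click(object sender, EventArgs e)
    {
        const string sql = "SELECT OrderId, Total FROM Orders WHERE CustomerName = @name";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = txtCustomer.Text;
            conn.Open();
            gvOrders.DataSource = cmd.ExecuteReader();
            gvOrders.DataBind();
        }
    }

    // PATH TRAVERSAL, VULNERABLE: a request for "..\web.config" or "../../Web.config"
    // escapes the Reports folder because the input is joined straight onto the path.
    private string ReportPathUnsafe(string requested)
    {
        return Server.MapPath("~/Reports/" + requested);
    }

    // PATH TRAVERSAL, HARDENED: canonicalize the combined path, then require it to stay
    // under the Reports root. The trailing separator on the root prevents a sibling
    // folder such as "Reports2" from passing the prefix check. An absolute path passed
    // as "requested" makes Path.Combine return that path, which then fails the check.
    private string ReportPathSafe(string requested)
    {
        string root = Path.GetFullPath(Server.MapPath("~/Reports"));
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        string full = Path.GetFullPath(Path.Combine(root, requested));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new HttpException(403, "Forbidden");
        return full;
    }
}
```

A scanner reports the first and third methods because a request-controlled value (a TextBox property, a query-string or form field) flows unmodified into a query string or a file-system API. In the hardened versions the flow is broken by a parameter binding and by a canonicalize-then-check step, which is also why parameterization rather than escaping is the fix a SAST tool expects to see for SQL Injection.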

Pipeline-Native SAST for Fast and Accurate Results

Contrast Scan’s pipeline-native approach is all about delivering fast, accurate and actionable security findings within developers’ native CI/CD environments. We tested WebGoat.NET and found that Contrast Scan delivered results in just under a minute, 59 seconds to be exact. In the same test, competing SAST tools took roughly four times as long to scan the same application. Further, Contrast Scan prioritizes exploitable vulnerabilities so that only actionable findings are presented: testing of WebGoat.NET yielded accuracy scores nearly 30% higher than legacy SAST tools. Simply put, Contrast Scan finds exploitable vulnerabilities while weeding out false positives.

The Contrast Platform covers your .NET portfolio end-to-end

Contrast covers your .NET portfolio from the earliest phases of development all the way through production. Coupled with Contrast’s existing runtime testing and protection solutions for .NET Core and .NET Framework, pipeline-native security testing for applications using Web Forms ensures continuous security testing across each stage of the development lifecycle, from build, to test, to production.

To see what pipeline-native security testing can do for your business, reach out to us for a demo.

Joe Coletta, Product Marketing Manager, Contrast Security


Joe Coletta is a Sr. Product Marketing Manager at Contrast Security focusing on Open Source Security. Entering the AppSec field as a Security Program Manager, Joe has consulted with dozens of organizations of varying sizes on how to work cross-functionally to scale their application security programs. Applying this frontline knowledge to a product marketing career, Joe develops go-to-market resources that capture the voice of AppSec practitioners in both Security and Development. On a personal note, Joe divides his free time between reading, drawing, and Brazilian Jiu Jitsu.