Traditional code scanning tools for application security (AppSec) bog down DevOps workflows and suffer from major accuracy problems: false positives that must be triaged and false negatives that let real vulnerabilities slip past defenses. Contrast Security’s DevOps-Native AppSec Platform addresses these issues with an agent that instruments the application with sensors which observe how data flows through each route as the application runs. By watching every exercised route in real time, the Contrast agent can assess the application’s attack surface, discover vulnerabilities, and protect the running application.
Contrast has launched Community Edition, the only free DevOps-Native AppSec Platform designed with developers in mind. Community Edition offers near-full access to Contrast’s products (Assess, OSS, and Protect), giving developers interactive application security testing (IAST), software composition analysis (SCA), and runtime application self-protection (RASP), all for free. The main limitation of Community Edition is that it can instrument and secure only one Java or .NET Core application. Broader programming language support and some enterprise features, such as role-based access control (RBAC) and packaged reporting, are reserved for paid users.
The following workflow describes the installation of Contrast Community Edition for Java users via the in-product wizard. Power users or developers may instead choose one of the other standard installation methods, such as adding the agent through Maven.
Setting Up a New Account
The first step in the process is registering for a FREE Contrast Security Community Edition account. New users must confirm the account via an email sent from Contrast.
Once confirmed, users can then log into the Contrast Community Edition dashboard. Upon logging in for the first time, the user will see a sample application to help illustrate how Community Edition works. This blog post offers more details about the sample application and the various dashboard screens.
Onboarding a New Java Application
Contrast Community Edition currently supports two languages—Java and .NET Core. The following tutorial covers the simple steps needed to onboard a new Java application:
1. Log into the account.
2. Click the “Add Agent” button on the right side of the top navigation bar.
3. Select the Java agent from the dropdown and click the “Download Agent” button.
4. Retrieve the configuration file for the Contrast Community Edition instance and place it in the location the agent expects, for example /etc/contrast/java/contrast_security.yaml. Users can either copy their own configuration file or download a premade one. Please see the configuration documentation page for details about where to place the file and other related questions.
5. Add the Java agent to a server. The next step of the wizard lists the supported web servers in a dropdown menu; selecting one adds the agent to that server.
6. Restart the server so that the JVM loads the Java agent at startup.
7. Verify the connection with the Contrast user interface via the wizard, or return to the “Applications” tab, which should list the application on the designated server.
8. Use Contrast Community Edition to review the application.
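As an added example (not part of the original post and not Contrast’s own installer), the shell script below automates the manual side of steps 4 through 6 on a Linux host: it writes a contrast_security.yaml with placeholder credentials, refuses to build a launch command while any placeholder remains or the TeamServer URL is not HTTPS, and composes the -javaagent option that attaches the downloaded agent JAR to the JVM. The YAML key names (api.url, api.api_key, api.service_key, api.user_name) and the contrast.config.path system property are taken from the agent’s documented configuration but should be checked against the file you download from the Contrast UI; the directory, server name and application name are assumptions.

```shell
#!/bin/sh
# Added example: prepare a Contrast Java agent configuration and the JVM
# options that load the agent. This is not Contrast's own tooling.
# Assumed locations (override by exporting CONTRAST_HOME before running).
CONTRAST_HOME="${CONTRAST_HOME:-$(mktemp -d)}"
CONFIG="$CONTRAST_HOME/contrast_security.yaml"
AGENT_JAR="$CONTRAST_HOME/contrast.jar"   # the JAR downloaded in step 3

# Write a config file with REPLACE_WITH_* placeholders for the values that
# the file downloaded from the Contrast UI provides.
write_config() {
  cat > "$CONFIG" <<'EOF'
api:
  url: REPLACE_WITH_CONTRAST_URL
  api_key: REPLACE_WITH_API_KEY
  service_key: REPLACE_WITH_SERVICE_KEY
  user_name: REPLACE_WITH_AGENT_USER_NAME
application:
  name: demo-java-app
server:
  name: dev-server-01
  environment: development
EOF
  # The file holds agent credentials: keep it readable by the owner only.
  chmod 600 "$CONFIG"
}

# Return 0 only when every placeholder has been filled in and the TeamServer
# URL uses HTTPS, so a half-edited file never reaches a running server.
check_config() {
  cfg="$1"
  if grep -q 'REPLACE_WITH_' "$cfg"; then
    return 1
  fi
  if ! grep -q '^  url: https://' "$cfg"; then
    return 1
  fi
  return 0
}

# Fill one placeholder in place: fill_placeholder KEY VALUE
# (KEY is the part after REPLACE_WITH_, e.g. API_KEY).
fill_placeholder() {
  sed -i.bak "s|REPLACE_WITH_$1|$2|" "$CONFIG" && rm -f "$CONFIG.bak"
}

# Compose the JVM options for step 5: -javaagent loads the agent at startup,
# and the config path property (name assumed from the agent docs) points it
# at the YAML file.
agent_opts() {
  printf -- '-javaagent:%s -Dcontrast.config.path=%s' "$AGENT_JAR" "$CONFIG"
}

# Print the restart command for step 6, but only once the config is complete.
launch_command() {
  app_jar="$1"
  if ! check_config "$CONFIG"; then
    echo "refusing to start: $CONFIG is incomplete or not using HTTPS" >&2
    return 1
  fi
  printf 'java %s -jar %s\n' "$(agent_opts)" "$app_jar"
}

write_config
echo "wrote $CONFIG; fill in the credentials, then restart with: $(agent_opts)"
```

Because the agent credentials in the YAML authenticate the server to your Contrast organization, the script restricts the file to mode 600 and treats any leftover placeholder or a plain-HTTP URL as a hard failure rather than starting the JVM with a broken or insecure configuration.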
Contrast Security Turns DevOps Into DevSecOps
Contrast’s unique instrumentation-based approach to application security streamlines development processes—seamlessly incorporating the process of finding and fixing security vulnerabilities into the process of writing code. This helps developers at all levels save time and money while delivering more secure applications.
This blog post offers a basic agent installation to help get new users started finding vulnerabilities in their Java applications using the free Community Edition version of the Contrast DevOps-Native AppSec Platform. Developers can also sign up for a free demo of Contrast Community Edition to learn more.