Recently, as our customers have looked at scaling out their Contrast deployments throughout their development lifecycle, one of the most requests I heard more and more was “Can Contrast help me to track and measure how we are doing against our security policies?” Absolutely, that’s right in our wheelhouse!
Our mission has always been to simplify application security through technology and automation. With that goal and our customers' requests in in mind, we recently released a couple of application security policy settings in Contrast: Vulnerability Remediation and Library Use. Settings are geared toward allowing the application security leads to set a security goal, and allow Contrast to alert them when something out of bounds.
For example, an AppSec lead could set a policy that all SQL Injection vulnerabilities must be remediated within 14 days of discovery. If any SQL injection vulnerability stays open beyond those 14 days, Contrast will send an alert to the application security team, letting them know a developer may need a hand closing out a critical problem. Set the policy once and Contrast will take care of all the analysis. The right people will get a notification if something needs attention, so everyone can get on with the rest of their day.
Figure 1. Contrast Dashboard displaying XSS vulnerabilities.
We’ve done something similar with libraries. There are literally hundreds or thousands of libraries across all your applications. Multiple customers have told me that trying to keep track of them is a) difficult and b) really annoying. So, we took a couple of the most requested use cases and implemented them as a policy. The first is making sure that libraries are not falling too far behind the latest version. With library policies, you can set a policy that states that libraries shouldn't be X versions older than the latest published version. If Contrast detects a library that’s in violation, we’ll send the AppSec team a notification. They can proactively work with the developers to schedule the library for update in a future release. We also allow for blacklisting specific libraries, in the event there’s a specific version of a library that should never be used. Same deal here, if Contrast finds it, we'll let the AppSec team know.
Keep your feedback coming! We are always happy to hear about how we can improve to make your lives a little easier and your applications a lot more secure.