Contrast Security
4,026 installs | (1) | Free
Find security vulnerabilities through functional tests
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.

Contrast Security Plugin

Write secure code faster

Contrast optimally chooses from several application security testing approaches (IAST, SAST, SCA) according to the vulnerability type to produce accurate security results.

Leverage security instrumentation from Contrast to:

  • get accurate vulnerability results
  • automate security testing through your existing functional tests
  • obtain clear, concise, and actionable remediation guidance

The technology

Via agents (tiny files that live with your application), Contrast embeds security sensors in the packaged binary upon application startup.

Data flow through the application, in conjunction with other important runtime context such as...

  • the entirety of data and control flows
  • internal logic
  • configuration and architecture
  • presentation view
  • libraries and frameworks
  • application server

activates an intelligent pattern-matching engine that produces highly accurate security insights, a technology called interactive application security testing (IAST).

Getting Set Up

  1. A Contrast Security account. You can create a free one here for Contrast Community Edition. Supported languages:
    • Free: Java, .NET Core
    • Paid: Node.js, Python, Ruby, .NET Framework
  2. Follow onboarding instructions in the installation wizard within the Contrast UI. Docs can be found here.
  3. Run functional tests to trigger data flow through your application (and thus the IAST engine).
  4. Authenticate to your Contrast account via the extension settings page (see section below).
  5. Navigate to the Contrast view in the Activity Bar (left-hand side of the VS Code editor). Click "Test Connection" and then "Refresh" to get a list of vulnerabilities in your application.
  6. It is recommended that you turn off autoscrolling in your output panel by selecting the lock.

More plugin documentation can be accessed in Contrast documentation.

Features

  • Main view (list of vulnerabilities in your application)

  • Overview of the vulnerability

  • Security risk introduced by the vulnerability

  • Details of the vulnerability

  • HTTP Request exposing the vulnerability

  • Concise and actionable guidance for vulnerability remediation

  • Developer sandbox (private vulnerability views) enabled by:

    • Filtering on vulnerability metadata: status, tags, environment, detection date, application
    • Filtering on session metadata: committer, commit hash, branch, git tag, repository, test run, version, build number

Extension Settings

You may obtain values for the following fields from your Contrast portal section "Your Account".

  • API Key: account authentication token
  • Organization ID: unique Contrast organization identifier
  • URL: Contrast host instance
  • Authorization Header: security mechanism to authenticate packet origin

Get in Touch

Drop a note to support@contrastsecurity.com for any questions, comments, and feedback!
