Download Contrast Security
Author: m | 2025-04-25
Automation to download and deploy Contrast Security Java Agent - Contrast-Security-OSS/ansible-role-contrast
Download the Contrast installer - Contrast Security
Hosted (SaaS) versus on-premises deployment

When you consider deploying Contrast Security solutions, you have two primary options: a hosted solution (cloud installation) or an on-premises instance. Each approach has its benefits and drawbacks, influenced by cost, control, customization, security, and scalability.

Benefits and drawbacks of hosted solutions

Benefits:
- Immediate access to updates and advanced new features: Updates are readily available without delay, promoting the latest security posture. New features are always supported for hosted solutions.
- Reduced IT overhead: Contrast manages infrastructure and maintenance and thus streamlines operations. Also, freedom from system-wide management tasks.
- Scalability: Easier to scale resources as your needs increase.
- Cost: Pricing for SaaS deployments is subscription-based, allowing flexibility and scalability.

Drawbacks:
- Data management: Data is stored on Contrast servers, instead of locally. However, Contrast complies with these data protection policies:
  - General Data Protection Regulation (GDPR)
  - General Data Protection Regulation-UK (UK-GDPR)
  - California Consumer Privacy Act (CCPA)
  - Protection of Personal Information (APPI)
  - System and Organizational Control Type II Audit (SOC II)

Benefits and drawbacks of on-premises solutions

Benefits:
- Complete control: More control over system-wide settings.
- Data privacy: Data is stored locally. For deployments that require specific security compliance, sensitive data never leaves your company.

Drawbacks:
- Resource intensive: Requires significant investment in IT, networking, and infrastructure along with coordination, planning and maintenance.
- Delayed updates: Updates for product enhancements are often delayed after Contrast releases, while hosted solutions receive them immediately.
- No support for new features: Advanced new features are often not supported for on-premises solutions. For example, Contrast Scan, static SCA, GitHub App for SCA, and Contrast Serverless are not supported for on-premises instances.

See also: Contrast feature comparison

Download Contrast Java Agent: This site hosts redirects to the Contrast Security Java Agent.
Contrast Support KB - Downloading Contrast agents using curl.
Learn how to download and install the Contrast Eclipse and Visual Studio IDE plugins in these simple steps.

To false positives. But, what Contrast identifies are the actual, viable attacks that reach a vulnerability. On average, the security operations center (SOC) should be worried about and focus on just a few a month, treating them as incidents.

Last month — December 2024 — Contrast saw 480 million calls to potentially dangerous functions per application. When you look at the attacks Contrast ADR identified, you can see an average of 45 reached each individual application or API. Just about 3 of those, on average, became incidents that needed to be investigated. What this graph shows is the importance of knowing exactly what to investigate to avoid alert fatigue.

The next image breaks down the types of viable attacks that Contrast ADR identified and stopped. For the sake of comparing month-to-month averages, we have not included the tens of thousands of attacks on that one single application we discussed in the beginning of this article.

Two takeaways this month.

One .NET application saw tens of thousands of attacks in just a few days. Within weeks of its public launch, the app saw tens of thousands of attacks. When an attacker focuses on an application, probes it and finds a vulnerability, they are relentless. There’s a high likelihood that the attacks were generated by a bot, by AI or by both. Because Contrast ADR sensors detected the attacks, none was successful.

Without question, attacks are up month to month. While one month does not make a trend, it does give credence to our prediction that application attacks will rise this year. AI has allowed attackers to more easily launch attacks on the application layer. AI-powered bots can scan applications for vulnerabilities faster and more efficiently than traditional methods and can then auto-generate payloads for SQL injection, XSS and server-side request forgery (SSRF) attacks based on those discovered vulnerabilities. That’s likely what we saw in January. Of course, ADR stopped the attacks for our customers. We’ll have to see if the attacks continue to increase next month.

Contact Contrast Security if you’d like to see what’s really happening in your application layer.

Read more:
- Contrast blog: 12 things to know about ADR
- Contrast blog: How the SOC can navigate the treacherous waters of application threats with ADR
- Contrast blog: 5 ways Contrast Security ADR closes the gap in protection for apps & APIs
- Contrast blog: Why Contrast Security is making the case for Application Detection
Scans

Contrast Scan is a static application security testing (SAST) tool that lets you quickly scan code to identify vulnerabilities in early stages of development.

You can use these scan methods:
- Hosted: Use this scan method if you are able to upload code to the Contrast platform. To start a scan, use the Contrast web interface. Scan results are posted in the Contrast web interface.
- CLI: Use this scan method if you prefer to use CLI commands to upload code to the Contrast platform. Scan results are posted in the Contrast web interface or an integration such as GitHub or Jenkins.
- Contrast Scan local engine: Use this scan method for code on your local system. The Contrast platform receives the results but you don't upload local code. Scan results are posted in the Contrast web interface or in an integration such as GitHub or Jenkins.

Depending on the type of code you submit for scanning, Contrast Scan uses one of these scan engines:
- Java binary: Scans Java JAR or WAR files. The Java binary scan supports only web applications (applications that handle HTTP traffic). This type of scan has a more narrow focus than a source code scan. It looks for data that comes from an untrusted source, such as user input, and gets to a dangerous sink, like an SQL statement, without sanitization. The scan doesn't report on code that is not security relevant. This type of scan uses Scan policies (for example: the code contains dangerous potential sink calls or the calls or entry points allow untrusted data to enter the application) to find security-relevant code.
- Source code: Scans artifacts for most languages. This type of scan has a wider focus than a Java binary scan. It searches the code for potential vulnerabilities based on a rule set. The results are typically less accurate than a Java binary scan.

Scan feature comparison

This table lists the features that each scan method supports.

Columns: Features, Scan local engine, Contrast hosted platform, CLI

Scan types:
- Multi-language source code scan
- Java binary
- Upload source code to Contrast platform

File size:
- Max file size = 1GB

Integrations:
- SCM integration with GitHub action
- Pipeline integration (for example, Jenkins)
- Branch support
- Fail builds

Customizations:
- Timeout settings
- Memory settings
- Resource group assignments
- File exclusions

Scan tasks

In Contrast Scan, you can:
- Run scans locally
- Create a scan project
- Archive a scan project
- Delete a scan project
- Monitor scans
- Analyze scan results
- Start a new scan
- Cancel a scan
- Change scan settings
- Use Contrast Scan with GitHub repositories
- Generate SAST Attestation report

See also: Scan supported languages
2025-04-15