Getting Started with Contrast Security Community Edition for Java

Traditional code scanning tools for application security (AppSec) bog down DevOps workflows and suffer from major accuracy problems—false positive alerts that must be triaged as well as false negatives that let unknown threats slip past defenses. Contrast Security’s DevOps-Native AppSec Platform alleviates these issues by deploying intelligent agents that instrument the application with smart sensors that observe the flow of data routes in an application in real time. By consistently observing each route as the application runs, the Contrast agent can successfully assess and protect the surface layer and discover application vulnerabilities.

Contrast Security launched its Community Edition in 2018 to make these capabilities available to organizations of all sizes and means. Contrast Community Edition is a free and full-strength application security platform that provides “always-on” security across all phases of the software development life cycle (SDLC)—from development to production.

The following workflow describes the installation of Contrast Community Edition for Java users via the wizard. Power users or developers may choose different standard installation configurations, such as with Maven.

Setting Up a New Account

The first step in the process is registering for a FREE Contrast Security Community Edition account. New users must confirm the account via an email sent from Contrast.

Once confirmed, users can then log into the Contrast Community Edition dashboard. Upon logging in for the first time, the user will see a sample application to help illustrate how Community Edition works. This blog post offers more details about the sample application and the various dashboard screens.

Onboarding a New Java Application

Contrast Community Edition currently supports two languages—Java and .NET Core. The following tutorial covers the simple steps needed to onboard a new Java application: 

1. Log into the account.
2. Click the “Add Agent” button on the right side of the top navigation bar.
3. Select the Java agent from the dropdown and click the “Download Agent” button.

(Screenshot: Select the Java agent from the dropdown)

4. Retrieve the configuration file for the Contrast Community Edition instance and place it in a predetermined location. For example: etc/contrast/java/contrast_security.yaml

(Screenshot: Configuring the agent)

Users can either copy their own configuration file or download a premade file. Please see the configuration documentation page for more details about where to place the file or other related questions.

5. Next, the user must add the Java agent to a server. Users can find the appropriate web server in the dropdown menu in the next step of the wizard. This will add the agent to the designated server.

(Screenshot: Installing the agent)

6. Restart the server to start up the Java agent.

(Screenshot: Restart the server to activate Contrast Community Edition)

7. At this point, users can verify their connection with the Contrast user interface via the wizard or return to the “Applications” tab to review the application. This should show the selected application on the designated server.

8. Users can then use Contrast Community Edition to review the application.
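The wizard in steps 4 through 6 does two things behind the scenes: it places a YAML file holding the agent's credentials for the Contrast UI, and it attaches the downloaded agent jar to the server's JVM so that the restart in step 6 picks it up. The script below is an added example, not code from the original post or from Contrast; it builds the JVM argument for that attachment and, first, checks that the credential file is present and not readable by other accounts on the host. The jar and config paths, the use of the standard `-javaagent` JVM flag, and the `CONTRAST_CONFIG_PATH` environment variable are all assumptions for the example.

```shell
#!/bin/sh
# Added example (not part of the original post): pre-flight checks and JVM
# arguments for attaching a Java agent jar to a server before restarting it.
# Paths, the -javaagent flag usage and CONTRAST_CONFIG_PATH are assumptions.

# The YAML file from step 4 carries the credentials the agent uses to talk to
# the Contrast UI, so refuse to proceed if group/other permission bits are set.
check_contrast_config() {
  cfg="$1"
  [ -f "$cfg" ] || { echo "missing config file: $cfg" >&2; return 1; }
  # GNU stat first, BSD stat as fallback; both yield an octal mode like 600
  perm=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
  case "$perm" in
    ?00) return 0 ;;
    *) echo "config $cfg is readable by others (mode $perm)" >&2; return 1 ;;
  esac
}

# Print the JVM argument that loads the agent jar. If the config file is not at
# the default location, export its path so the agent can find it (assumed
# variable name CONTRAST_CONFIG_PATH, constructed for this example).
contrast_jvm_args() {
  jar="$1"; cfg="$2"
  [ -f "$jar" ] || { echo "missing agent jar: $jar" >&2; return 1; }
  check_contrast_config "$cfg" || return 1
  export CONTRAST_CONFIG_PATH="$cfg"
  printf -- '-javaagent:%s\n' "$jar"
}

# Usage (paths are placeholders):
#   JAVA_OPTS="$(contrast_jvm_args /opt/contrast/contrast.jar \
#                /etc/contrast/java/contrast_security.yaml)" || exit 1
#   java $JAVA_OPTS -jar app.jar
```

Run the check as part of the server's start script so that a misplaced or world-readable credential file fails the restart loudly instead of silently leaving the agent disconnected from the UI (which is what the verification in step 7 would otherwise reveal after the fact).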

Contrast Security Turns DevOps Into DevSecOps

Contrast’s unique instrumentation-based approach to application security streamlines development processes—seamlessly incorporating the process of finding and fixing security vulnerabilities into the process of writing code. This helps developers at all levels save time and money while delivering more secure applications.

This blog post offers a basic agent installation to help get new users started finding vulnerabilities in their Java applications using the free Community Edition version of the Contrast DevOps-Native AppSec Platform. Developers can also sign up for a free demo of Contrast Community Edition to learn more.

*** This is a Security Bloggers Network syndicated blog from Security Influencers Blog authored by Justin Leo - Technical Product Manager, Java and Python. Read the original post at: