
CodeSec by Contrast Security – Evaluator Guide


Orlando Villanueva
Sr.Product Marketing Manager – CodeSec
CodeSec by Contrast brings enterprise-level security right to your development workflow for free. Make code and serverless security simple and efficient with quick scan times, market-leading accuracy, actionable results and seamless integration. Here at Contrast, we created this guide to not only show developers what CodeSec can offer, but also give them the tools to test it and see for themselves just how fast, accurate, and seamless CodeSec can be!
CodeSec Delivers
- Fastest and most accurate scanner: Delivers up to 10x faster scan rates. Recognized as the fastest and most accurate Java scanner in the market.
- Immediate and actionable results: Scan code for traditional environments and serverless functions, find 70% more critical vulnerabilities and receive actionable results with 6x more true positives in seconds. Prioritizes vulnerabilities and provides actionable remediation guidance.
- From start to finish in minutes: Frictionless and seamless sign-up process with a GitHub or Google Account. Optionally, use a provided GitHub Action to automate the linkage to your GitHub pipeline — from zero to secure in less than five minutes. Enables developers to automate common workflows.
CodeSec Features
CodeSec offers the following capabilities through a simple command line interface (CLI):
- CodeSec – Scan: Optimize code security for Java, JavaScript and .NET with fast, industry-leading scans and actionable remediation guidance.
- CodeSec – Serverless: Take advantage of a new ground-breaking application security tool for serverless environments in AWS Lambda Functions (Java + Python) that detects cloud-native vulnerabilities quickly and accurately while providing actionable remediation guidance.
- CodeSec – SCA: Coming this summer 2022
Time To Test It Out!
1. FINDING SAMPLE PROJECTS
- You may not have access to a source code project, or if you do, your project may not have any vulnerabilities. If so, we've got you covered!
- ‘CodeSec – Scan’ operates on Java, .NET WebForms and plain client-side JavaScript code. Try the following suggestions for projects which are deliberately vulnerable:
- Java: The scan takes place on a built binary (.jar or .war files). Try the official WebGoat releases from https://github.com/WebGoat/WebGoat/releases
- .NET: The scan tool supports WebForms and processes a built .exe file or .zip. Try a build of WebGoat for .NET.
- Client-side JS: The scan tool supports native JavaScript code and processes a .js file or a zipped collection of files in .zip format.
2. INSTALL
- Open a command prompt or terminal, then install with NPM or Homebrew.
- If you already have NPM or Homebrew installed, choose one of the following commands:
- NPM: npm install -g @contrast/contrast
- Homebrew: brew tap contrastsecurity/tap, then brew install contrast
3. AUTHENTICATE
- Once Contrast is installed in your terminal, it’s time to authenticate with your GitHub or Google account by entering the following command:
- contrast auth
- Once this command is entered, a new tab in your browser will open, asking you to connect with either your GitHub or Google Account.
- Once connected your terminal will update and you are now ready to start scanning!
4. START SCANNING
Contrast CodeSec provides the following capabilities once installed into your terminal:
- CodeSec Scan – Use the contrast scan command to run a SAST scan. CodeSec is recognized as the fastest and most accurate Java scanner in the market. Contrast will search for suitable files to scan, or use -f to specify a file. Once a scan is complete, results are categorized by vulnerability type with actionable guidance to help developers understand what the vulnerability is and how to fix it.
- CodeSec Serverless – CodeSec also supports scanning Java and Python Lambda functions. To run a Lambda scan, ensure AWS credentials (AWS_DEFAULT_REGION, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) are configured in your local environment. Then use the contrast lambda command to scan your AWS Lambda functions. Once a scan is complete, results are categorized by vulnerability type with the same actionable guidance.
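Steps 2 through 4 above as one small shell driver, added here as an example and not part of this guide or of Contrast's own tooling. It assumes the contrast CLI is already installed and authenticated with contrast auth as described. The contrast scan -f and contrast lambda invocations, the artifact types (.jar, .war, .exe, .zip, .js) and the three AWS variables are the ones named on the page; the helper functions, the scan/lambda wrapper subcommands and the file names are this example's own.

```shell
#!/bin/sh
# Added example (not Contrast's code): drives the CodeSec evaluator workflow.
# Assumes `contrast` is on PATH and `contrast auth` has already been run.

# Pick the built artifact to scan in a directory. CodeSec scans Java .jar/.war,
# .NET .exe/.zip and JavaScript .js/.zip files; the first match (in that
# priority order) is printed. Returns 1 when nothing scannable is found.
find_scan_target() {
  dir="${1:-.}"
  for ext in jar war exe zip js; do
    for f in "$dir"/*."$ext"; do
      [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
  done
  return 1
}

# Verify that the AWS settings the Lambda scan needs are in the environment.
# Returns 0 when all three are set, 1 otherwise (names the missing ones on stderr).
check_aws_env() {
  missing=""
  for v in AWS_DEFAULT_REGION AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  if [ -n "$missing" ]; then
    echo "missing AWS settings:$missing" >&2
    return 1
  fi
  return 0
}

# Fail early with a clear message if the CLI from step 2 is not installed.
require_contrast() {
  command -v contrast >/dev/null 2>&1 && return 0
  echo "contrast CLI not found; install it with npm or Homebrew first" >&2
  return 1
}

# Run a SAST scan on a built artifact, or on the first artifact in a directory.
run_scan() {
  target="$1"
  if [ -d "$target" ]; then
    target=$(find_scan_target "$target") || {
      echo "no scannable artifact (.jar/.war/.exe/.zip/.js) in $1" >&2
      return 1
    }
  fi
  require_contrast || return 1
  contrast scan -f "$target"
}

# Run the serverless scan only once the AWS environment is complete. Any extra
# arguments are passed through untouched; their syntax is not given in this
# guide, so consult the CLI's own help output for them.
run_lambda_scan() {
  check_aws_env || return 1
  require_contrast || return 1
  contrast lambda "$@"
}

# Usage: sh codesec_scan.sh scan <artifact-or-directory> | lambda [args...]
case "${1:-}" in
  scan)   shift; run_scan "$@" ;;
  lambda) shift; run_lambda_scan "$@" ;;
esac
```

The credential check runs before the CLI is invoked so that a missing AWS variable surfaces as a named local error rather than a failed remote call, and the artifact selection mirrors the file types the guide lists so that a source tree without a built binary is reported instead of silently scanning nothing.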
More Exciting Features are coming to CodeSec this summer!
Register for our upcoming live demo or visit us at RSAC 2022 (Booth #1055 in the Moscone South Expo Hall).
*** This is a Security Bloggers Network syndicated blog from AppSec Observer authored by Orlando Villanueva. Read the original post at: https://www.contrastsecurity.com/security-influencers/codesec-by-contrast-security-evaluator-guide