Contrast Configuration Summary

Introduction to Contrast

Contrast Security is the provider of accurate, continuous, real-time application security for your entire application portfolio.
Contrast works within each application to make it secure during the entire development lifecycle with two products: Assess and Protect.

The Contrast agent begins securing your code by adding sensors to the entire software stack of your applications - from runtime to custom code - to directly measure vulnerabilities and attacks. Contrast Assess continuously monitors all your code, including your libraries, for known and unknown vulnerabilities, and produces accurate results without dependence on application security experts. The agent's accuracy is thanks to Contrast's patented Deep Security Instrumentation technology, which integrates the most effective elements of Interactive (IAST), Static (SAST) and Dynamic (DAST) application security testing technology; software composition analysis (SCA); and configuration analysis.

Contrast Protect blocks both automated and advanced threats attacking web applications and APIs, and provides valuable and timely application-layer threat intelligence across the entire application portfolio. Once instrumented with Protect, applications immediately self-report information about an attack, including the attacker, method of attack, applications affected, frequency, volume and level of compromise. Protect also provides specific guidance to engineering teams about where applications were attacked and how threats can be remediated.

The project runs in a Docker container; the Contrast configuration steps are:

  1. Build the project as a WAR package.
  2. Add the project configuration and the Contrast agent to the Dockerfile, for example:
        FROM xx/ooo/liberty-base:latest
        COPY --chown=1001:0  GradleSample.war /config/dropins/
        COPY contrast.jar /opt/ibm/wlp/usr/servers/defaultServer/resources/contrast/
        COPY server.xml /opt/ibm/wlp/usr/servers/defaultServer/server.xml
        COPY jvm.options /opt/ibm/wlp/usr/servers/defaultServer/jvm.options
        USER root
        EXPOSE 9080 9443
        ENTRYPOINT ["/opt/ibm/helpers/runtime/docker-server.sh"]
        CMD ["/opt/ibm/wlp/bin/server", "run", "defaultServer"]
  3. Configure the agent in jvm.options, for example:
        -javaagent:/opt/ibm/wlp/usr/servers/defaultServer/resources/contrast/contrast.jar
        -Dapplication.group=xx
        -Dcontrast.override.appname=xxx
        -Dcontrast.server=xxx
        -Dcontrast.env=Development
        -Dcontrast.config.path=${yourpath}/contrast.yml

Note: IBMers using the Contrast service purchased by IBM must add the group shown above. If you are not sure which group your project belongs to, refer to the group information from when you applied for your Contrast account, or ask your team manager for help.

  4. The contrast.yml settings are as follows (the ones below are required; the snippet supplies them as Dockerfile ENV variables, where each CONTRAST__API__* name is the environment-variable form of the corresponding api.* key in contrast.yml; for other, optional settings refer to the documentation and add them as needed):
        ENV CONTRAST__API__URL https://ce.contrastsecurity.com/Contrast/
        ENV CONTRAST__API__API_KEY Y6Xv6205656565656WteLOAyiRluTWIAf
        ENV CONTRAST__API__USER_NAME agent_9871-c274-4f95-a82d-ef0987c6599@MingsOrg
        ENV CONTRAST__API__SERVICE_KEY YT1G123456L28YWQ
  5. The Contrast keys and API URL above are obtained from the user's Organization Settings page in the Contrast UI.
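The following is an added example and not code from the post or from Contrast: a POSIX shell script that checks the Dockerfile and jvm.options described in the steps above before the image is built. It verifies that the jar named by -javaagent is actually copied into the image, that application.group is set, and that the API key and service key are not baked into the image with ENV (ENV values persist in image layers and are visible through "docker history" and "docker inspect"). The sample Dockerfiles and jvm.options are constructed for this example (the paths mirror the post's layout, the key values are placeholders) and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): pre-build sanity checks for the
# Dockerfile and jvm.options used to deploy the Contrast agent.
# All files, paths and values below are constructed for this example.

SAMPLE_DIR=$(mktemp -d)

# Constructed jvm.options, mirroring the shape shown in the post.
cat > "$SAMPLE_DIR/jvm.options" <<'EOF'
-javaagent:/opt/ibm/wlp/usr/servers/defaultServer/resources/contrast/contrast.jar
-Dapplication.group=example-group
-Dcontrast.override.appname=example-app
-Dcontrast.env=Development
EOF

# Constructed "bad" Dockerfile: the API key and service key are baked into
# image layers as ENV values (placeholder strings, not real keys).
cat > "$SAMPLE_DIR/Dockerfile.bad" <<'EOF'
FROM example/liberty-base:latest
COPY --chown=1001:0 GradleSample.war /config/dropins/
COPY contrast.jar /opt/ibm/wlp/usr/servers/defaultServer/resources/contrast/
COPY jvm.options /opt/ibm/wlp/usr/servers/defaultServer/jvm.options
ENV CONTRAST__API__URL https://ce.contrastsecurity.com/Contrast/
ENV CONTRAST__API__API_KEY example-literal-api-key-not-real
ENV CONTRAST__API__SERVICE_KEY example-literal-service-key-not-real
EOF

# Constructed "good" Dockerfile: only the non-secret URL is set at build time;
# the keys are expected to arrive at run time (see the usage note).
cat > "$SAMPLE_DIR/Dockerfile.good" <<'EOF'
FROM example/liberty-base:latest
COPY --chown=1001:0 GradleSample.war /config/dropins/
COPY contrast.jar /opt/ibm/wlp/usr/servers/defaultServer/resources/contrast/
COPY jvm.options /opt/ibm/wlp/usr/servers/defaultServer/jvm.options
ENV CONTRAST__API__URL https://ce.contrastsecurity.com/Contrast/
EOF

# agent_jar_copied DOCKERFILE JVM_OPTIONS
# Succeeds when the jar named by -javaagent in jvm.options is the destination
# (as a file or as its directory) of some COPY instruction in the Dockerfile.
agent_jar_copied() {
  jar=$(sed -n 's/^-javaagent:\([^[:space:]]*\).*/\1/p' "$2" | head -n 1)
  [ -n "$jar" ] || return 1
  awk -v jar="$jar" -v dir="$(dirname "$jar")" '
    $1 == "COPY" { dest = $NF; if (dest == jar || dest == dir || dest == (dir "/")) found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# no_baked_secrets DOCKERFILE
# Succeeds when no ENV instruction sets the Contrast API key or service key.
# Matches both "ENV KEY value" and "ENV KEY=value" forms.
no_baked_secrets() {
  ! grep -Eq '^[[:space:]]*ENV[[:space:]]+CONTRAST__API__(API_KEY|SERVICE_KEY)([[:space:]]|=)' "$1"
}

# group_set JVM_OPTIONS
# Succeeds when -Dapplication.group has a non-empty value (required per the post).
group_set() {
  grep -Eq '^-Dapplication\.group=[^[:space:]]+' "$1"
}

# report CHECK ARGS... : runs one check and prints PASS/FAIL with its name.
report() {
  if "$@"; then echo "PASS $1"; else echo "FAIL $1"; return 1; fi
}

# check_build DOCKERFILE JVM_OPTIONS
# Runs every check and returns non-zero if any of them failed.
check_build() {
  rc=0
  report agent_jar_copied "$1" "$2" || rc=1
  report no_baked_secrets "$1"      || rc=1
  report group_set "$2"             || rc=1
  return $rc
}

echo "== Dockerfile.bad"
check_build "$SAMPLE_DIR/Dockerfile.bad" "$SAMPLE_DIR/jvm.options" || echo "rejected"
echo "== Dockerfile.good"
check_build "$SAMPLE_DIR/Dockerfile.good" "$SAMPLE_DIR/jvm.options" && echo "accepted"
```

With the "good" Dockerfile the keys are supplied when the container starts, for example with `docker run -e CONTRAST__API__API_KEY=... -e CONTRAST__API__SERVICE_KEY=...` or a secret mechanism of the orchestrator, so the image itself carries nothing that would let another tenant report into your Contrast organization.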

Running the project and viewing the Contrast results

After the configuration above is complete, build the image from the Dockerfile and run it. Finally, check the security status of the running project in the Contrast UI, as shown in the figure below:


[Figure: Contrast UI]