
chore(contrast): Doc update (#207)

Added additional information on why this is necessary, clarity on both Contrast features (Assess and Protect) and how they work.
cianscott authored and ruxandrafed committed Dec 7, 2018
1 parent a820c23 commit 120105741fb2cb6684e136060d708cc5e4cc5430
Showing with 5 additions and 3 deletions.
  1. +5 −3 development/contrast.md
@@ -4,13 +4,13 @@

Our build pipelines use [npm audit](https://docs.npmjs.com/getting-started/running-a-security-audit) to test for CVEs (common vulnerabilities and exposures). Therefore we are not be able to deploy new builds with known bugs. However, CVEs can occur to existing, deployed production applications as well. We need a dashboard to visualize all of the CVEs in our running applications, so that they can be mitigated as soon as possible.

The web is a dangerous place and our sites face attacks constantly. We must monitor attacks across hundreds of applications, holistically.
The web is a dangerous place and our sites face attacks constantly. We must monitor attacks across hundreds of applications, holistically. In addtion, we need a security methodology that can discover vulnerabilities early without blocking developers or delaying production release due to long security scanning.

## What

Contrast Assess runs build-time dynamic analysis alongside your test suite to check for possible software [vulnerabilities](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project) in your application and its dependencies, while in development and QA environments. This is known as Interactive Application Security Testing (IAST).
Contrast Assess runs static and dynamic analysis alongside your test suite to check for possible software [vulnerabilities](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project) in your application and its dependencies, while in development and QA environments. This is known as Interactive Application Security Testing (IAST). This enables developers to find vulnerabilities early in the development phase and throughout, preventing the need for dynamic security scanning at the end of the project.

Contrast Protect intercepts attacks before they hit production. This is known as Runtime Application Self Protection (RASP).
Contrast Protect intercepts attacks before they hit production. Protect will monitor HTTP requests and responses and block any malicious payload identified. This is known as Runtime Application Self Protection (RASP).

## How

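Review bot: the new "In addtion" sentence has a typo ("addtion" should be "addition"), and the rewritten Assess paragraph now says Assess "runs static and dynamic analysis" while the same sentence still labels it IAST; IAST is instrumentation-based analysis of the running application under test, not static analysis, so the earlier wording ("runs ... analysis alongside your test suite") was closer. Suggest "Contrast Assess instruments the running application alongside your test suite ..." and, for the closing sentence, "reducing the need for a separate dynamic security scan at the end of the project", since the paragraph otherwise reads as both performing and removing dynamic analysis. In the Protect paragraph, "intercepts attacks before they hit production" sits awkwardly next to the new "monitor HTTP requests and responses and block any malicious payload identified", which describes blocking inside the production application; consider "intercepts attacks against the running application" so the two sentences agree.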
@@ -20,6 +20,8 @@ Setup documentation can be found [here](https://github.com/telus/security/blob/m

When your application is running locally, in pre-production or production, you can see your host live in the Contrast Dashboard. Issues can be converted into JIRA tickets, and notifications of attacks or vulnerabilities can be sent to slack.

Contrast Assess will identity vulnerabilities when E2E scripts or QA testing have commenced. Protect can be enabled via the Contrast dashboard.

## Who

@delivery

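Review bot: "identity vulnerabilities" should read "identify vulnerabilities", and the added sentence would benefit from the caveat that Assess only reports on code paths the E2E or QA tests actually exercise, so untested routes are not covered. For "Protect can be enabled via the Contrast dashboard", consider documenting that Protect blocks payloads it identifies (per the What section), so it should be validated in a monitoring-only mode in pre-production before blocking is turned on in production, to avoid rejecting legitimate traffic.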