My app runs slower with the .NET Framework Agent enabled

Issue

After installing the .NET Framework agent, my application now runs more slowly or consumes more memory.

Cause

As you might expect, Contrast's analysis makes your application run a little slower. However, the time difference is usually minimal, and the results are definitely worth it.

It's more important to think about how Contrast affects the round-trip time. In typical applications, Contrast doubles the round-trip time for a request that contains a lot of business logic. Contrast only affects the CPU processing time of your application. Round-trip times for static resources don't get measurably worse in most cases. In many applications, a significant amount of time is spent waiting on databases and accessing remote resources. In requests where the total round-trip time is dominated by database or WebService calls, Contrast's effect is less noticeable.

Resolution

If performance is crucial to your environment, consider the following options.

  • Ensure that the server meets the recommended system requirements and the server has enough free memory before the .NET Framework agent is installed. (Ideally, applications should use less than half of the memory available when the Contrast .NET agent isn't installed.)
  • Only instrument what you need to, by limiting which applications or application pools should be analyzed using allow and deny lists.
  • Run Contrast in sampling mode, and change the sampling frequency to be less frequent. You can set the sampling options on a per-server basis via the Contrast UI or configure them directly at the agent.
  • Limit stack-trace capture for events to SOME or NONE. You can set this directly at the agent.
  • Disable low-value, high-cost analysis by setting the following via the agent configuration to disable the agent's collection of HTTP responses:

    assess:
      enable_scan_response: false

This improves performance by disabling the following list of lower-value, high-cost rules:

| Rule | Rule ID | Severity |
|---|---|---|
| Pages Without Anti-Clickjacking Controls | clickjacking-control-missing | Note |
| Forms Without Autocomplete Prevention | autocomplete-missing | Note |
| Parameter Pollution | parameter-pollution | Note |
| Response Without Content-Security-Policy Header | csp-header-missing | Note |
| Response With Insecurely Configured Content-Security-Policy Header | csp-header-insecure | Note |
| Anti-Caching Controls Missing | cache-controls-missing | Note |
| Response With Insecurely Configured Strict-Transport-Security Header | hsts-header-missing | Note |
| Response Without X-Content-Type-Options Header | xcontenttype-header-missing | Note |
| Response With X-XSS-Protection Disabled | xxssprotection-header-disabled | Note |
| Insecure Authentication Protocol | insecure-auth-protocol | Medium |

  • Disable the stored-xss rule (see agent configuration). This rule can be very slow on pages that execute SQL queries, against SQL Server databases in particular.
  • Run Contrast during nightly integration tests.
  • Run Contrast in an alternate environment (QA system or DEV environment).
  • Run Contrast on a single node in a load-balanced environment.

While the options above should provide the biggest boost to performance, you can try the following steps to tune performance further.

  • Check that the agent's logging level is set to WARN or ERROR.
  • Disable collection and analysis of HTTP response bodies by disabling full-content-analysis:

    assess:
      enable_scan_response: false
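
The agent-side settings from both lists combined into one agent configuration fragment, with the detection coverage each one gives up noted in comments. This is an added example, not part of the original article: only `enable_scan_response` appears in the article, so the file name, the other key names and all values are assumptions to verify against the configuration reference for your agent version.

```yaml
# contrast_security.yaml (added example; key names other than
# enable_scan_response are assumptions, all values are constructed)
agent:
  logger:
    # WARN or ERROR keeps logging overhead low.
    level: WARN

assess:
  # Stop collecting HTTP responses. Trade-off: the response-based rules
  # listed in the article (CSP, HSTS, cache controls, clickjacking, ...)
  # no longer report, so those headers need to be checked another way.
  enable_scan_response: false

  # Capture stack traces for only some events (ALL / SOME / NONE).
  # NONE is cheapest but leaves findings without code locations.
  stacktraces: SOME

  sampling:
    enable: true
    # Analyze the first `baseline` requests to each URL in full ...
    baseline: 5
    # ... then analyze only every Nth request to that URL ...
    request_frequency: 25
    # ... until the window (in milliseconds) expires and the cycle restarts.
    window_ms: 300000

  rules:
    # Comma-separated rule IDs to turn off. Trade-off: with stored-xss
    # disabled, stored XSS is no longer reported by the agent.
    disabled_rules: stored-xss
```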
