Issue
After installing the .NET Framework agent, my application now runs more slowly or consumes more memory.
Cause
As you might expect, Contrast's analysis makes your application run a little slower. However, the time difference is usually minimal, and the results are definitely worth it.
It's more important to think about how Contrast affects the round-trip time. In typical applications, Contrast doubles the round-trip time for a request that contains a lot of business logic. Contrast only affects the CPU processing time of your application. Round-trip times for static resources don't get measurably worse in most cases. In many applications, a significant amount of time is spent waiting on databases and accessing remote resources. In requests where the total round-trip time is dominated by database or WebService calls, Contrast's effect is less noticeable.
Resolution
If performance is crucial to your environment, consider the following options.
- Ensure that the server meets the recommended system requirements and the server has enough free memory before the .NET Framework agent is installed. (Ideally, applications should use less than half of the memory available when the Contrast .NET agent isn't installed.)
- Only instrument what you need to, by limiting which applications or application pools should be analyzed using allow and deny lists.
- Run Contrast in sampling mode and reduce the sampling frequency. You can set the sampling options per server in the Contrast UI or configure them directly at the agent.
- Limit stack-trace capture for events to SOME or NONE. You can set this directly at the agent.
- Disable low-value, high-cost analysis by setting:
  assess:
    enable_scan_response: false
  via the agent configuration to disable the agent's collection of HTTP responses. This improves performance by disabling the following list of lower-value, high-cost rules:
Rule | Severity |
Pages Without Anti-Clickjacking Controls (clickjacking-control-missing) | Note |
Forms Without Autocomplete Prevention (autocomplete-missing) | Note |
Parameter Pollution (parameter-pollution) | Note |
Response Without Content-Security-Policy Header (csp-header-missing) | Note |
Response With Insecurely Configured Content-Security-Policy Header (csp-header-insecure) | Note |
Anti-Caching Controls Missing (cache-controls-missing) | Note |
Response With Insecurely Configured Strict-Transport-Security Header (hsts-header-missing) | Note |
Response Without X-Content-Type-Options Header (xcontenttype-header-missing) | Note |
Response With X-XSS-Protection Disabled (xxssprotection-header-disabled) | Note |
Insecure Authentication Protocol (insecure-auth-protocol) | Medium |
- Disable the stored-xss rule (see agent configuration). This rule can be very slow on pages that execute SQL queries against SQL Server databases in particular.
- Run Contrast during nightly integration tests.
- Run Contrast in an alternate environment (QA system or DEV environment).
- Run Contrast on a single node in a load-balanced environment.
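With enable_scan_response set to false, the response-header rules in the table above are no longer evaluated by the agent. The following added example (not Contrast code) is a Python check that approximates six of those rules so they can still be asserted in integration tests; the function name, the sample header sets and the simplified detection logic are assumptions.

```python
# Added example: approximates header rules from the table above.
# Detection logic is a simplified assumption, not Contrast's implementation.

def missing_header_findings(headers):
    """Return the table's rule IDs that this set of response headers would trip."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("csp-header-missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("csp-header-insecure")

    # Framing control: X-Frame-Options or a CSP frame-ancestors directive.
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("clickjacking-control-missing")

    # HSTS must be present with a positive max-age to count as configured.
    max_age = 0
    for part in h.get("strict-transport-security", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() == "max-age" and value.strip('"').isdigit():
            max_age = int(value.strip('"'))
    if max_age == 0:
        findings.append("hsts-header-missing")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("xcontenttype-header-missing")

    cache = h.get("cache-control", "").lower()
    if "no-store" not in cache and "no-cache" not in cache:
        findings.append("cache-controls-missing")

    if h.get("x-xss-protection", "").startswith("0"):
        findings.append("xxssprotection-header-disabled")
    return findings

# Constructed sample header sets (not captured from a real application).
BARE = {"Content-Type": "text/html", "X-XSS-Protection": "0"}
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
}

if __name__ == "__main__":
    print(missing_header_findings(BARE))
    print(missing_header_findings(HARDENED))
```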
While the options above should provide the biggest boost to performance, you can try the following steps to tune performance further.
- Check that the agent's logging level is set to WARN or ERROR.
- Disable collection and analysis of HTTP response bodies by disabling full-content-analysis:
  assess:
    enable_scan_response: false