Agent installation guide
Overview
This guide offers examples for using Contrast Security’s .NET Framework or Core agents with Azure App Services. We encourage you to take this guide, make it your own, and distribute it to teams who need to instrument applications this way.
The main portion of the guide details the most popular methods customers use to instrument .NET Framework or Core applications with Azure App Services to see security data in Contrast.
Main steps
- Add the Contrast .NET Core or Framework Agent Site Extension
- Add Configuration options
- Instrument your application
Supported technologies
Before you begin, please be sure Contrast supports your preferred tools and environments for .NET Framework or Core agents:
Supported technologies for .NET Framework
Supported technologies for .NET Core
This guide assumes you have:
- Some familiarity with DevOps practices and how Azure Portal works
- Some familiarity with Azure App Service
- The information and access you need to connect Contrast .NET agents to the Contrast dashboard:
  - Install the .NET Framework agent
  - Install the .NET Core agent
Known issues
Only Azure Portal (web UI), Policy, and REST API natively support site extensions. This guide is limited to examples of how to instrument your applications that can be automated.
Instructions
1. Add the Contrast .NET Core or Framework Agent Site Extension
To add the Contrast Agent as a Site Extension via the Azure Portal:
- Navigate to the App Service in the Azure portal
- Open the “Extensions” blade for the App Service
- Search for and choose the .NET Framework or .NET Core Contrast extension, depending on which type of application you want to instrument
- Accept the licensing terms
- Click OK to add the agent as a Site Extension
To add the Contrast .NET Framework Site Extension to an App Service named "myAppService" in Resource Group "myResourceGroup" using the Azure CLI:
az resource create --resource-group 'myResourceGroup' --resource-type Microsoft.Web/sites/siteextensions --name myAppService/siteextensions/Contrast.NET.Azure.SiteExtension --properties "{}"
or as follows for the Contrast .NET Core Site Extension:
az resource create --resource-group 'myResourceGroup' --resource-type Microsoft.Web/sites/siteextensions --name myAppService/siteextensions/Contrast.NetCore.Azure.SiteExtension --properties "{}"
Once the extension is added, the portal will immediately display a list of the installed agents similar to the following:
2. Add Configuration options
At a minimum, the following Application Settings are required to allow the Contrast Agent to communicate activity to the Contrast UI:
CONTRAST__API__URL=https://app.contrastsecurity.com/Contrast
To add the Application Settings to an App Service via the Azure Portal:
- Navigate to the App Service in the Azure portal
- Open the “Configurations” blade
- Add App Settings indicated above as name/value pairs.
To add the Application Settings to an App Service named "myAppService" in Resource Group "myResourceGroup" using the Azure CLI:
az webapp config appsettings set --resource-group 'myResourceGroup' --name 'myAppService' --settings CONTRAST__API__URL=https://app.contrastsecurity.com CONTRAST__API__API_KEY={Your API KEY} CONTRAST__API__SERVICE_KEY={Your Service key} CONTRAST__API__USER_NAME={Your agent user}
You can get API values (agent keys) from the Contrast UI or by downloading a YAML file for the .NET Core or Framework agent. For more, see Contrast documentation: Find the agent keys
The API_KEY, SERVICE_KEY and USER_NAME should be considered sensitive data and handled accordingly.
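Because these values are sensitive, a post-deployment check should confirm that the settings exist without echoing their values. The following is an added example, not part of the original guide or Contrast's tooling: the function name is hypothetical, and the commented `az` call assumes an authenticated Azure CLI session and the same app and resource group names used above.

```shell
#!/bin/sh
# Added example: confirm the four Contrast settings exist on the App Service
# without ever printing their values.
REQUIRED_SETTINGS="CONTRAST__API__URL CONTRAST__API__API_KEY CONTRAST__API__SERVICE_KEY CONTRAST__API__USER_NAME"

# Reads App Setting names (one per line) on stdin and prints every required
# name that is absent. Returns 0 when all four are present, 1 otherwise.
missing_contrast_settings() {
    names=$(cat)
    missing=""
    for required in $REQUIRED_SETTINGS; do
        # -x: whole-line match, -F: literal string, so a look-alike such as
        # CONTRAST__API__URL_OLD does not satisfy the check.
        if ! printf '%s\n' "$names" | grep -qxF "$required"; then
            missing="$missing $required"
        fi
    done
    [ -z "$missing" ] && return 0
    # Unquoted on purpose: word splitting prints one missing name per line.
    printf '%s\n' $missing
    return 1
}

# Live usage: the JMESPath query selects only the names, so the key values
# never reach the terminal, CI log or shell history.
# az webapp config appsettings list --resource-group 'myResourceGroup' \
#     --name 'myAppService' --query "[].name" --output tsv | missing_contrast_settings
```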
3. Instrument your application
You can now run the application with Contrast enabled. It will automatically instrument any application that is running inside of the App Service, and you should begin to see data in Contrast.
You can also verify that Contrast is running by checking the logs. To do so:
- Navigate to “Advanced Tools” for the app service in the Azure portal
- Select Go.
- In the resulting “Kudu Services” window, click on the “Debug console” menu at the top and choose “CMD”.
- Select the LogFiles directory.
- Select the Contrast directory.
- Select the “dotnet” directory or the “dotnet-core” directory
- You will see an agent log named <PID>_Sensors_ROOT_<NNN>.log
- Select the pencil icon for the most recent log to view its contents.
- You will see contents similar to the following:
2023-11-14 20:47:13.7303 INFO 8096:3 NLogManager Replaying buffered logs (0 events were discarded)...
..
..
2023-11-14 20:47:04.9210 INFO 8096:3 ServerStartReporter Reporting server 'PerformanceTest - East US' startup to Contrast.
2023-11-14 20:47:05.0277 INFO 8096:3 ServerRequest Sending server startup with environment = , version = 51.0.15.0, tags =
2023-11-14 20:47:06.7157 INFO 8096:9 ServerRequest Received Server Config from Contrast for PerformanceTest - East US - 'Azure Web App'
2023-11-14 20:47:06.9673 INFO 8096:9 ServerStartReporter Received server configuration from Contrast. Server 'PerformanceTest - East US'. Assess: True, Protect: False, Protect RulesVersion: 2.0.0.336, LogLevel: ERROR
2023-11-14 20:47:07.0456 INFO 8096:9 ServerStartReporter Assess mode resolves to enable: 'True'
2023-11-14 20:47:07.0456 INFO 8096:9 ServerStartReporter Protect mode resolves to enable: 'False'
2023-11-14 20:47:07.0456 ALWAYS 8096:3 SensorsInitializer Reporting application with name:'WebGoat.NET', group:'', code:'', tags:'app tag', metadata:'', sessionId:'', sessionMetadata:'buildNumber=Build1April18'
2023-11-14 20:47:07.0576 INFO 8096:3 ApplicationStartReporter Reporting application 'WebGoat.NET' startup to Contrast.
2023-11-14 20:47:07.3552 INFO 8096:8 AppCreateResponseProcessor Handled application creation response. Current session for 'WebGoat.NET' is 9ceb1fbd696cdcc7128b379b1b889476. Application status is now ShouldBeAnalyzed.
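The manual log check above can be scripted against a copy of the agent log downloaded from Kudu. The following is an added example, not part of the original guide or Contrast's tooling: the function names are hypothetical, and the message strings it matches are taken from the excerpt above, so it assumes the agent keeps that wording.

```shell
#!/bin/sh
# Added example: summarise a downloaded Contrast agent log.
# Prints "assess=<v> protect=<v> app=<name>" and returns 0 only when the agent
# received its server configuration and reported an application startup.
contrast_agent_status() {
    log=$1
    # Without this line the agent never got a configuration back from Contrast.
    grep -q 'ServerStartReporter Received server configuration from Contrast' "$log" || return 1
    # Take the last match so a restart logged later in the same file wins.
    assess=$(sed -n "s/.*Assess mode resolves to enable: '\([A-Za-z]*\)'.*/\1/p" "$log" | tail -n 1)
    protect=$(sed -n "s/.*Protect mode resolves to enable: '\([A-Za-z]*\)'.*/\1/p" "$log" | tail -n 1)
    app=$(sed -n "s/.*ApplicationStartReporter Reporting application '\([^']*\)' startup to Contrast.*/\1/p" "$log" | tail -n 1)
    # Configuration arrived but no application registered: still not instrumented.
    [ -n "$app" ] || return 1
    printf 'assess=%s protect=%s app=%s\n' "$assess" "$protect" "$app"
}

# Sample input: four lines copied from the log excerpt in this guide.
write_sample_log() {
    cat > "$1" <<'EOF'
2023-11-14 20:47:06.9673 INFO 8096:9 ServerStartReporter Received server configuration from Contrast. Server 'PerformanceTest - East US'. Assess: True, Protect: False, Protect RulesVersion: 2.0.0.336, LogLevel: ERROR
2023-11-14 20:47:07.0456 INFO 8096:9 ServerStartReporter Assess mode resolves to enable: 'True'
2023-11-14 20:47:07.0456 INFO 8096:9 ServerStartReporter Protect mode resolves to enable: 'False'
2023-11-14 20:47:07.0576 INFO 8096:3 ApplicationStartReporter Reporting application 'WebGoat.NET' startup to Contrast.
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
contrast_agent_status "$sample"
rm -f "$sample"
```

A non-zero exit status means the log never shows the configuration round trip or an application registration, which usually points back to the Application Settings in step 2.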