Secure your Python Flask Application with Contrast Security

This repository is an example of how to install the Contrast Security Agent in a Python Flask application.

The agent runs as part of your Python application code and serves as an all-encompassing static code scanner, SCA tool, IAST agent and runtime self-protection tool. For more information, check out their website and Community Edition.

• Original vulnerable application source code taken from: dolevf/Damn-Vulnerable-GraphQL-Application
• Only changes made are to instrument the application with Contrast Security

---

Instrument a python application with Contrast Security

A step-by-step guide for implementing the Agent in this specific application, instrumentation requirements vary per technology stack. Please refer to the official Contrast Security Documentation for more information.

1. Install the Agent

The agent is installed as a package from PyPi and can be found here. You can either install it manually using the pip command or by adding it to your project's requirements.txt or setup.py configuration.

pip install contrast-agent

2. Provision middleware components

Wrap the Flask application app object with the Contrast Security Agent middleware component.

📑Damn-Vulnerable-GraphQL-Application/app.py#9-13:

...
import contrast
from contrast.flask import ContrastMiddleware       # <-- Import here

app = Flask(__name__, static_folder="static/")
app.wsgi_app = ContrastMiddleware(app)              # <-- Wrap middleware here
...

3. Configure the Contrast Agent

Using the YAML template provided, or by downloading a YAML template from the Contrast web portal, we can configure the agent:

contrast_security.yml:

api:
  url: https://eval.contrastsecurity.com/Contrast
  api_key: XXX
  service_key: XXX
  user_name: XXX@XXX

application:
    name: VulnerableApp-Python-Demo
    code: demo-3

agent:
  service:
    host: localhost
    port: 30555

⚠️ Do not commit API credentials to your GitHub repo!: A template contrast_security.yml.dist file has been provided for your convenience. Copy this file to contrast_security.yml and add your API details. This file is already added to .gitignore - ensure you don't accidentally remove this or add it anyway.

The Dockerfile in this repo adds this file into the build at the default location of /opt/contrast/contrast_security.yaml.

4. Run your application

Now run your application and browse around the pages as you normally would. If everything worked, then when you next go to your Contrast Security dashboard you'll see details for the new application and any security issues that have been detected.

---

Resources used

A list of resources that I found particularly useful when attempting this:

Contrast Documentation

• Contrast Security Docuemntation
  • Agents -> Python agent
    • Install the Python agent with PyPI
    • Configure middleware (Flask)
    • Configure the agent (YAML config)

Further Reading

• https://github.com/Contrast-Security-OSS/vulnpy
• dolevf/Damn-Vulnerable-GraphQL-Application