Contrast Security Assess vs Snyk comparison

Read 43 Snyk reviews

14,638 Views
10,485 Comparison Views

100% willing to recommend

Contrast Security Assess

Comparison Buyer's Guide

Download the report

Executive SummaryUpdated on Oct 8, 2024

Contrast Security Assess and Snyk are leading tools in the security space. Users find the pricing and support of Contrast Security Assess to be more favorable, while Snyk attracts with its richer features despite a higher cost.

Features: Contrast Security Assess offers comprehensive vulnerability analysis, robust integration capabilities, and easy deployment. Snyk provides open-source scanning, real-time monitoring, and broader support for multiple languages and platforms.

Room for Improvement: Contrast Security Assess could improve integration with newer technologies, enhance its documentation, and broaden language support. Snyk users desire better reporting capabilities, faster scanning processes, and more performance optimizations.

Ease of Deployment and Customer Service: Contrast Security Assess features a straightforward deployment model and supportive customer service. Snyk offers a simple deployment with rapid customer support response times, including swifter resolution times, which users find essential.

Pricing and ROI: Contrast Security Assess has a competitive setup cost and favorable ROI due to efficient integration capabilities. Snyk, despite a steeper initial cost, holds higher long-term value through a comprehensive feature set, though the initial investment remains a user consideration.

To learn more, read our detailed Contrast Security Assess vs. Snyk Report (Updated: October 2024).

Contrast Security Assess vs. Snyk

October 2024

Download the complete report

Helped 814,649 peers since 2012

Categories and Ranking

Contrast Security Assess

Ranking in Application Security Tools

29th

Average Rating

8.8

Number of Reviews

Ranking in other categories

Static Application Security Testing (SAST) (24th)

Snyk

Ranking in Application Security Tools

4th

Average Rating

8.2

Reviews Sentiment

7.3

Number of Reviews

Ranking in other categories

Container Security (7th), Software Composition Analysis (SCA) (3rd), Software Development Analytics (2nd), DevSecOps (1st)

Mindshare comparison

As of November 2024, in the Application Security Tools category, the mindshare of Contrast Security Assess is 0.5%, down from 0.5% compared to the previous year. The mindshare of Snyk is 7.6%, down from 8.5% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Application Security Tools

Featured Reviews

Mustufa Bhavnagarwala

CyberRisk Solution Advisor at Deloitte

Nov 27, 2023

A stable solution that provides lots of details on web-based vulnerabilities and source code reviews

Contrast Security Assess has a really good UI and gives the details in more depth. It gives more information about web application vulnerabilities. If third-party libraries, JS files, and JAR files have any CVEs in them, the solution reports that and gives a grade from A to E. It gives good…

Read full review

Jayashree Acharyya

Director at PepsiCo

Mar 4, 2024

Used for image scanning and identifying vulnerabilities, but its integration with other services could be improved

The solution has improved or streamlined our process a lot for securing container images. We wanted to make sure we are deploying the secure Docker images. Snyk allowed us to check whether it is following our standard of docker images or not. We use Azure DevOps as our platform, and Snyk's integration with Azure DevOps was okay. However, Snyk's integration with JFrog Artifactory didn't go well. We use JFrog Artifactory to store the artifacts we download. We wanted to integrate Snyk with JFrog Artifactory to scan the binary artifacts we downloaded, but that broke our JFrog Artifactory for some reason. Instead of using it there, we are calling it directly from the pipeline. Snyk's automation features significantly reduced remediation times a couple of times. Sometimes, our developers scan the code from the environment and find some Java vulnerabilities. We fixed those vulnerabilities in the lower environment itself. The solution does not require any maintenance. The accuracy of Snyk's vulnerability detection is pretty good compared to other tools. I rate the solution's vulnerability detection feature an eight out of ten. I would recommend Snyk to other users because it is easy to implement and integrate with Azure DevOps and GitHub. Overall, I rate the solution a seven out of ten.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"By far, the thing that was able to provide value was the immediate response while testing ahead of release, in real-time."

"No other tool does the runtime scanning like Contrast does. Other static analysis tools do static scanning, but Contrast is runtime analysis, when the routes are exercised. That's when the scan happens. This is a tool that has a very unique capability compared to other tools. That's what I like most about Contrast, that it's runtime."

"We use the Contrast OSS feature that allows us to look at third-party, open-source software libraries, because it has a cool interface where you can look at all the different libraries. It has some really cool additional features where it gives us how many instances in which something has been used... It tells us it has been used 10 times out of 20 workloads, for example. Then we know for sure that OSS is being used."

"This has changed the way that developers are looking at usage of third-party libraries, upfront. It's changing our model of development and our culture of development to ensure that there is more thought being put into the usage of third-party libraries."

"The solution is very accurate in identifying vulnerabilities. In cases where we are performing application assessment using Contrast Assess, and also using legacy application security testing tools, Contrast successfully identifies the same vulnerabilities that the other tools have identified but it also identifies significantly more. In addition, it has visibility into application components that other testing methodologies are unaware of."

"The accuracy of the solution in identifying vulnerabilities is better than any other product we've used, far and away. In our internal comparisons among different tools, Contrast consistently finds more impactful vulnerabilities, and also identifies vulnerabilities that are nearly guaranteed to be there, meaning that the chance of false positives is very low."

"When we access the application, it continuously monitors and detects vulnerabilities."

"I am impressed with the product's identification of alerts and vulnerabilities."

More Contrast Security Assess pros

"Snyk has given us really good results because it is fully automated. We don't have to scan projects every time to find vulnerabilities, as it already stores the dependencies that we are using. It monitors 24/7 to find out if there are any issues that have been reported out on the Internet."

"Snyk is a good and scalable tool."

"Snyk helps me pinpoint security errors in my code."

"The CLI feature is quite useful because it gives us a lot of flexibility in what we want to do. If you use the UI, all the information is there and you can see what Snyk is showing you, but there is nothing else that you can change. However, when you use the CLI, then you can use commands and can get the output or response back from Snyk. You can also take advantage of that output in a different way. For the same reason, we have been using the CLI for the hard gate in the pipeline: Obtain a particular CDSS score for vulnerability. Based on that information, we can then decide if we want to block or allow the build. We have more flexibility if we use the CLI."

"The most valuable feature of Snyk is the SBOM."

"Static code analysis is one of the best features of the solution."

"I think all the standard features are quite useful when it comes to software component scanning, but I also like the new features they're coming out with, such as container scanning, secrets scanning, and static analysis with SAST."

"Provides clear information and is easy to follow with good feedback regarding code practices."

More Snyk pros

Cons

"Regarding the solution's OSS feature, the one drawback that we do have is that it does not have client-side support. We'll be missing identification of libraries like jQuery or JavaScript, and such, that are client-side."

"Contrast Security Assess covers a wide range of applications like .NET Framework, Java, PSP, Node.js, etc. But there are some like Ubuntu and the .NET Core which are not covered. They have it in their roadmap to have these agents. If they have that, we will have complete coverage."

"The setup of the solution is different for each application. That's the one thing that has been a challenge for us. The deployment itself is simple, but it's tough to automate because each application is different, so each installation process for Contrast is different."

"Personalization of the board and how to make it appealing to an organization is something that could be done on their end. The reports could be adaptable to the customer's preferences."

"The solution should provide more details in the section where it shows that third-party libraries have CVEs or some vulnerabilities."

"I would like to see them come up with more scanning rules."

"To instrument an agent, it has to be running on a type of application technology that the agent recognizes and understands. It's excellent when it works. If we're using an application that is using an unsupported technology, then we can't instrument it at all. We do use PHP and Contrast presently doesn't support that, although it's on their roadmap. My primary hurdle is that it doesn't support all of the technologies that we use."

"The solution needs to improve flexibility...The scalability of the product is a problem in the solution, especially from a commercial perspective."

More Contrast Security Assess cons

"The feature for automatic fixing of security breaches could be improved."

"I think Snyk should add more of a vulnerability protection feature in the tool since it is an area where it lacks."

"DAST has shortcomings, and Snyk needs to improve and overcome such shortcomings."

"We use Bamboo for CI.CD, and we had problems integrating Snyk with it. Ultimately, we got the two solutions to work together, but it was difficult."

"All such tools should definitely improve the signatures in their database. Snyk is pretty new to the industry. They have a pretty good knowledge base, but Veracode is on top because Veracode has been in this business for a pretty long time. They do have a pretty large database of all the findings, and the way that the correlation engine works is superb. Snyk is also pretty good, but it is not as good as Veracode in terms of maintaining a large space of all the historical data of vulnerabilities."

"We had some issues integrating into our pipeline, however, they were resolved."

"There is always more work to do around managing the volume of information when you've got thousands of vulnerabilities. Trying to get those down to zero is virtually impossible, either through ignoring them all or through fixing them. That filtering or information management is always going to be something that can be improved."

"It lists projects. So, if you have a number of microservices in an enterprise, then you could have pages of findings. Developers will then spend zero time going through the pages of reports to figure out, "Is there something I need to fix?" While it may make sense to list all the projects and issues in these very long lists for completeness, Snyk could do a better job of bubbling up and grouping items, e.g., a higher level dashboard that draws attention to things that are new, the highest priority things, or things trending in the wrong direction. That would make it a lot easier. They don't quite have that yet in container security."

More Snyk cons

Pricing and Cost Advice

"The product's pricing is low. I would rate it a two out of ten."

"The solution is expensive."

"It's a tiered licensing model. The more you buy, as you cross certain quantity thresholds, the pricing changes. If you have a smaller environment, your licensing costs are going to be different than a larger environment... The licensing is primarily per application. An application can be as many agents as you need. If you've got 10 development servers and 20 production servers and 50 QA servers, all of those agents can be reporting as a single application that utilizes one license."

"For what it offers, it's a very reasonable cost. The way that it is priced is extremely straightforward. It works on the number of applications that you use, and you license a server. It is something that is extremely fair, because it doesn't take into consideration the number of requests, etc. It is only priced based on the number of onboarded applications. It suits our model as well, because we have huge traffic. Our number of applications is not that large, so the pricing works great for us."

"The good news is that the agent itself comes in two different forms: the unlicensed form and the licensed form. Unlicensed gives use of that software composition analysis for free. Thereafter, if you apply a license to that same agent, that's when the instrumentation takes hold. So one of my suggestions is to do what we're doing: Deploy the agent to as many applications as possible, with just the SCA feature turned on with no license applied, and then you can be more choosy and pick which teams will get the license applied."

"You only get one license for an application. Ours are very big, monolithic applications with millions of lines of code. We were able to apply one license to one monolithic application, which is great. We are happy with the licensing. Pricing-wise, they are industry-standard, which is fine."

"I like the per-application licensing model... We just license the app and we look at different vulnerabilities on that app and we remediate within the app. It's simpler."

"The solution is less expensive than Black Duck."

"Presently, my company uses an open-source version of the solution. The solution's pricing can be considered quite reasonable owing to the features they offer."

"Cost-wise, it's similar to Veracode, but I don't know the exact cost."

"I would rate the pricing of Snyk at two. I'm currently using the free version, which the company offers before buying the full version. So, the price is affordable, especially for an enterprise."

"It's good value. That's the primary thing. It's not cheap-cheap, but it's good value."

"It is pretty expensive. It is not a cheap product."

"For what Snyk offers, it has the best cost-benefit I have ever seen because you're buying the license per user."

"Snyk is a premium-priced product, so it's kind of expensive. The big con that I find frustrating is when a company charges extra for single sign-on (SSO) into their SaaS app. Snyk is one of the few that I'm willing to pay that add-on charge, but generally I disqualify products that charge an extra fee to do integrated authentication to our identity provider, like Okta or some other SSO. That is a big negative. We had to pay extra for that. That little annoyance aside, it is expensive. You get a lot out of it, but you're paying for that premium."

More Snyk pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.

See recommendations

814,649 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Financial Services Firm

18%

Manufacturing Company

11%

Computer Software Company

11%

Insurance Company

Financial Services Firm

15%

Computer Software Company

15%

Manufacturing Company

Insurance Company

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

Questions from the Community

What do you like most about Contrast Security Assess?

When we access the application, it continuously monitors and detects vulnerabilities.

What is your experience regarding pricing and costs for Contrast Security Assess?

The product's pricing is low. I would rate it a two out of ten.

What needs improvement with Contrast Security Assess?

Technical support for the solution should be faster. We have to further analyze what kind of CVEs are in the reported libraries and what part of the code is affected. That analysis can be added to ...

How does Snyk compare with SonarQube?

Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to find any issues reported on the internet. It will store dependencies that you a...

What do you like most about Snyk?

The most effective feature in securing project dependencies stems from its ability to highlight security vulnerabilities.

What needs improvement with Snyk?

I'm not responsible for the tool. As far as I know, there are no major concerns or features that we lack. We had some issues integrating into our pipeline, however, they were resolved.

Seeker vs Contrast Security Assess

Comparisons

Compared 20% of the time

Veracode vs Contrast Security Assess

Compared 18% of the time

OWASP Zap vs Contrast Security Assess

Compared 13% of the time

SonarQube Server (formerly SonarQube) vs Contrast Security Assess

Compared 9% of the time

Mend.io vs Contrast Security Assess

Compared 8% of the time

More Contrast Security Assess Competitors

GitHub Advanced Security vs Snyk

Compared 13% of the time

SonarQube Server (formerly SonarQube) vs Snyk

Compared 12% of the time

Black Duck vs Snyk

Compared 11% of the time

Wiz vs Snyk

Compared 6% of the time

Fortify Static Code Analyzer vs Snyk

Compared 6% of the time

More Snyk Competitors

Product Reports

Download Contrast Security Assess product report

Contrast Security Assess

November 2024

Download Snyk product report

October 2024

Also Known As

Contrast Assess

No data available

Learn More

Contrast Security

Overview

Contrast Security is the world’s leading provider of security technology that enables software applications to protect themselves against cyberattacks, heralding the new era of self-protecting software. Contrast's patented deep security instrumentation is the breakthrough technology that enables highly accurate assessment and always-on protection of an entire application portfolio, without disruptive scanning or expensive security experts. Only Contrast has sensors that work actively inside applications to uncover vulnerabilities, prevent data breaches, and secure the entire enterprise from development, to operations, to production.

Snyk is a user-friendly security solution that enables users to safely develop and use open source code. Users can create automatic scans that allow them to keep a close eye on their code and prevent bad actors from exploiting vulnerabilities. This enables users to find and remove vulnerabilities soon after they appear.

Benefits of Snyk

Some of the benefits of using Snyk include:

Conserves resources: Snyk easily integrates with other security solutions and uses their security features to ensure that the work that users are doing is completely secure. These integrations allow them to protect themselves without pulling resources from their continued integration or continued delivery workflows. Resources can be conserved for areas of the greatest need.

Highly flexible: Snyk enables users to customize the system’s security automation features to meet their needs. Users can guarantee that the automation performs the functions that are most essential for their current project. Additionally, users are able to maintain platform governance consistency across their system.

Keeps users ahead of emerging threats. Snyk employs a database of threats that help it detect and keep track of potential issues. This database is constantly being updated to reflect the changes that take place in the realm of cybersecurity. It also uses machine learning. Users are prepared to deal with new issues as they arise.

Automatically scans projects for threats. Snyk’s command-line interface enables users to schedule the solution to run automatic scans of their projects. Time and manpower can be conserved for the areas of greatest need without sacrificing security.

Reviews from Real Users

Snyk is a security platform for developers that stands out among its competitors for a number of reasons. Two major ones are its ability to integrate with other security solutions and important insights that it can enable users to discover. Snyk enables users to combine its already existing security features with those of other solutions to create far more robust and flexible layers of security than what it can supply on its own. It gives users the ability to dig into the security issues that they may experience. Users are given a clear view of the root causes of these problems. This equips them to address the problem and prevent similar issues in the future.

Cameron G., a security software engineer at a tech company, writes, “The most valuable features are their GitLab and JIRA integrations.The GitLab integration lets us pull projects in pretty easily, so that it's pretty minimal for developers to get it set up. Using the JIRA integration, it's also pretty easy to get the information that is generated, as a result of that GitLab integration, back to our teams in a non-intrusive way and in a workflow that we are already using. Snyk is something of a bridge that we use; we get our projects into it and then get the information out of it. Those two integrations are crucial for us to be able to do that pretty simply.”

Sean M., the chief information security officer of a technology vendor, writes, "From the software composition analysis perspective, it first makes sure that we understand what is happening from a third-party perspective for the particular product that we use. This is very difficult when you are building software and incorporating dependencies from other libraries, because those dependencies have dependencies and that chain of dependencies can go pretty deep. There could be a vulnerability in something that is seven layers deep, and it would be very difficult to understand that is even affecting us. Therefore, Snyk provides fantastic visibility to know, "Yes, we have a problem. Here is where it ultimately comes from." It may not be with what we're incorporating, but something much deeper than that."

Sample Customers

Williams-Sonoma, Autodesk, HUAWEI, Chromeriver, RingCentral, Demandware.

StartApp, Segment, Skyscanner, DigitalOcean, Comic Relief