Contrast Security Assess Reviews

The product scans runtime and that is our main use case. We have deployed it for one application in our testing environment, and for the other one on in our Dev environment. Whatever routes are exercised with those environments are being scanned by Contrast.

It has helped us to improve the overall security posture of the company. We are able to address the findings before they have been reported by a third-party. It helps to identify things before someone else reports them or they have been widely exposed. It definitely improves the security posture of our applications, as a whole. It also improves our own security processes within the company, the way we catch the findings and resolve them. It has also helped us to gain our customers' trust.

Contrast helps save time and money by fixing software bugs earlier in the software development life cycle. We have installed the app in our Dev environment, so it's way before anything goes into production. It helps us shift left in our SDLC and it definitely helps us fix findings before the code is pushed to production.

The tool has good, strong findings. We have other static analysis tools, but Contrast has found high-priority issues which other tools have not found. The capability of the tool to scan and throw errors that other tools don't catch is important.

No other tool does the runtime scanning like Contrast does. Other static analysis tools do static scanning, but Contrast is runtime analysis, when the routes are exercised. That's when the scan happens. This is a tool that has a very unique capability compared to other tools. That's what I like most about Contrast, that it's runtime.

There is also a feature in the tool where you can actually specify that this or that is not a problem and mark it as false positive, and it doesn't show up again on your dashboard. It's pretty easy. You can filter out your false positives and be good to go. We have seen a reduction in the number of false positives because, once you mark something as a false positive, that particular one doesn't show up.

I would like to see them come up with more scanning rules. I don't know how it was done within the tool, but there is always room for improvement.

We recently had a call with the vendor. We were talking about a finding where it combined all of the instances of the finding into one. Whenever a new instance shows up that finding is being reported again. We want it to work so that once we mark it as "not a problem" the new one will be reported as a new finding, rather than an old finding popping up as a new instance.

I have been using Contrast Security Assess for about eight or nine months. I joined my current company last September and I've been using it since then. In our company we have applications to work on, as subject matter experts for security. I have onboarded my applications into Contrast. After onboarding, I scan and tune the scan, and then list the non-true positives and false positives. I work with governing team to fix the issues. 

It's been stable. It hasn't gone down from the time we installed it on our cloud. The scans are running every day. We have very great support from the Contrast team so they would be able to help us if we were stuck anywhere.

It's easily scalable. We are planning to spread it to other teams and we are planning on one more application from within our team. It's just a matter of installing it on the proper cloud and it's good to go. It's easy to configure and you just have to decide which environment you want it on and make a few configuration changes.

In our company, it's mainly security who maintains and uses the tool. We haven't onboarded any of the developers or security champions within the company because we just started with it and we want to get to know the tool entirely. Then we can pass it on to other people in the company. For now, we, as the security team, are using it. Our team has 10 to 11 people. There are a few people from the DevOps team who have access to it to do the configuration stuff, and that team is another four or five people.

Contrast's tech support is very helpful. They answer our questions and address our concerns. It's been easy and smooth with them.

We did not have a previous solution. Contrast is a one-of-a-kind tool. It does runtime scanning so this is the only runtime scanning tool we have had.

Before me, one of my teammates was working on a different application and he was the first person to use Contrast. Then we bought three licenses. There is one more person who used it before me, for a different application. We have had good findings there as well. I have put to use the second license and we have one more license to use. We have identified an application to onboard, and we have also spread the word to different teams within the company and they're working closely with the Contrast team to use it in a different way. We are using the cloud version and they're still deciding on how to use it. We are just starting with Contrast but use of it is expanding within our company.

By "application" I mean monolithic, big applications. We currently have two such applications in Contrast and we will be working on the third one. We are looking to do more.

The setup wasn't complex. It was pretty simple. We worked with an internal team that deals with the firewalls, because that's how it has to be configured. Because it was new to us, it took time for us to understand. But otherwise, it was smooth and we were able to configure it pretty quickly. Everything together took under three months. It might have taken less time but it was during the December/January time frame so we weren't available and people from other teams weren't available.

We have an internal process where we connect with other stakeholders to come up with a plan. We worked with a different team to be able to configure it and to be able to run a scan. We also worked closely with them for key rotation and other maintenance stuff connected to the tool. We have a lot of processes internally on how to manage the tool and how to maintain the tool and to make sure it's running scans continuously and that the key rotation is done. We have our own internal processes and our own strategy to maintain it and manage the program.

There is also regular maintenance from Contrast, making sure that it doesn't go down.

We have definitely seen ROI. We have been able to onboard our applications and scan them. The scan is happening continuously, every day, and it does report new findings. We have been able to triage them and fix them, address the defects of the software, even before they were posted to Prod. This will help reduce our attack surface and make our products more secure.

You only get one license for an application. Ours are very big, monolithic applications with millions of lines of code. We were able to apply one license to one monolithic application, which is great. We are happy with the licensing. Pricing-wise, they are industry-standard, which is fine.

There were other companies that the people involved in evaluations were looking at, but I was not involved in that process.

It depends on the company, but if you want to manage and maintain and onboard, I would recommend having Contrast as part of your toolkit. It is definitely helpful. My advice would be to install it on the environment in which there are more routes exercised, whether it is the testing environment or Dev, to get most out of the tool.

In terms of configuration, we have Contrast on one of the applications in our testing environment and we have the other in the Dev environment. To decide on that took us some time because we didn't have access to all the environments of a single application.

Findings-wise, Contrast is pretty good. It's up to the app engineer to identify whether a finding is due to the functionality of the application or it really is a finding.

Contrast does report some false positives, but there are some useful findings as well from the tool. It cannot give you only true positives, so it's up to humans to make out which ones are true which ones are false. Applications do behave in different ways, and the tool might not understand that. But there are definitely a few findings which have been helpful. It's a good tool. Every other tool also has false positives and it's better than some other tools.

We are not actively using the solution's OSS feature, through which you can look at third-party open source software libraries, because we have other tools internally for third-party library scanning.

It's been a good journey so far.

Contrast Security Assess is one of the first players in this market, so they have experience and customers, especially abroad. Overall, it's a good product. But, again, if you are commercially weak, you remain a single supplier. In any given market with only one supplier, the market cannot function. It is important to have competition, and one should gain market share through flexibility. It will be too late in two years, as many companies claim to be doing IAST. It's like selling there's no Desktop antivirus versus traditional antivirus. Everybody shall do signature-less virus detection. Otherwise, you're out of the market. This scenario is very similar here, especially in the forward applications.

The solution needs to improve flexibility and provide a complete ecosystem like its competitor named, Synopsys. An ecosystem could appeal to their large customers because they are looking for a complete solution, not just a best-in-class solution, but something which integrates into the rest of the development framework.

I have been using Contrast Security Assess since 2017.

It is a stable solution.

The scalability of the product is a problem in the solution, especially from a commercial perspective.

There must be an integration with the ecosystem and application development landscape. So once the solution is integrated with many tools, it is scalable. It's different from the product, which is scalable because the product is one of the steps within a complex process.

To complete the process, you must integrate the solution with other tools.

I have no direct experience with the initial setup, but I needed a couple of proofs of concept for comparing Contrast with one of its Spanish competitors.

The solution is expensive.

The IAST adoption in Italy, at least, is slow. My customers' feedback is that their commercial aptitude could be more flexible. It needs to be more flexible. They need to understand that they have an opportunity window that will last only a few years. And they are selling to win market share now, wherein in the next two years, everybody will be doing IAST. Whether it is good or bad, more or less, everybody will be doing that because the proposition is unbeatable.

I recommend others to try the solution because it is the most rewarding investment you can make in security access, apart from end-user training and user-awareness training.

But my bad side is that I think three, four years in advance. For example, I made a marketing campaign on VPNs in nineteen ninety-eight. Because VPNs were unbeatable, and it took another ten years before the market took off.

So I'm sure it will happen. Especially in the Italian market, there are market specifics because, in Italy, most of the development is outsourced, and very little development is done in-house.

So the big customers usually do not make the investment. The company which generates the code should be tailored to be bought by the leading company, which then uses the product to assess the work. Technology vendors usually focus on technology, and companies focus on organizational processes. So I was trying to sell outlets, which now are IBM source good edition, Upscaler. I was selling outlets to telecoms and proposing ounce levels as portfolio management. So that they have thousands of applications and you have a tool that assesses any given application's security. And the problem was that the guys in charge of the portfolio were not supposed to have access to the code.

So there was an additional problem stopping the customer from buying a perfect technological solution. They could manage the security, but the guys managing the application portfolio were not supposed to add access to the source code. And so they were not the proper organization for the thing to happen. And this is a problem which in large customers is quite frequent. But, again, you should see any market, a single customer, the needs, the processes, the power struggle, and data on a power struggle; it's more complicated though it can be done.

I would give Synopsys a nine because no one is at ten today.

I have ranked Contrast just below Synopsys because Synopsys has the size and the scope, and they have an internal vertically integrated solution apart from all the partnerships you could have. Since Contrast is a much smaller company, they should enter into some partnerships.

I rate the overall solution an eight out of ten.

A good use case is a development team with an established DevOps process. The Assess product natively integrates into developer workflows to deliver immediate results. Highly accurate vulnerability findings are available at the same time as functional /regression testing results. There is no wait for time-consuming static scans.

Assess works with several languages, including Java and .NET, which are common in enterprise environments, as well as Node.JS, Ruby and Python. 

Assess is valuable for several reasons, but time-saving factors are high on the list. Compared to a typical development environment with a SAST tool, Assess saves developer time and reduces the time-to-market. With Assess there is no waiting for a slow static scan to complete. Vulnerability findings are reported during testing and the reported findings are highly accurate, with very few false positives. Other SAST tools often emit a great number of false positives that must be investigated and resolved before the code can be released, consuming the time of developers and the security team chasing invalid vulnerability reports. Assess also provides clear and actionable guidance on how to fix each vulnerability, saving more time. 

Assess integrates with a many common tools to generate notifications and tickets, such as JIRA tickets. The result is that application security vulnerabilities can be handled by developers as just another type of bug found during testing. Application security becomes part of the development process rather than a step that is done “after” development. The temptation to skip the security testing step to meet a release deadline is eliminated.

The combination of real-time analysis and accurate vulnerability reports can really accelerate time-to-market. One large customer was even able to eliminate the human signoff before release to production. This customer had a solid DevOps process with automated application testing, but still had the security testing and review process delaying releases. With Assess in their pipeline they were able to automate the release decision. Apps that passed functional tests and reported only vulnerabilities below a certain criticality threshold would be automatically released directly to production.

Contrast is good at listening to its customers and setting product directions based on their feedback. Contrast continues to improve along multiple axes. One axis is languages and platforms. Support for Python was recently added and Go is in beta.

Another axis is the deployment and configuration of agents. Contrast offers a lot of flexibility in agent management but is working on enhancements to improve centralized control.

I've used this product for about three years.

Operational stability of the platform has been excellent.

The Assess agent is designed to run with the app in a preproduction environment. The agent monitors the operation of the application to which it is bound. This monitoring of course uses some processing resources and time, but the impact is usually not detectable by a human user of a web app. The additional processing might impact a loaded production system, so Contrast recommends that the Assess agent not be used in production.

However, some customers deploy Assess in production occasionally because they view the live production traffic as a source of additional test activity.

Contrast is a well-designed SaaS platform and scales well. There are no practical limits on the number of users or apps. 

The technical support is excellent, with a knowledgeable team and access to the necessary resources. 

The agent installation is straightforward. Typically, for an initial user (developer) and application, Customer Success or Professional Services can just walk them through the setup over the phone. The dashboard requires no installation (SaaS), so the developer can exercise the app + agent and see vulnerabilities immediately.

Some deployments are more complex, but deployment complexity generally reflects the complexity of the customer and their overall situation. A large customer may have many business units, app teams, apps, and languages, requiring some planning. 

Start with a small app team initially, before scheduling a larger rollout. Teams that have been using SAST tools find that using Assess changes how they think about appSec in their development workflow and helps them identify process modifications that maximize the value of the tool.

Overall, on a scale from one to ten, I would give this solution a rating of ten. The product is strong and improving, support is responsive and effective, and supported integrations work for many customers.