Contrast Security Assess Reviews

It is used primarily to help put a layer of security around some of our legacy applications that were built quite some time ago. It's also used to provide better quality assessments on the vulnerabilities of some of these applications, compared to some of the other tools that we've been using.

We're using the SaaS platform.

The solution’s OSS feature, through which we can look at third-party open-source software libraries, give us better visibility into such libraries compared to any other tool on the market, because this is the only tool that I'm aware of that offers that capability. It's not affecting our software development a whole lot because we're not holding developers accountable to that level of metrics, but it's valuable insight to have.

In a way, Assess helps developers incorporate security elements while they are writing code. Not while they're actually writing it, but certainly while they're fixing it, because it provides really impactful feedback on how to go back and fix that code, and the best practices on how to fix it.

It also saves time and money by helping us fix software bugs earlier in the software development life cycle. The enterprise that I'm with has not, historically, prioritized any kind of security remediation at all. It considers all of it to be in a context they call "technical debt." This solution allows the organization to prioritize how to best use the labor hours allocated for technical debt. The savings are an intuitive inference to make in this case. I'm personally seeing that it's easier to get things remediated, versus where they weren't being remediated at all because the quality of the results from those other tools was just terrible. Now that I'm seeing that action being taken on them, it's very rewarding. I can nearly guarantee that we've saved time and money. I just don't know exactly how much.

The most valuable feature is the IAST part. Institutionally, we're not quite at the point of using Contrast for the Protect functionality because we have other tools that overlap with the web application firewall component of it. But for the Assess component, there's a direct correlation to other tools that we've used and the failures of those tools. Contrast, in terms of providing that vulnerability assessment, it provides an immediate benefit there.

The effectiveness of the solution’s automation via its instrumentation methodology is a solid eight out of 10.

The accuracy of the solution in identifying vulnerabilities is better than any other product we've used, far and away. In our internal comparisons among different tools, Contrast consistently finds more impactful vulnerabilities, and also identifies vulnerabilities that are nearly guaranteed to be there, meaning that the chance of false positives is very low. The number of false positives from this product is much lower compared to competing tools that we use right now: WebInspect and AppScan. It reduces the number of false positives we encounter by more than 50 percent.

The effectiveness of the solution’s automation via its instrumentation methodology is good, although it still has a lot of room for growth. The documentation, for example, is not quite up to snuff. There are still a lot of plugins and integrations that are coming out from Contrast to help it along the way. It's really geared more for smaller companies, whereas I'm contracting for a very large organization. Any application's ability to be turnkey is probably the one thing that will set it apart, and Contrast isn't quite to the point where it's turnkey.

Also, Contrast's ability to support upgrades on the actual agents that get deployed is limited. Our environment is pretty much entirely Java. There are no updates associated with that. You have to actually download a new version of the .jar file and push that out to the servers where your app is hosted. That can be quite cumbersome from a change-management perspective.

I've been using Contrast Security Assess since October of last year, making it about nine months.

Overall, the stability is quite good. 

We've had a couple of support-related problems. Contrast is funny because there are many aspects of it that they don't support. For instance, we have ColdFusion applications and, on paper, Contrast did not support ColdFusion. However, it will still work with ColdFusion, kind of. But it has caused some problems as it comes to isolating troubleshooting issues that occur. It's left us in a position where we have to make generalized assumptions about what can and can't be supported. So, out-of-the-box, we've made the decision not to try to support ColdFusion because of the issues that that can pose for us.

The scalability ties back to something I said before about change management. So far, we haven't seen anything that would prevent us from scaling upwards significantly. However, it requires the organization to have a pretty robust way of handling the changes for Contrast: for instance, the updates of the application itself. Because those updates aren't bundled into Contrast, it behooves the organization that's deploying Contrast to ensure it has a very robust change-management strategy to work with the product.

Out of our perimeter applications, we've got about 20 apps onboarded. Those applications that it has been deployed to are key applications, including key revenue-driving applications, but it's still being used only in a minority of our applications at the moment. Our adoption rate is around 10 percent. We have plans to increase usage of Contrast Security. We have hundreds of applications. Out of our customer-focused applications that are on the perimeter — we have over 200 of them — Contrast is deployed to about 20 of them.

We have about 130 users registered to use the product. The majority, about 80 percent, are developers, while about 10 percent are security personnel, and 10 percent are managers. We have a dedicated staff for maintaining the solution. That's the staff that I'm part of right now.

Their level of support and troubleshooting for the product is limited because of how they handle troubleshooting. It's done through a log file that's very cumbersome to work with.

Their technical support staff is very responsive. Personally, I've put in about 60 support tickets with Contrast. Some of the support tickets have ended up being actual changes to the product itself. Overall, I'm pretty pleased with that. But they're definitely still growing. They're a small company that is on the verge of growing into a very big company. I can tell from the quality of support I'm getting that they're struggling to keep up with that demand.

We use WebInspect and AppScan. We're evaluating the possibility of switching from them to Contrast, but right now Contrast is still in trial. We're not quite at that point in making a decision to drop one of those other tools yet.

The initial setup is straightforward. The version we're using is built for Java, and the setup procedure involves you associating the Contrast .jar file with the JVM arguments of the app server itself. The instructions on that are relatively clear and they've broken those instructions out per container platform that the JVM can run in. It's as clear as it can be for that product.

We're still deploying. We have many apps and there's an onboarding process associated with it. But on a per-app basis, it can take us less than an hour. For a larger app, in a clustered environment, it might take closer to a week.

Because we have a very large organization, we have a different team per application. We have an onboarding process where we work with an application team to onboard the Contrast product into their workflow, and then follow up with them to ensure that they're using it correctly. It's a multi-stage approach on a per-app basis.

We've mostly done it ourselves, although we have Contrast Security Professional Services on staff to assist with harder problems, and to follow up directly with our development teams. We've been happy with Professional Services.

We have seen ROI, but I can't get into specific numbers because those are sensitive to the organization. But some of these applications are key revenue drivers. Contrast's ability to help secure them, even if it is just those applications, gives us a little confidence that they are being looked at in terms of security. That is always going to be a significant return on investment, compared to the other tools that, frankly, weren't driving the progress necessary to secure those applications.

If you know your needs upfront, and if you're more concerned about vulnerabilities and you already have a web application firewall that you're happy with, then focus on the Assess component of it, because the Assess component has a very straightforward licensing strategy.

If you need the web application firewall and you have a highly clustered environment, then you will be paying that license cost per server. Unfortunately, that does not scale as well for us. It helps to understand what your use case is upfront and apply that with Contrast, knowing whether or not you need it per application or per server.

We have not evaluated other IAST platforms.

Make sure that you have a very good change-management strategy in place ahead of time. 

Also, it's not enough to have the solution itself. It still requires proactive management on behalf of your developers to make sure they understand what the product is offering and that they are using the product in a way that will benefit them.

Contrast Security Assess is one of the first players in this market, so they have experience and customers, especially abroad. Overall, it's a good product. But, again, if you are commercially weak, you remain a single supplier. In any given market with only one supplier, the market cannot function. It is important to have competition, and one should gain market share through flexibility. It will be too late in two years, as many companies claim to be doing IAST. It's like selling there's no Desktop antivirus versus traditional antivirus. Everybody shall do signature-less virus detection. Otherwise, you're out of the market. This scenario is very similar here, especially in the forward applications.

The solution needs to improve flexibility and provide a complete ecosystem like its competitor named, Synopsys. An ecosystem could appeal to their large customers because they are looking for a complete solution, not just a best-in-class solution, but something which integrates into the rest of the development framework.

I have been using Contrast Security Assess since 2017.

It is a stable solution.

The scalability of the product is a problem in the solution, especially from a commercial perspective.

There must be an integration with the ecosystem and application development landscape. So once the solution is integrated with many tools, it is scalable. It's different from the product, which is scalable because the product is one of the steps within a complex process.

To complete the process, you must integrate the solution with other tools.

I have no direct experience with the initial setup, but I needed a couple of proofs of concept for comparing Contrast with one of its Spanish competitors.

The solution is expensive.

The IAST adoption in Italy, at least, is slow. My customers' feedback is that their commercial aptitude could be more flexible. It needs to be more flexible. They need to understand that they have an opportunity window that will last only a few years. And they are selling to win market share now, wherein in the next two years, everybody will be doing IAST. Whether it is good or bad, more or less, everybody will be doing that because the proposition is unbeatable.

I recommend others to try the solution because it is the most rewarding investment you can make in security access, apart from end-user training and user-awareness training.

But my bad side is that I think three, four years in advance. For example, I made a marketing campaign on VPNs in nineteen ninety-eight. Because VPNs were unbeatable, and it took another ten years before the market took off.

So I'm sure it will happen. Especially in the Italian market, there are market specifics because, in Italy, most of the development is outsourced, and very little development is done in-house.

So the big customers usually do not make the investment. The company which generates the code should be tailored to be bought by the leading company, which then uses the product to assess the work. Technology vendors usually focus on technology, and companies focus on organizational processes. So I was trying to sell outlets, which now are IBM source good edition, Upscaler. I was selling outlets to telecoms and proposing ounce levels as portfolio management. So that they have thousands of applications and you have a tool that assesses any given application's security. And the problem was that the guys in charge of the portfolio were not supposed to have access to the code.

So there was an additional problem stopping the customer from buying a perfect technological solution. They could manage the security, but the guys managing the application portfolio were not supposed to add access to the source code. And so they were not the proper organization for the thing to happen. And this is a problem which in large customers is quite frequent. But, again, you should see any market, a single customer, the needs, the processes, the power struggle, and data on a power struggle; it's more complicated though it can be done.

I would give Synopsys a nine because no one is at ten today.

I have ranked Contrast just below Synopsys because Synopsys has the size and the scope, and they have an internal vertically integrated solution apart from all the partnerships you could have. Since Contrast is a much smaller company, they should enter into some partnerships.

I rate the overall solution an eight out of ten.

A good use case is a development team with an established DevOps process. The Assess product natively integrates into developer workflows to deliver immediate results. Highly accurate vulnerability findings are available at the same time as functional /regression testing results. There is no wait for time-consuming static scans.

Assess works with several languages, including Java and .NET, which are common in enterprise environments, as well as Node.JS, Ruby and Python. 

Assess is valuable for several reasons, but time-saving factors are high on the list. Compared to a typical development environment with a SAST tool, Assess saves developer time and reduces the time-to-market. With Assess there is no waiting for a slow static scan to complete. Vulnerability findings are reported during testing and the reported findings are highly accurate, with very few false positives. Other SAST tools often emit a great number of false positives that must be investigated and resolved before the code can be released, consuming the time of developers and the security team chasing invalid vulnerability reports. Assess also provides clear and actionable guidance on how to fix each vulnerability, saving more time. 

Assess integrates with a many common tools to generate notifications and tickets, such as JIRA tickets. The result is that application security vulnerabilities can be handled by developers as just another type of bug found during testing. Application security becomes part of the development process rather than a step that is done “after” development. The temptation to skip the security testing step to meet a release deadline is eliminated.

The combination of real-time analysis and accurate vulnerability reports can really accelerate time-to-market. One large customer was even able to eliminate the human signoff before release to production. This customer had a solid DevOps process with automated application testing, but still had the security testing and review process delaying releases. With Assess in their pipeline they were able to automate the release decision. Apps that passed functional tests and reported only vulnerabilities below a certain criticality threshold would be automatically released directly to production.

Contrast is good at listening to its customers and setting product directions based on their feedback. Contrast continues to improve along multiple axes. One axis is languages and platforms. Support for Python was recently added and Go is in beta.

Another axis is the deployment and configuration of agents. Contrast offers a lot of flexibility in agent management but is working on enhancements to improve centralized control.

I've used this product for about three years.

Operational stability of the platform has been excellent.

The Assess agent is designed to run with the app in a preproduction environment. The agent monitors the operation of the application to which it is bound. This monitoring of course uses some processing resources and time, but the impact is usually not detectable by a human user of a web app. The additional processing might impact a loaded production system, so Contrast recommends that the Assess agent not be used in production.

However, some customers deploy Assess in production occasionally because they view the live production traffic as a source of additional test activity.

Contrast is a well-designed SaaS platform and scales well. There are no practical limits on the number of users or apps. 

The technical support is excellent, with a knowledgeable team and access to the necessary resources. 

The agent installation is straightforward. Typically, for an initial user (developer) and application, Customer Success or Professional Services can just walk them through the setup over the phone. The dashboard requires no installation (SaaS), so the developer can exercise the app + agent and see vulnerabilities immediately.

Some deployments are more complex, but deployment complexity generally reflects the complexity of the customer and their overall situation. A large customer may have many business units, app teams, apps, and languages, requiring some planning. 

Start with a small app team initially, before scheduling a larger rollout. Teams that have been using SAST tools find that using Assess changes how they think about appSec in their development workflow and helps them identify process modifications that maximize the value of the tool.

Overall, on a scale from one to ten, I would give this solution a rating of ten. The product is strong and improving, support is responsive and effective, and supported integrations work for many customers.