Lead Application and Data Security Engineer at an insurance company with 5,001-10,000 employees
Real User
Top 20
2022-08-01T19:19:47Z
Aug 1, 2022
The Assess licensing model is different from Contrast Security Protect. It's based on the number of servers you are connecting for assessment. Protect is the number of servers it's covering. There are fewer servers on the Protect side, because you're not looking at each application. You're looking at what's coming from your WAF or your Edge Device.
Director of Threat and Vulnerability Management at a consultancy with 10,001+ employees
MSP
2021-06-18T08:38:00Z
Jun 18, 2021
It's a tiered licensing model. The more you buy, as you cross certain quantity thresholds, the pricing changes. If you have a smaller environment, your licensing costs are going to be different than a larger environment. While the licensing is tiered, there are no mandatory minimums. With some of our other products, you have to buy at least 50 licenses in a block, or you have to buy 100 in a block. With Contrast, you can buy a single license. The licensing is primarily per application. An application can be as many agents as you need. If you've got 10 development servers and 20 production servers and 50 QA servers, all of those agents can be reporting as a single application that utilizes one license. That's really outstanding if you want to cover a large environment, because you get a holistic view of an application under a single license. Licensing is done annually, for us at least, although they might have some flexibility on that. The licensing that I'm talking about is specifically Assess. There's also developer licensing where the developers can have a plugin for their development platforms. That's separate, but the structure is the same. It's also tiered. Depending on how many developers you have, you'll ultimately pay less based on quantity. I don't believe there are any costs in addition to the standard licensing. However, they do have a part of their licensing model where they assume a certain number of developers are going to be present when you have an application. I don't know if this has changed recently, but if you buy licensing for a number of applications, they're going to assume that there are also a set ratio of developers per application, and therefore you must also buy the developer licensing. One of the challenges we've had with them is explaining to them that that's not how our developers work. In our environment, we have developers who are responsible for multiple applications. If we're buying licensing for our applications, we're somewhat forced into buying developer licensing that we don't need or can't use.
Technical Information Security Team Lead at Kaizen Gaming
Real User
2020-09-14T06:48:00Z
Sep 14, 2020
For what it offers, it's a very reasonable cost. The way that it is priced is extremely straightforward. It works on the number of applications that you use, and you license a server. It is something that is extremely fair, because it doesn't take into consideration the number of requests, etc. It is only priced based on the number of applications. It suits our model as well, because we have huge traffic. Our number of onboarded applications is not that large, so the pricing works great for us. There is a very small fee for the additional web node we have in place; it's a nonexistent cost. If you decide to apply it on existing web nodes, that is eliminated as well. It's just something that suits our solution.
The good news is that the agent itself comes in two different forms: the unlicensed form and the licensed form. Unlicensed gives use of that software composition analysis for free. Thereafter, if you apply a license to that same agent, that's when the instrumentation takes hold. So one of my suggestions is to do what we're doing: Deploy the agent to as many applications as possible, with just the SCA feature turned on with no license applied, and then you can be more choosy and pick which teams will get the license applied. Thankfully, it's always going to be working. You just won't be able to see the IAST results without applying that license. There are no fees apart from the licensing fee. Some teams might run into issues where they need to spend more money on their servers and increase memory to support the Contrast Assess agent running while the application is running, but that is a small amount.
You only get one license for an application. Ours are very big, monolithic applications with millions of lines of code. We were able to apply one license to one monolithic application, which is great. We are happy with the licensing. Pricing-wise, they are industry-standard, which is fine.
Senior Security Architect at a tech services company with 5,001-10,000 employees
Real User
2020-06-07T09:09:00Z
Jun 7, 2020
I like the per-application licensing model, but there are reasons why some solutions want to do per KLOC. For us, especially because it's per app, it's really easy. We just license the app and we look at different vulnerabilities on that app and we remediate within the app. It's simpler. If you have to go to somebody, like a Dev manager and ask him, "Hey, how many thousands of lines of code does your application have?" he will be taken aback. He'll probably say, "I don't know." It's difficult to cost-segregate and price things in that kind of model. But if, like with Contrast, they say, "Hey, your entire application — however big it is, we don't care. We're just going to use one license," that is simpler. This type of license model works better for us.
Director of Innovation at a tech services company with 1-10 employees
Real User
2020-06-02T08:40:00Z
Jun 2, 2020
If you know your needs upfront, and if you're more concerned about vulnerabilities and you already have a web application firewall that you're happy with, then focus on the Assess component of it, because the Assess component has a very straightforward licensing strategy. If you need the web application firewall and you have a highly clustered environment, then you will be paying that license cost per server. Unfortunately, that does not scale as well for us. It helps to understand what your use case is upfront and apply that with Contrast, knowing whether or not you need it per application or per server.
The pricing was a point of contention even within our organization. There are some folks who felt we could get a cheaper tool, but there's a tradeoff there. We could have gotten a cheaper SAST tool, but what we would have saved in money we would have spent in learning-curve time. We didn't want to have a learning curve. We wanted something that we could set up and run now, so we felt the cost was justified by our requirements. Regarding the OSS feature, when we got Contrast it came with the free version of the OSS, but after Contrast found out how popular their OSS was they started packaging it separately where new customers will have to pay for it. If we want to expand on Contrast's OSS offering, I think we'll have to pay for that, but I'm not sure. Right now, the OSS offering we have works for what we need it to do.
The product's pricing is low. I would rate it a two out of ten.