We performed a comparison between Contrast Security Assess and PortSwigger Burp Suite Professional based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."No other tool does the runtime scanning like Contrast does. Other static analysis tools do static scanning, but Contrast is runtime analysis, when the routes are exercised. That's when the scan happens. This is a tool that has a very unique capability compared to other tools. That's what I like most about Contrast, that it's runtime."
"When we access the application, it continuously monitors and detects vulnerabilities."
"In our most critical applications, we have a deep dive in the code evaluation, which was something we usually did with periodic vulnerability assessments, code reviews, etc. Now, we have real time access to it. It's something that has greatly enhanced our code's quality. We have actually embedded a KPI in regards to the improvement of our code shell. For example, Contrast provides a baseline where libraries and the usability of the code are evaluated, and they produce a score. We always aim to improve that score. On a quarterly basis, we have added this to our KPIs."
"I am impressed with the product's identification of alerts and vulnerabilities."
"By far, the thing that was able to provide value was the immediate response while testing ahead of release, in real-time."
"The most valuable feature is the continuous monitoring aspect: the fact that we don't have to wait for scans to complete for the tool to identify vulnerabilities. They're automatically identified through developers' business-as-usual processes."
"This has changed the way that developers are looking at usage of third-party libraries, upfront. It's changing our model of development and our culture of development to ensure that there is more thought being put into the usage of third-party libraries."
"Assess has an excellent API interface to pull APIs."
"The active scanner, which does an automated search of any web vulnerabilities."
"The initial setup is simple."
"The feature that we have found most valuable is that it comes with pre-set configurations. They have a set of predefined options where you can pick one and start scanning. We also have the option of creating our own configurations, like how often do the applications need to be scanned."
"In my area of expertise, I feel like it has almost everything I could possibly require at this moment."
""The product is very good just the way it is; It has everything already well established and functions great. I can't see any way for this current version to be improved.""
"You can scan any number of applications and it updates its database."
"We are mostly using it for scanning the entire website. So, we basically create a script with the entire website and then run it for different injections."
"It's good testing software."
"The solution should provide more details in the section where it shows that third-party libraries have CVEs or some vulnerabilities."
"To instrument an agent, it has to be running on a type of application technology that the agent recognizes and understands. It's excellent when it works. If we're using an application that is using an unsupported technology, then we can't instrument it at all. We do use PHP and Contrast presently doesn't support that, although it's on their roadmap. My primary hurdle is that it doesn't support all of the technologies that we use."
"Personalization of the board and how to make it appealing to an organization is something that could be done on their end. The reports could be adaptable to the customer's preferences."
"I think there was activity underway to support the centralized configuration control. There are ways to do it, but I think they were productizing more of that."
"Contrast's ability to support upgrades on the actual agents that get deployed is limited. Our environment is pretty much entirely Java. There are no updates associated with that. You have to actually download a new version of the .jar file and push that out to your servers where your app is hosted. That can be quite cumbersome from a change-management perspective."
"Regarding the solution's OSS feature, the one drawback that we do have is that it does not have client-side support. We'll be missing identification of libraries like jQuery or JavaScript, and such, that are client-side."
"Contrast Security Assess covers a wide range of applications like .NET Framework, Java, PSP, Node.js, etc. But there are some like Ubuntu and the .NET Core which are not covered. They have it in their roadmap to have these agents. If they have that, we will have complete coverage."
"The out-of-the-box reporting could be improved. We need to write our own APIs to make the reporting more robust."
"The solution’s pricing could be improved."
"Scanning needs to be improved in enterprise and professional versions."
"The solution’s pricing could be improved."
"The reporting needs to be improved; it is very bad."
"PortSwigger Burp Suite Professional could improve the static code review."
"One thing that is not up to the mark in PortSwigger is web application testing. I found some issues with its performance and reporting. They should work on these and give us a better outcome."
"There is not much automation in the tool."
"The solution is not easy to set it up. You need a lot of knowledge."
More PortSwigger Burp Suite Professional Pricing and Cost Advice →
Contrast Security Assess is ranked 32nd in Application Security Tools with 11 reviews while PortSwigger Burp Suite Professional is ranked 10th in Application Security Tools with 57 reviews. Contrast Security Assess is rated 8.8, while PortSwigger Burp Suite Professional is rated 8.6. The top reviewer of Contrast Security Assess writes "We're gathering vulnerability data from multiple environments in real time, fundamentally changing how we identify issues in applications". On the other hand, the top reviewer of PortSwigger Burp Suite Professional writes "The solution is versatile and easy to deploy, but it needs to give more detailed security reports". Contrast Security Assess is most compared with Veracode, Seeker, Fortify WebInspect, HCL AppScan and Checkmarx One, whereas PortSwigger Burp Suite Professional is most compared with OWASP Zap, Fortify WebInspect, Acunetix, HCL AppScan and Qualys Web Application Scanning. See our Contrast Security Assess vs. PortSwigger Burp Suite Professional report.
See our list of best Application Security Tools vendors and best Static Application Security Testing (SAST) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.