We performed a comparison between Contrast Security Assess and SonarQube based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."By far, the thing that was able to provide value was the immediate response while testing ahead of release, in real-time."
"When we access the application, it continuously monitors and detects vulnerabilities."
"The most valuable feature is the continuous monitoring aspect: the fact that we don't have to wait for scans to complete for the tool to identify vulnerabilities. They're automatically identified through developers' business-as-usual processes."
"I am impressed with the product's identification of alerts and vulnerabilities."
"In our most critical applications, we have a deep dive in the code evaluation, which was something we usually did with periodic vulnerability assessments, code reviews, etc. Now, we have real time access to it. It's something that has greatly enhanced our code's quality. We have actually embedded a KPI in regards to the improvement of our code shell. For example, Contrast provides a baseline where libraries and the usability of the code are evaluated, and they produce a score. We always aim to improve that score. On a quarterly basis, we have added this to our KPIs."
"No other tool does the runtime scanning like Contrast does. Other static analysis tools do static scanning, but Contrast is runtime analysis, when the routes are exercised. That's when the scan happens. This is a tool that has a very unique capability compared to other tools. That's what I like most about Contrast, that it's runtime."
"The solution is very accurate in identifying vulnerabilities. In cases where we are performing application assessment using Contrast Assess, and also using legacy application security testing tools, Contrast successfully identifies the same vulnerabilities that the other tools have identified but it also identifies significantly more. In addition, it has visibility into application components that other testing methodologies are unaware of."
"It is a stable solution...Contrast Security Assess is one of the first players in this market, so they have experience and customers, especially abroad. Overall, it's a good product."
"I like that it has a better dashboard compared to Clockwork. It's also stable."
"The most valuable features are the dashboard reports and the ease of integrating it with Jenkins."
"SonarQube is designed well making it easy to use, simple to identify issues and find solutions to problems."
"SonarQube is useful for controlling all of our Azure task tracking and scanning."
"It is very good at identifying technical debt."
"The product has a friendly UI that is easy to use and understand."
"Integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version."
"It automatically scans for code, detects vulnerabilities, and generates daily reports."
"The solution needs to improve flexibility...The scalability of the product is a problem in the solution, especially from a commercial perspective."
"I think there was activity underway to support the centralized configuration control. There are ways to do it, but I think they were productizing more of that."
"To instrument an agent, it has to be running on a type of application technology that the agent recognizes and understands. It's excellent when it works. If we're using an application that is using an unsupported technology, then we can't instrument it at all. We do use PHP and Contrast presently doesn't support that, although it's on their roadmap. My primary hurdle is that it doesn't support all of the technologies that we use."
"Regarding the solution's OSS feature, the one drawback that we do have is that it does not have client-side support. We'll be missing identification of libraries like jQuery or JavaScript, and such, that are client-side."
"Contrast Security Assess covers a wide range of applications like .NET Framework, Java, PSP, Node.js, etc. But there are some like Ubuntu and the .NET Core which are not covered. They have it in their roadmap to have these agents. If they have that, we will have complete coverage."
"The setup of the solution is different for each application. That's the one thing that has been a challenge for us. The deployment itself is simple, but it's tough to automate because each application is different, so each installation process for Contrast is different."
"Personalization of the board and how to make it appealing to an organization is something that could be done on their end. The reports could be adaptable to the customer's preferences."
"I would like to see them come up with more scanning rules."
"This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced."
"Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version."
"I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it."
"It would be better if SonarQube provided a good UI for external configuration."
"I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production."
"We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing."
"I am not very pleased with the technical debt computation."
"The implementation of the solution is straightforward. However, we did have some initial initialization issues at the of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many software, such as Jira, Confluence, and Butler."
Contrast Security Assess is ranked 31st in Application Security Tools with 11 reviews while SonarQube is ranked 1st in Application Security Tools with 112 reviews. Contrast Security Assess is rated 8.8, while SonarQube is rated 8.0. The top reviewer of Contrast Security Assess writes "We're gathering vulnerability data from multiple environments in real time, fundamentally changing how we identify issues in applications". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Contrast Security Assess is most compared with Veracode, Seeker, Fortify WebInspect, HCL AppScan and OWASP Zap, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and Snyk. See our Contrast Security Assess vs. SonarQube report.
See our list of best Application Security Tools vendors and best Static Application Security Testing (SAST) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.