What is our primary use case?
A good use case is a development team with an established DevOps process. The Assess product natively integrates into developer workflows to deliver immediate results. Highly accurate vulnerability findings are available at the same time as functional/regression testing results. There is no wait for time-consuming static scans.
Assess works with several languages, including Java and .NET, which are common in enterprise environments, as well as Node.js, Ruby and Python.
What is most valuable?
Assess is valuable for several reasons, but time-saving factors are high on the list. Compared to a typical development environment with a SAST tool, Assess saves developer time and reduces the time-to-market. With Assess there is no waiting for a slow static scan to complete. Vulnerability findings are reported during testing and the reported findings are highly accurate, with very few false positives. Other SAST tools often emit a great number of false positives that must be investigated and resolved before the code can be released, consuming the time of developers and the security team chasing invalid vulnerability reports. Assess also provides clear and actionable guidance on how to fix each vulnerability, saving more time.
Assess integrates with many common tools to generate notifications and tickets, such as JIRA tickets. The result is that application security vulnerabilities can be handled by developers as just another type of bug found during testing. Application security becomes part of the development process rather than a step that is done “after” development. The temptation to skip the security testing step to meet a release deadline is eliminated.
The combination of real-time analysis and accurate vulnerability reports can really accelerate time-to-market. One large customer was even able to eliminate the human signoff before release to production. This customer had a solid DevOps process with automated application testing, but still had the security testing and review process delaying releases. With Assess in their pipeline they were able to automate the release decision. Apps that passed functional tests and reported only vulnerabilities below a certain criticality threshold would be automatically released directly to production.
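The automated release decision described above, as an added example that is not part of the original review and not Contrast's own code or API: a small Python gate that reads a findings export and blocks the release when functional tests failed or any open finding is at or above a severity threshold. The JSON record shape (`title`, `severity`, `status`), the status vocabulary, and the sample findings are all assumptions constructed for the example; a real export format may differ.

```python
"""Release gate over an exported list of vulnerability findings.

Added example. Not Contrast's code or API: the record shape, the status
vocabulary and the sample findings below are constructed assumptions.
"""
import json
import sys

# Severity ordering, lowest to highest (assumed names).
SEVERITY_RANK = {"note": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Statuses that mean a finding still needs attention (assumed vocabulary).
# Anything else (e.g. "Remediated", "Not a Problem") does not block.
OPEN_STATUSES = {"reported", "suspicious", "confirmed"}

# Constructed sample export, not real findings from any application.
SAMPLE_EXPORT = json.dumps([
    {"title": "Reflected XSS in /search", "severity": "High", "status": "Reported"},
    {"title": "Verbose error page", "severity": "Low", "status": "Reported"},
    {"title": "Weak hash in legacy module", "severity": "Medium", "status": "Not a Problem"},
    {"title": "Session cookie missing Secure flag", "severity": "Medium", "status": "Remediated"},
])


def blocking_findings(findings, threshold="high"):
    """Return the open findings whose severity is at or above `threshold`.

    A finding with an unrecognised severity is treated as blocking (fail
    closed) rather than silently released.
    """
    limit = SEVERITY_RANK[threshold.lower()]
    blocked = []
    for finding in findings:
        status = str(finding.get("status", "")).lower()
        if status not in OPEN_STATUSES:
            continue  # already fixed or triaged away
        severity = str(finding.get("severity", "")).lower()
        if severity not in SEVERITY_RANK or SEVERITY_RANK[severity] >= limit:
            blocked.append(finding)
    return blocked


def release_decision(functional_tests_passed, findings, threshold="high"):
    """Return (ok, reasons): ok is True only when nothing blocks the release."""
    reasons = []
    if not functional_tests_passed:
        reasons.append("functional tests failed")
    for finding in blocking_findings(findings, threshold):
        reasons.append(
            f"{finding.get('severity')}: {finding.get('title')} [{finding.get('status')}]"
        )
    return (not reasons, reasons)


def main(argv):
    # Usage: gate.py <findings.json|-> <threshold> <tests_passed: 0|1>
    # With no arguments the constructed sample is evaluated at "high".
    if len(argv) >= 4:
        raw = sys.stdin.read() if argv[1] == "-" else open(argv[1]).read()
        threshold, tests_ok = argv[2], argv[3] == "1"
    else:
        raw, threshold, tests_ok = SAMPLE_EXPORT, "high", True
    ok, reasons = release_decision(tests_ok, json.loads(raw), threshold)
    print("RELEASE" if ok else "BLOCKED")
    for reason in reasons:
        print("  -", reason)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The gate exits non-zero when blocked, so it can sit as the last step of a pipeline stage. Two choices matter in practice: findings already marked fixed or not-a-problem are ignored, so the triage state in the tracker is what drives the decision, and an unknown severity label blocks rather than passes, so a changed export format fails the build instead of quietly releasing.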
What needs improvement?
Contrast is good at listening to its customers and setting product directions based on their feedback. Contrast continues to improve along multiple axes. One axis is languages and platforms. Support for Python was recently added and Go is in beta.
Another axis is the deployment and configuration of agents. Contrast offers a lot of flexibility in agent management but is working on enhancements to improve centralized control.
For how long have I used the solution?
I've used this product for about three years.
What do I think about the stability of the solution?
Operational stability of the platform has been excellent.
The Assess agent is designed to run with the app in a preproduction environment. The agent monitors the operation of the application to which it is bound. This monitoring of course uses some processing resources and time, but the impact is usually not detectable by a human user of a web app. The additional processing might impact a loaded production system, so Contrast recommends that the Assess agent not be used in production.
However, some customers deploy Assess in production occasionally because they view the live production traffic as a source of additional test activity.
What do I think about the scalability of the solution?
Contrast is a well-designed SaaS platform and scales well. There are no practical limits on the number of users or apps.
How are customer service and technical support?
The technical support is excellent, with a knowledgeable team and access to the necessary resources.
How was the initial setup?
The agent installation is straightforward. Typically, for an initial user (developer) and application, Customer Success or Professional Services can just walk them through the setup over the phone. The dashboard requires no installation (SaaS), so the developer can exercise the app + agent and see vulnerabilities immediately.
Some deployments are more complex, but deployment complexity generally reflects the complexity of the customer and their overall situation. A large customer may have many business units, app teams, apps, and languages, requiring some planning.
What other advice do I have?
Start with a small app team initially, before scheduling a larger rollout. Teams that have been using SAST tools find that using Assess changes how they think about AppSec in their development workflow and helps them identify process modifications that maximize the value of the tool.
Overall, on a scale from one to ten, I would give this solution a rating of ten. The product is strong and improving, support is responsive and effective, and supported integrations work for many customers.