Contrast Security Assess Benefits

C. Ray Mallory
Lead Application Security Engineer at FEPOC
The daily reporting of vulnerabilities is very helpful for our development team. They can log in to the Contrast tool and see the vulnerabilities and start working to mitigate them before my test-app team reaches out to them inquiring about when certain vulnerabilities are going to be remediated. A case in point was last week, when I followed up with one of my developers. I said, "We need to mitigate this set of vulnerabilities," and he said, "Well, I've already started mitigating them. You should see the JIRA ticket out pretty soon." It's that type of response that we really like with Contrast. It allows us to move faster than if we were just using a SAST tool.

Before Contrast, everything was done manually. The developers were doing their own code reviews as best they could. When I came in and I started having the application security meetings, I found that most of the developers were very adept at building code for functionality, and testing functionality based on their unit tests. We had something like 25 or 30 developers in my class, and only one person was familiar with application security. That should tell you how far behind we were. So we had a heavy educational push, bringing in Contrast personnel for onsite application security training and to learn how to integrate Contrast into our SDLC. They showed them what the vulnerabilities are and how to mitigate them. The change from three years ago to now is one of the benefits. Once we got it implemented, deployed the agents onto the application servers and got those vulnerabilities to populate into our team server, it was coming up with a Visio diagram of our processes for Agile development and our process for Waterfall development, and it really turned around how our company is able to identify and mitigate and roll out fixes for our security vulnerabilities. It also helps developers incorporate security elements while they're writing code.
Our development team has it on their local box, through the IDE, and as they are building the functionality they're running the scans at that time. They correct some of the vulnerabilities right there before passing it along on the SDLC. Sometimes they will miss things and we'll catch them in our QA environment. It has positively affected our software development because, before that, everything was manual. When we brought in Contrast, it exposed how many vulnerabilities, criticals and highs, had been missed. The difference between doing purely manual reviews and doing a review with instrumentation was very stark. It's hard to quantify how much time and money it has saved us by fixing software bugs earlier in the software development lifecycle. There's time, cost, and public image. In terms of the costs saved, we had something like 2,000 vulnerabilities — some critical and some high — and I don't even know how to put a price on that. Sometimes a vulnerability can end up costing 100 times what it would cost to fix in a development environment. So you can start to calculate what that cost would be, per vulnerability. And then we're looking at the time to detect, mitigate, validate, and then roll out to production. And correcting these vulnerabilities before they get into our production network is crucial to our image. If we were still doing manual reviews, we probably would not know of the critical and high vulnerabilities that we've found using Contrast. It would just be a matter of time before some hacker exploited those vulnerabilities for PHI data. Another great benefit that Contrast has allowed us to enjoy is that there was no push-back from our development teams. Normally, in an organization, when you bring up security, developers gripe and moan because they look at security as a hindrance. But they were very receptive, very eager, and asked a lot of questions. 
We had two or three sessions with Contrast and, even today, developers are highly engaged with using the tool. They have implemented it into their development lifecycle process, both for our Agile teams and our Waterfall teams. It's been a huge turnaround here at FEPOC. Management loves it. Having Contrast expose so many vulnerabilities that are in the applications means there's this heavy pressure now for 2020 to mitigate the vulnerabilities. But it's a funny thing. Normally this task would be very cumbersome and problematic because of the number of vulnerabilities, but everyone loves the tool and the Contrast personnel are very helpful and very responsive. I'm enjoying it and I think our development and our test-app teams are as well. We have a very high adoption rate in our company.
Find out what your peers are saying about Contrast Security, HCL, Veracode and others in Application Security Testing (AST). Updated: May 2020.