Contrast Security Assess Initial Setup

ML
Director of Threat and Vulnerability Management at a consultancy with 10,001+ employees

The initial setup was both straightforward and complex. Getting the agent deployed to environments can be complex when people don't understand how it works. But once that agent is deployed, it's very simple. The agent starts gathering data immediately and the data is presented in a UI in a way that is easily understood. You pretty much have vulnerability data right away. The only hurdle is making sure that you've got the agent deployed correctly. After that, everything is very simple.

Deployment for us is ongoing, as we continue to add applications. If I were to just choose one application and look at how long it takes to deploy to that environment, if the application owner has the resources and the ability to deploy the agent, it could be done in a few hours.

In our case, because deploying the agent is a change to the environment, sometimes that impacts larger processes like change management or making sure that the appropriate resources are assigned to do that work. If you have a large environment with many servers that need to have the agent deployed, it could take days or weeks if you don't have the resources to do it. That's not really a weakness of Contrast, but I think it's important to be aware of that if an organization is going to deploy this. A security team like mine might have external dependencies. When it comes to a legacy scan, we might not need anybody's input for us to run it. But with Contrast, we definitely need other teams to help us deploy the agents. Those teams include application owners, cloud services, server management. Whoever is responsible for installing software on a server in your environment would have to participate in this process. It's not something that the security team can do alone.

A good implementation strategy would be:

  • having an application inventory
  • knowing where you're going to deploy this
  • ensuring that your applications are using technologies that are supported by Contrast.

One of the things that we've done internally to try to simplify the agent deployment process is that we give the development teams a package that includes the agent, instructions for deploying the agent, and a couple of other properties that are included in the agent to help us with overall organization. At that point, it really is just a matter of getting the agents installed.

Once you're gathering data, you want to work with development teams to make sure that they have access to the data. Once you're gathering data, that's when you can start working with integration points, because Contrast does allow you to create tickets in bug-tracking systems or to send alerts to communications platforms. Gathering the data is just the beginning of the process. There's also the dissemination of that data. That part is really dependent on how your organization utilizes and communicates vulnerability data.

We have under 50 users of the solution and about 80 percent are developers, while 10 percent are program management and the other 10 percent are in security. Aside from security, they're all consumers of data. The security users operate the platform, make sure that everything is in order, that applications are being added correctly, and that integration is being added correctly. All of the other users are people who are logging in to view vulnerabilities or to review the state of their applications or to gather reporting data for some deliverable. They don't actually operate or manage the platform. I'm the primary operator.

In the security department, our role in deployment and maintenance is creating those packages that I referred to earlier, packages that tell the developers or the application owners how to deploy the agents. It's the application owners who are responsible for a lot of the maintenance. They're the ones that have to make sure that the agent is part of their build process, they have to make sure that the agent is reporting correctly, and they have to make sure the agent is deployed to servers that are associated with their application. It's the agent that feeds the platform, so a lot of the maintenance is associated with maintaining the agent.

Mustufa Bhavnagarwala
CyberRisk Solution Advisor at a consultancy with 10,001+ employees

The solution’s initial setup was easy.

ToddMcAlister
Lead Application and Data Security Engineer at CareFirst

Assess is easy to deploy and has the same learning curve as Protect. You must be familiar with your JVM to add the agents. Other than that, it's pretty straightforward. I set it up with two different people. 

Buyer's Guide
Contrast Security Assess
May 2024
Learn what your peers think about Contrast Security Assess. Get advice and tips from experienced pros sharing their opinions. Updated: May 2024.
770,292 professionals have used our research since 2012.
RR
Senior Security Architect at a tech services company with 5,001-10,000 employees

The initial setup was straightforward. At the time, I was doing a proof of concept of Contrast Security to see how it works. It was fairly simple. Our company has a bunch of apps in various environments. Initially, we wanted to make sure that it works for .NET, Java, and PCF before we procured it. It was easy.

Our implementation strategy was coverage for a complete .NET application and then coverage for a complete Java application, in and out, where you find all the vulnerabilities and you have all the different remediation steps. Then we set up meetings with the app teams to go over some of it and explain things. And then, we had a bunch of apps in PCF. These were the three that we wanted: .NET, Java, and PCF. They are our bread and butter. We did all three in 45 days.

From our side, it was just me and another infrastructure guy involved.

AK
Senior Manager of Information Security at Kaizen Gaming

The product's setup is easy. I would rate it a ten out of ten. The tool's deployment took one day to complete. The engineers from Contrast did an analysis and submitted a report, after which we initiated the tool's installation.

AK
Technical Information Security Team Lead at Kaizen Gaming

The setup is very straightforward. Something that has worked greatly in their favor: The documentation, although extensive, was not very time consuming for us to prepare. We have a great team and had a very easy integration. The only problems that we stumbled onto were when we didn't know which solution would work better for our production. Once we found that out, everything went very smoothly and the operation was a success.

The final deployment: Once the solution was complete, it took us less than a day. However, in order to decide which solution we would go with, we had a discussion that lasted two or three working days but was split up over a week or so to have the feedback from all the teams. The deployment was very fast. It took one day tops.

TS
Manager at a consultancy with 10,001+ employees

The setup of the solution is different for each application. That's the one thing that has been a challenge for us. The deployment itself is simple, but it's tough to automate because each application is different, so each installation process for Contrast is different. But manually installing the tool or deploying it is very simple.

The setup of the Contrast Assess agent is quite simple. Not much time is needed upfront to get this working and, thereafter, ongoing maintenance is very trivial for Assess.

We're still deploying. We have thousands of applications and thousands of teams around the world that we're deploying to. But if we're talking about just one application, at most it would take one to two hours.

The implementation strategy is that we are deploying it firm-wide within our organization to at least make use of the software composition analysis, because that is a part of the agent that is a free feature. At that point, once we have the agent deployed, that's when we would start working with application teams to give them an understanding of the findings that are being identified, just for software composition analysis. In the meanwhile, the interactive application security testing feature of the same agent is working in the background. So as teams are seeing custom code vulnerabilities being identified as well, we're working with those teams to apply licenses as needed. 

From the deployment perspective, we're focusing holistically on deploying the agent for software composition, and then thereafter, making more risk-based decisions on which teams or applications would use a license for interactive testing.

The adoption rate will be 100 percent because we're deploying all of these agents to all of our application servers out there. For now, we're at about 30 percent. We have a little over 100 users, currently. They range from application security testers and managers, like myself, to product managers who are worried about the business side of getting the application deployed. And then there are the development teams and build engineers who comprise those teams. Each application team maintains its own instance.

PD
Founder at a tech services company (self-employed)

I have no direct experience with the initial setup, but I needed a couple of proofs of concept for comparing Contrast with one of its Spanish competitors.

HK
Product Security Engineer at a tech services company with 10,001+ employees

The setup wasn't complex. It was pretty simple. We worked with an internal team that deals with the firewalls, because that's how it has to be configured. Because it was new to us, it took time for us to understand. But otherwise, it was smooth and we were able to configure it pretty quickly. Everything together took under three months. It might have taken less time but it was during the December/January time frame so we weren't available and people from other teams weren't available.

We have an internal process where we connect with other stakeholders to come up with a plan. We worked with a different team to be able to configure it and to be able to run a scan. We also worked closely with them for key rotation and other maintenance stuff connected to the tool. We have a lot of processes internally on how to manage the tool and how to maintain the tool and to make sure it's running scans continuously and that the key rotation is done. We have our own internal processes and our own strategy to maintain it and manage the program.

There is also regular maintenance from Contrast, making sure that it doesn't go down.

TM
Director of Innovation at a tech services company with 1-10 employees

The initial setup is straightforward. The version we're using is built for Java, and the setup procedure involves you associating the Contrast .jar file with the JVM arguments of the app server itself. The instructions on that are relatively clear and they've broken those instructions out per container platform that the JVM can run in. It's as clear as it can be for that product.

We're still deploying. We have many apps and there's an onboarding process associated with it. But on a per-app basis, it can take us less than an hour. For a larger app, in a clustered environment, it might take closer to a week.

Because we have a very large organization, we have a different team per application. We have an onboarding process where we work with an application team to onboard the Contrast product into their workflow, and then follow up with them to ensure that they're using it correctly. It's a multi-stage approach on a per-app basis.

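Several reviewers above describe the same mechanics: the security team ships a package with the agent jar, deployment instructions and a few identifying properties, and the application owner attaches the jar to the app server's JVM arguments. The script below is an added example, not code from any reviewer or from Contrast. It assumes the agent jar lives at /opt/contrast/contrast.jar, uses -javaagent (a standard JVM flag) to attach it, and passes two -D properties whose names follow the agent's contrast.<section>.<key> scheme but are assumptions here; the sample command lines are constructed. It also shows the check a deployer should run before expecting data in the UI, because a jar that is on disk but not referenced by the running JVM reports nothing.

```shell
#!/bin/sh
# Added example: build the JVM options that attach the Contrast Java agent
# to an app server, and verify that a JVM command line actually carries the
# agent. Paths, property names and sample command lines are assumptions
# constructed for illustration, not taken from the reviews or from Contrast.

# Assumed install location of the agent jar on the app server.
CONTRAST_JAR="${CONTRAST_JAR:-/opt/contrast/contrast.jar}"

# contrast_jvm_opts APP_NAME ENVIRONMENT
# Prints the options to append to the server's JVM arguments (CATALINA_OPTS,
# JAVA_OPTS, JAVA_TOOL_OPTIONS or equivalent). The -D properties stand in for
# the "other properties" a security team ships in its deployment package so
# that findings land under the right application and environment in the UI.
contrast_jvm_opts() {
    app="$1"
    env="$2"
    if [ -z "$app" ]; then
        echo "contrast_jvm_opts: application name is required" >&2
        return 1
    fi
    case "$env" in
        development|qa|production) ;;
        *)
            echo "contrast_jvm_opts: environment must be development, qa or production" >&2
            return 1
            ;;
    esac
    printf '%s %s %s\n' \
        "-javaagent:$CONTRAST_JAR" \
        "-Dcontrast.application.name=$app" \
        "-Dcontrast.server.environment=$env"
}

# agent_attached CMDLINE
# Returns 0 when the JVM command line contains a -javaagent entry pointing at
# a Contrast jar, 1 otherwise. Run it against the start script or against
# `ps -o args= -p <pid>` of the live JVM; a restart that lost the option is
# the usual reason an onboarded app silently stops reporting.
agent_attached() {
    case "$1" in
        *-javaagent:*contrast*.jar*) return 0 ;;
        *) return 1 ;;
    esac
}

# agent_jar_present
# Returns 0 when the jar exists and is readable by the caller. A jar copied
# to the wrong path, or unreadable by the service account, is the other
# common cause of "no data" during a rollout.
agent_jar_present() {
    [ -r "$CONTRAST_JAR" ]
}

# Constructed sample command lines, in the form ps prints them.
SAMPLE_WITH_AGENT='java -Xmx2g -javaagent:/opt/contrast/contrast.jar -Dcontrast.application.name=billing -jar app.jar'
SAMPLE_WITHOUT_AGENT='java -Xmx2g -jar app.jar'

# Usage: print the options for one app, then check both samples.
contrast_jvm_opts billing production
if agent_attached "$SAMPLE_WITH_AGENT"; then echo "sample 1: agent attached"; fi
if ! agent_attached "$SAMPLE_WITHOUT_AGENT"; then echo "sample 2: agent missing"; fi
```

The environment whitelist in contrast_jvm_opts is deliberate: an app tagged with a misspelled environment ends up in its own bucket in the UI and is easy to miss when reporting coverage, which matters for the percentage-of-estate numbers several reviewers track.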
SW
Senior Customer Success Manager at a tech company with 201-500 employees

The agent installation is straightforward. Typically, for an initial user (developer) and application, Customer Success or Professional Services can just walk them through the setup over the phone. The dashboard requires no installation (SaaS), so the developer can exercise the app + agent and see vulnerabilities immediately.

Some deployments are more complex, but deployment complexity generally reflects the complexity of the customer and their overall situation. A large customer may have many business units, app teams, apps, and languages, requiring some planning. 
