We evaluated all of the IAST products that were on the market at the time. It was the most mature product in the space. One vendor had an IAST solution, but it wasn't a fully developed solution; they may not have even had any customers. There was another that had a fairly mature IAST product, but they hadn't done a lot of development in terms of the look and feel. Contrast was a very complete solution. It met all of our technical requirements and it was really the only IAST product that felt like a real product.

Before choosing Contrast Assess, we looked at Veracode and Checkmarx. 

Contrast does things continuously so it's more of an IAST. Checkmarx didn't. Using it, you would have to upload a .war file and then it would do analysis. You would then go back to the portal and see the vulnerabilities there. 

It was the same with Veracode. When you take a SAST piece or a DAST piece, you have to have some specific timing in some workflows and then you upload all of the stuff to their portal and wait for results. The results would only come after three days or after five days, depending on how long it takes to scan that specific workflow. 

The way the scanning is done is fundamentally different in Contrast compared to how the solutions do it. You just install Contrast on the app server and voilà. Within five minutes you might see some vulnerabilities when you use that application workflow.

We had an extensive list that we examined. We dove into some portable solutions. We did have some excellent competitors because they gave us a clear indication of what we wanted to do. We examined SonarQube and Veracode, who presented us with a great product, but was not a great fit for us at the time. These solutions gave us the idea of going with something much larger and more broad than just a tool to produce findings. So, many competitors were examined, and we just selected the one who mostly fit our way of doing things.

The main thing to note is the key differentiation between Contrast and everything else we evaluated is the production value range since we had the chance to examine actual requests to our site using our code. Contrast eliminated the competition with their ability to add the live aspects of a request taken. That was something we weren't able to find in other solutions.

Some of the other competitive solutions were more expensive.

We did not evaluate other options. We met with Contrast and they were the leader in the space for instrumentation, so we went forward with them.

There were other companies that the people involved in evaluations were looking at, but I was not involved in that process.

We have not evaluated other IAST platforms.