Contrast Security Assess Previous Solutions

ML
Director of Threat and Vulnerability Management at a consultancy with 10,001+ employees

We did not use any other interactive application security testing solutions. There are very few on the market. We did use legacy technologies like DAST and SAST. We still use those technologies in our environment mostly to supplement Contrast or to assess environments that Contrast is not able to assess.

RR
Senior Security Architect at a tech services company with 5,001-10,000 employees

Before Contrast we were using regular manual pen-testing tools like Burp and other common tools. We switched to Contrast because the way it scans is different. Back in those days, security would do a pen test on Friday or Saturday — over the weekend when the traffic is less. We used to set aside time. Contrast doesn't work that way. It's continuous scanning. We install an agent and it continuously does it. Continuous is way better than having a separate time where you say, "We're going to scan at this time." The Dev-SecOps model is continuous and Contrast fits well there. That's why we made the switch.

Contrast is above par with respect to the different applications that I've used in the past, like Veracode. I saw false positives and false negatives with all those tools. But Contrast is better than all the other tools that I've used.

AK
Senior Manager of Information Security at Kaizen Gaming

I have used SonarQube and GitLab Premium before. We decided to go with Contrast because it has the best price model since it takes into account only the number of applications. It also finds vulnerabilities within minutes of its launch. The product is also developer-friendly.

Buyer's Guide
Contrast Security Assess
April 2024
Learn what your peers think about Contrast Security Assess. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
768,578 professionals have used our research since 2012.
AK
Technical Information Security Team Lead at Kaizen Gaming

Prior to this, we did not have such a solution and relied on other controls.

Our initial thought was that we needed a SAST tool. So, we proceeded with approaching some vendors. What sparked the interest for Contrast is its real-time evaluation of requests from our users and identification of real-time vulnerabilities.

We have now established specific web nodes serving those requests. We get all the feedback from there along with all the vulnerabilities identified. Then, we have a clear dashboard managed by our information security team, which is the first step of evaluation. After that, we proceed with adding those pieces of the vulnerabilities to our software development life cycle.

Prior to using Contrast, we didn't have any visibility. There were no false positives; we had just the emptiness where even false positives would be a good thing. Then, within the first week of having the tool, 80 or 90 vulnerabilities had been identified, which gave us lots to do with minor false positives.

TS
Manager at a consultancy with 10,001+ employees

We did not use something else specifically for interactive app testing or software composition. We've only had tools for static and dynamic testing.

Our decision to go with Contrast dates back to the whole issue of our application teams that need faster results and fewer bottlenecks. We use Fortify for static and dynamic scanning, and that creates a lot of time delays, either waiting for a scan or waiting for review of the scan results to be completed. Whereas with Contrast, there are no delays. The teams that are more Agile and deploying much more often require that feature.

HK
Product Security Engineer at a tech services company with 10,001+ employees

We did not have a previous solution. Contrast is a one-of-a-kind tool. It does runtime scanning so this is the only runtime scanning tool we have had.

Before me, one of my teammates was working on a different application and he was the first person to use Contrast. Then we bought three licenses. There is one more person who used it before me, for a different application. We have had good findings there as well. I have put to use the second license and we have one more license to use. We have identified an application to onboard, and we have also spread the word to different teams within the company and they're working closely with the Contrast team to use it in a different way. We are using the cloud version and they're still deciding on how to use it. We are just starting with Contrast but use of it is expanding within our company.

By "application" I mean monolithic, big applications. We currently have two such applications in Contrast and we will be working on the third one. We are looking to do more.

TM
Director of Innovation at a tech services company with 1-10 employees

We use WebInspect and AppScan. We're evaluating the possibility of switching from them to Contrast, but right now Contrast is still in trial. We're not quite at that point in making a decision to drop one of those other tools yet.
