Contrast Security Assess Overview

Contrast Security Assess is the #7 ranked solution in our list of AST tools. It is most often compared to Veracode.

What is Contrast Security Assess?

Contrast Security is the world’s leading provider of security technology that enables software applications to protect themselves against cyberattacks, heralding the new era of self-protecting software. Contrast's patented deep security instrumentation is the breakthrough technology that enables highly accurate assessment and always-on protection of an entire application portfolio, without disruptive scanning or expensive security experts. Only Contrast has sensors that work actively inside applications to uncover vulnerabilities, prevent data breaches, and secure the entire enterprise from development, to operations, to production.

Contrast Security Assess is also known as Contrast Assess.

Contrast Security Assess Buyer's Guide

Download the Contrast Security Assess Buyer's Guide including reviews and more. Updated: September 2021

Contrast Security Assess Customers

Williams-Sonoma, Autodesk, HUAWEI, Chromeriver, RingCentral, Demandware.

Pricing Advice

What users are saying about Contrast Security Assess pricing:
  • "I like the per-application licensing model... We just license the app and we look at different vulnerabilities on that app and we remediate within the app. It's simpler."
  • "It's a tiered licensing model. The more you buy, as you cross certain quantity thresholds, the pricing changes. If you have a smaller environment, your licensing costs are going to be different than a larger environment... The licensing is primarily per application. An application can be as many agents as you need. If you've got 10 development servers and 20 production servers and 50 QA servers, all of those agents can be reporting as a single application that utilizes one license."
  • "For what it offers, it's a very reasonable cost. The way that it is priced is extremely straightforward. It works on the number of applications that you use, and you license a server. It is something that is extremely fair, because it doesn't take into consideration the number of requests, etc. It is only priced based on the number of onboarded applications. It suits our model as well, because we have huge traffic. Our number of applications is not that large, so the pricing works great for us."
  • "The good news is that the agent itself comes in two different forms: the unlicensed form and the licensed form. Unlicensed gives use of that software composition analysis for free. Thereafter, if you apply a license to that same agent, that's when the instrumentation takes hold. So one of my suggestions is to do what we're doing: Deploy the agent to as many applications as possible, with just the SCA feature turned on with no license applied, and then you can be more choosy and pick which teams will get the license applied."
  • "You only get one license for an application. Ours are very big, monolithic applications with millions of lines of code. We were able to apply one license to one monolithic application, which is great. We are happy with the licensing. Pricing-wise, they are industry-standard, which is fine."

Ramesh Raja
Senior Security Architect at a tech services company with 5,001-10,000 employees
Real User
Top 20
Continuously looks at application traffic, adding to the coverage of our manual pen testing

What is our primary use case?

We use the solution for application vulnerability scanning and pen-testing. We have a workflow where we use a Contrast agent and deploy it to apps from our development team. Contrast continuously monitors the apps. When any development team comes to us and asks, "Hey, can you take care of the Assess, run a pen test and do vulnerability scanning for our application?" we have a workflow and deploy a Contrast agent to their app. Because Contrast continuously monitors the app, when we have notifications from Contrast, they go to the developers who are responsible for fixing that piece of the…

Pros and Cons

  • "We use the Contrast OSS feature that allows us to look at third-party, open-source software libraries, because it has a cool interface where you can look at all the different libraries. It has some really cool additional features where it gives us how many instances in which something has been used... It tells us it has been used 10 times out of 20 workloads, for example. Then we know for sure that OSS is being used."
  • "Contrast Security Assess covers a wide range of applications like .NET Framework, Java, PSP, Node.js, etc. But there are some like Ubuntu and the .NET Core which are not covered. They have it in their roadmap to have these agents. If they have that, we will have complete coverage."

What other advice do I have?

If you are thinking about Contrast, you should evaluate it for your specific needs. Companies are different. The way they work is different. I know a bunch of companies that still have the Waterfall model. So evaluate and see how it fits in your model. It's very easy to go and buy a tool, but if it does not fit very well in your processes and in your software development lifecycle, it will be wasted money. My strongest advice is: See how well it fits in your model and in your environment. For example, are developers using more of pre-production? Are they using a Dev sandbox? How is QA working…
ML
Director of Threat and Vulnerability Management at a consultancy with 10,001+ employees
MSP
Top 20
We're gathering vulnerability data from multiple environments in real time, fundamentally changing how we identify issues in applications

What is our primary use case?

The primary use case is application security testing, where we try to identify vulnerabilities within applications developed by our company. Contrast is a cloud-hosted solution. That's where most of the data and analysis takes place. It's also how most users interact with that data. Data is collected by agents that are deployed to servers within our environment. The agent component is internal to our organization, gathering data that is sent back to the cloud.

Pros and Cons

  • "The solution is very accurate in identifying vulnerabilities. In cases where we are performing application assessment using Contrast Assess, and also using legacy application security testing tools, Contrast successfully identifies the same vulnerabilities that the other tools have identified but it also identifies significantly more. In addition, it has visibility into application components that other testing methodologies are unaware of."
  • "To instrument an agent, it has to be running on a type of application technology that the agent recognizes and understands. It's excellent when it works. If we're using an application that is using an unsupported technology, then we can't instrument it at all. We do use PHP and Contrast presently doesn't support that, although it's on their roadmap. My primary hurdle is that it doesn't support all of the technologies that we use."

What other advice do I have?

Be prepared for the cultural change, more than the technology change. Most of the benefits that I have from the solution are the time savings where we're not scanning things and analyzing things. I now spend a lot of my time explaining to people how Contrast works, explaining to people how it changes our program, and explaining to people how Contrast fits into their development life cycle. If you're approaching it from a purely technical perspective, you're missing a big piece of what you're going to be spending your time on. I don't have any major complaints. Most of our challenges with…
Aggelos Karonis
Technical Information Security Team Lead at Kaizen Gaming
Real User
Top 20
An easy, fast way to improve your code security and health

What is our primary use case?

Up to this point, as an information security company, we had very limited visibility over the testing of the code. We have 25 Scrum teams working but we were only included in very specific projects where information security feedback was required and mandatory to be there. With the use of Contrast, including the evaluation we did, and the applications we have included in the system, we now have clear visibility of the code.

Pros and Cons

  • "In our most critical applications, we have a deep dive in the code evaluation, which was something we usually did with periodic vulnerability assessments, code reviews, etc. Now, we have real time access to it. It's something that has greatly enhanced our code's quality. We have actually embedded a KPI in regards to the improvement of our code shell. For example, Contrast provides a baseline where libraries and the usability of the code are evaluated, and they produce a score. We always aim to improve that score. On a quarterly basis, we have added this to our KPIs."
  • "Personalization of the board and how to make it appealing to an organization is something that could be done on their end. The reports could be adaptable to the customer's preferences."

What other advice do I have?

I would recommend trying and buying it. This solution is something that everyone should try in order to enhance their security. It's a very easy, fast way to improve your code security and health. We do not use the solution’s OSS feature (through which you can look at third-party open-source software libraries) yet. We have not discussed that with our solutions architect, but it's something that we may use in the future when we have more applications onboard. At this point, we have a very specific path in order to raise the volume of those critical apps, then we will proceed to more features…
TS
Manager at a consultancy with 10,001+ employees
Real User
Because they're not waiting on security to complete scans for them, Dev teams are not seeing delays in deployment

What is our primary use case?

We've been using Contrast Security Assess for our applications that are under more of an Agile development methodology, those that need to deliver on faster timelines. The solution itself is inherently a cloud-based solution. The TeamServer aspect, the consolidated portal, is hosted by the vendor and we have the actual Assess agent deployed in our own application environments on-prem.

Pros and Cons

  • "The most valuable feature is the continuous monitoring aspect: the fact that we don't have to wait for scans to complete for the tool to identify vulnerabilities. They're automatically identified through developers' business-as-usual processes."
  • "This has changed the way that developers are looking at usage of third-party libraries, upfront. It's changing our model of development and our culture of development to ensure that there is more thought being put into the usage of third-party libraries."
  • "Regarding the solution's OSS feature, the one drawback that we do have is that it does not have client-side support. We'll be missing identification of libraries like jQuery or JavaScript, and such, that are client-side."
  • "The setup of the solution is different for each application. That's the one thing that has been a challenge for us. The deployment itself is simple, but it's tough to automate because each application is different, so each installation process for Contrast is different."

What other advice do I have?

Make sure you understand your environment before deploying. Try to get an idea of what technologies are in use by applications so you can group them and group the deployment and the implementation. That way you can focus on automating .NET deployments, for example, first, and then move on to Java, etc. The biggest lesson I have learned from using this solution is that there is a tool out there that is really changing the way that we are running security testing. In the security realm we're used to the static and dynamic testing approaches. Contrast Assess, as well as some other tools out…
TM
Director of Innovation at a tech services company with 1-10 employees
Real User
OSS feature gives us better visibility and valuable insight into third-party open-source software libraries

What is our primary use case?

It is used primarily to help put a layer of security around some of our legacy applications that were built quite some time ago. It's also used to provide better quality assessments on the vulnerabilities of some of these applications, compared to some of the other tools that we've been using. We're using the SaaS platform.

Pros and Cons

  • "The accuracy of the solution in identifying vulnerabilities is better than any other product we've used, far and away. In our internal comparisons among different tools, Contrast consistently finds more impactful vulnerabilities, and also identifies vulnerabilities that are nearly guaranteed to be there, meaning that the chance of false positives is very low."
  • "Contrast's ability to support upgrades on the actual agents that get deployed is limited. Our environment is pretty much entirely Java. There are no updates associated with that. You have to actually download a new version of the .jar file and push that out to your servers where your app is hosted. That can be quite cumbersome from a change-management perspective."

What other advice do I have?

Make sure that you have a very good change-management strategy in place ahead of time. Also, it's not enough to have the solution itself. It still requires proactive management on behalf of your developers to make sure they understand what the product is offering and that they are using the product in a way that will benefit them.
HK
Product Security Engineer at a tech services company with 10,001+ employees
Real User
Finds high-priority issues that static scanning tools have not found

What is our primary use case?

The product scans at runtime and that is our main use case. We have deployed it for one application in our testing environment, and for the other one in our Dev environment. Whatever routes are exercised in those environments are being scanned by Contrast.

Pros and Cons

  • "No other tool does the runtime scanning like Contrast does. Other static analysis tools do static scanning, but Contrast is runtime analysis, when the routes are exercised. That's when the scan happens. This is a tool that has a very unique capability compared to other tools. That's what I like most about Contrast, that it's runtime."
  • "I would like to see them come up with more scanning rules."

What other advice do I have?

It depends on the company, but if you want to manage and maintain and onboard, I would recommend having Contrast as part of your toolkit. It is definitely helpful. My advice would be to install it on the environment in which there are more routes exercised, whether it is the testing environment or Dev, to get most out of the tool. In terms of configuration, we have Contrast on one of the applications in our testing environment and we have the other in the Dev environment. To decide on that took us some time because we didn't have access to all the environments of a single application…
SW
Senior Customer Success Manager at a tech company with 201-500 employees
Real User
Top 5 Leaderboard
Infuses software with vulnerability assessment capabilities for automatic flaw detection

What is our primary use case?

A good use case is a development team with an established DevOps process. The Assess product natively integrates into developer workflows to deliver immediate results. Highly accurate vulnerability findings are available at the same time as functional/regression testing results. There is no wait for time-consuming static scans. Assess works with several languages, including Java and .NET, which are common in enterprise environments, as well as Node.js, Ruby and Python.

Pros and Cons

  • "By far, the thing that was able to provide value was the immediate response while testing ahead of release, in real-time."
  • "I think there was activity underway to support the centralized configuration control. There are ways to do it, but I think they were productizing more of that."

What other advice do I have?

Start with a small app team initially, before scheduling a larger rollout. Teams that have been using SAST tools find that using Assess changes how they think about appSec in their development workflow and helps them identify process modifications that maximize the value of the tool. Overall, on a scale from one to ten, I would give this solution a rating of ten. The product is strong and improving, support is responsive and effective, and supported integrations work for many customers.