It scales extremely well. One of the selling points in our organization, internally, is that I'm able to tell my application owners that we can deploy Contrast for them anywhere. If they want to have their web services in the cloud, we can deploy the agent in the cloud. If they want to have web servers on-premises, we can deploy it on-premises. We can do a hybrid approach and we deploy globally. We're able to provide the same service to development teams in other parts of the world.

We're planning to use it for roughly 50 percent of our environment. We certainly intend to increase our footprint. Our objective is to do all of our application security testing through Contrast. One of our primary hurdles right now, in that regard, is that we're using technology that they don't support. If they supported all of our application technologies, our objective would be to migrate all of our applications into Contrast.

In terms of how much of the solution we're using, I put us at around 75 percent. We could get more out of the product. We could utilize the product better. A lot of that is dependent on adoption by developers. They're really not used to interactive application security testing solutions. They're used to legacy solutions like DAST or SAST. This is a change in process for them and a change in technology. We need to get further along with the developers before we can really maximize our utilization of the product.

Contrast Security Assess is a scalable solution. More than 200 employees were using Contrast Security Assess in my previous organization.

Assess has as scalable as Contrast Security Protect, but our user base is lower on the Assess side. We have more developers connecting to the machine, but fewer transactions from the development side.

It depends on how many apps a company or organization has. But whatever the different apps are that you have, you can scale it to those apps. It has wide coverage. Once you install it in an app server, if the app is very convoluted, it has too many workflows, that is no problem. Contrast is per app. It's not like when you install source-code tools, where they charge by lines of code, per KLOC. Here, it's per app. You can pick 50 apps or 100 apps and then scale it. If the app is complex, that's still no problem, because it's all per app.

We have continuously increased our license count with Contrast, because of the ease of deployment and the ease of remediating vulnerabilities. We had a fixed set for one year. When we updated about six months ago, we did purchase extra licenses and we intend to ramp up and keep going. It will be based on the business cases and the business apps that come out of our organization.

Once we get a license for an app, folks who are project managers and scrum masters, who also have access to Contrast, get emails directly. They know they can put defects right from Contrast into JIRA. We also have other different tools that we use for integration like ThreatFix, and risk and compliance and governance tools. We take the results and upload them to those tools for the audit team to look at.

I would rate the product's scalability an eight out of ten. My company has 32 users for the tool. 

At this point, we have provided access to 20 people in the Contrast platform. However, it is being used by more people than that because once a vulnerability is identified and marked as something that we should fix, then it's handled by a person who may not have access to Contrast and is only presented with a specific vulnerability in order to fix it. Top management receives the reports that we give them as well as the KPI's. So, it's used across the organization. It's not really limited to just the teams who have actual access to it.

At this point, we see great value for the applications that we have it on. We want to spread it across lower criticality applications. This is something that's a positive thing, because if we want to have it on a larger scale, we'll just add another web node and filter different apps on it. It's a very scalable and easy to manage. We are more than sure that it will cover the needs that we'll have in the future as well. We have weekly releases with no issues so far.

Scalability ties back to automation. It's very tough to scale this from an automated perspective, so we've just been doing manual installs from the beginning. If there were an easier way, a way to automate the deployment of the solution, that would be one of our hopes for the product roadmap.

The scalability of the product is a problem in the solution, especially from a commercial perspective.

There must be an integration with the ecosystem and application development landscape. So once the solution is integrated with many tools, it is scalable. It's different from the product, which is scalable because the product is one of the steps within a complex process.

To complete the process, you must integrate the solution with other tools.

It's easily scalable. We are planning to spread it to other teams and we are planning on one more application from within our team. It's just a matter of installing it on the proper cloud and it's good to go. It's easy to configure and you just have to decide which environment you want it on and make a few configuration changes.

In our company, it's mainly security who maintains and uses the tool. We haven't onboarded any of the developers or security champions within the company because we just started with it and we want to get to know the tool entirely. Then we can pass it on to other people in the company. For now, we, as the security team, are using it. Our team has 10 to 11 people. There are a few people from the DevOps team who have access to it to do the configuration stuff, and that team is another four or five people.

The scalability ties back to something I said before about change management. So far, we haven't seen anything that would prevent us from scaling upwards significantly. However, it requires the organization to have a pretty robust way of handling the changes for Contrast: for instance, the updates of the application itself. Because those updates aren't bundled into Contrast, it behooves the organization that's deploying Contrast to ensure it has a very robust change-management strategy to work with the product.

Out of our perimeter applications, we've got about 20 apps onboarded. Those applications that it has been deployed to are key applications, including key revenue-driving applications, but it's still being used only in a minority of our applications at the moment. Our adoption rate is around 10 percent. We have plans to increase usage of Contrast Security. We have hundreds of applications. Out of our customer-focused applications that are on the perimeter — we have over 200 of them — Contrast is deployed to about 20 of them.

We have about 130 users registered to use the product. The majority, about 80 percent, are developers, while about 10 percent are security personnel, and 10 percent are managers. We have a dedicated staff for maintaining the solution. That's the staff that I'm part of right now.

Contrast is a well-designed SaaS platform and scales well. There are no practical limits on the number of users or apps.