4 out of 5.0, Reviewed Nov 2, 2016
Core RASP functionality seems to work well. LDAP and JIRA integrations seem limited right now, but understandable for a relatively new product.
4 out of 5.0, Reviewed Oct 27, 2016
Very responsive to support tickets
There will be extra set up effort if your applications have unusual configurations
Great tool, wealth of information.
Issues setting up out of the ordinary application configuration. Agent causes performance issues in some cases.
I wish support was more inclined to get on a call to resolve issues, instead of emai
Have a training session immediately after set up in Contrast
5 out of 5.0, Reviewed Oct 26, 2016
Contrast has been easy to work with and very forthcoming with their ability to take suggestions and implement quickly.
Talk technical early. All software works great at a marketing level, but when judging different products, get in the weeds. We found too many problems with other software once we took a deep dive. Other products failed the second we realized that scalability and configuration didn't exist. Contrast had an architecture that allows us to grow now and in the future easily.
Once configured, it's set and forget. All functional testing is perfect security testing.
I wish the product could have a better integration with IDE tooling. This would need to be coupled with a better concept of vulnerabilities found in a master branch of code (the stuff we need to fix immediately) vs vulnerabilities found in a dev branch (stuff we need to fix before merging with master and stuff that AppSec doesn't need to focus on)
I wish there were other ways to integrate the tool besides as a Java agent. This can cause some bad interactions with other Java agents that we had to choose between.
Begin with a better understanding of coverage before integrating IAST. We took too long to understand what we were missing with IAST security testing.
4 out of 5.0, Reviewed Oct 25, 2016
The vendor was easy to work with. I expect issues during rollouts of this type, and this rollout was no different. The ability for the vendor to work with us and resolve issues is what drives the willingness to continue with a product. Contrast support staff assisted on some challenging issues while we underwent some underlying technology changes.
Understand the deployment model and functionality of the application. We do file processing and as a result have some chatty communication that could be perceived as load testing. Contrast brought this processing to a grind. We also do a lot of JSON processing on the server side and use heavy client side JS. We have very high quality developers (we do security application development). As a result, the findings have been pretty limited. I believe there will still be an ROI of the product by sharing with customers that we have a sound Secure SDLC model.
Everyone has been courteous and understanding. I had worked with the Sales Engineer previously so I know the quality of people they hire. The product is relatively easy to install and easy to use.
Processing the results can be challenging at times.
I'm pretty happy with the way Contrast has handled things. I wish they would do a slightly better job of asking more detailed architecture questions about the products from a high level. It may have helped us manage expectations for our file processing/authentication. They were open about disabling Contrast on load testing machines, but the correlation between load testing and high processing wasn't quite there.
I honestly think we would have held off on the purchase. We had not reached a point internally where we had a grasp of our SDLC deployment methodology and were switching between virtual machine host software as well as creating an internal cloud CI/CD model.
We had challenges deploying on-prem. Some was due to our own implementation, others were due to scripts in the installation process. Some of the error messaging was not there.
1 of 1 peer(s) found this review helpful.
5 out of 5.0, Reviewed Oct 18, 2016
People we worked with had extensive knowledge of Java and OWASP
Understand your module configurations.
Integration with our developer stack and fast feedback. Also fits well with our Agile development cycle.
Some minor feature changes.
Contrast has been very responsive
5 out of 5.0, Reviewed Oct 18, 2016
Contrast Security is a very hard working customer-focused organization with a superb product. They showed great flexibility to meet the needs of our time zone and processes. The Java IAST product was more accurate and mature than the Node.js product which was very new when we started evaluating it. The Contrast engineers pulled out all the stops to diagnose and resolve issues to get the Node.js product right for us in time.
SaaS is quicker and easier to install than on-premises.
Speed and accuracy of vulnerability detection right down to the line of code at fault.
The version we installed was focused on the application server vulnerabilities only. I'd have liked browser-side vulnerability detection also (for DOM based XSS & HTML5 SQL injection etc.), and believe that is on the near-horizon in the roadmap.
Stabilized the pricing model.
We should have been quicker in identifying and building environments for the on-premises proof of concept work. There were long delays in gaining official approval to deploy the IAST tool in our estate. This was due to Technical Design Authority concerns about security of the tool which turned out to be unfounded.
Within the context of application server-side vulnerability detection, excluding business logic, the product is superb.
Great support every time we asked. We even needed an invoice converted from $ to £ at 4 A.M. USA time and they did it straight away.
Initially we had some problems with the Node.js version, but these were resolved within a few days and never troubled us again.