RASP with its Contrast Protect product, which can be licensed independently or jointly with Assess. Contrast also offers a
central management console, the Contrast TeamServer, which can be delivered as a service or on-premises. Testing does
not require attack data to identify vulnerabilities; rather, it is driven by application test activity, such as QA, executed
automatically or manually.
During the past 12 months, Contrast Security improved its native integration with development and bug-tracking
environments, and added support for additional languages and platform as a service (PaaS). Contrast Security also added
vulnerability autoremediation capabilities.
Contrast is a good fit for organizations pursuing a DevOps methodology and looking for approaches to insert automated,
continuous security testing that's transparent to developers and testers.
Strengths
■ Contrast's testing approach is transparent to developers and security specialists, and does not require stand-alone
testing or training. The solution does not require security specialists to run dedicated security tests; instead, the agent
can identify vulnerabilities through normal application execution.
■ Contrast Assess is one of the most broadly adopted IAST solutions and regularly competes in IAST shortlists.
■ Clients highly rate the ease of use of the tool and the vendor's support.
■ Contrast provides virtual patches of some identified vulnerabilities when licensed with Contrast Protect, for both
in-house and third-party code, until the vulnerability is remediated in underlying code or server configuration.
■ Contrast's solution enables customers to leverage the instrumentation agent to add or enhance security logging,
delivering security analytics for production applications.
Cautions
■ Contrast Security does not provide traditional SAST or DAST tools or services.
■ Even though Contrast Security has expanded its language support, it still offers a limited spectrum, compared with
other AST solutions.
■ Contrast Security does not observe and analyze client-side logic executed only in the browser (for example, JavaScript
or Java applets); therefore, it cannot identify client-side vulnerabilities, such as JavaScript-based Document Object
Model (DOM) XSS.
■ Contrast Security does not provide any human augmentation options, and the passive testing model means that proof
of exploitation is not an option.
■ Contrast can test mobile application back ends, but not the client-side code of the mobile app, and does not conduct
behavioral analysis.
IBM
IBM is a global vendor of IT services and products based in the U.S. IBM provides SAST and DAST desktop tools,
including IBM Security AppScan Source, IBM Security AppScan Standard and an enterprise platform (AppScan
Enterprise). This includes a centralized management console that enables users to import findings from third-party tools.
IBM also offers cloud services for SAST and DAST (IBM Security Application Security on Cloud). In addition, IBM provides
IAST, delivered via the Glassbox agent in AppScan (AppScan Standard, Enterprise and Cloud), which is free to DAST
customers; mobile AST (MAST; IBM Mobile Analyzer); and SCA offerings (IBM Security Open Source Analyzer [OSA]). For
SCA, IBM licenses vulnerability and remediation databases from WhiteSource. IBM also has a partnership with Prevoty
for RASP.